diff --git a/.github/workflows/plan-only.yml b/.github/workflows/dns-plan.yml similarity index 54% rename from .github/workflows/plan-only.yml rename to .github/workflows/dns-plan.yml index d74b338..5b108d6 100644 --- a/.github/workflows/plan-only.yml +++ b/.github/workflows/dns-plan.yml @@ -1,36 +1,19 @@ -name: Run PLAN only for DNS to AWS +name: PLAN only for DNS to AWS on: push: - branches-ignore: - - 'main' + branches-ignore: [main] paths: - 'dns/*' - '.github/workflows/dns-option-deploy.yml' - - '**.tf' workflow_dispatch: - inputs: - action: - description: 'Run mode (plan)' - required: true - default: 'plan' - type: choice - options: - - plan - +permissions: + id-token: write # This is required for requesting the JWT for AWS authentication + contents: read # This is required for actions/checkout jobs: test-and-deploy: runs-on: ubuntu-latest - defaults: - run: - shell: bash - strategy: - max-parallel: 1 - fail-fast: true - matrix: - environment: [staging] environment: aws - steps: - name: Checkout infrastructure-as-code (public) repo uses: actions/checkout@v3 @@ -52,24 +35,8 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE }} aws-region: eu-west-2 - # ------------ TERRAFORM INIT (uses lockfile) ------------ - - name: Terraform Init - run: terraform init - working-directory: dns/ - - - name: Terraform Format - run: terraform fmt -write=false - working-directory: dns/ - - - name: Terraform Validate - run: | - terraform workspace select $TERRAFORM_WORKSPACE_STG - terraform validate - working-directory: dns/ - # ------------ PLAN ------------ - name: Terraform Plan - if: ${{ github.event.inputs.action == 'plan' }} shell: bash run: | cd security.gov.uk-iac/dns/
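Review bot: The `paths` filter in the first hunk no longer covers everything this workflow depends on: with `- '**.tf'` removed, `'dns/*'` matches only files directly under `dns/` (in GitHub's filter syntax `*` does not cross `/`), and the remaining workflow entry names `dns-option-deploy.yml` rather than the renamed `dns-plan.yml`. A push that touches only a file in a subdirectory of `dns/` (if any exist) or only this workflow would skip the plan, so the change would reach review with no plan output to check it against. I would use `- 'dns/**'` and add `- '.github/workflows/dns-plan.yml'`. Separately, `id-token: write` is now granted at workflow level while `actions/checkout@v3` is referenced by a mutable tag; pinning the action to a full commit SHA would match the tightened `permissions` block. The `steps` list continues outside the hunk.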
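Review bot: With the `Terraform Init` and `Terraform Validate` steps removed in the second hunk, nothing visible runs `terraform init` or `terraform workspace select $TERRAFORM_WORKSPACE_STG` before the plan. Unless the `run: |` block of `Terraform Plan` (which continues past the end of the hunk) does both, the plan will either fail or be computed against the default workspace instead of staging. Dropping the `if:` guard also means the step now runs on every matching push to a non-main branch with the role from `secrets.AWS_ROLE`, and `terraform plan` evaluates whatever configuration the branch contains. The role's IAM policy and its OIDC trust condition should therefore be confirmed as read-only and scoped to this repository's `aws` environment. A short comment above the step, e.g. `# plan only: AWS_ROLE must not allow write actions`, would record that assumption.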