diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index f79f186..a889fd0 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -1,58 +1,49 @@
-name: Terraform
+name: Terraform AWS Deployment
 on:
 push:
- branches:
- - main
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
 jobs:
 terraform:
 runs-on: ubuntu-latest
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: us-west-2
+
 steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v3
-
- - name: Verify AWS Secrets Presence (Debug Step)
- run: |
- if [ -z "${{ secrets.AWS_ACCESS_KEY_ID }}" ]; then
- echo "AWS_ACCESS_KEY_ID secret is not set"
- exit 1
- fi
- if [ -z "${{ secrets.AWS_SECRET_ACCESS_KEY }}" ]; then
- echo "AWS_SECRET_ACCESS_KEY secret is not set"
- exit 1
- fi
- echo "AWS secrets are set"
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-2
-
- - name: Verify AWS credentials
- run: aws sts get-caller-identity
-
- - name: Initialize Terraform
- run: terraform init
- working-directory: terraform
-
- - name: Plan Terraform
- run: terraform plan -out=tfplan
- working-directory: terraform
-
- - name: Apply Terraform
- run: terraform apply -auto-approve tfplan
- working-directory: terraform
-
- - name: Wait for 6 minutes
- run: sleep 600 # 360 seconds equals 4 minutes
-
- - name: Destroy Terraform
- run: terraform destroy -auto-approve
- working-directory: terraform
+ - uses: actions/checkout@v2
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v1
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Terraform Init
+ run: terraform init
+
+ - name: Terraform Plan
+ run: terraform plan
+
+ - name: Terraform Apply
+ if: github.ref == 'refs/heads/main'
+ run: terraform apply -auto-approve
+
+ - name: Cleanup old resources
+ if: always()
+ run: |
+ # List and remove old security groups that aren't being used
+ OLD_SGS=$(aws ec2 describe-security-groups --query 'SecurityGroups[?contains(GroupName, `allow_ssh_`) || contains(GroupName, `allow_http_flask_`)].GroupId' --output text)
+ for SG_ID in $OLD_SGS; do
+ aws ec2 delete-security-group --group-id $SG_ID || true
+ done
+ continue-on-error: true
diff --git a/src/tfgha/app.py b/src/tfgha/app.py
index 5d42457..fb30197 100644
--- a/src/tfgha/app.py
+++ b/src/tfgha/app.py
@@ -1,4 +1,5 @@
 from flask import Flask
+import chromadb
 app = Flask(__name__)
diff --git a/terraform/main.tf b/terraform/main.tf
index 67ab534..ae11acb 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
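Review bot: The rewritten Terraform Init/Plan/Apply steps drop the `working-directory: terraform` that the removed steps carried, so `terraform init` now runs in the repository root while the configuration is in `terraform/main.tf` (the third file in this diff); add `defaults:` / `run:` / `working-directory: terraform` at the job level, or restore the key per step, so plan and apply act on that directory. The new "Cleanup old resources" step runs on every event including `pull_request`, with `if: always()`, and deletes every security group in the region whose name contains `allow_ssh_` or `allow_http_flask_` — including the ones this run just created and any belonging to other stacks; groups attached to an instance are refused by AWS and `|| true` hides that error, but any group not yet attached (a concurrent run, another branch's stack) is deleted, so give it the same `github.ref == 'refs/heads/main'` guard as the apply step and match on this run's exact suffix or a tag rather than a substring. The action references regress from `actions/checkout@v3`, `hashicorp/setup-terraform@v3` and `aws-actions/configure-aws-credentials@v4` to `@v2`/`@v1`/`@v1`, older majors whose Node runtimes GitHub has deprecated; keep the newer majors, ideally pinned to a commit SHA with the version in a comment. The job-level `env:` copies the long-lived access keys into the environment of every step, including the cleanup shell, and duplicates what `configure-aws-credentials` already exports to later steps; the action's `role-to-assume` input with an OIDC trust for this repository would remove static keys from `secrets` altogether.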
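Review bot: `import chromadb` is added at module level but nothing in this hunk uses it; because it runs at import time of the Flask app, a missing or incompatible `chromadb` package becomes a server start-up failure rather than an error in the feature that needs it. If it is groundwork for a later change, add it together with that code (or import it inside the function that uses it) and pin the version in the project's dependency manifest, which is not visible in this chunk. The rest of app.py lies outside the hunk.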
@@ -2,28 +2,60 @@ provider "aws" {
 region = "us-west-2"
 }
+# Add random suffix to avoid conflicts
+resource "random_id" "suffix" {
+ byte_length = 4
+}
+
 resource "aws_key_pair" "deployer" {
- key_name = "deployer-key"
+ key_name = "deployer-key-${random_id.suffix.hex}"
 public_key = file("id_rsa.pub")
 }
 resource "aws_security_group" "allow_ssh" {
- name = "allow_ssh"
+ name = "allow_ssh_${random_id.suffix.hex}"
 description = "Allow SSH inbound traffic"
 ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
 egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_security_group" "allow_http" {
+ name = "allow_http_flask_${random_id.suffix.hex}"
+ description = "Allow inbound HTTP traffic"
+
+ ingress {
+ from_port = 5000
+ to_port = 5000
+ protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
 }
 resource "aws_instance" "py_server" {
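Review bot: The new `aws_security_group.allow_http` opens TCP 5000 to `0.0.0.0/0`, so whatever listens there (the name suggests the Flask app) is reachable from the whole internet, and the unchanged `allow_ssh` rule in the same hunk already does the same for port 22; restrict both to a declared input such as `cidr_blocks = var.allowed_cidrs` with a `variable "allowed_cidrs"` defined alongside, and keep 5000 behind a load balancer or reverse proxy if it must be public at all. The `random_id` suffix on the key pair and group names only makes sense if each apply starts from empty state; if the workflow's `terraform init` really has no remote backend (none is visible in this hunk), every run creates a fresh key pair and two fresh security groups and orphans the previous ones, which is what the workflow's name-based cleanup step then tries to delete — a remote state backend would remove the need for both the suffix and the cleanup. `random_id` also needs the `hashicorp/random` provider, which `terraform init` resolves implicitly for an unqualified resource type, but declaring it in `required_providers` next to `aws` (not shown here) makes the dependency explicit. The `aws_instance.py_server` block begins on the hunk's last line and continues outside it.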