diff --git a/.github/workflows/digger_workflow.yml b/.github/workflows/digger_workflow.yml
index f645b83..4fcca5a 100644
--- a/.github/workflows/digger_workflow.yml
+++ b/.github/workflows/digger_workflow.yml
@@ -30,6 +30,7 @@ jobs:
 ee: 'true'
 digger-spec: ${{ inputs.spec }}
 setup-aws: true
+ setup-terraform: true
 # recommended to use oidc instead
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/dev-ec2/main.tf b/dev-ec2/main.tf
index 396da95..9ee7203 100644
--- a/dev-ec2/main.tf
+++ b/dev-ec2/main.tf
@@ -2,24 +2,17 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "5.24.0"
+ version = "~> 5.0"
 }
 }
- backend "s3" {
- bucket = "digger-states-test"
- key = "demo-ee/features/state"
- region = "us-east-1"
- }
 }
 provider "aws" {
- region = "us-east-1" # Replace with your desired AWS region
+ region = "us-east-1"
 }
-
-resource "aws_ssm_parameter" "foo" {
- name = "/dev/ec2"
- type = "String"
- value = "ec2 instance"
+# This EC2 instance should trigger the Rego deny rule
+resource "aws_instance" "test" {
+ ami = "ami-0c55b159cbfafe1f0" # Amazon Linux 2 AMI
+ instance_type = "t2.micro"
 }
-
diff --git a/dev-vpc/main.tf b/dev-vpc/main.tf
index 29f7b3f..9ee7203 100644
--- a/dev-vpc/main.tf
+++ b/dev-vpc/main.tf
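Review bot: `setup-terraform: true` is added with no Terraform version next to it, so each run installs whatever the action defaults to, and a newer Terraform could change plan behaviour against the `~> 5.0` provider constraint this same commit introduces in dev-ec2 and dev-vpc; if the action accepts a version input, pin it on the line after this one. The same `with:` block now mixes the quoted `ee: 'true'` with the unquoted `setup-aws: true` and `setup-terraform: true`; GitHub passes every `with:` value as a string, so both forms work, but one style (`setup-terraform: 'true'` to match `ee`) reads cleaner. The surrounding context still feeds long-lived access keys and already carries the comment pointing at OIDC; this line does not change that, it only widens what those credentials are used for. The enclosing job definition starts outside the hunk.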
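Review bot: Deleting the `backend "s3"` block leaves this root module on local state, which in a CI job lives only as long as the runner, so every plan starts from an empty state and any apply that does get through creates an `aws_instance` that no persisted state tracks; the dev-vpc hunk drops its backend the same way. If local state is intentional because the module is only a fixture that policy is expected to reject, say so where the backend used to be, e.g. `# No remote backend on purpose: this fixture is meant to be denied by the Rego rule before any apply`; otherwise keep a backend, with bucket and key supplied at init time through a partial backend configuration if they must not be hard-coded here. Loosening `version = "5.24.0"` to `~> 5.0` is reproducible only with a committed `.terraform.lock.hcl`, which is not visible in this diff; without one, successive runs may resolve different 5.x provider releases.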
@@ -2,23 +2,17 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "5.24.0"
+ version = "~> 5.0"
 }
 }
- backend "s3" {
- bucket = "digger-states-test" # Change if a different S3 bucket name was used for the backend
- /* Un-comment to use DynamoDB state locking
- dynamodb_table = "digger-locktable-quickstart-aws" # Change if a different DynamoDB table name was used for backend
- */
- key = "terraform/state"
- region = "us-east-1"
- }
 }
-resource "aws_ssm_parameter" "foo" {
- name = "/dev/vpc"
- type = "String"
- value = "10.10.10.0/32"
+provider "aws" {
+ region = "us-east-1"
 }
-resource "null_resource" "test" {}
+# This EC2 instance should trigger the Rego deny rule
+resource "aws_instance" "test" {
+ ami = "ami-0c55b159cbfafe1f0" # Amazon Linux 2 AMI
+ instance_type = "t2.micro"
+}
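Review bot: The new `aws_instance` hard-codes `ami = "ami-0c55b159cbfafe1f0"`, an ID that is valid in a single region and is tied to `region = "us-east-1"` only by convention, and AMIs of that generation are eventually deprecated, at which point the plan fails on the image lookup instead of the policy test exercising the deny rule; the dev-ec2 hunk carries the identical resource. The comment `# This EC2 instance should trigger the Rego deny rule` should also say which attribute the rule keys on (instance type, tags, the AMI, or something else), because a reader changing any one field cannot tell from here which change would make the fixture stop failing. A `data "aws_ami"` lookup resolved in the provider's region keeps the fixture valid across regions and image rotations:

```hcl
# Resolve the current Amazon Linux 2 image for the provider's region instead of pinning an ID
data "aws_ami" "amazon_linux_2" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

# This EC2 instance should trigger the Rego deny rule: <name the attribute the policy checks>
resource "aws_instance" "test" {
  ami           = data.aws_ami.amazon_linux_2.id
  instance_type = "t2.micro"
}
```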