diff --git a/.woodpecker/dns.yml b/.woodpecker/dns.yml
index f8903a0..1a0a918 100644
--- a/.woodpecker/dns.yml
+++ b/.woodpecker/dns.yml
@@ -4,10 +4,6 @@ pipeline:
     when:
       path: "dns/**"
       event: pull_request
-    secrets:
-      - linode_token
-      - aws_access_key_id
-      - aws_secret_access_key
     commands:
       - apk add --no-cache terraform
       - terraform version
@@ -15,6 +11,7 @@ pipeline:
       - terraform init
       - terraform validate
       - terraform plan -var "token=$LINODE_TOKEN"
+    secrets: [linode_token, aws_access_key_id, aws_secret_access_key]
 
   deploy:
     image: alpine:3.16
@@ -22,10 +19,6 @@ pipeline:
       path: "dns/**"
       branch: main
       event: push
-    secrets:
-      - linode_token
-      - aws_access_key_id
-      - aws_secret_access_key
     commands:
       - apk add --no-cache terraform
       - terraform version
@@ -34,3 +27,4 @@ pipeline:
       - terraform validate
       - terraform plan -out deploy.plan -var "token=$LINODE_TOKEN"
       - terraform apply deploy.plan -var "token=$LINODE_TOKEN"
+    secrets: [linode_token, aws_access_key_id, aws_secret_access_key]
diff --git a/dns/main.tf b/dns/main.tf
index bc40892..17da10f 100644
--- a/dns/main.tf
+++ b/dns/main.tf
@@ -5,6 +5,15 @@ terraform {
 			version = "1.26.0"
 		}
 	}
+
+	backend "s3" {
+		bucket = "treehouse-state"
+		key = "tfstate"
+		region = "us-southeast-1"
+		endpoint = "us-southeast-1.linodeobjects.com"
+		skip_credentials_validation = true
+		skip_region_validation = true
+	}
 }
 
 provider "linode" {