diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
index ced2b09..6180f21 100644
--- a/infrastructure/tofu/main.tf
+++ b/infrastructure/tofu/main.tf
@@ -11,20 +11,28 @@ module "aws_iam_ci_user" {
   source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
 
   name = local.name
-  tests_policy_statements = jsonencode([
-    {
+}
+
+resource "aws_iam_policy" "tftest" {
+  provider = aws.all["root"]
+
+  name = "${local.name}-tftest"
+  policy = jsonencode({
+    Statement = [{
       Action = "iam:*"
       Effect = "Allow"
       Resource = [
         "arn:aws:iam::*:user/tftest-user",
         "arn:aws:iam::*:policy/${local.name}-tftest",
       ]
-    },
-    {
-      # Necessary for removing an IAM user
-      Action = "iam:ListVirtualMFADevices",
-      Effect = "Allow"
-      Resource = "*"
-    }
-  ])
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_user_policy_attachment" "tftest" {
+  provider = aws.all["root"]
+
+  policy_arn = aws_iam_policy.tftest.arn
+  user = local.name
 }
diff --git a/main.tftest.hcl b/main.tftest.hcl
index 90ccb91..1662cf6 100644
--- a/main.tftest.hcl
+++ b/main.tftest.hcl
@@ -1,14 +1,15 @@
 provider "aws" {
-  profile = "tests"
+  profile = "root"
   region = "eu-west-3"
 }
 
 run "main" {
   assert {
-    condition = data.external.main.result.Arn == local.expected_arn
-    error_message = "user ARN mismatch"
-  }
-  module {
-    source = "./test"
+    condition = output.access_key_id != null
+    error_message = "invalid IAM access key ID"
   }
 }
+
+variables {
+  name = "tftest-user"
+}
diff --git a/test/aws_config.tftpl b/test/aws_config.tftpl
deleted file mode 100644
index a5470b2..0000000
--- a/test/aws_config.tftpl
+++ /dev/null
@@ -1,4 +0,0 @@
-[default]
-aws_access_key_id = ${aws_access_key_id}
-aws_secret_access_key = ${aws_access_key_secret}
-region = eu-west-3
diff --git a/test/main.tf b/test/main.tf
deleted file mode 100644
index 450636a..0000000
--- a/test/main.tf
+++ /dev/null
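Review bot: The new `aws_iam_policy.tftest` drops the `iam:ListVirtualMFADevices` statement that the removed lines documented as "Necessary for removing an IAM user", and nothing in the hunk replaces it, so destroying `tftest-user` at the end of a test run may fail with AccessDenied unless the CI user is granted that action elsewhere (the module at ref 1.0.1 may do so; that is not visible here). If it is still required, keep it as a second element of the new `Statement` list, `{ Action = "iam:ListVirtualMFADevices", Effect = "Allow", Resource = "*" }`, together with the original comment explaining why it exists. Separately, `iam:*` on `arn:aws:iam::*:user/tftest-user` wildcards the account id even though the policy is created through the root account provider; pinning it with `data.aws_caller_identity` keeps the grant from widening if the policy is ever reused under another provider. The enclosing `module "aws_iam_ci_user"` block starts before the hunk.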
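Review bot: The new assertion `output.access_key_id != null` is satisfied by any non-null value, so the test no longer verifies that the created user and key actually work the way the removed `get-caller-identity` check did, and it does not look at the secret at all. At minimum tighten it to `condition = output.access_key_id != null && output.access_key_secret != null`, and if the key id format is stable in your account a shape check such as `can(regex("^AKIA", output.access_key_id))` would catch an empty or placeholder value. `profile = "root"` now runs the acceptance test under the root-account profile, which widens the blast radius of a test run compared with the previous dedicated `tests` profile; a one-line comment above it stating which credentials that profile is expected to hold, e.g. `# "root" must resolve to the CI user created by infrastructure/tofu, not an account-level principal`, would make that intent reviewable.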
@@ -1,31 +0,0 @@
-module "main" {
-  source = "../"
-
-  name = "tftest-user"
-}
-
-data "aws_caller_identity" "current" {}
-
-# tflint-ignore: terraform_unused_declarations
-data "external" "main" {
-  program = ["${path.module}/test.sh"]
-
-  depends_on = [local_file.aws_config]
-}
-
-locals {
-  # tflint-ignore: terraform_unused_declarations
-  expected_arn = format(
-    "arn:aws:iam::%s:user/tftest-user",
-    data.aws_caller_identity.current.account_id,
-  )
-}
-
-resource "local_file" "aws_config" {
-  filename = "${path.module}/aws_config"
-  file_permission = "0600"
-  content = templatefile("${path.module}/aws_config.tftpl", {
-    aws_access_key_id = module.main.access_key_id
-    aws_access_key_secret = module.main.access_key_secret
-  })
-}
diff --git a/test/providers.tf b/test/providers.tf
deleted file mode 100644
index 7886647..0000000
--- a/test/providers.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source = "hashicorp/aws"
-    }
-    external = {
-      source = "hashicorp/external"
-      version = "2.3.4"
-    }
-    local = {
-      source = "hashicorp/local"
-      version = "2.5.2"
-    }
-  }
-}
diff --git a/test/test.sh b/test/test.sh
deleted file mode 100755
index 325fcd2..0000000
--- a/test/test.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Wait a bit for the ACCESS KEY to be usable on AWS
-sleep 10
-
-export AWS_CONFIG_FILE="${PWD}/test/aws_config"
-aws sts get-caller-identity