diff --git a/infrastructure/tofu/.terraform.lock.hcl b/infrastructure/tofu/.terraform.lock.hcl
index 9ee3c83..3c0cd99 100644
--- a/infrastructure/tofu/.terraform.lock.hcl
+++ b/infrastructure/tofu/.terraform.lock.hcl
@@ -1,21 +1,36 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.91.0"
- constraints = "5.91.0"
+provider "registry.opentofu.org/adyxax/forgejo" {
+ version = "1.1.0"
+ constraints = "1.1.0"
 hashes = [
- "h1:g+uDHz6bZ36QaxoKWmJEYGh7OP5RAE5MPbxLohzcU18=",
- "h1:qw1Sp5py+7rRwzHgHNJvgYTeTkBnPHY7WercO1BsOh0=",
- "zh:057e6cb85e3efe2c30ef5ca47cc47abc8217e2e0dddce2e92a8d2d6f18b6cee6",
- "zh:0f15d3f599e07307ac9771c602dcaaf0c46dd259649da985cb3cb80a7a647cea",
- "zh:187086070cc878ab0a27163939516983e3efae65ebff78dc3466619cdf978dee",
- "zh:67a58fc85c630bcc6c772f573813caabe6c9af291c71c7207590fc4792e4d94e",
- "zh:68abb9382928ce29c0f3dd9a75b41ad2a453f3a46330f484d1ea858589146c1b",
- "zh:772134ba713e879e5b70d614d08a6650f156e7a3fa724d538bfa85632b1ed639",
- "zh:bf67439e47cf6720dcec7a1e2988d6c10c56d7eea69bb1ecff1b22d6bb63a36d",
- "zh:bfd0b91dc4ae338eb79ec41bede5eed7a0740380bffbdfbda362f7ed08e0e2ad",
- "zh:ca3c3313cd4971850da45ce4337b027a804389db740c310ba637bc0a86775eef",
- "zh:d75a8ec54a4783c25cb806b887f0d3c67cded08db8c496fd9cf831791e4c8482",
+ "h1:xa2K1rn2OzQofizev01UBKEgq4WHo3EM5/fiPCxFL/E=",
+ "zh:0a9fb11ae6b14abca1a5376b3c83182586e8735e67aa863b223737af1edb9802",
+ "zh:16a86c5a4b394f04ab14992b15ee812daee38c88570a6431a9dd7c0b961c3166",
+ "zh:2c2f2703fad8d682d74832ea650cb58efbaf7b63e67c57f4344561ab529c81de",
+ "zh:38326430e210fb899981a5d99b3dd17f0040356ef1879e0a3fe96c9d13d27b4b",
+ "zh:7757c16957287f8e1cca39d349d5c219fc31ef8ce55b60db9f83099e10cd3a93",
+ "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+ "zh:b91bd40d90199ff8c811e241f94931a540d571807743dcd9768625d177c38e29",
+ "zh:efb6d4c30e3412a727c63af9d04ed4b24dfdde251d18343d62a45ae967e4f6ab",
+ "zh:f5357ef185a3183f01555371602471aeadc340a16b1f1355e706fedbfd1f9dad",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "6.2.0"
+ constraints = "6.2.0"
+ hashes = [
+ "h1:UcBl0SyNxOTHOa3Ske3ClmzA7V1S7e/I4+29DLGe85A=",
+ "zh:26072ed06da98bfeff0a9ef54edd215c7af005658a670e098dc6445c10bf2b55",
+ "zh:39aba613926547b289128a8c37baa0b8762dce974ed0e5859c1fd24afaa753b0",
+ "zh:3a97a68258a7cb707ae571a43cfb44142c00a4543689fea4dcbe2e9db2336310",
+ "zh:3af54af122ffc4477ee23dc855b27fdeb3682fff09ac8394b37eac3164faaa65",
+ "zh:4ab39e61f699b9189386b037ba8a6725634e99115a6d24946baae2f461ce519e",
+ "zh:98455edb4f11267c144f15eb36a25adec3121ac8af34754ebfac9e6e00fd5ec7",
+ "zh:b51e505cd73ddf015ce765f4df5ddc5f7e5a42eb596f57bcf0f1eae5338d4efa",
+ "zh:c132a00c0495ae62a14affd1f41bcd7d11f91cf559c6229aa168f326938aedbe",
+ "zh:e14ddc80f4ca1d394889e27d9188f4368ac7d3437e6a10490d1314da66039bf4",
 ]
 }
diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
index 6180f21..682f220 100644
--- a/infrastructure/tofu/main.tf
+++ b/infrastructure/tofu/main.tf
@@ -8,31 +8,27 @@ module "aws_iam_ci_user" {
 aws.root = aws.all["root"]
 aws.tests = aws.all["tests"]
 }
- source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.1.0"
+ forgejo_repository = {
+ name = local.name
+ owner = "adyxax"
+ }
 name = local.name
-}
-
-resource "aws_iam_policy" "tftest" {
- provider = aws.all["root"]
-
- name = "${local.name}-tftest"
- policy = jsonencode({
- Statement = [{
+ tests_policy_statements = jsonencode([
+ {
 Action = "iam:*"
 Effect = "Allow"
 Resource = [
 "arn:aws:iam::*:user/tftest-user",
 "arn:aws:iam::*:policy/${local.name}-tftest",
 ]
- }]
- Version = "2012-10-17"
- })
-}
-
-resource "aws_iam_user_policy_attachment" "tftest" {
- provider = aws.all["root"]
-
- policy_arn = aws_iam_policy.tftest.arn
- user = local.name
+ },
+ {
+ # Necessary for removing an IAM user
+ Action = "iam:ListVirtualMFADevices",
+ Effect = "Allow"
+ Resource = "*"
+ }
+ ])
 }
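Review bot: The first statement in `tests_policy_statements` keeps `Action = "iam:*"` scoped to the `tftest-user` and `${local.name}-tftest` ARNs, and that wildcard still covers policy-attachment and access-key actions on that user, so whichever principal ends up holding these statements (presumably the CI user's tests-account identity — confirm against the module) can give `tftest-user` more permissions than it has itself. Enumerating the actions the test run actually needs (user create/delete, access-key create/delete, attaching and detaching the `${local.name}-tftest` policy) would close that, or a `Condition` on `iam:PermissionsBoundary` if attachment has to stay open-ended. The `iam:ListVirtualMFADevices` statement is a read-only list action that does not support resource-level restriction, so its `Resource = "*"` is expected and the comment explains why it exists. The `module "aws_iam_ci_user"` block starts before this hunk.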
diff --git a/infrastructure/tofu/providers.tf b/infrastructure/tofu/providers.tf
index 8b42979..a312874 100644
--- a/infrastructure/tofu/providers.tf
+++ b/infrastructure/tofu/providers.tf
@@ -9,7 +9,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "5.91.0"
+ version = "6.2.0"
+ }
+ forgejo = {
+ source = "adyxax/forgejo"
+ version = "1.1.0"
 }
 }
 }
@@ -22,3 +26,7 @@ provider "aws" {
 profile = each.key
 region = "eu-west-3"
 }
+
+provider "forgejo" {
+ base_uri = "https://git.adyxax.org/"
+}
diff --git a/main.tftest.hcl b/main.tftest.hcl
index 1662cf6..90ccb91 100644
--- a/main.tftest.hcl
+++ b/main.tftest.hcl
@@ -1,15 +1,14 @@
 provider "aws" {
- profile = "root"
+ profile = "tests"
 region = "eu-west-3"
 }
 
 run "main" {
 assert {
- condition = output.access_key_id != null
- error_message = "invalid IAM access key ID"
+ condition = data.external.main.result.Arn == local.expected_arn
+ error_message = "user ARN mismatch"
+ }
+ module {
+ source = "./test"
 }
 }
-
-variables {
- name = "tftest-user"
-}
diff --git a/test/aws_config.tftpl b/test/aws_config.tftpl
new file mode 100644
index 0000000..a5470b2
--- /dev/null
+++ b/test/aws_config.tftpl
@@ -0,0 +1,4 @@
+[default]
+aws_access_key_id = ${aws_access_key_id}
+aws_secret_access_key = ${aws_access_key_secret}
+region = eu-west-3
diff --git a/test/main.tf b/test/main.tf
new file mode 100644
index 0000000..450636a
--- /dev/null
+++ b/test/main.tf
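Review bot: The new `provider "forgejo"` block in the second hunk sets only `base_uri`, so the API credential the provider authenticates with has to come from outside the configuration, presumably an environment variable, and nothing in this change records which one or what scope the token needs. A one-line comment on the block, along the lines of `# API token comes from the environment (<variable name from the provider docs>); scope it to the adyxax/<repo> repository only`, would make the requirement visible to whoever runs this next. The aws constraint also moves from 5.91.0 to 6.2.0, a major-version jump, which is worth calling out in the commit message if the `for_each` provider configuration above `@@ -22,3` was checked against it.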
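Review bot: In `main.tftest.hcl` the only remaining assertion is `data.external.main.result.Arn == local.expected_arn`, so the run now passes or fails on an external script plus its fixed sleep, and the previous `output.access_key_id != null` check was dropped rather than kept next to it. Keeping a direct check on the module output, for example a second `assert` with `condition = module.main.access_key_id != null` (the root module is called `main` inside `./test`; confirm the run block can see that call), makes a failed key creation distinguishable from a failing `test.sh`. The removed `variables` block means `tftest-user` is now hard-coded in `./test/main.tf` as well as in the root policy ARN, so a rename has to be done in two files.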
@@ -0,0 +1,31 @@
+module "main" {
+ source = "../"
+
+ name = "tftest-user"
+}
+
+data "aws_caller_identity" "current" {}
+
+# tflint-ignore: terraform_unused_declarations
+data "external" "main" {
+ program = ["${path.module}/test.sh"]
+
+ depends_on = [local_file.aws_config]
+}
+
+locals {
+ # tflint-ignore: terraform_unused_declarations
+ expected_arn = format(
+ "arn:aws:iam::%s:user/tftest-user",
+ data.aws_caller_identity.current.account_id,
+ )
+}
+
+resource "local_file" "aws_config" {
+ filename = "${path.module}/aws_config"
+ file_permission = "0600"
+ content = templatefile("${path.module}/aws_config.tftpl", {
+ aws_access_key_id = module.main.access_key_id
+ aws_access_key_secret = module.main.access_key_secret
+ })
+}
diff --git a/test/providers.tf b/test/providers.tf
new file mode 100644
index 0000000..7886647
--- /dev/null
+++ b/test/providers.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ external = {
+ source = "hashicorp/external"
+ version = "2.3.4"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = "2.5.2"
+ }
+ }
+}
diff --git a/test/test.sh b/test/test.sh
new file mode 100755
index 0000000..325fcd2
--- /dev/null
+++ b/test/test.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wait a bit for the ACCESS KEY to be usable on AWS
+sleep 10
+
+export AWS_CONFIG_FILE="${PWD}/test/aws_config"
+aws sts get-caller-identity
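Review bot: `resource "local_file" "aws_config"` writes the secret access key in clear text to `${path.module}/aws_config`, a path inside the repository tree, and the same value is also held in the test run's state through `content` and `module.main.access_key_secret`. The file only disappears if the run's destroy phase completes, so `test/aws_config` should be added to `.gitignore`, and switching the resource to `local_sensitive_file` (available in the pinned hashicorp/local 2.5.2) keeps the content out of plan output while leaving `filename` and `file_permission` unchanged. The `file_permission = "0600"` on the file is the right default for this.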
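Review bot: The fixed `sleep 10` before `aws sts get-caller-identity` is a race, not a synchronisation: a freshly created key that takes longer to propagate fails the whole test run spuriously, and one that is ready sooner still pays the full wait. A bounded retry loop that keeps stdout clean (the `external` data source only accepts the final JSON there) is the usual replacement. Separately, `AWS_CONFIG_FILE="${PWD}/test/aws_config"` assumes the caller's working directory is the repository root, while the data source invokes the script via `${path.module}/test.sh`; deriving the path from `$0` removes that coupling.
```shell
# … unchanged: shebang and set -euo pipefail …
# Locate the config next to this script instead of assuming the caller's cwd
export AWS_CONFIG_FILE="$(cd "$(dirname "$0")" && pwd)/aws_config"

# A new access key takes a few seconds to become usable; poll with a bound
# instead of a fixed sleep, and keep stdout to the final JSON only.
for _ in $(seq 1 12); do
  if out="$(aws sts get-caller-identity 2>/dev/null)"; then
    printf '%s\n' "$out"
    exit 0
  fi
  sleep 5
done
echo "access key did not become usable in time" >&2
exit 1
```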