diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index b0fb912..bf13ff1 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -4,6 +4,8 @@ on: push: branches: - main + tags: + - v\d+\.\d+\.\d+$ pull_request: jobs: @@ -36,7 +38,7 @@ jobs: - name: Terraform Plan id: plan if: github.event_name == 'pull_request' - run: terraform plan -no-color + run: terraform plan -var db_pass=${{secrets.DB_PASS }} -no-color continue-on-error: true - uses: actions/github-script@0.9.0 @@ -70,6 +72,20 @@ jobs: if: steps.plan.outcome == 'failure' run: exit 1 - # - name: Terraform Apply - # if: github.ref == 'refs/heads/main' && github.event_name == 'push' - # run: terraform apply -auto-approve \ No newline at end of file + - name: Check tag + id: check-tag + run: | + if [[ ${{ github.ref }} =~ ^refs/tags/vd+\.d+\.d+$ ]]; then echo ::set-output name=environment::production + elif [[ github.ref == 'refs/heads/main' ]]; then echo ::set-output name=environment::staging + else echo ::set-output name=environment::unknown + fi + + - name: Terraform Apply Staging + if: steps.check-tag.outputs.environment == 'production' && github.event_name == 'push' + working-directory: 07-managing-multiple-environments/file-structure/staging + run: terraform apply -var db_pass=${{secrets.DB_PASS }} -auto-approve + + - name: Terraform Apply Production + if: steps.check-tag.outputs.environment == 'staging' && github.event_name == 'push' + working-directory: 07-managing-multiple-environments/file-structure/production + run: terraform apply -var db_pass=${{secrets.DB_PASS }} -auto-approve diff --git a/07-managing-multiple-environments/file-structure/global/main.tf b/07-managing-multiple-environments/file-structure/global/main.tf new file mode 100644 index 0000000..12fba71 --- /dev/null +++ b/07-managing-multiple-environments/file-structure/global/main.tf 
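Review bot: The new `tags` filter under `on.push` is written as a regular expression, but GitHub Actions ref filters are glob patterns, so `v\d+\.\d+\.\d+$` is unlikely to match a three-part version tag and the tag-triggered path this commit adds would never start. The documented glob form would be `- 'v[0-9]+.[0-9]+.[0-9]+'`. Quoting the pattern also keeps YAML from reinterpreting any of its characters.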
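Review bot: In the Terraform Plan step, `${{secrets.DB_PASS }}` is expanded into the `run:` text before the shell parses it, so a password containing spaces or shell metacharacters is split or interpreted by the shell. The value also ends up on the terraform command line, where it is visible in the runner's process list. Passing it through the step environment avoids both: add `env:` with `TF_VAR_db_pass: ${{ secrets.DB_PASS }}` to the step and keep `run: terraform plan -no-color`. The two `terraform apply` steps added in the last hunk of this file use the same `-var db_pass=...` form and need the same change.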
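Review bot: The apply steps in the last hunk of terraform.yml are gated on the wrong environment: `Terraform Apply Staging` runs when the output is `production` and `Terraform Apply Production` when it is `staging`, so each directory would be applied with `-auto-approve` on the other's trigger. As written neither should fire, because the `Check tag` script cannot produce either value: the tag regex has lost its backslashes (`vd+` matches a literal `d`) and the `elif` compares the literal string `github.ref` rather than the ref. `${{ github.ref }}` is also pasted straight into the script text; reading it from an environment variable keeps ref names out of the shell source. A corrected version of the affected lines follows.

```yaml
      - name: Check tag
        id: check-tag
        env:
          GIT_REF: ${{ github.ref }}
        run: |
          if [[ "$GIT_REF" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo ::set-output name=environment::production
          elif [[ "$GIT_REF" == 'refs/heads/main' ]]; then echo ::set-output name=environment::staging
          # … unchanged: else branch and fi …

      - name: Terraform Apply Staging
        if: steps.check-tag.outputs.environment == 'staging' && github.event_name == 'push'
        # … unchanged: staging working-directory and run …

      - name: Terraform Apply Production
        if: steps.check-tag.outputs.environment == 'production' && github.event_name == 'push'
        # … unchanged: production working-directory and run …
```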
@@ -0,0 +1,27 @@
+terraform {
+ # Assumes s3 bucket and dynamo DB table already set up
+ # See /code/03-basics/aws-backend
+ backend "s3" {
+ bucket = "devops-directive-tf-state"
+ key = "07-managing-multiple-environments/global/terraform.tfstate"
+ region = "us-east-1"
+ dynamodb_table = "terraform-state-locking"
+ encrypt = true
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+# Route53 zone is shared across staging and production
+resource "aws_route53_zone" "primary" {
+ name = "mysuperawesomesite.com"
+}
\ No newline at end of file
diff --git a/07-managing-multiple-environments/file-structure/production/main.tf b/07-managing-multiple-environments/file-structure/production/main.tf
index 5793ada..e1061e6 100644
--- a/07-managing-multiple-environments/file-structure/production/main.tf
+++ b/07-managing-multiple-environments/file-structure/production/main.tf
@@ -39,7 +39,7 @@ module "web_app" {
 domain = "mysuperawesomesite.com"
 environment_name = local.environment_name
 instance_type = "t2.small"
- create_dns_zone = true
+ create_dns_zone = false
 db_name = "${local.environment_name}mydb"
 db_user = "foo"
 db_pass = var.db_pass
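Review bot: Nothing visible in this commit applies the new `global/main.tf` configuration: the workflow hunks add apply steps only for the `staging` and `production` directories, while the `production/main.tf` hunk switches `create_dns_zone` to `false`. If the `web_app` module looks the zone up when that flag is false (its source is not shown here), a production apply would presumably fail until `global` has been applied by hand. A comment above the `aws_route53_zone` resource such as `# Apply this directory before staging/production; they expect the zone to exist` would document the ordering, or the workflow could gain a step for this directory.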