diff --git a/.github/iac/main.tf b/.github/iac/main.tf
new file mode 100644
index 0000000..bd84d22
--- /dev/null
+++ b/.github/iac/main.tf
@@ -0,0 +1,82 @@
+terraform {
+ backend "s3" {
+ bucket = "demeter-tf"
+ key = "github/demeter-fabric.tfstate"
+ region = "us-west-2"
+ }
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ }
+ }
+}
+
+provider "kubernetes" {
+ config_path = "~/.kube/config"
+ config_context = "arn:aws:eks:us-west-2:295114534192:cluster/m2-prod-7xjh33"
+}
+
+provider "helm" {
+ kubernetes {
+ config_path = "~/.kube/config"
+ config_context = "arn:aws:eks:us-west-2:295114534192:cluster/m2-prod-7xjh33"
+ }
+}
+
+variable "rpc_image" {}
+variable "kafka_rpc_password" {}
+variable "secret" {}
+variable "auth0_client_id" {}
+variable "auth0_client_secret" {}
+variable "auth0_audience" {}
+variable "stripe_api_key" {}
+variable "email_ses_access_key_id" {}
+variable "email_ses_secret_access_key" {}
+
+locals {
+ namespace = "fabric-stg"
+ replicas = 1
+ broker_urls = "redpanda.stg-fabric-queue.demeter.run:31092"
+ secret = var.secret
+ kafka_rpc_username = "rpc"
+ kafka_rpc_password = var.kafka_rpc_password
+ kafka_topic = "stg"
+ auth0_client_id = var.auth0_client_id
+ auth0_client_secret = var.auth0_client_secret
+ auth0_audience = var.auth0_audience
+ stripe_api_key = var.stripe_api_key
+ email_invite_ttl_min = 15
+ email_ses_region = "us-west-2"
+ email_ses_access_key_id = var.email_ses_access_key_id
+ email_ses_secret_access_key = var.email_ses_secret_access_key
+ email_ses_verified_email = "no-reply@demeter.run"
+}
+
+resource "kubernetes_namespace_v1" "fabric_namespace" {
+ metadata {
+ name = local.namespace
+ }
+}
+
+module "fabric_rpc" {
+ source = "../../../fabric/bootstrap/rpc"
+
+ namespace = local.namespace
+ image = var.rpc_image
+ broker_urls = local.broker_urls
+ consumer_name = "rpc"
+ kafka_username = local.kafka_rpc_username
+ kafka_password = local.kafka_rpc_password
+ kafka_topic = local.kafka_topic
+ secret = local.secret
+ auth0_client_id = local.auth0_client_id
+ auth0_client_secret = local.auth0_client_secret
+ auth0_audience = local.auth0_audience
+ stripe_api_key = local.stripe_api_key
+ email_invite_ttl_min = local.email_invite_ttl_min
+ email_ses_region = local.email_ses_region
+ email_ses_access_key_id = local.email_ses_access_key_id
+ email_ses_secret_access_key = local.email_ses_secret_access_key
+ email_ses_verified_email = local.email_ses_verified_email
+}
+
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3d8a0a4..229c294 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: build
+name: Build
 on:
 workflow_dispatch: {}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..3f05fad
--- /dev/null
+++ b/.github/workflows/deploy.yml
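Review bot: The secret-bearing inputs — `kafka_rpc_password`, `secret`, `auth0_client_secret`, `stripe_api_key`, `email_ses_secret_access_key` — are declared as bare `variable "…" {}` without `sensitive = true`, so Terraform prints their values in plan/apply output, which for this file means the CI log; mark each one `sensitive = true` and give every variable a `type = string`. `required_providers` lists only `hashicorp/kubernetes` and gives it no `version`, while the `helm` provider configured just below is not listed at all, so each `terraform init` resolves whatever the newest release happens to be; declare both with a version constraint. These values also land in the `demeter-tf` state object as module inputs, so the `s3` backend should at least set `encrypt = true`, and a `dynamodb_table` lock would guard against concurrent unattended applies. The module `source = "../../../fabric/bootstrap/rpc"` climbs above the repository root when resolved from `.github/iac`; it presumably only works because of the runner's checkout directory layout, and `../../bootstrap/rpc` looks like the intended in-repo path — worth confirming. The `locals` block mostly re-exports `var.*` one-to-one and could be dropped in favour of passing the variables to the module directly.
```hcl
terraform {
  backend "s3" {
    # … unchanged: bucket, key, region …
    encrypt = true
    # dynamodb_table = "<lock table>"  # state locking for unattended applies
  }
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "<pinned version>"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "<pinned version>"
    }
  }
}

# … unchanged: provider "kubernetes", provider "helm" …

variable "rpc_image" { type = string }
# Redacted from plan/apply output; same shape for secret, auth0_client_secret,
# stripe_api_key and email_ses_secret_access_key.
variable "kafka_rpc_password" {
  type      = string
  sensitive = true
}
# … remaining variables: type = string …

# … unchanged: locals, kubernetes_namespace_v1, module "fabric_rpc" …
```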
@@ -0,0 +1,52 @@
+name: Deploy
+
+on:
+ workflow_dispatch: {}
+ workflow_run:
+ workflows: [Build]
+ types: [completed]
+
+jobs:
+ rpc:
+ runs-on: ubuntu-latest
+ env:
+ TF_VAR_rpc_image: rpc_image=ghcr.io/demeter-run/fabric-rpc:${{ github.sha }}
+ TF_VAR_kafka_rpc_password: ${{ secrets.KAFKA_RPC_PASSWORD }}
+ TF_VAR_secret: ${{ secrets.SECRET }}
+ TF_VAR_auth0_client_id: ${{ secrets.AUTH0_CLIENT_ID }}
+ TF_VAR_auth0_client_secret: ${{ secrets.AUTH0_CLIENT_SECRET }}
+ TF_VAR_auth0_audience: ${{ secrets.AUTH0_AUDIENCE }}
+ TF_VAR_stripe_api_key: ${{ secrets.STRIPE_API_KEY }}
+ TF_VAR_email_ses_access_key_id: ${{ secrets.EMAIL_SES_ACCESS_KEY_ID }}
+ TF_VAR_email_ses_secret_access_key: ${{ secrets.EMAIL_SES_SECRET_ACCESS_KEY }}
+ steps:
+ - uses: actions/checkout@v2
+
+ - uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ClusterAdminRole
+ role-session-name: Github-Actions-Demeter
+ role-duration-seconds: 1200
+
+ - name: setup kubeconfig
+ run: aws eks update-kubeconfig --name ${{ secrets.AWS_CLUSTER_NAME }}
+
+ - name: setup terraform
+ uses: hashicorp/setup-terraform@v3
+
+ - name: init terraform
+ working-directory: .github/iac
+ run: terraform init
+
+ - name: validate terraform
+ working-directory: .github/iac
+ run: terraform validate
+
+ - name: apply terraform
+ working-directory: .github/iac
+ env:
+ IMAGE_TAG: ${{ github.sha }}
+ run: terraform apply -auto-approve -input=false
diff --git a/.gitignore b/.gitignore
index 27d1eb1..6cc28cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ rpc.toml
 test/.terraform*
 test/local.tfstate*
 crds-path/
+.github/iac/.terraform*
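Review bot: `TF_VAR_rpc_image` is set to `rpc_image=ghcr.io/demeter-run/fabric-rpc:${{ github.sha }}`, so Terraform receives the literal `rpc_image=` prefix as part of the image reference passed to the module; the line should read `TF_VAR_rpc_image: ghcr.io/demeter-run/fabric-rpc:${{ github.sha }}`. The `workflow_run` trigger with `types: [completed]` also fires when Build fails, and in that event `github.sha` is the default-branch head rather than the commit Build actually built, so the job can apply a tag that was never pushed; gate the job with `if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}` and take the tag from `github.event.workflow_run.head_sha` when it is present. The credentials step combines long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets with `role-to-assume` for a cluster-admin role; with `permissions: { id-token: write, contents: read }` on the job the role can be assumed through OIDC and the static keys removed. `actions/checkout@v2` and `aws-actions/configure-aws-credentials@v1` are superseded majors, and for a workflow holding cluster-admin credentials the actions should be pinned to current majors or full commit SHAs rather than mutable tags. The `IMAGE_TAG` env on the apply step is not read by any `TF_VAR_` and appears to be dead.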