diff --git a/.github/workflows/terraform-qa.yaml b/.github/workflows/terraform-qa.yaml
new file mode 100644
index 0000000..3dc3ffe
--- /dev/null
+++ b/.github/workflows/terraform-qa.yaml
@@ -0,0 +1,46 @@
+---
+on:
+ push:
+ exclude-branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+env:
+ AWS_REGION: ${{ vars.AWS_REGION }}
+ AWS_ENDPOINT_URL_S3: ${{ vars.AWS_ENDPOINT_URL_S3 }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ GITHUB_OWNER: ${{ vars.GH_OWNER }}
+ GITHUB_APP_ID: ${{ vars.GH_APP_ID }}
+ GITHUB_APP_INSTALLATION_ID: ${{ vars.GH_APP_INSTALLATION_ID }}
+ GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}
+ TF_WORKSPACE: ${{ vars.GH_OWNER }}
+ TF_VAR_path: ${{ '../test.yaml' }}
+
+jobs:
+ terraform-qa:
+ name: "Terraform QA"
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v5
+
+ - name: Setup Terraform with specified version
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.13.3
+
+ - name: Terraform init
+ run: terraform -chdir=terraform init
+
+ - name: Terraform format check
+ run: terraform -chdir=terraform fmt -check -recursive -no-color
+
+ - name: Terraform run tests
+ run: terraform -chdir=terraform test -no-color
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index 2a785c5..8e8f5f8 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -56,13 +56,13 @@ jobs:
 steps:
 - name: Checkout called repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v5
 with:
 repository: 'xebis/github-organization-as-code'
 - name: Checkout caller YAML configuration
 if: github.repository != 'xebis/github-organization-as-code'
- uses: actions/checkout@v4
+ uses: actions/checkout@v5
 with:
 path: iac
 sparse-checkout: ${{ inputs.path || 'test.yaml' }}
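Review bot: In the new `.github/workflows/terraform-qa.yaml`, `exclude-branches` under `on.push` is not a branch filter GitHub Actions documents; the supported key is `branches-ignore:`, and with the current key I would expect the workflow to fail validation instead of skipping `main`. Separately, the workflow-level `env` block exposes `AWS_SECRET_ACCESS_KEY` and `GITHUB_APP_PEM_FILE` to every step, including the two actions referenced by mutable tags (`actions/checkout@v5`, `hashicorp/setup-terraform@v3`) and the `fmt -check` step, which needs no credentials. Scoping those secrets to a step-level `env:` on `Terraform init` and `Terraform run tests` (presumably the only steps that need them), pinning both actions to commit SHAs, and adding a top-level `permissions:` block with `contents: read` would limit what a compromised action or a modified test on a pushed branch can reach.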
@@ -71,7 +71,7 @@ jobs:
 - name: Setup Terraform with specified version
 uses: hashicorp/setup-terraform@v3
 with:
- terraform_version: 1.11.0
+ terraform_version: 1.13.3
 - name: Terraform init
 id: init
diff --git a/.gitignore b/.gitignore
index 6240748..eef346c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,9 @@
-# Dotenv files
-.env*
+# Direnv files
+.env
+.envrc
+
+# Private Keys
+*.pem
 # Local .terraform directories
 **/.terraform/*
diff --git a/README.md b/README.md
index 7bb8bba..e8071b9 100644
--- a/README.md
+++ b/README.md
@@ -245,8 +245,18 @@ terraform -chdir=terraform plan
 terraform -chdir=terraform apply
 ```
+## Development
+
+Format Terraform configuration by `terraform -chdir=terraform fmt -recursive`.
+
 ## Testing
+### Terraform Test
+
+Run test scenarios in [`terraform/tests`](terraform/tests/) by `terraform -chdir=terraform test`.
+
+### End-to-end Testing
+
 This repository is tested using [`test.yaml`](test.yaml) as the configuration file for the [Xebis Test GitHub Organization](https://github.com/xebis-test) settings and repositories. The workflow is designed to post a Terraform plan as a pull request comment whenever a pull request to the main branch is created or whenever a new commit to the pull request is pushed. Once the pull request is merged into `main`, the plan is applied automatically.
diff --git a/terraform/main.tf b/terraform/main.tf
index c0d183a..21e9c66 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
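Review bot: In the `.gitignore` hunk, replacing the wildcard `.env*` with the exact names `.env` and `.envrc` stops ignoring variants such as `.env.local` or `.env.production`, which often carry the same credentials this workflow uses. Unless one of those variants is meant to be committed, I would keep `.env*` and add the new `*.pem` rule beside it. Note also that `*.pem` only keeps untracked key files out of future commits; a key that is already tracked stays tracked until it is removed from the index.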
@@ -1,10 +1,10 @@
 locals {
 config = yamldecode(file(var.path))
- all_repositories = try(local.config.organization.all-repositories, null)
- repositories = local.config.repositories
+ all_repositories = try(local.config.organization.all-repositories, [])
+ repositories = try(local.config.repositories, [])
 all_repositories_rulesets = [
- for pair in setproduct(local.repositories, local.all_repositories.rulesets) : {
- repository = pair[0]
+ for pair in try(setproduct(local.repositories, local.all_repositories.rulesets), []) : {
+ repository = pair[0],
 ruleset = pair[1]
 }
 ]
diff --git a/terraform/tests/empty.tftest.hcl b/terraform/tests/empty.tftest.hcl
new file mode 100644
index 0000000..f4352e0
--- /dev/null
+++ b/terraform/tests/empty.tftest.hcl
@@ -0,0 +1,12 @@
+run "empty_file" {
+ command = plan
+
+ variables {
+ path = "tests/fixtures/empty.yaml"
+ }
+
+ assert {
+ condition = local.config == null
+ error_message = "Expected empty file to produce empty result."
+ }
+}
diff --git a/terraform/tests/fixtures/empty.yaml b/terraform/tests/fixtures/empty.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/terraform/tests/fixtures/empty.yaml
@@ -0,0 +1 @@
+---
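Review bot: In `terraform/main.tf`, wrapping the whole `setproduct(...)` call in `try(..., [])` hides every evaluation error in that expression, so a mistyped or wrongly shaped `rulesets` or `repositories` value would plan zero rulesets without any error, and the organisation's repository rules would be dropped silently. Putting the fallback on the one optional attribute keeps other errors visible: `for pair in setproduct(local.repositories, try(local.all_repositories.rulesets, [])) : {`. The default for `all_repositories` also changes from `null` to `[]` although the value is dereferenced like an object (`.rulesets`); the `locals` block continues past this hunk, so any expression there that compares `local.all_repositories` with `null` would now behave differently and should be checked.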
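Review bot: The only assertion in `terraform/tests/empty.tftest.hcl` is `local.config == null`, which checks how `yamldecode` handles an empty document and not the fallbacks this commit adds to `main.tf`. A regression in those `try(...)` defaults would still pass this test. I would add assertions on the derived locals, for example `condition = length(local.repositories) == 0` and `condition = length(local.all_repositories_rulesets) == 0`, each with its own `error_message`.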