diff --git a/.gitea/workflows/staging.yml b/.gitea/workflows/staging.yml
index 44bb527..da74ff2 100644
--- a/.gitea/workflows/staging.yml
+++ b/.gitea/workflows/staging.yml
@@ -18,6 +18,19 @@ jobs:
         working-directory: terraform
         run: |
           terraform init
+
+          # State neu laden (falls alte VM in Proxmox existiert)
+          terraform refresh \
+            -var="proxmox_host=${{ secrets.PROXMOX_HOST }}" \
+            -var="proxmox_token_id=${{ secrets.PROXMOX_TOKEN_ID }}" \
+            -var="proxmox_token_secret=${{ secrets.PROXMOX_TOKEN_SECRET }}" \
+            -var="proxmox_node=${{ secrets.PROXMOX_NODE }}" \
+            -var="lxc_bridge=vmbr2" \
+            -var="staging_ip=${{ secrets.STAGING_IP }}" \
+            -var="staging_gw=${{ secrets.STAGING_GW }}" \
+            -var="ssh_public_key=${{ secrets.DEPLOY_SSH_PUBKEY }}" \
+            -var="ssh_private_key=${{ secrets.DEPLOY_SSH_KEY }}" || true
+
           # Alte Staging VM zerstören (falls existiert)
           terraform destroy -auto-approve \
             -var="proxmox_host=${{ secrets.PROXMOX_HOST }}" \
diff --git a/terraform/main.tf b/terraform/main.tf
index 6dc3d98..c4703f2 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -41,6 +41,11 @@ resource "proxmox_lxc" "staging" {
 
   ssh_public_keys = var.ssh_public_key
 
+  # Lifecycle: Erlaubt Destroy von geschützten Ressourcen
+  lifecycle {
+    create_before_destroy = false
+  }
+
   provisioner "remote-exec" {
     inline = [
       "apt-get update -qq",