diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml
index 00a4f579b..63bcb2c63 100644
--- a/.github/workflows/infrastructure.yml
+++ b/.github/workflows/infrastructure.yml
@@ -82,8 +82,22 @@ jobs:
 export ARM_TENANT_ID="${{ vars.AZURE_TENANT_ID }}"
 export ARM_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}"
- # Common -var flags used by plan and import
+ # Select the per-environment Terraform variable file. This is the
+ # single source of truth for networking, model deployments, and
+ # other env config (e.g. enable_networking / enable_private_endpoint).
+ # production → prod.tfvars ; everything else → dev.tfvars
+ case "${{ inputs.environment }}" in
+ production|prod) VAR_FILE="prod.tfvars" ;;
+ *) VAR_FILE="dev.tfvars" ;;
+ esac
+ echo "Using -var-file=${VAR_FILE} for environment '${{ inputs.environment }}'"
+
+ # -var-file is listed FIRST so the explicit -var flags below (env,
+ # subscription, location, ACR, images, iteration) override the
+ # matching keys from the tfvars file. Terraform applies -var/-var-file
+ # in command-line order, with later values winning.
 TF_VARS=(
+ -var-file=${VAR_FILE}
 -var project_name=${{ github.event.repository.name }}
 -var environment=${{ inputs.environment }}
 -var tenant_id=${{ vars.AZURE_TENANT_ID }}
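Review bot: The `*)` arm of the new `case` selects `dev.tfvars` for every value that is not exactly `production` or `prod`, so a misspelled or newly added environment name silently gets the dev values for `enable_networking` / `enable_private_endpoint`, while `-var environment=` further down still passes the original name. Because the comment makes this file the single source of truth for networking, the non-production names the workflow accepts should be listed explicitly and anything else should stop the run, e.g. `dev) VAR_FILE="dev.tfvars" ;;` followed by `*) echo "::error::unknown environment" >&2; exit 1 ;;`. The added `case` and `echo` lines also paste `${{ inputs.environment }}` into the script text before the shell parses it. Unless the input is a constrained `choice` or `environment` type (its declaration is not visible in this hunk), it is safer to map it through the step's `env:` block and reference a quoted shell variable instead. The `TF_VARS=(` array continues past the end of the hunk, and `-var-file="${VAR_FILE}"` should be quoted like any other expansion.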