Provision infrastructure with StackGen
Prerequisites
Install the following before you provision or deploy appStacks:
- Terraform: Install Terraform.
- OpenTofu: Install OpenTofu.
The terraform and tofu binaries must be on your PATH when you use each engine. To upgrade the StackGen CLI, see Install and uninstall.
The stackgen provision command drives the IaC workflow for an exported appStack. When you omit --apply, the CLI runs init and plan only (preview, no apply). Add --apply to apply in the same run. Cloud credentials must already be configured.
stackgen provision
Usage
stackgen provision [flags]
Without --apply, stackgen provision runs init and plan only (preview). It does not apply. Add --apply when you want apply in the same CLI run.
Updating governance in the UI does not retroactively swap policies on existing appStacks. Teams that need new enforcement sometimes create new appStacks. See Creating appStacks.
Flags
| Flag | Description |
|---|---|
| --apply | When set: preview and apply (no extra approval in the CLI). When omitted: init and plan only. |
| --appstack-id string | AppStack id to provision. Use stackgen appstack list, show, or ls for ids. |
| --backend-config stringArray | Backend config as key=value or path to an HCL file. Repeatable. Example: --backend-config='bucket=my-bucket' or --backend-config=./backend.conf. |
| --cloud-profile string | Specify the credential profile to use for provisioning the infrastructure. This works only for AWS. For other clouds, please make sure default credentials are set. |
| -e, --environment string | Name of the environment that belongs to the provided appStack. |
| -h, --help | Help for provision |
| --iac-tool string | IaC tool: terraform or tofu. Default is usually OpenTofu for this command; confirm with stackgen provision --help. Details: IaC tool and infrastructure lifecycle. |
| --var stringArray | Input variable value. Repeatable. Example: --var='region=us-west-1'. |
| --var-file string | Vars file path. Default terraform.tfvars.json in the working directory unless overridden. |
Examples
Usage 1: Init and plan only (no apply)
stackgen provision --appstack-id <appstack-id> --cloud-profile <aws-profile> --var 'region=us-west-2'
The above command runs init and plan for the specified appstack-id using the given AWS profile and region. It does not apply changes because --apply is omitted.
Usage 2: Init and plan with backend configuration and environment
stackgen provision --appstack-id <appstack-id> --backend-config 'bucket=my-bucket' --environment dev
The above command runs init and plan (still no apply). It will:
- Use the provided backend configuration for the storage bucket.
- Pass the environment name dev for the appStack (-e/--environment).
It does not apply infrastructure until you run again with --apply (or use a separate apply flow).
Usage 3: Plan and apply changes
stackgen provision --appstack-id <appstack-id> --apply --var 'region=us-west-1'
The above command previews and applies infrastructure changes for the specified appstack-id without further approval in the CLI because --apply is set.
IaC tool and infrastructure lifecycle
StackGen supports OpenTofu and HashiCorp Terraform for infrastructure lifecycle management (ILM). Use --iac-tool=terraform or --iac-tool=tofu on commands that expose the flag so teams can align with the engine they standardize on.
The default engine can differ by command and CLI version. For stackgen provision and stackgen destroy, omitting --iac-tool usually selects OpenTofu (tofu). For stackgen drift detect, the default is often Terraform; see stackgen drift detect for the flag table and defaults.
ILM commands that support --iac-tool include stackgen provision (this page), stackgen destroy, and stackgen drift detect. Always check the command help on your machine for the exact list of flags.
iac-tool values
| Value | Description |
|---|---|
| tofu | Run the workflow with OpenTofu. |
| terraform | Run the workflow with HashiCorp Terraform. |
Examples with --iac-tool
Provision with OpenTofu (init and plan only unless you add --apply):
stackgen provision --appstack-id <appstack-id> --cloud-profile <aws-profile> --iac-tool=tofu --var 'region=us-west-2'
Detect drift with OpenTofu:
stackgen drift detect --appstack-id <appstack-id> --cloud-profile <aws-profile> --iac-tool=tofu --var 'region=us-west-2'
Destroy infrastructure with OpenTofu:
stackgen destroy --appstack-id <appstack-id> --iac-tool=tofu --var 'region=us-east-2'
Add --apply on stackgen destroy when your workflow requires it to perform the teardown, consistent with that command’s documentation.
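Because --apply applies with no further approval in the CLI and the default engine varies by command and version, a pipeline can put a guard in front of stackgen provision. The wrapper below is an added example, not part of StackGen; sg_provision, STACKGEN_BIN and SG_APPROVE_APPLY are hypothetical names, and it uses only the flags documented on this page.

```shell
# Added example: guard wrapper for `stackgen provision` (POSIX sh).
# Hypothetical names: sg_provision, STACKGEN_BIN, SG_APPROVE_APPLY.
STACKGEN_BIN="${STACKGEN_BIN:-stackgen}"

sg_provision() {
  local appstack="" tool="" apply=0 prev="" arg
  # Scan the arguments without consuming them; they are passed through unchanged.
  for arg in "$@"; do
    case "$prev" in
      --appstack-id) appstack="$arg" ;;
      --iac-tool)    tool="$arg" ;;
    esac
    case "$arg" in
      --appstack-id=*)   appstack="${arg#*=}" ;;
      --iac-tool=*)      tool="${arg#*=}" ;;
      --apply|--apply=*) apply=1 ;;  # conservative: any spelling counts as apply
    esac
    prev="$arg"
  done
  if [ -z "$appstack" ]; then
    echo "sg_provision: --appstack-id is required" >&2; return 2
  fi
  # The default engine differs by command and CLI version, so require it explicitly.
  case "$tool" in
    terraform|tofu) ;;
    *) echo "sg_provision: pass --iac-tool=terraform or --iac-tool=tofu" >&2; return 2 ;;
  esac
  # The engine binary (terraform or tofu) must be on PATH.
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "sg_provision: $tool not found on PATH" >&2; return 3
  fi
  # --apply runs with no further approval in the CLI, so demand an explicit,
  # appStack-specific approval that is set only after the plan was reviewed.
  if [ "$apply" -eq 1 ] && [ "${SG_APPROVE_APPLY:-}" != "$appstack" ]; then
    echo "sg_provision: --apply refused; review the plan, then set SG_APPROVE_APPLY=$appstack" >&2
    return 4
  fi
  "$STACKGEN_BIN" provision "$@"
}
```

Run it first without --apply to get the plan, then repeat the same arguments with --apply once SG_APPROVE_APPLY names that appStack id.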