Plan & Deploy
The Plan feature in the StackGen web app (StackGen Cloud) lets you see what would change in your cloud before anything is applied. This page is a user guide for everything around that flow in a project: how to set up provider credentials and environment variables, which roles can do what, what happens if you refresh the browser during a Plan, how to use TF_VAR_ for inbuilt modules, and how to read CLI Runs and logs.
Requirements
- You must work inside a project. Plan & Deploy is not available in Personal Workspace. For the Actions menu on the canvas, see Topology canvas, section Actions.
- Set up Environment configuration for the project before you rely on Plan.
For project-level templates (blueprints for new appStacks), see Environment configurations.
- For the exact UI steps to run Plan from the appStack (Deploy > Plan > environment > run), use Plan infrastructure changes (AWS) in IaC in StackGen. The steps there include the success state, the log button, and a screenshot.
You can start Plan from the appStack Deploy area, or from the topology Actions menu with Plan & Deploy, when you are in a project and the appStack is ready to plan.
Provider credentials (Environment configuration)
You use Project Settings > Environment configuration > Runner Configuration > Provider Credentials to attach provider credentials to the runner so Plan can reach your cloud.
Examples include AWS, Git, or other types your org enables. Credential definitions are created in the org Secret Store; in this screen you attach them to the project and, when the table shows it, to each environment (for example dev and qa).
This table shows what project roles can add or remove provider credentials.
| Project role | Add or remove provider credentials |
|---|---|
| Admin | Yes |
| DevOps | Yes |
| Developer | Yes |
Your tenant-level role does not block these project actions.
Add Provider Credentials
To run Plan, you must add provider credentials to the project. This section shows how to add them.
Click to view
- Open Project Settings in the left sidebar.
- Open the Environment configuration tab.
- Under Runner Configuration, open Provider Credentials (not Env Variables).
- Click + Attach Credentials. The Attach Credentials side panel opens. The text at the top explains that you select a secret from the store to attach to your environments.
- In Credential type, choose the provider (for example AWS Cloud Provider or GitHub). If the credential is not in the org store yet, use Add New Secret (next to the type) and create it, then return to this panel. Definitions live in the Secret Store.
- Optional: turn on Use same credentials for all existing environments if you want one pick to apply to every environment row.
- For each environment, use the Select secret for dropdown for that environment and choose a secret from the list. You must set at least one. If nothing is selected, the panel may show At least one environment secret is required.
- Click Attach Credentials in the panel footer. Use Cancel to close without saving. After a successful attach, the Provider credentials view shows your environments and the attached store entries.
Run Plan
Plan is a read-only preview. It does not apply changes. If a role is limited on Apply (deploy), Plan can still run.
Who can do what
| Project role | Tenant role | Outcome |
|---|---|---|
| Admin | Admin | Trigger Plan, open CLI Runs, see status (for example completed), and open Logs (init, plan, plan_stdout). |
| DevOps | Developer | Trigger Plan and see status and results in line with the Admin case for that project. |
| Developer | Developer | Run Plan to validate the topology, including work with locals, variables, and providers. |
Follow the same flow as in IaC in StackGen, Plan infrastructure changes (AWS): open the appStack, use Deploy, choose Plan, select an environment, then run. On success you see a plan was successful style result and a path into init and plan output. You can also open the run from CLI Runs as in the next section.
Plan Behavior
Click to view
Refresh while a Plan is running
If you refresh the browser, StackGen keeps the Plan you already started. Status (for example Running or Deploying) can stay visible, including in the top right, so you do not lose the flow.
Same appStack, or more than one environment
You can run Plan again on the same appStack, for example after you change the topology (sometimes described as a redeploy of the plan step). You can also run Plan for different environments in the same appStack (for example dev and qa), using the environment option in the Plan flow.
The product may streamline repeated runs and multi-environment plans in a future update.
Plan Inputs
Click to view
Expressions in the canvas
When the stack uses locals, variables, and providers, you can enter Terraform and OpenTofu expression syntax in the resource configuration fields, for example ${var.application_name}. Use the IaC tab to see provider.tf and variables.tf and to confirm names.
Inbuilt StackGen modules
Inbuilt resources often need values such as region. If the log shows Enter a value for something like var.region, or init / plan fails on the provider, add the value as a project environment variable using the TF_VAR_ pattern from the OpenTofu docs (Terraform uses the same idea).
Workflow for TF_VAR_
- In the appStack, open the IaC tab. Read provider.tf and variables.tf and note required names (for example
region). - Go to Project Settings > Environment Configuration > Env Variables.
- Click + Add New Variable.
- Name:
TF_VAR_plus the HCL name with matching spelling and case (for exampleTF_VAR_regionfor a variableregionin HCL). Value: for exampleap-south-1or the region you use. - Go back to the appStack and run Plan again.
Custom modules
If you use a custom module, you must have a provider (and often provider.tf) in the appStack Terraform blocks. That is not added by default; without it, deploy and related flows can fail. See your module and IaC in StackGen as needed.
Limitation: private Git modules
You cannot complete Plan for a module that is only available from a private repository that the runner cannot reach. The limitation is known and is on the roadmap.
Read CLI Runs & Log Viewer
After you trigger Plan, you can review it in two layers: a summary in CLI Runs, and the full tool output in logs.
Click to view
CLI Runs (list and metadata)
In the project,
- Open CLI Runs in the left sidebar. You get a list of runs.
- Open the row for your Plan. You should see status (for example completed or running).
- The run detail can also show metadata, such as how many resources were added, changed, or removed, when the product shows that view.
Logs (init, plan, stderr)
On that run, open View Logs. The log viewer uses tabs for each stream.
- Use plan_stdout to read the full Terraform or OpenTofu plan. That is the same information you would see at the end of a local
terraform planortofu plan: what would be created, changed, or destroyed. - If init failed, open the init (or init_stdout) tab.
- If plan failed or printed errors, check plan_stderr or the stderr tab.
From the appStack
You do not have to start from CLI Runs.
When Plan finishes on the appStack, the success area includes a way to open init and plan output in the product. See Plan infrastructure changes (AWS) in IaC in StackGen for that path and the log control after a successful plan.
Next Steps
- IaC in StackGen: full Plan UI steps, screenshot, and link from Plan success to logs.
- Environment configurations: project environment templates.
- CLI Runs: the CLI Runs list and how runs appear in the app.