This page walks through the most common CLI flows, CI/CD patterns, and how pltf keeps Terraform runs deterministic and cache-friendly.
Validate / Preview / Generate
pltf validate -f env.yaml -e prod
pltf preview -f example/e2e.yaml -e prod
pltf generate -f service.yaml -e prod -m ./modules --out .pltf/example/payments/workspace
validatechecks spec structure, references, and wiring before any generation. It picks the environment via--env,PLTF_DEFAULT_ENV, or the profiledefault_env.previewsurfaces providers, backend, labels, and modules without invoking Terraform.generaterenders workspace-ready Terraform—file inputs are copied into the output tree, and--var/-voverrides merge over spec vars.--modules/-mselects a custom module root (local path or git ref); modules taggedsource: customresolve only from the custom root, while git/localsourceentries bypass it.--out/-odefaults to.pltf/<environment_name>/workspaceor.pltf/<environment_name>/<service_name>/workspace.
Terraform Commands
pltf terraform plan -f service.yaml -e dev # supports --scan, --cost, --rover, --plan-file
pltf terraform apply -f env.yaml -e prod
pltf terraform destroy -f env.yaml -e prod
pltf terraform output -f service.yaml -e dev --json
pltf terraform force-unlock -f env.yaml -e prod --lock-id=<id>
- Every Terraform helper runs locally in the generated workspace, picks up credentials (
~/.aws,~/.docker, etc.) from the host, and benefits from the plain.terraformcache Terraform maintains inside the workspace. - Plan/apply/destroy run
terraform planfirst and keep.pltf-plan.tfplanplus optional tfsec/cost summaries or Rover output for audit trails. - Apply/destroy append
-auto-approveso there’s no interactive approval. planbuilds images without pushing;applybuilds and then pushes with the host registry credentials;destroyskips image builds.
Common Terraform flags
--target/-t,--parallelism/-p,--lock/-l,--lock-timeout/-T,--no-color/-C,--input/-i,--refresh/-r,--plan-file/-P,--detailed-exitcode/-d,--json/-j.
Module inventory
pltf module list [-m ./modules] [-o table|json|yaml]
pltf module get aws_eks [-m ./modules] [-o table|json|yaml]
pltf module init --path ./modules/aws_eks [--force]
- Lists modules from embedded and custom roots;
source: custommodules resolve only from your shared catalog (via--modulesor profile defaults), but you can now point modules directly at git URLs somodules_rootis optional. module initemitsmodule.yamlfrom an existing Terraform module directory (--forceoverwrites).
Profiles & Defaults
~/.pltf/profile.yaml(orPLTF_PROFILE) setsdefault_env,default_out, and telemetry controls; the oldmodules_rootsetting is no longer required unless you still rely on a shared catalog.PLTF_DEFAULT_ENVis also respected when choosing the environment.
Backends
backend.typemust be compatible with the provider (s3for AWS,gcsfor GCP,azurermfor Azure).- Optional
backend.profile,region,container, andresource_groupsupport cross-account S3 or Azure storage.
CI/CD integration
pltf works nicely in GitHub Actions, GitLab CI, or any runner that can install Go and Terraform. Jobs share the same env vars/caches as local runs.
Matrix plan across environments
- Checkout + setup Go/Terraform.
- Run a matrix plan job once per env/region.
- Cache
GITHUB_TOKEN, AWS credentials, and the.pltfworkspace artifacts for reuse in later steps or PR comments. - Example plan step:
Deploy on branch/tag
- Tags push to prod,
maindeploys staging, others map todevelopment. - Select the env in-step and call
pltf terraform plan+ auto-approvedpltf terraform apply. - Example apply step (staging/prod only):
- name: Apply
if: github.event_name == 'push'
run: |
pltf terraform apply -f example/e2e.yaml --env ${{ steps.select.outputs.env }}
Tips: swap AWS env vars with GCP/Azure equivalents and run
pltf terraform planon service specs when verifying app deployments. UseOPENAI_API_KEYto automatically post plan summaries/AI critiques in PR comments.