IaC: Plan & Apply Workflow

Detailed workflow for validating, planning, and applying infrastructure changes.

Overview

The IaC engine follows a strict validate-plan-apply workflow to ensure safe and predictable infrastructure changes. Each stage builds on the previous one, and you can inspect the results at each step before proceeding.

Stage 1: Validate

Validation checks the stack file for correctness without making any changes.

CLI

agentmetal iac validate stack.json

API

curl -X POST $API/v1/iac/validate -H "$AUTH" -H "$CT" -d @stack.json

What It Checks

  • JSON syntax validity
  • Required fields present for each resource kind
  • Valid kind values
  • CIDR format validation
  • dependsOn references point to existing resources in the stack
  • No circular dependencies
  • No duplicate resource names

Output

Validation passed.
Warnings:
  - Resource 'web-01' has no security groups defined

Stage 2: Plan

Planning compares the desired state with the actual state and generates a list of actions.

CLI

agentmetal iac plan stack.json

API

curl -X POST $API/v1/iac/plan -H "$AUTH" -H "$CT" -d @stack.json

Output

Plan: 3 to create, 1 to update, 0 to delete

  + VPC "production-vpc" (cidr: 10.0.0.0/16)
  + Subnet "web-subnet" (cidr: 10.0.1.0/24)
  ~ Instance "web-01" (type: cx21 → cx31)
  + SecurityGroup "web-sg" (2 rules)

Action symbols: + create, ~ update, - delete.

Stage 3: Apply

Apply executes the planned actions in dependency order.

CLI

agentmetal iac apply stack.json

API

curl -X POST $API/v1/iac/apply -H "$AUTH" -H "$CT" -d @stack.json

Execution Order

Resources are created in topological order based on dependsOn:

  1. Resources with no dependencies are created first (potentially in parallel)
  2. Dependent resources are created after their dependencies complete
  3. Updates are applied in-place where possible
  4. Deletions happen in reverse dependency order
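
The dependency checks listed under Stage 1 (duplicate names, dangling dependsOn references, cycles) and the ordering rules above can be reproduced locally before a stack is submitted. The following is an added example, not the engine's own code. The stack layout (a "resources" list whose entries carry "name", "kind" and "dependsOn") and all function names are assumptions made for illustration.

```python
import json

# Constructed sample stack. The "resources"/"name"/"kind"/"dependsOn" layout is an
# assumed schema for illustration, not the engine's documented format.
SAMPLE_STACK = json.loads("""
{"resources": [
  {"name": "web-01", "kind": "Instance", "dependsOn": ["web-subnet", "web-sg"]},
  {"name": "web-subnet", "kind": "Subnet", "dependsOn": ["production-vpc"]},
  {"name": "web-sg", "kind": "SecurityGroup", "dependsOn": ["production-vpc"]},
  {"name": "production-vpc", "kind": "VPC"}
]}
""")


def check_dependencies(stack):
    """Return errors for duplicate names and dependsOn targets missing from the stack."""
    errors, seen = [], set()
    for res in stack["resources"]:
        if res["name"] in seen:
            errors.append(f"duplicate resource name: {res['name']}")
        seen.add(res["name"])
    for res in stack["resources"]:
        for dep in res.get("dependsOn", []):
            if dep not in seen:
                errors.append(f"{res['name']}: dependsOn unknown resource {dep}")
    return errors


def creation_batches(stack):
    """Kahn's algorithm, grouped into batches whose members could be created in parallel."""
    errors = check_dependencies(stack)
    if errors:  # refuse to order a stack that would not pass validation
        raise ValueError("; ".join(errors))
    pending = {r["name"]: set(r.get("dependsOn", [])) for r in stack["resources"]}
    batches = []
    while pending:
        ready = sorted(n for n, deps in pending.items() if not deps)
        if not ready:  # every remaining resource waits on another one: a cycle
            raise ValueError(f"circular dependency among: {sorted(pending)}")
        batches.append(ready)
        # Drop the finished batch and clear it from the remaining dependency sets.
        pending = {n: d - set(ready) for n, d in pending.items() if n not in ready}
    return batches


def deletion_batches(stack):
    """Reverse dependency order: dependents are removed before what they depend on."""
    return list(reversed(creation_batches(stack)))
```
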

Output

Applying 3 actions...
  [1/3] Creating VPC "production-vpc"... done (vpc-abc123)
  [2/3] Creating Subnet "web-subnet"... done (subnet-def456)
  [3/3] Creating Instance "web-01"... done (inst-xyz789)

Apply complete. 3 resources created.

Destroy

Destroy removes all resources defined in a stack.

CLI

agentmetal iac destroy stack.json

API

curl -X POST $API/v1/iac/destroy -H "$AUTH" -H "$CT" -d @stack.json

Resources are deleted in reverse dependency order to avoid conflicts.