Assume cloud credentials

Same as PLAN jobs.

Download plan artifact

Fetches the binary plan.tfplan from the PLAN job's Supabase Storage upload.

Validate config hash

Compares the vine's current config hash against the plan's config hash. If they differ (vine was modified after planning), the job fails:

"Configuration has changed since the plan was generated. Please re-plan."

This prevents applying a stale plan. See Plan & Apply.

terraform init

Initializes with the S3 backend (same as PLAN).

terraform apply

terraform apply plan.tfplan

Provisions all infrastructure resources. State is written back to S3 after each resource operation.

Extract Terraform outputs

Reads outputs: cluster name, endpoint, ARN, database endpoints, cache endpoints, VPC ID, etc.

Generate kubeconfig

Calls the provider-specific CLI:

aws eks update-kubeconfig --name {cluster} --region {region}

gcloud container clusters get-credentials {cluster} --region {region}

az aks get-credentials --name {cluster} --resource-group {rg}

Install ArgoCD

Deploys ArgoCD via Helm chart, waits for pods to be Ready, extracts admin password. See GitOps & ArgoCD.

Configure App of Apps

Renders ArgoCD Application manifests with infrastructure facts (cluster name, DB endpoints, etc.) as Helm values. Applies manifests to the cluster.

Report results

Job status → SUCCESS with execution metadata:

• Cluster name, endpoint, ARN
• ArgoCD URL and admin password
• All Terraform outputs
• Execution timing per phase