Runs
Run types
| Type | Command | When |
|---|---|---|
| plan | tofu plan | Always runs first |
| apply | tofu apply | After successful plan |
| destroy | tofu destroy | PR closed/merged |
Execution
Runs execute in isolated ECS Fargate containers:
- Workspace downloaded from S3
- Backend configured for this workspace
- Variables and secrets injected
- OpenTofu command executed
- Results uploaded to S3
- Status posted to GitHub
Status
| Status | Meaning |
|---|---|
| pending | Queued |
| running | Executing |
| success | Completed |
| failed | Error |
GitHub check — click “Details” to see the plan
Dashboard — full streaming logs
API:
```
curl https://yaffle.dev/api/runs/{id}/logs
```
Concurrency
- One run per workspace at a time (DynamoDB locking)
- Multiple workspaces can run in parallel
- Runs queue if runners are busy
Secrets
Secrets are fetched from AWS Secrets Manager at runtime:
```toml
[[workspaces]]
path = "infra"
secrets.db_password = "arn:aws:secretsmanager:us-east-1:123:secret:db-password"
```
Available as var.db_password in OpenTofu. Never logged.