Skip to main content

Overview

The hoop resources command group lets you automate role provisioning workflows from CI pipelines, scripts, or the terminal. It mirrors the plan/apply workflow available in the Provisioning hub of the Web App.

hoop resources health

Runs a lightweight connectivity check (SELECT 1) against a resource using the agent. Use this to confirm network access before planning or applying.
Example:
A successful check exits 0 and prints OK. On failure, the error from the agent is printed and the command exits non-zero.

hoop resources plan

Connects to the Postgres cluster via the agent, introspects the live catalog state, and computes the exact SQL statements needed to reach the desired role configuration. Nothing is written to Postgres — this is a read-only dry run.

Single resource

Pass the resource name as a positional argument along with role configuration flags:
On success, the command prints the session ID (SID) and the plan YAML, which includes a checksum that locks in the intended SQL. The same checksum is verified at apply time — if the live Postgres state changes between plan and apply, the apply is rejected and a fresh plan is required.

Flags

Batch mode

To plan multiple resources at once, pass a YAML file with -f and write results to a file with -o:
plan.yaml format — one entry per role:
Hoop plans all entries concurrently. The output file (results.yaml) contains the plan result for each entry including session IDs and checksums, and is passed directly to hoop resources apply.

hoop resources plan status

Fetches and prints the output of a plan or apply session after the fact. Useful in CI when you want to archive the SQL output or inspect a historical plan.
Example:
Prints the full session output including the YAML configuration block and the generated SQL statements.

hoop resources apply

Applies a plan that was previously computed with hoop resources plan. Hoop re-verifies the checksum against the current live state before executing any SQL — if the Postgres cluster has changed since the plan was computed, the apply fails with a drift error and a new plan must be run.

Single resource (from session ID)

Pass the SID returned by a previous plan run:

Batch mode

Pass the results file produced by hoop resources plan -o:
Hoop applies all entries concurrently. Each apply creates a Hoop session that captures the full SQL output for auditing.

Flags


End-to-End File Workflow

The canonical CI pattern for bulk provisioning:
The results.yaml file produced by plan acts as the handoff artifact between the plan and apply stages. Keeping this file in version control or passing it as a CI artifact lets you separate the review step from execution.

Role Naming

Role names are generated deterministically from the resource name, label, and configuration:
For example, a ro role on the analytics resource might produce hoopdev_analytics_ro_6079a443. The hash prevents collisions when multiple roles share the same label and keeps names within Postgres’ 63-byte identifier limit.

Auditing

Every plan and apply call creates a Hoop session that records:
  • The role configuration (type, scopes, privileges, source role)
  • The generated SQL statements
  • The exit status and timing
Sessions are visible in the Web App under Provisioning → Sessions and in the main Sessions view. Use hoop resources plan status <sid> to retrieve session output directly from the CLI.

Next Steps

Resource Provisioning Hub

Walk through the same workflow in the Web App with a visual step-by-step guide

Session Recording

Every plan and apply is a full audit session — explore what gets captured

Access Control

Restrict provisioned resource roles to specific user groups after roles are applied

CLI Reference

Full CLI installation and authentication guide