Overview
Thehoop resources command group lets you automate role provisioning workflows from CI pipelines, scripts, or the terminal. It mirrors the plan/apply workflow available in the Provisioning hub of the Web App.
hoop resources health
Runs a lightweight connectivity check (SELECT 1) against a resource using the agent. Use this to confirm network access before planning or applying.
OK. On failure, the error from the agent is printed and the command exits non-zero.
hoop resources plan
Connects to the Postgres cluster via the agent, introspects the live catalog state, and computes the exact SQL statements needed to reach the desired role configuration. Nothing is written to Postgres — this is a read-only dry run.Single resource
Pass the resource name as a positional argument along with role configuration flags:Flags
Batch mode
To plan multiple resources at once, pass a YAML file with-f and write results to a file with -o:
results.yaml) contains the plan result for each entry including session IDs and checksums, and is passed directly to hoop resources apply.
hoop resources plan status
Fetches and prints the output of a plan or apply session after the fact. Useful in CI when you want to archive the SQL output or inspect a historical plan.hoop resources apply
Applies a plan that was previously computed withhoop resources plan. Hoop re-verifies the checksum against the current live state before executing any SQL — if the Postgres cluster has changed since the plan was computed, the apply fails with a drift error and a new plan must be run.
Single resource (from session ID)
Pass the SID returned by a previousplan run:
Batch mode
Pass the results file produced byhoop resources plan -o:
Flags
End-to-End File Workflow
The canonical CI pattern for bulk provisioning:results.yaml file produced by plan acts as the handoff artifact between the plan and apply stages. Keeping this file in version control or passing it as a CI artifact lets you separate the review step from execution.
Role Naming
Role names are generated deterministically from the resource name, label, and configuration:ro role on the analytics resource might produce hoopdev_analytics_ro_6079a443. The hash prevents collisions when multiple roles share the same label and keeps names within Postgres’ 63-byte identifier limit.
Auditing
Everyplan and apply call creates a Hoop session that records:
- The role configuration (type, scopes, privileges, source role)
- The generated SQL statements
- The exit status and timing
hoop resources plan status <sid> to retrieve session output directly from the CLI.
Next Steps
Resource Provisioning Hub
Walk through the same workflow in the Web App with a visual step-by-step guide
Session Recording
Every plan and apply is a full audit session — explore what gets captured
Access Control
Restrict provisioned resource roles to specific user groups after roles are applied
CLI Reference
Full CLI installation and authentication guide