Modes

TFO adapts its behavior based on where it runs. The mode is a compile-time build flag that defaults to local and cannot be changed at runtime.

Local

./zig/zig build -Dmode=local

Developer workstations. This is the mode used by ./zig/zig build plan, ./zig/zig build apply, etc.

Service account impersonation is mandatory — personal GCP credentials are never used
terraform apply is restricted to the development environment only
Uses -lock=false for plan operations so multiple developers can plan concurrently
Runs terraform fmt automatically after plan and apply
Detects uninitialized modules and runs terraform init transparently

./zig/zig build -Dmode=ci

Continuous integration pipelines. Used for automated formatting checks.

plan and apply are forbidden — the process exits immediately if attempted
Impersonation is skipped (not needed for formatting checks)
Only fmt, check, and clean commands are expected

./zig/zig build -Dmode=cloudbuild

Cloud Build deployments. Used for infrastructure changes merged to plan

Impersonation is skipped — Cloud Build authenticates through its own service accounts
Each environment (development, non-production, production, shared) uses a dedicated service account with permissions scoped to that environment only
Skips development environments entirely during plan and apply
Saves plan output to a workspace file, then applies from that saved plan with -auto-approve