CLI Reference

Global
  • --server <url> — API endpoint (default http://localhost:8080).
Unit
  • taco unit create <id>
  • taco unit ls [--prefix <pfx>]
  • taco unit rm <id>
  • taco unit pull <id> [-f <file>]
  • taco unit push <id> [-f <file>] [--if-locked-by <uuid>]
  • taco unit lock <id> [--who <str>] [--info <str>]
  • taco unit unlock <id> [<lock-id>]
    • Lock ID is positional. If omitted, the CLI looks for a local .taco/<id>.lock file created by taco unit lock/acquire.
    • Requires auth; run taco login first.
  • taco unit acquire <id> [-f <file>]
  • taco unit release <id> [-f <file>]
  • taco unit status [<id> | --prefix <pfx>] [-o json]
    • Without args shows all units. --prefix / is also treated as all.
    • Table output uses friendly, color-coded labels:
      • up to date (green), needs re-apply (red), might need re-apply (yellow)
    • JSON output returns raw statuses and incoming edge details from /v1/units/{id}/status.
Versions
  • taco unit versions <id> — List all versions of a unit
    • Shows version number, creation timestamp, size, and content hash
    • Versions are numbered from 1 (oldest) to N (newest)
    • Each upload creates a new version from the previous tfstate
  • taco unit restore <id> <version-number> — Restore to a previous version
    • Version numbers match those shown by taco unit versions
    • Archives current tfstate before restoring
    • Respects existing locks (use with taco unit lock if needed)
Provider
  • taco provider init [dir] [--system-unit <id>] [--no-create] [--force]
Auth
  • taco login [--force-login] — OIDC PKCE login; saves tokens to ~/.config/opentaco/credentials.json.
  • taco whoami — Prints current identity.
  • taco creds --json — Prints AWS Process Credentials JSON via /v1/auth/issue-s3-creds.
  • taco logout — Removes saved tokens for --server.