Skip to main content
When you create a release, your control plane compiles your origin stack into two artifacts: a deployment stack that gets applied into the customer’s appliance, and an audit stack that is produced for the customer to review. The audit stack exists so that customers can satisfy their own security, policy, and compliance review before any Tensor9-managed infrastructure is applied in their environment.

What’s in the audit stack

The audit stack describes the same application infrastructure as the deployment stack, but with the Tensor9 runtime plumbing stripped out:
  • No Tensor9 Terraform provider
  • No Tensor9 runtime links or reflection resources
What remains is the vendor’s application infrastructure as the customer will see it in their account: the compute, storage, networking, and managed service resources that the deployment stack provisions.
The audit stack is intended for review only. Do not apply it. The deployment stack is what actually provisions a working appliance - the audit stack is a companion artifact for inspection.

How it’s produced

Audit stack compilation happens automatically as part of tensor9 stack release create. No extra flags or configuration are required. If audit stack compilation fails for any reason, the release itself is not blocked - the deployment stack is still produced. Audit stacks are currently produced for Terraform and OpenTofu origin stacks.

Where the audit stack lands

When tensor9 stack release create finishes, it writes the audit stack to disk alongside the deployment stack, under a directory named after the target appliance: 
acme-corp-appliance/
├── my-app-stack/          # deployment stack - apply this
│   └── ...terraform files...
└── my-app-stack.audit/    # audit stack - review only
    └── ...terraform files...
The deployment stack directory is what you (or your customer) feed to tofu init / tofu apply. The .audit directory mirrors it for inspection.

Review workflow

A typical pre-deployment review loop:
1

Create the release

Creating a release for an appliance also writes the compiled deployment and audit stacks to the local filesystem:
tensor9 stack release create \
  -appName my-app \
  -customerName acme-corp \
  -vendorVersion "1.0.0" \
  -description "Release 1.0.0" \
  -notes "Initial release"
This produces both the deployment and audit directories for the customer’s appliance.
2

Inspect the audit stack

Point your existing IaC review tooling at the .audit directory. For example:
cd acme-corp-appliance/my-app-stack.audit
tofu init
tofu plan -out=plan.tfplan

# Security / policy scans
tfsec .
checkov -d .
Because the audit stack has no Tensor9 providers or runtime plumbing, these tools can plan and scan it standalone and see exactly the resources your customer will be asked to host.
3

Hand off for customer review

Share the .audit directory with your customer’s security or platform team. They can run it through their own review pipeline - including tools like Atlantis or Spacelift - without any Tensor9-specific context.
4

Apply the deployment stack

Once review is complete, apply the deployment stack (not the audit stack):
cd acme-corp-appliance/my-app-stack
tofu init
tofu apply