ubx apply to the same S3 backend that holds your state. Every entry records who ran the apply, when, from which machine or CI runner, and what resources were created, modified, or deleted. ubx history reads this log and shows it as a readable timeline. ubx blame answers “who last touched this resource”. ubx rollback reverts to a previous state snapshot.
What you’ll learn
- How
history { enabled = true }activates shared apply history - What
ubx history,ubx blame, andubx rollbackshow - How history entries are stored alongside state in S3
Why this matters
Shared apply history turns “who changed what and when” from a forensic exercise into a single command.
ubx history is the audit trail your security team asks for, the debugging tool your on-call engineer needs, and the accountability mechanism that makes everyone more careful about what they apply.The source code
How it works
Each apply writes a history entry to S3
After a successful
ubx apply, ubx writes a structured JSON entry to s3://myorg-ubx-state/stacks/<stack>/ubx-history.json. The entry includes the timestamp, the identity of who ran it (from AWS STS or UBX_ACTOR env var), the machine hostname, and a summary of resources created, modified, and deleted.ubx history reads and formats the log
ubx history fetches the history file from S3 and displays it as a timeline, newest first. Each entry shows the apply timestamp, actor, resource change counts, and a link to the CI run if UBX_CI_URL is set.Example ubx history output
Common mistakes
Run it
What you learned
history { enabled = true } writes a structured JSON entry to S3 after every successful applyubx history shows a timeline; ubx blame attributes changes; ubx rollback reverts stateHistory entries record actor, timestamp, machine, and resource change summary
Next steps
CI/CD with GitHub Actions
Automate plan on PRs and apply on merge
Backend S3 state
Configure the S3 backend that history writes to
Full runnable example: github.com/ubiquex/ubx-examples/51-shared-apply-history

