diff --git a/Containerfile.tools b/Containerfile.tools
index e774205..28527d7 100644
--- a/Containerfile.tools
+++ b/Containerfile.tools
@@ -43,4 +43,3 @@ COPY --from=user-k9s . /
 RUN mkdir -p /root/.gnupg
 RUN chmod 0700 /root/.gnupg
 
-ENTRYPOINT ["/bin/sh"]
diff --git a/Makefile b/Makefile
index 0f4daba..8e592f8 100644
--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ update-tools:
 
 .PHONY: shell
 shell: out/tools-image.digest
-	$(call run-container, -v ./secrets:/secrets, $(shell cat $<))
+	$(call run-container, -v ./secrets:/secrets, $(shell cat $<), bin/sh)
 
 .PHONY: credentials
 credentials: \
@@ -140,9 +140,22 @@ define run-container
 		-e GPG_TTY="$(GPG_TTY)" \
 		-v $(shell gpgconf --list-dirs agent-socket):/root/.gnupg/S.gpg-agent:ro \
 		-v $(shell gpgconf --list-dirs homedir):/root/.gnupg:rw \
-		$(2)
+		$(2) \
+		$(3)
 endef
 
+.PHONY: plan
+plan: out/tools-image.digest
+	$(call run-container, \
+		-v $(PWD)/secrets:/secrets -v $(PWD)/infra:/infra, \
+		$(shell cat $<), \
+		sops exec-env /secrets/$(ENVIRONMENT).enc.env -- \
+		'tofu -chdir=/infra/main plan \
+			-var environment=$(ENVIRONMENT) \
+			-var namespace=$(ENVIRONMENT) \
+			-var region=$(REGION)' \
+	)
+
 .PHONY: new-apply
 new-apply: out/tools-image.digest 
 	$(call run-container,'\