github cloudposse/atmos v1.194.0

one day ago
Improve Atmos Auth @aknysh (#1602)

what

  • Code Refactoring: Extracted common component processing logic into reusable helper functions, eliminating ~991 lines of duplicated code
  • Auth Section Deep-Merging: Implemented complete deep-merge support for auth section following the same hierarchy as vars/env/settings:
    • Global → Component-Type-Specific → Base Component → Component → Overrides
    • Supports all three component types: Terraform, Helmfile, and Packer
    • Consistent with existing section merge behavior
  • Comprehensive Testing: Created extensive test coverage for all new helper functions with 29 test cases

why

  • The ProcessStackConfig function contained nearly identical logic repeated 3 times for Terraform, Helmfile, and Packer components
  • This duplication made the codebase harder to maintain, more error-prone, and difficult to extend
  • The auth section needed proper deep-merge support to enable hierarchical authentication configuration across the stack
  • Centralized logic improves code quality, maintainability, and makes future enhancements easier
  • Better test coverage ensures reliability and prevents regressions

changes

Auth Section Deep-Merge Implementation

Merge Hierarchy

The auth section now merges through the complete hierarchy (later values override earlier ones):

  1. Global auth (auth: at stack root)
  2. Component-type-specific auth (terraform.auth:, helmfile.auth:, or packer.auth:)
  3. Base component auth (from component: inheritance)
  4. Component auth (component-specific auth:)
  5. Component overrides auth (overrides.auth:)

Test Coverage

  • All existing test cases updated with auth fields
  • Auth assertion added to test validation
  • Tests verify auth merges correctly through the hierarchy
  • ✅ All tests passing

Comprehensive test coverage with:

  • TestProcessComponent

    • Terraform component with all sections
    • Helmfile component without Terraform-specific sections
    • Packer component
    • Component with overrides
    • Component with inheritance
    • Invalid configuration error cases
  • TestProcessTerraformBackend

    • S3, GCS, Azure backend processing
    • Base component name handling
    • Backend type precedence
    • Path normalization (component names with slashes)
  • TestProcessTerraformRemoteStateBackend

    • Inheritance from backend type
    • Type precedence rules
    • Section merging
  • TestMergeComponentConfigurations

    • All component types (Terraform, Helmfile, Packer)
    • Base component handling
    • Abstract component special processing
    • Auth section merging validation
  • TestProcessAuthConfig

    • Auth configuration merging

testing

Test Results

✅ All new test cases pass
✅ All auth merging tests pass

Test Quality

  • Table-driven test pattern
  • Real behavior testing (not stub/tautological)
  • Comprehensive coverage of happy paths and error cases
  • Clear test names describing expected behavior
  • Proper error validation
  • Auth section merge hierarchy fully tested

Auth Section Usage Examples

# Stack manifest: stacks/catalog/vpc.yaml

# Global auth (applies to all components)
auth:
  aws:
    profile: default-profile
    region: us-east-1

# Terraform-specific auth (applies to all Terraform components)
terraform:
  auth:
    aws:
      profile: terraform-profile

components:
  terraform:
    vpc:
      # Component-specific auth
      auth:
        aws:
          profile: vpc-specific-profile

Result: The final merged auth for the vpc component will be:

auth:
  aws:
    profile: vpc-specific-profile  # From vpc.auth (highest precedence)
    region: us-east-1              # From global auth (merged in)

# Stack manifest: stacks/catalog/vpc.yaml

# Global auth (applies to all components)
auth:
  aws:
    profile: default-profile
    region: us-east-1

# Terraform-specific auth (applies to all Terraform components)
terraform:
  auth:
    aws:
      profile: terraform-profile

components:
  terraform:
    vpc:
      # Component-specific auth
      auth:
        aws:
          profile: vpc-specific-profile
      
# Override auth takes highest precedence
overrides:
  auth:
    aws:
      profile: override-profile

Result: The final merged auth for the vpc component will be:

auth:
  aws:
    profile: override-profile  # From overrides.auth (highest precedence)
    region: us-east-1          # From global auth (merged in)

notes

Auth deep-merge implementation complete

  • Full hierarchy support: Global → Component-Type → Base → Component → Overrides
  • Consistent with vars/env/settings merge behavior
  • All errors properly wrapped with static errors
  • Comprehensive test coverage

Current status:

  • ✅ Code refactoring complete
  • ✅ Auth section deep-merge complete
  • ✅ Test coverage complete
  • ✅ Error wrapping complete
  • ✅ Backward compatibility verified

Summary by CodeRabbit

  • New Features

    • Richer stack/component processing: deeper merges for vars/settings/env/auth, base-component auth support, inheritance and overrides resolution, and unified per-stack component assembly.
    • Terraform backend & remote-state handling with sensible defaults and generated state keys for S3/GCS/Azure.
  • Improvements

    • More granular, standardized error signaling for invalid manifest sections and clearer provenance for imports.
    • New utilities to process stack manifests and query component relationships.
  • Chores

    • Dependency version bumps for stability.
  • Tests

    • Expanded unit test coverage across stack processing, merging, inheritance, overrides, and backend resolution.
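
The five-level auth merge order described in #1602 above decides which credentials profile a component finally runs with, so the sketch below reproduces it and also records which level supplied each final value. It is an added example, not code from the Atmos repository: `layer`, `mergeAuth`, `mergeInto`, `dropOrigins`, `vpcLayers` and `report` are hypothetical names, the layer data is constructed from the manifest shown in the usage examples, and replacing lists wholesale is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// layer is one level of the auth hierarchy. The name is kept only so the
// merge can report which level supplied each final value.
type layer struct {
	name string
	auth map[string]any
}

// mergeAuth deep-merges the layers in order (later layers win) and returns
// the merged auth section plus, for every leaf key, the layer it came from.
// Assumption: non-map values, lists included, are replaced wholesale.
func mergeAuth(layers []layer) (map[string]any, map[string]string) {
	merged := map[string]any{}
	origin := map[string]string{}
	for _, l := range layers {
		mergeInto(merged, l.auth, "", l.name, origin)
	}
	return merged, origin
}

func mergeInto(dst, src map[string]any, prefix, from string, origin map[string]string) {
	for k, v := range src {
		path := prefix + k
		srcMap, srcIsMap := v.(map[string]any)
		dstMap, dstIsMap := dst[k].(map[string]any)
		if srcIsMap != dstIsMap {
			// The value changes shape (map <-> scalar): forget what was recorded below it.
			dropOrigins(origin, path)
		}
		if !srcIsMap {
			dst[k] = v
			origin[path] = from
			continue
		}
		if !dstIsMap {
			dstMap = map[string]any{} // fresh map, so input layers are never aliased
			dst[k] = dstMap
		}
		mergeInto(dstMap, srcMap, path+".", from, origin)
	}
}

func dropOrigins(origin map[string]string, path string) {
	for p := range origin {
		if p == path || strings.HasPrefix(p, path+".") {
			delete(origin, p)
		}
	}
}

// vpcLayers is constructed sample data mirroring the page's vpc manifest,
// listed in merge order from lowest to highest precedence.
func vpcLayers() []layer {
	aws := func(kv map[string]any) map[string]any { return map[string]any{"aws": kv} }
	return []layer{
		{"auth (global)", aws(map[string]any{"profile": "default-profile", "region": "us-east-1"})},
		{"terraform.auth", aws(map[string]any{"profile": "terraform-profile"})},
		{"base component auth", nil}, // the page's manifest has no base component
		{"components.terraform.vpc.auth", aws(map[string]any{"profile": "vpc-specific-profile"})},
		{"overrides.auth", aws(map[string]any{"profile": "override-profile"})},
	}
}

// report lists "key <- layer" lines in a stable order for review.
func report(origin map[string]string) []string {
	lines := make([]string, 0, len(origin))
	for p, from := range origin {
		lines = append(lines, p+" <- "+from)
	}
	sort.Strings(lines)
	return lines
}

func main() {
	merged, origin := mergeAuth(vpcLayers())
	fmt.Println(merged)
	for _, line := range report(origin) {
		fmt.Println(line)
	}
}
```

Reviewing the reported origins for a component shows when an `overrides` block or a component-type default, rather than the component itself, selected the profile in use.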

Atmos Auth Implementation @Benbentwo (#1475)

what

Introduce a complete authentication system for Atmos, enabling secure multi-cloud authentication with support for AWS IAM Identity Center (SSO), SAML providers, assume role chains, and AWS user credentials. The system provides seamless integration with Terraform workflows while maintaining isolation from users' existing AWS configurations.

Features

Authentication Providers

  • AWS IAM Identity Center (SSO) - Full SSO integration with session management
  • AWS SAML - Browser-based SAML authentication with MFA support (Google Apps, Okta, ADFS)
  • AWS Assume Role - Cross-account role assumption capabilities
  • AWS User - Direct AWS access key authentication with MFA support

Identity Chaining

  • Sequential authentication flows (e.g., SSO → Permission Set → Assume Role)
  • Recursive provider resolution through identity chains
  • Circular dependency detection and prevention

CLI Commands

  • atmos auth login - Interactive authentication with identity selection
  • atmos auth whoami - Display current authentication status
  • atmos auth env - Export environment variables (export, json, dotenv formats)
  • atmos auth exec - Execute commands with authentication context
  • atmos auth validate - Comprehensive configuration validation
  • atmos auth user configure - AWS user credential configuration

AWS Integration

  • Isolated credential files: ~/.aws/atmos//credentials
  • Separate config files: ~/.aws/atmos//config
  • Automatic environment variable management (AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE)
  • Terraform prehook integration for seamless workflow execution
  • User's existing AWS files remain untouched

Architecture

Layout

internal/auth/
├── manager.go              # Core authentication manager
├── interfaces.go           # Core interfaces and types
├── factory.go             # Provider/identity factory functions
├── providers/aws/         # AWS authentication providers
│   ├── sso.go            # IAM Identity Center provider
│   ├── saml.go           # SAML provider with browser automation
│   └── assume_role.go    # Assume role provider
├── identities/aws/        # AWS identity implementations
│   ├── permission_set.go # Permission set identity
│   ├── assume_role.go    # Assume role identity
│   └── user.go           # AWS user identity
├── credentials/           # Secure credential storage
├── environment/           # AWS file management
├── config/               # Configuration merging
└── validation/           # Configuration validation

why

Atmos Auth allows us to simplify our reference architecture and helps assist with consolidating the toolset that the typical DevOps user needs to manage Terraform.

Summary by CodeRabbit

  • New Features

    • Introduces a full "auth" CLI (validate, login, whoami, env [bash/json/dotenv], exec, user configure), per-component auth merging, Terraform --identity (-i) option, Terraform auth pre-hooks, demo-auth example, credential/keyring store, and AWS file helpers.
  • Documentation

    • Full Auth docs: architecture, user guide, CLI reference, examples and demo.
  • Tests

    • Extensive unit, integration and snapshot coverage for auth flows, providers, identities, hooks and CLI.
  • Bug Fixes

    • Unified cross-platform URL opener; docs-open message now printed to stderr.

Add short test mode to skip long-running tests @osterman (#1605)

what

  • Add support for Go's -short flag to skip long-running tests (>2 seconds)
  • Enable faster development feedback loop while preserving comprehensive CI testing
  • Add SkipIfShort() helper function for Go tests
  • Add short field to YAML test case schema (defaults to true)
  • Mark 13 Go tests and 9 YAML tests as long-running
  • Add make test-short and make test-short-cover Makefile targets
  • Fix AWS profile precondition failures in 2 auth tests

why

  • Developers need faster test feedback during development
  • Full test suite takes 3+ minutes, making rapid iteration slow
  • Many tests require network I/O, Git operations, or binary compilation (>2s each)
  • CI should run all tests, but local development benefits from quick tests
  • Follows Go's standard -short flag convention for test skipping

Performance Impact

Before: Full test suite only (~3+ minutes)

After:

  • Quick mode (make test-short): ~2m30s (skips 30+ seconds of slow tests)
  • Full mode (make testacc): ~3m+ (runs everything including slow tests)

Changes by Category

Go Tests Marked Long (13 tests)

  • Git operations (3 tests, ~60s saved):
    • TestDescribeAffectedWithTargetRefClone (36s - Git cloning)
    • TestExecuteAtlantisGenerateRepoConfigAffectedOnly (21s - Git ops)
    • TestExecuteTerraformAffectedWithDependents (26s - Git + Terraform)
  • Network I/O (3 tests, ~10s saved):
    • TestVendorComponentPullCommand (6s)
    • TestVendorPullFullWorkflow (network + OCI)
    • TestVendorPullBasicExecution (4s)
  • Binary compilation (7 tests in testhelpers, ~100s saved):
    • All atmos binary build tests (15-20s each)
  • AWS SDK (2 tests, now with proper preconditions):
    • TestAssumeRoleIdentity_newSTSClient_RegionFallbackAndPersist
    • TestPermissionSetIdentity_newSSOClient_Success

YAML Tests Marked Long (9 tests)

All vendor pull tests requiring network I/O:

  • tests/test-cases/vendor-test.yaml (2 tests)
  • tests/test-cases/demo-vendoring.yaml (2 tests)
  • tests/test-cases/demo-globs.yaml (1 test)
  • tests/test-cases/vendoring-ssh-dryrun.yaml (3 tests)

Infrastructure

  • New helper: tests.SkipIfShort(t) in tests/preconditions.go
  • Schema update: Added short field to tests/test-cases/schema.json
  • CLI framework: Modified tests/cli_test.go to check short mode before running tests
  • Makefile targets: test-short and test-short-cover
  • Documentation: Updated CLAUDE.md and tests/README.md

Testing

# Quick tests pass in ~2m30s
make test-short

# All tests still pass (full suite)
make testacc

# Verify long tests are skipped
go test -short -v ./internal/exec | grep SKIP

# Verify long tests run without -short
go test -v ./internal/exec | grep "TestExecuteTerraformAffectedWithDependents"

Usage

# Development: quick feedback
make test-short
go test -short ./...

# CI/comprehensive testing
make testacc
go test ./...

# With coverage
make test-short-cover
go test -short -cover ./...

references

fix: redirect telemetry notice to stderr instead of stdout @osterman (#1426)

what

  • Add PrintfMarkdownToTUI function to print markdown-formatted text to stderr
  • Change PrintTelemetryDisclosure to use PrintfMarkdownToTUI for proper output routing
  • Consolidate telemetry invocation to a single place in root.go to avoid duplication
  • Skip telemetry disclosure for shell completion commands
  • Add test precondition checks to skip tests when tools aren't installed
  • Update golden snapshots to reflect telemetry notice in stderr
  • Add necessary error definitions for proper compilation

why

  • Telemetry notices should not go to stdout as they interfere with piped commands
  • When using commands like atmos describe component <component> -s <stack> | jq, the telemetry notice breaks JSON parsing
  • All UI messages should go to stderr to maintain clean stdout for data output
  • The telemetry notice should be properly formatted with markdown for better readability
  • Consolidating telemetry calls prevents multiple notices from appearing
  • Shell completion should not trigger telemetry notices

Summary by CodeRabbit

  • New Features

    • User-facing telemetry notice (Markdown-rendered) shown once (suppressed for shell completion); new "Missing Configuration" and "Getting Started" guidance.
    • describe stacks: --components accepts multiple values.
  • Improvements

    • Terminal-aware Markdown output with better spacing/formatting.
    • Clearer error messages and improved path/URL handling (including Windows UNC).
    • Vendor config schema accepts optional base_path.
  • Documentation

    • Updated help text, examples, and Support content.
  • Tests

    • Enhanced TTY-aware test harness, snapshots, and many new/updated tests.
  • Chores

    • Devcontainer Go bumped to 1.24.6; linter discourages t.Skip/SkipNow.

Add --version flag as alias for version command @osterman (#1600)

what

  • Add --version persistent flag to RootCmd as a simple alias for atmos version command
  • Update isVersionCommand() helper to detect both version and --version forms
  • Add test case for atmos --version in empty directory (no config required)
  • Add test case for --version flag to TestIsVersionCommand

why

  • Provides a conventional CLI experience - most command-line tools support --version flag
  • Aligns with standard POSIX/GNU conventions for version flags
  • Makes version checking easier for users and scripts
  • Both atmos version and atmos --version now work without requiring atmos.yaml configuration

references

  • atmos --version outputs simple format: atmos <version>
  • atmos version outputs full styled format with update checks
  • The --version flag does not support additional flags like --check or --format (use atmos version for those features)

Summary by CodeRabbit

  • New Features

    • Added a global --version flag that prints the Atmos CLI version and exits; help/usage updated across commands.
  • Bug Fixes

    • Treat "--version" as a valid version invocation (equivalent to "version").
  • Tests

    • Added tests for flag parsing and execution, updated help snapshots, added empty-dir CLI test, and isolated flag state between tests.
  • Documentation

    • Updated CLI docs and cheatsheet; added guidance on version disambiguation.

Atmos terraform plan-diff ignore data @goruha (#1601)

what

  • Atmos terraform plan-diff ignore data

why

  • The data itself should not raise a plan diff, only if it leads to resource changes

Summary by CodeRabbit

  • Bug Fixes

    • Terraform plan diffs now skip data resources and entries missing a mode, so comparisons show only managed resources.
  • Tests

    • Added unit tests verifying data resources and missing-mode entries are consistently excluded across all plan sections.
  • Documentation

    • CLI docs updated with an informational note and examples showing data resources are skipped and outputs display only managed resources.

Add `--provenance` flag to `atmos describe component` @osterman (#1584)

what

  • Add --provenance flag to atmos describe component command
  • Create new pkg/ui/provenance package for rendering configuration provenance
  • Implement two-column TTY display showing configuration values alongside their source files
  • Support both YAML and JSON output formats with embedded provenance metadata
  • Achieve 90.9% test coverage with comprehensive test suite (18 tests)

why

  • Users need to understand where configuration values come from in complex inheritance chains
  • Debugging configuration issues requires knowing which file set each value
  • The existing sources data structure was already tracked but not displayed in a user-friendly way
  • Provenance tracking improves auditability and troubleshooting of stack configurations

references

  • Implements the feature request discussed in-session
  • Leverages existing ConfigSources infrastructure from Atmos
  • Uses Charm Bracelet lipgloss for consistent terminal UI styling
  • Gracefully degrades for non-TTY environments (pipes/redirects)

Summary by CodeRabbit

  • New Features

    • Added --provenance to describe component: inline file/line/column annotations, optional file output, stack-aware inline/tree/side‑by‑side rendering, and pruning of generated computed fields when provenance is active.
  • Documentation

    • CLI docs updated for --provenance; added comprehensive Import Provenance design doc and usage guidance.
  • UI

    • Improved terminal highlighting, YAML rendering (folded scalars respected), and two new theme colors.
  • Tests

    • Extensive unit, integration, and benchmark coverage for provenance, YAML positions, rendering, and JSONPath utilities.

Add comprehensive test coverage for lifecycle hooks component scoping @osterman (#1583)

what

  • Add test coverage to verify lifecycle hooks are properly scoped to their respective components
  • Add comprehensive PRD documentation for hooks component scoping design and best practices
  • Refactor hooks tests to eliminate curve-fitted tests and improve testability using dependency injection
  • Add comprehensive mock reliability tests for intermittent failure investigation
  • Identify and document critical nil output bug causing intermittent mock failures

why

  • Users have reported confusion about hook scoping behavior and potential hook pollution across components
  • Need to verify that hooks defined in component catalog files remain isolated and don't leak to other components
  • Existing tests had tautological tests that masked underlying code coverage issues
  • Mock outputs reported as "intermittently overlooked or not honored" (1-2 failures per 10 runs in Atmos 1.188.0)
  • Root cause found: AWS rate limits cause terraform output to return nil, which is silently stored instead of erroring

tests

Hooks Component Scoping Tests

  • TestHooksAreComponentScoped - Verifies components with unique hook names remain isolated
  • TestHooksWithDRYPattern - Verifies DRY pattern (global structure + component outputs) maintains proper scoping
  • Both tests pass, confirming hooks work as designed

Test Quality Improvements

  • Removed: TestConvertToHooks - tautological test that only verified stub function
  • Removed: Skipped test TestStoreCommand_GetOutputValue_DotPrefix
  • Added: Dependency injection for TerraformOutputGetter to enable proper testing
  • Added: Mock-based tests with 4 test cases validating dot-prefix terraform output retrieval
  • Added: Error test cases to TestRunAll for proper error handling verification
  • Refactored: RunAll() to return errors instead of calling CheckErrorPrintAndExit

Mock Reliability Tests

  • TestMockReliability_TestifyMock - 100 iterations sequential (100% pass rate)
  • TestMockReliability_TestifyMock_Parallel - 100 iterations parallel (100% pass rate)
  • TestMockReliability_TestifyMock_MultipleExpectations - 100 iterations with 3 Get + 1 Set (100% pass rate)
  • TestMockReliability_VerifyCalledValues - 100 iterations strict verification (100% pass rate)
  • No intermittent failures detected with testify/mock framework
  • No race conditions found with go test -race

Nil Output Bug Tests (All tests FAIL - confirming bug exists)

  • TestStoreCommand_NilOutputBug - Reproduces nil output silently stored instead of erroring
  • TestStoreCommand_IntermittentNilFailure - Demonstrates 10% failure rate (10 nil returns, 0 errors, 10 silent failures)
  • TestStoreCommand_RateLimitSimulation - Simulates AWS SDK retry exhaustion returning nil
  • TestStoreCommand_NilPropagation - Proves Set() is called with nil value

bug analysis

Root Cause Identified ✓

AWS Rate Limit → Nil Output → Silent Failure

  1. AWS rate limit hits SSM/Terraform state access
  2. AWS SDK retries (3 attempts, exponential backoff)
  3. SDK exhausts retries, returns partial/empty response (nil)
  4. GetTerraformOutput() returns nil (no error check)
  5. store_cmd.go:70 uses nil as output value
  6. Store.Set() is called with nil value
  7. Mock output is never used!

The Bugs (3 locations)

Bug #1: internal/exec/terraform_output_utils.go:310-314

if err2 != nil {
    log.Error("failed to convert output", "output", s, "error", err2)
    return k, nil  // ❌ Returns nil instead of propagating error
}

Bug #2: pkg/hooks/store_cmd.go:70

outputValue = c.outputGetter(c.atmosConfig, c.info.Stack, c.info.ComponentFromArg, outputKey, true)
// ❌ No nil check! Blindly uses whatever is returned

Bug #3: No validation before storing

return store.Set(c.info.Stack, c.info.ComponentFromArg, key, outputValue)
// ❌ Stores nil without checking

Test Results Confirming Bug

Intermittent Failure Statistics (100 iterations, 10% nil rate):

Nil returned (simulated rate limits): 10 (10.0%)
Successful stores: 100 (100.0%)  ← ALL treated as success!
Errors: 0 (0.0%)                  ← NO errors raised!

BUG DETECTED: 10 nil returns but only 0 errors - 10 silent failures!

This matches the reported behavior: "if I run the same test 10 times in a row, it'll fail once or twice"

references

  • PRD: docs/prd/hooks-component-scoping.md
  • Test implementation: pkg/hooks/hooks_component_scope_test.go
  • Test cases: tests/test-cases/hooks-component-scoped/
  • Mock reliability tests: pkg/store/mock_reliability_test.go
  • Nil output bug tests: pkg/hooks/store_cmd_nil_bug_test.go
  • Hooks documentation: https://atmos.tools/core-concepts/stacks/hooks
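
The nil-output flow analysed in #1583 above (getter returns nil, the store command passes it on, `Set()` accepts it) can be reproduced in isolation next to one possible guard. This is an added example, not code from the Atmos repository: `outputGetter`, `memStore`, `storeUnchecked`, `storeChecked`, `flakyGetter`, `run` and `ErrNilOutput` are hypothetical names with simplified signatures, and the getter's values and 1-in-10 nil rate are constructed to match the statistics quoted above.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNilOutput is a hypothetical sentinel error for a missing output value.
var ErrNilOutput = errors.New("terraform output is nil")

// outputGetter is a simplified stand-in for the getter injected into the
// store command (hypothetical signature).
type outputGetter func(stack, component, key string) any

// memStore is an in-memory stand-in for a store backend.
type memStore struct{ data map[string]any }

func (s *memStore) Set(stack, component, key string, value any) error {
	s.data[stack+"/"+component+"/"+key] = value
	return nil
}

type storeFn func(get outputGetter, st *memStore, stack, component, key string) error

// storeUnchecked mirrors the flow in the bug analysis: whatever the getter
// returns is written to the store, nil included, and no error is raised.
func storeUnchecked(get outputGetter, st *memStore, stack, component, key string) error {
	return st.Set(stack, component, key, get(stack, component, key))
}

// storeChecked refuses to persist a nil output and returns a wrapped
// sentinel error so the caller can fail the hook or retry.
func storeChecked(get outputGetter, st *memStore, stack, component, key string) error {
	value := get(stack, component, key)
	if value == nil {
		return fmt.Errorf("%w: stack=%q component=%q output=%q", ErrNilOutput, stack, component, key)
	}
	return st.Set(stack, component, key, value)
}

// flakyGetter returns nil on every nilEvery-th call, simulating the
// rate-limited lookups described above (constructed behaviour).
func flakyGetter(nilEvery int) outputGetter {
	calls := 0
	return func(_, _, _ string) any {
		calls++
		if calls%nilEvery == 0 {
			return nil
		}
		return "vpc-constructed-id" // constructed sample value
	}
}

// run performs the given number of store attempts and reports how many
// returned an error and how many nil values ended up in the store.
func run(store storeFn, iterations, nilEvery int) (errCount, nilsStored int) {
	st := &memStore{data: map[string]any{}}
	get := flakyGetter(nilEvery)
	for i := 0; i < iterations; i++ {
		key := fmt.Sprintf("out-%d", i)
		if err := store(get, st, "ue1-network", "vpc", key); err != nil {
			errCount++
		}
	}
	for _, v := range st.data {
		if v == nil {
			nilsStored++
		}
	}
	return errCount, nilsStored
}

func main() {
	e, n := run(storeUnchecked, 100, 10)
	fmt.Printf("unchecked: errors=%d nil values stored=%d\n", e, n)
	e, n = run(storeChecked, 100, 10)
	fmt.Printf("checked:   errors=%d nil values stored=%d\n", e, n)
}
```

The `value == nil` comparison only catches an untyped nil interface; a getter that returns a typed nil pointer would need an additional check.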

fix: resolve invalid error wrapping with multiple %w verbs @osterman (#1530)

Summary

  • Fixed invalid error format constants in pkg/store/errors.go that used multiple %w verbs
  • Added comprehensive static error definitions for common error patterns
  • Replaced dynamic error messages with proper static error wrapping across the codebase
  • Added 88+ new test cases for utility functions in pkg/utils/
  • Enabled unused linter and removed 148 lines of dead code

Details

Problem

The codebase contained error format strings with multiple %w verbs, which violates Go's rule that only one %w verb is allowed per fmt.Errorf call. This was causing potential go vet failures and undefined behavior.

Solution

  1. Fixed pkg/store/errors.go:

    • Changed errWrapFormat = "%w: %w" to "%w: %s"
    • Changed errWrapFormatWithID = "%w '%s': %w" to "%w '%s': %s"
  2. Added new static errors in errors/errors.go for:

    • File operations (copy, create directory, open, stat, etc.)
    • OCI/Container operations
    • Configuration and initialization
    • Template and documentation generation
  3. Updated error handling across multiple files:

    • internal/exec/oci_utils.go
    • internal/exec/copy_glob.go
    • internal/exec/docs_generate.go
    • pkg/config/load.go
    • cmd/terraform_utils.go
    • pkg/utils/doc_utils.go
    • internal/tui/templates/templater.go
  4. Added format constants to eliminate string literal duplication and satisfy linter requirements

Test Coverage Improvements

Added comprehensive test coverage for previously untested utilities:

  • cli_utils_test.go: Flag validation tests (4 cases for --stacks-dir, --workflows-dir)
  • slice_test.go: 5 new test functions with 25 test cases
  • string_utils_test.go: 2 new test functions with 14 test cases
  • type_utils_test.go: Generic Coalesce function tests (17 cases across 4 types)
  • map_utils_test.go: 5 new test functions with 28 test cases

Total: 88 new test cases added

Dead Code Removal

Enabled the unused linter in .golangci.yml and removed dead code:

  • cmd/workflow.go: Unused workflowMarkdown variable
  • internal/exec/help.go: Entire file (42 lines) - processHelp never called
  • internal/exec/copy_glob.go: Unused sourceKey constant
  • internal/exec/vendor_utils.go: 4 unused functions (97 lines):
    • copyToTarget - replaced by copyToTargetWithPatterns in Nov 2024
    • generateSkipFunction - only called by dead copyToTarget
    • shouldExcludeFile - only called by dead generateSkipFunction
    • shouldIncludeFile - only called by dead generateSkipFunction
  • pkg/utils/config_utils.go: Unused ExtractAtmosConfig function (17 lines)

Total: 148 lines of dead code removed

Test Plan

  • Compiled successfully with go build
  • Ran go vet - no multiple %w verb violations found
  • Package tests pass (88 new tests added)
  • Linting passes with golangci-lint (including new unused linter)
  • Pre-commit hooks pass
  • Verified no remaining dead code with staticcheck -checks=U1000

Summary by CodeRabbit

  • New Features

    • Configurable pager (ATMOS_PAGER > PAGER), preserved -var handling in plan-diff, and a worktree-aware Git opener.
  • Bug Fixes

    • Improved Windows plan-diff robustness and cross-platform path handling; clearer errors for workflows base path and invalid component arguments.
  • Refactor

    • Standardized error handling across the codebase and introduced a broader set of sentinel errors.
  • Documentation

    • Added comprehensive error-handling PRD and updated contributor guidance.
  • Chores

    • Ignore .tool-versions; lint and pre-commit workflow updates.
  • Tests

    • Extensive new and expanded unit/integration tests across validation, OCI, docs, API client, plan-diff, and more.

Rename go-homedir package to homedir @osterman (#1596)

what

  • Renamed package directory from pkg/config/go-homedir/ to pkg/config/homedir/
  • Updated import path in pkg/filesystem/homedir.go

why

  • Simplifies the package name by removing the redundant "go-" prefix
  • Aligns the directory name with the actual package name (already package homedir internally)
  • Follows Go naming conventions for cleaner, more concise package names

chore: make Codecov patch coverage informational @osterman (#1594)

what

  • Make Codecov patch coverage informational only (won't fail builds)
  • Set project coverage threshold to 0% (no decrease allowed)
  • Maintain 80% patch coverage target for visibility

why

  • Patch coverage should provide feedback without blocking PRs
  • Overall project coverage must not decrease to maintain quality
  • Reduce noise by only posting comments when coverage changes

Summary by CodeRabbit

  • Chores
    • Updated test coverage policies to clarify reporting and reduce false negatives from rounding.
    • Patch coverage is now informational (still targeting 80% on new/changed lines) rather than enforced.
    • Base branch coverage comparison remains enabled.
    • No changes to product functionality; end-user experience is unaffected.

chore: skip redundant pre-commit hooks in CI @osterman (#1591)

what

  • Skip go-build-mod and golangci-lint hooks in the pre-commit CI workflow
  • Add SKIP environment variable to .github/workflows/pre-commit.yml
  • Add clear comments explaining why these hooks are skipped

why

  • go-build-mod already runs in test.yml build job across all platforms (Linux, macOS, Windows)
  • golangci-lint already runs in codeql.yml lint-golangci job
  • This eliminates redundant work in CI since these checks are already enforced by other jobs
  • Hooks remain active for local development where they enforce code quality before commits

references

  • Reduces CI execution time by skipping duplicate checks
  • Maintains code quality through existing CI jobs

Summary by CodeRabbit

  • Chores
    • Streamlined pre-commit workflow to skip duplicate lint/build hooks already covered in other CI jobs.
    • Reduces redundant checks, speeding up CI pipelines and local commits.
    • No impact on application functionality or user-facing features.
    • Maintains existing hook behavior; only execution scope adjusted for efficiency.

Improve `atmos describe affected` and `atmos describe stacks` commands @aknysh (#1590)

what

  • Process templates and YAML functions by default in atmos describe stacks command
  • Exclude disabled dependent components from atmos describe affected --include-dependents results
  • Filter dependents by stack when using atmos describe affected --stack <stack> --include-dependents
  • Add comprehensive test coverage for describe affected scenarios

why

1. atmos describe stacks - Enable Template/Function Processing by Default

The documentation states that atmos describe stacks processes templates and YAML functions by default, but the code was doing the opposite. This change aligns the implementation with the documentation and provides consistency with other atmos describe commands.

Users can still disable processing with:

  • --process-templates=false
  • --process-functions=false

2. atmos describe affected --include-dependents - Honor metadata.enabled: false

When using --include-dependents, disabled dependent components (with metadata.enabled: false) should not be included in the dependents list for each affected component. This prevents showing components that are intentionally disabled from being part of the dependency chain.

3. atmos describe affected --stack <stack> --include-dependents - Filter Dependents by Stack

When using both --stack <stack> and --include-dependents flags together, the provided stack filter should apply to:

  • The affected components (existing behavior)
  • AND the dependent components (new behavior)

This ensures that when filtering by a specific stack, you only see the dependency relationships within that stack, making it easier to understand stack-specific impacts.

Example:

# Show affected components in ue1-network and their dependents (also in ue1-network only)
atmos describe affected --stack ue1-network --include-dependents

Test Coverage

Added comprehensive test coverage for all describe affected scenarios:

  • TestDescribeAffectedWithTemplatesAndFunctions - Template/function processing enabled
  • TestDescribeAffectedWithoutTemplatesAndFunctions - Template/function processing disabled
  • TestDescribeAffectedWithExcludeLocked - Exclude locked components
  • TestDescribeAffectedWithDependents - Include all dependents
  • TestDescribeAffectedWithDependentsWithoutTemplates - Dependents without template processing
  • TestDescribeAffectedWithDependentsFilteredByStack - Filter dependents to specific stack (ue1-network)
  • TestDescribeAffectedWithDisabledDependents - Verify disabled components excluded (uw2-network)

Summary by CodeRabbit

  • New Features
    • Describe stacks now processes templates and YAML functions by default.
  • Bug Fixes
    • Dependents handling respects target stack filters and excludes disabled components.
  • Documentation
    • Added note that disabled components are excluded from dependents.
    • Updated integration docs to reference ATMOS_VERSION 1.194.0.
  • Chores
    • Example Dockerfile updated to ATMOS_VERSION 1.194.0.
    • AWS SDK S3 manager bumped (patch).
  • Style
    • Minor comment and formatting cleanups.

test: add comprehensive coverage for pkg/utils and pkg/list/errors @osterman (#1586)

what

  • Comprehensive test coverage improvements across 8 key packages
  • Phase 1: Add error path tests for pkg/config (coverage: 90.0% → 93.7%)
  • Phase 2: Add error path tests for internal/exec/copy_glob.go (coverage: 59.0% → 83.1%)
  • Phase 3: Add tests for pkg/list/utils with mocked ExecuteDescribeStacks (coverage: 0% → 40.9%)
  • Phase 4: Add schema processing tests for pkg/schema (coverage: 55.7% → 91.4%)
  • Phase 5: Add token injection tests for pkg/downloader (coverage improved, 100% on NewCustomGitDetector, injectToken, resolveToken)
  • Phase 6: Add git interface tests for pkg/git (coverage: 51.6% → 89.1%)
  • Phase 7: Add error path tests for pkg/datafetcher (100% on getDataFetcher)
  • Phase 8: Add rendering tests for pkg/ui/markdown (coverage: 63.2% → 70.7%)

why

  • Increase overall test coverage to meet 80% threshold enforced by CodeCov
  • Improve confidence in error handling paths and edge cases
  • Reduce risk of regressions in critical infrastructure code
  • Focus on medium-effort packages that provide high coverage ROI

references

  • Testing strategy follows guidelines in docs/prd/testing-strategy.md
  • Uses table-driven tests with comprehensive error scenarios
  • Leverages gomonkey for mocking where appropriate
  • All tests follow Atmos testing conventions with proper precondition checks

test: improve Pro command test coverage with complete mocks @osterman (#1585)

what

  • Extended AtmosProAPIClientInterface with missing methods (LockStack, UnlockStack, UploadAffectedStacks)
  • Updated MockProAPIClient to implement full interface for comprehensive testing
  • Added command structure tests for pro, pro lock, and pro unlock CLI commands
  • Enhanced Pro drift detection tests with comprehensive edge case coverage

why

  • Atmos Pro functionality lacked sufficient test coverage because the API client interface was incomplete
  • Missing interface methods prevented proper mocking of lock/unlock and affected stacks upload functionality
  • Core Pro features are commercial products that require robust testing to ensure reliability
  • Test coverage improvements enable confident future development and refactoring

coverage results

  • pkg/pro: 88.9% coverage (exceeds 80% target) ✅
  • Core Pro functions: 100% coverage on drift detection, instance filtering, and processing ✅
  • internal/exec/pro.go: uploadStatus 92.9%, shouldUploadStatus 100% ✅

detailed breakdown

pkg/pro package (88.9%):

  • LockStack: 100%
  • UnlockStack: 100%
  • UploadAffectedStacks: 93.8%
  • UploadInstanceStatus: 75.0%
  • UploadInstances: 78.3%

pkg/list Pro functions (100%):

  • isProDriftDetectionEnabled: 100%
  • filterProEnabledInstances: 100%
  • processComponentConfig: 100%
  • createInstance: 100%
  • sortInstances: 100%

testing strategy

This PR follows a layered testing approach:

  1. Unit tests (implemented): Mock interfaces for external dependencies, test core business logic in isolation
  2. Command structure tests (implemented): Verify command initialization, flag definitions, and hierarchy
  3. Integration tests (future): Full command execution with fixtures for end-to-end workflows

files modified

  • pkg/pro/api_client.go - Extended interface with 3 missing methods
  • internal/exec/pro_test.go - Updated mock implementation
  • pkg/list/list_instances_pro_test.go - Added comprehensive edge case tests

files created

  • cmd/pro_test.go - Base Pro command tests
  • cmd/pro_lock_test.go - Lock command structure tests
  • cmd/pro_unlock_test.go - Unlock command structure tests

references

  • Addresses lack of test coverage for Atmos Pro commercial features
  • Enables future Pro feature development with confidence
  • No breaking changes to existing functionality

Summary by CodeRabbit

  • Tests
    • Expanded test coverage for Pro features, including command initialization for pro/lock/unlock, required flags and defaults, and handling of unknown flags.
    • Added tests for drift-detection enablement and filtering across edge cases.
    • Enhanced validation of Pro-related API operations to improve stability.
    • These updates improve reliability and guard against regressions; no changes to CLI usage or user-facing behavior.

chore: migrate from unmaintained gopkg.in/yaml.v3 to maintained go.yaml.in/yaml/v3 @osterman (#1587)

what

  • Migrate all YAML v3 imports from unmaintained gopkg.in/yaml.v3 to maintained go.yaml.in/yaml/v3
  • Update 21 Go files with new import paths
  • Update go.mod to use go.yaml.in/yaml/v3 v3.0.4 as direct dependency

why

  • The gopkg.in/yaml.v3 repository was marked as UNMAINTAINED by the author in April 2025
  • go.yaml.in/yaml/v3 is the new official maintained version by the YAML organization
  • This is a drop-in replacement with the same API (zero breaking changes)
  • Ensures we receive bug fixes and security patches going forward
  • Eliminates dependency confusion (we previously had both old and new v3 in our dependency tree)

references

  • Migration follows the two-phase approach: migrate to stable v3 now, evaluate v4 (currently RC) later
  • All tests passing: compilation, unit tests, and linting
  • Import statements reorganized following the 3-section import style (Go stdlib, 3rd-party, Atmos packages)

Summary by CodeRabbit

  • Chores
    • Updated YAML parsing dependency across the app and aligned transitive dependencies.
    • Standardized import paths to improve consistency and maintenance.
  • Refactor
    • Switched internal references to new YAML and schema validation libraries without changing behavior or public APIs.
  • Tests
    • Updated test suites and helpers to use the new dependencies and import structure; no functional changes.

fix: single quote support #1362 @Cerebrovinny (#1560)

what

  • fix parsing of !terraform.output arguments that use single quotes around expressions with nested double quotes

why

  • addresses issue #1362 where the YAML function failed with bare " in non-quoted-field

testing

Issue output

After the fix single quote

Summary by CodeRabbit

  • Bug Fixes
    • Improved delimited-string parsing to handle quoting edge cases: retries with relaxed parsing on certain parse errors and trims matching surrounding quotes while preserving unmatched quotes and removing quoted empty values.
  • Tests
    • Added comprehensive tests for nested/escaped quotes, quoted empty values, unmatched quotes, and splitting edge cases.
  • Documentation
    • Expanded YAML function guidance with examples and tips for nested/mixed quotes and YQ bracket-notation across related functions.
  • Dependencies
    • Updated Azure identity SDK to a newer patch version.
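
The error text quoted above, bare " in non-quoted-field, is the message of ErrBareQuote in Go's encoding/csv. The following added example (not the Atmos code) shows the strict-then-relaxed parse and quote trimming that the summary describes; the use of encoding/csv with a space delimiter, the function names and the inputs are assumptions made for illustration.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"strings"
)

// parseFields splits s on delim with encoding/csv, strict or with LazyQuotes.
func parseFields(s string, delim rune, lazy bool) ([]string, error) {
	r := csv.NewReader(strings.NewReader(s))
	r.Comma = delim
	r.LazyQuotes = lazy
	return r.Read()
}

// trimMatching removes one pair of identical surrounding quotes (' or ").
// A quote without a matching partner at the other end is left untouched.
func trimMatching(f string) string {
	if n := len(f); n >= 2 && f[0] == f[n-1] && (f[0] == '\'' || f[0] == '"') {
		return f[1 : n-1]
	}
	return f
}

// splitArgs (hypothetical name) parses strictly first and retries with relaxed
// quoting only for the two quote-related parse errors; relaxed reports the retry.
func splitArgs(s string, delim rune) (out []string, relaxed bool, err error) {
	fields, err := parseFields(s, delim, false)
	if errors.Is(err, csv.ErrBareQuote) || errors.Is(err, csv.ErrQuote) {
		relaxed = true
		fields, err = parseFields(s, delim, true)
	}
	if err != nil {
		return nil, relaxed, err
	}
	for _, f := range fields {
		if f = trimMatching(f); f != "" { // empty values ("" or '') are dropped
			out = append(out, f)
		}
	}
	return out, relaxed, nil
}

func main() {
	got, relaxed, err := splitArgs(`vpc prod-ue1 '.tags["Name"]'`, ' ') // constructed input
	fmt.Printf("%q relaxed=%v err=%v\n", got, relaxed, err)
}
```

Because an unquoted field ends at the first delimiter, a single-quoted expression that itself contains the delimiter is still split by this sketch.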
