github cloudposse/atmos v1.198.0-rc.4
on GitHub

latest release: v1.198.0-rc.5
pre-releaseone day ago
feat: Add --identity=false flag to disable authentication @osterman (#1765) ## what

This PR adds support for explicitly disabling Atmos identity authentication via --identity=false (or ATMOS_IDENTITY=false), allowing users to fall back to standard cloud provider SDK credential resolution.

Changes

  • Core Implementation

    • Added IdentityFlagDisabledValue constant (__DISABLED__)
    • Implemented normalizeIdentityValue() to detect boolean false values (false, 0, no, off)
    • Updated TerraformPreHook() to check for disabled state and skip authentication

  • Testing (80-100% coverage)

    • TestNormalizeIdentityValue - 20 test cases covering all boolean variants
    • TestGetIdentityFromFlags - 13 test cases including disabled scenarios
    • TestIsAuthenticationDisabled - 5 test cases for sentinel detection
    • TestTerraformPreHook_DisabledIdentity - 3 scenarios with/without auth config
    • All existing tests continue to pass

  • Documentation

    • New section in auth docs: "Disabling Identity Authentication"
    • Updated terraform command docs with disable examples
    • Updated all describe command docs with disable examples
    • Updated internal technical documentation
    • Added comprehensive PRD at docs/prd/disable-identity-flag.md
    • Made all language cloud-provider agnostic (not AWS-specific)

why

Users needed a way to disable Atmos authentication in CI/CD environments (especially GitHub Actions with OIDC) where different credential mechanisms are preferred. Previously, this required complex workarounds:

  • Using yq commands to remove auth configuration at runtime
  • Maintaining separate atmos.yaml files for different environments
  • No clean solution for mixed local/CI environments

This feature enables users to:

  • Use GitHub Actions OIDC credentials instead of Atmos-managed identities
  • Temporarily use local cloud provider profiles during development
  • Test without Atmos authentication
  • Support mixed environments seamlessly

Use Case Example

# GitHub Actions workflow
- name: Configure AWS credentials via OIDC
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
    aws-region: us-east-1

- name: Deploy with Atmos (using GitHub OIDC credentials)
  env:
    ATMOS_IDENTITY: false  # Disable Atmos auth, use GitHub-provided credentials
  run: atmos terraform apply mycomponent --stack=prod

references

  • PRD: docs/prd/disable-identity-flag.md
  • Resolves use case from Slack discussion about GitHub Actions OIDC authentication
  • Related to RFC: Atmos Profiles (this provides interim solution)
feat: Add agent-developer meta-agent for scaling Atmos with specialized agents @osterman (#1761) ## what
  • Added agent-developer meta-agent for creating and maintaining Claude agents
  • Established agent-per-subsystem pattern for scaling Atmos development
  • Implemented self-updating mechanism with PRD dependency tracking
  • Added mandatory user confirmation for all agent/PRD modifications
  • Created comprehensive agent architecture PRD documentation

why

  • Scale Atmos development through specialized domain expertise as core functionality grows
  • Ensure agents always implement current architectural patterns via PRD awareness
  • Maintain consistency across codebase with focused, self-maintaining agents
  • Provide human oversight for all architectural changes via user confirmation
  • Establish foundation for creating subsystem-specific agents (command-registry, cobra-flag, stack-processor, etc.)

references

  • Related PRD: docs/prd/claude-agent-architecture.md - Agent architecture patterns
  • Implements strategic vision for agent-per-subsystem development model
  • Foundation for future specialized agents as Atmos subsystems mature

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

Summary by CodeRabbit

  • Documentation

    • Added comprehensive Claude Agents framework documentation, including architecture, development guidelines, and coordination patterns.

  • Chores

    • Updated GitHub Actions workflows to validate multiple markdown files with enhanced size checking capabilities.

🚀 Enhancements

fix: Make --chdir flag work with terraform/helmfile/packer commands @osterman (#1767) ## what
  • Fixed --chdir flag to work correctly with terraform, helmfile, and packer commands
  • Added manual argument parsing for --chdir/-C flags when Cobra flag parsing is disabled

why

  • Commands with DisableFlagParsing=true (terraform, helmfile, packer) were not processing the --chdir flag before atmos.yaml was loaded
  • Cobra doesn't parse flags when DisableFlagParsing=true, but PersistentPreRun runs before the command's Run function where flags would be manually parsed
  • This caused --chdir to be ignored, making it impossible to run these commands from subdirectories

references

  • Related to PR #1751 (original chdir implementation)
  • Fixes issue where atmos --chdir /path terraform plan would fail to find atmos.yaml
  • Supersedes PR #1766
fix: AWS user identity should reuse valid session credentials instead of regenerating @osterman (#1760) ## what
  • Fixed AWS user identity authentication to check for and reuse existing valid session credentials before generating new ones
  • AWS user identity Authenticate() method now calls LoadCredentials() first to check for existing valid session credentials in AWS files
  • Only generates new session tokens via GetSessionToken STS API call when no valid credentials exist or when they have expired
  • Added comprehensive tests to verify credential reuse behavior and expiration handling

why

  • The previous implementation always called GetSessionToken to generate new session tokens, even when valid session credentials already existed
  • This caused authentication failures in terraform commands, workflows, and custom commands when base credentials were expired or invalid
  • Users reported that atmos auth exec worked correctly but atmos terraform plan failed with "InvalidClientTokenId: The security token included in the request is invalid"
  • The issue occurred because each authentication attempt tried to generate new tokens using potentially expired base credentials, rather than reusing valid existing session credentials
  • This fix prevents unnecessary AWS STS API calls and authentication failures by properly reusing valid credentials across all command types

references

  • Related to previous session token keyring fix in PR #1757
  • Fixes authentication failures reported where terraform/workflow commands failed while auth exec worked
  • Impacts all authentication flows: auth exec, terraform commands, workflows, and custom commands
Check out latest releases or
releases around cloudposse/atmos v1.198.0-rc.4

Don't miss a new atmos release

NewReleases is sending notifications on new releases.

Get notifications