github cloudposse/atmos v1.203.0

5 days ago
fix: Correct Azure auth provider configuration in docs @osterman (#1928)

what

  • Correct Azure authentication provider YAML configuration structure in tutorial documentation
  • Move tenant_id, subscription_id, location, and other provider-specific fields under a spec block for all Azure providers (device-code, oidc, service-principal)
  • Update 8 Azure provider configuration examples throughout the tutorial

why

Azure authentication providers require configuration to be nested under a spec block according to the schema and provider implementation. The documentation was showing an incorrect structure that would fail when users attempted to use it. This fix aligns the documentation with the actual implementation.

references

User report: Azure authentication tutorial showed incorrect YAML configuration structure with provider-specific fields at the top level instead of nested under spec

Summary by CodeRabbit

  • Documentation
    • Updated Azure authentication configuration examples to reflect a restructured format where authentication provider parameters (tenant_id, subscription_id, location, etc.) are now organized under a nested spec object across all Azure authentication methods.


Add version metadata to shipped roadmap milestones @osterman (#1927)

what

Added an optional version field to all 93 shipped milestones in the roadmap, indicating which release each feature was shipped in. Versions are sourced from blog post release: fields and git history research using git tags.

why

Version metadata enables better tracking of feature releases, supports release notes generation, and provides users with a clear version reference for each shipped feature on the roadmap.

references

  • Versions derived from blog post frontmatter (release: field)
  • Git history research using git describe --tags for features without blog post references
  • Version range: v1.100.0 (Changelog introduction) to v1.203.0 (RC features)

Summary by CodeRabbit

  • Chores
    • Roadmap milestones now include optional version identifiers so items map directly to releases across multiple quarters.
  • New Features
    • Roadmap UI displays a release link when a milestone has a version, enabling quick access to the corresponding release.
  • Style
    • Added a compact version badge/visual treatment in roadmap drawers for clearer discoverability.


feat: Add ECR authentication @Benbentwo (#1859)

what

Implements ECR authentication integration for Atmos, allowing automatic Docker login to AWS ECR registries using Atmos-managed identities.

New auth.integrations Section

Integrations specify which identity they use via via.identity, and can auto-trigger on identity login via spec.auto_provision:

```yaml
auth:
  identities:
    dev-admin:
      kind: aws/permission-set
      via:
        provider: company-sso
      principal:
        name: AdministratorAccess
        account: dev

  # Integrations reference identities - not the other way around
  integrations:
    dev/ecr/primary:
      kind: aws/ecr
      via:
        identity: dev-admin           # Which identity provides AWS creds
      spec:
        auto_provision: true          # Auto-trigger on identity login
        registry:
          account_id: "123456789012"
          region: us-east-2

    dev/ecr/secondary:
      kind: aws/ecr
      via:
        identity: dev-admin
      spec:
        auto_provision: true
        registry:
          account_id: "987654321098"
          region: us-west-2
```

Design: One Registry Per Integration

Each integration defines a single registry rather than a list. This approach:

  1. Better Deep Merging: Works with Atmos stack inheritance and merging
  2. Clearer Naming: Integration name reflects its purpose (e.g., dev/ecr/main)
  3. Consistent Pattern: Matches how identities and providers are defined
  4. Easier Override: Individual registries can be overridden in stack configs

New atmos auth ecr-login Command

```shell
# Using a named integration
atmos auth ecr-login dev/ecr/primary

# Using an identity (triggers all integrations referencing that identity)
atmos auth ecr-login --identity dev-admin

# Explicit registries (ad-hoc)
atmos auth ecr-login --registry 123456789012.dkr.ecr.us-east-1.amazonaws.com
```

Auto-Provision on Identity Login

When you log in with an identity, all integrations with auto_provision: true that reference that identity are triggered:

```text
$ atmos auth login dev-admin
✓ Authenticated as arn:aws:sts::123456789012:assumed-role/DevRole/user
✓ ECR login: 123456789012.dkr.ecr.us-east-2.amazonaws.com (expires in 12h)
✓ ECR login: 987654321098.dkr.ecr.us-west-2.amazonaws.com (expires in 12h)
```

Implementation

| Component | File | Description |
| --- | --- | --- |
| Schema | pkg/schema/schema_auth.go | Integration, IntegrationVia, IntegrationSpec, ECRRegistry structs |
| Integration System | pkg/auth/integrations/ | Type system, registry pattern, factory functions |
| ECR Integration | pkg/auth/integrations/aws/ecr.go | aws/ecr kind implementation |
| ECR Token Fetcher | pkg/auth/cloud/aws/ecr.go | AWS SDK GetAuthorizationToken wrapper |
| Docker Config | pkg/auth/cloud/docker/config.go | XDG-based config manager with file locking |
| Manager | pkg/auth/manager.go | findIntegrationsForIdentity(), triggerIntegrations(), ExecuteIntegration() |
| CLI Command | cmd/auth_ecr_login.go | Standalone ECR login command |
| Errors | errors/errors.go | Sentinel errors for ECR/integration failures |

why

  • Eliminates manual ECR authentication - No more aws ecr get-login-password | docker login incantations
  • Configuration as code - ECR registries defined in atmos.yaml alongside identities
  • Automatic login - Integrations with auto_provision: true trigger on identity login
  • Multi-registry support - Multiple integrations can reference the same identity
  • Isolated credentials - Docker config at ~/.config/atmos/docker/config.json (XDG)
  • Non-blocking failures - Integration errors during atmos auth login don't block authentication
  • Deep merge friendly - Single registry per integration works with stack inheritance

Design Decisions

Why integrations not identities?

ECR login and EKS kubeconfig are client-only credential materializations, not identities:

| Concept | IAM User | ECR Login | EKS kubeconfig |
| --- | --- | --- | --- |
| Stored identity object | Yes | No | No |
| Policy attachment | Yes | No | No |
| Server-side lifecycle | Yes | No | No |
| Client-only materialization | No | Yes | Yes |

Integrations use an identity to derive credentials for specific services.

Why integrations reference identities (not vice versa)?

Integrations specify their required identity via via.identity instead of identities listing their integrations. This:

  1. Keeps identities focused on "who you are"
  2. Allows multiple integrations to reference the same identity
  3. Enables stack-level integration overrides without touching identity config
  4. Follows the same pattern as via.provider on identities

references

  • PRD: docs/prd/ecr-authentication.md
  • Blog post: website/blog/2025-12-15-ecr-authentication-integration.mdx
  • Future: EKS integration (aws/eks kind) follows same pattern

Summary by CodeRabbit

  • New Features

    • atmos auth ecr-login: explicit registry, named-integration, and identity-driven modes; automatic, non-blocking AWS ECR Docker login with multi-registry support and managed Docker config.
  • Integrations

    • New integration framework and registry for auth plugins (ECR, EKS); per-identity auto-triggering with explicit retry/standalone command; schema and manifest support for integrations/identities.
  • Documentation

    • PRD, tutorial, CLI docs, and blog post with examples, CI/CD guidance, rollout and security notes.
  • Tests

    • Extensive unit tests covering ECR, Docker config manager, integrations and CLI behavior.
  • Chores

    • Dependency and license/version updates; roadmap milestone marked shipped.

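How the integration lookup and the managed Docker config fit together, as an added Go example that is not part of the PR or of Atmos' own code: the `Integration`, `DockerConfig` and `TriggerIntegrations` names are this example's own, the two registries are copied from the YAML in the PR description, and the `fetch` callback stands in for the AWS SDK GetAuthorizationToken call. It also shows the non-blocking behaviour the PR describes: one failing registry is reported as a warning while the other login is still written.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Integration models one entry under auth.integrations in the PR's YAML. The
// type and field names are this example's own, not Atmos' schema structs.
type Integration struct {
	Kind string
	Via  IntegrationVia
	Spec IntegrationSpec
}
type IntegrationVia struct{ Identity string }
type IntegrationSpec struct {
	AutoProvision bool
	Registry      ECRRegistry
}
type ECRRegistry struct{ AccountID, Region string }

// SampleIntegrations is a constructed input mirroring the PR's two registries,
// which both reference dev-admin and auto-provision.
func SampleIntegrations() map[string]Integration {
	return map[string]Integration{
		"dev/ecr/primary": {Kind: "aws/ecr", Via: IntegrationVia{"dev-admin"},
			Spec: IntegrationSpec{AutoProvision: true, Registry: ECRRegistry{"123456789012", "us-east-2"}}},
		"dev/ecr/secondary": {Kind: "aws/ecr", Via: IntegrationVia{"dev-admin"},
			Spec: IntegrationSpec{AutoProvision: true, Registry: ECRRegistry{"987654321098", "us-west-2"}}},
	}
}

// FindIntegrationsForIdentity returns, sorted by name, every integration whose
// via.identity is identity and whose spec.auto_provision is set. Integrations
// point at identities (never the reverse), so this is a scan over the map.
func FindIntegrationsForIdentity(integrations map[string]Integration, identity string) []string {
	var names []string
	for name, in := range integrations {
		if in.Via.Identity == identity && in.Spec.AutoProvision {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// RegistryHost builds the ECR registry endpoint for an account/region pair.
func RegistryHost(r ECRRegistry) string {
	return fmt.Sprintf("%s.dkr.ecr.%s.amazonaws.com", r.AccountID, r.Region)
}

// DockerConfig is the subset of Docker's config.json that `docker login` writes.
// Keeping it in its own file (the PR uses an XDG path) means an ECR failure or
// token expiry never clobbers the user's personal ~/.docker/config.json.
type DockerConfig struct {
	Auths map[string]DockerAuth `json:"auths"`
}
type DockerAuth struct {
	Auth string `json:"auth"`
}

// EncodeDockerAuth produces the "auth" field Docker expects: base64("user:password").
// ECR's GetAuthorizationToken already returns base64("AWS:<password>"), so a real
// implementation stores that value verbatim; this shows what it encodes.
func EncodeDockerAuth(user, password string) string {
	return base64.StdEncoding.EncodeToString([]byte(user + ":" + password))
}

// TriggerIntegrations logs in to every integration that references identity.
// fetch stands in for the ECR GetAuthorizationToken call and returns the
// ready-to-store auth value for a registry host. A failing registry is recorded
// and skipped, so one broken integration blocks neither the identity login
// nor the other registries (the PR calls these failures non-blocking).
func TriggerIntegrations(cfg *DockerConfig, integrations map[string]Integration, identity string,
	fetch func(host string) (string, error)) []error {
	if cfg.Auths == nil {
		cfg.Auths = map[string]DockerAuth{}
	}
	var errs []error
	for _, name := range FindIntegrationsForIdentity(integrations, identity) {
		host := RegistryHost(integrations[name].Spec.Registry)
		auth, err := fetch(host)
		if err != nil {
			errs = append(errs, fmt.Errorf("integration %s (%s): %w", name, host, err))
			continue
		}
		cfg.Auths[host] = DockerAuth{Auth: auth}
	}
	return errs
}

func main() {
	// Constructed stand-in for the AWS SDK call; the secondary registry fails to
	// show that the primary login still lands in the config.
	fetch := func(host string) (string, error) {
		if host == "987654321098.dkr.ecr.us-west-2.amazonaws.com" {
			return "", errors.New("AccessDeniedException (constructed)")
		}
		return EncodeDockerAuth("AWS", "constructed-ecr-password"), nil
	}
	cfg := &DockerConfig{}
	for _, err := range TriggerIntegrations(cfg, SampleIntegrations(), "dev-admin", fetch) {
		fmt.Println("warning:", err)
	}
	out, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(out))
}
```

The JSON that `main` prints has exactly the `auths` shape Docker reads from a config file, which is why the PR's isolated XDG config path matters: ECR tokens expire after 12 hours and get rewritten on every login, and keeping them out of `~/.docker/config.json` avoids both clobbering personal registry logins and leaving stale AWS-derived credentials in a file other tools read.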

feat: Improve slide deck mobile responsiveness and speaker notes customization @osterman (#1925)

what

Mobile Responsiveness

  • Auto-enters fullscreen mode on mobile and tablet devices
  • Fullscreen respects current light/dark theme instead of forcing dark mode
  • Content scales responsively on mobile using viewport units (vw) and clamp()
  • Maintains 2-column split layouts on mobile with proportionally scaled content
  • Adds responsive breakpoints for tablet (996px) and mobile (768px)
  • Fixes navbar overlap by increasing z-index to 99999

Speaker Notes Customization

  • Position toggle: Move notes panel to right (default) or bottom (Google Slides style)
  • Display mode toggle: Overlay on slides (default) or shrink slides to make room
  • Popout window: Pop out notes to separate window for multi-monitor setups (desktop only)
  • All preferences persist in localStorage
  • Notes content is scrollable
  • Navigation buttons work when notes overlay is present (z-index fix)
  • Controls moved to notes panel header for cleaner toolbar

Technical Improvements

  • Fixed React hydration mismatch by initializing fullscreen/mobile state after mount
  • Fixed stale closure in resize handler using useRef
  • Fixed XSS vulnerability in popout window by using textContent instead of innerHTML
  • Optimized popout window effect to not recreate on every slide change
  • Added immediate slide state sync when popout opens (fixes "Loading..." flash)
  • Added popup=yes to window.open() for better browser compatibility
  • Progress bar extends to full viewport width in page mode

why

Mobile users need fullscreen viewing by default without manual toggling. Content should remain readable at all viewport sizes while preserving intended layout structure (2-column splits don't stack vertically). Theme consistency improves visual experience across devices.

Speaker notes customization addresses different presenter preferences:

  • Some prefer notes overlaying slides, others prefer shrinking the slide area
  • Bottom position mimics Google Slides for familiarity
  • Popout window supports presenters with dual monitors
  • Persistent preferences mean settings survive page refreshes

references

Addresses mobile responsiveness for slide deck presentations with improved handling of landscape phones and split layouts.

Summary by CodeRabbit

  • New Features

    • Speaker notes: right/bottom positions, overlay/shrink modes, detachable popout window, persistent notes preferences.
    • Text-to-speech: integrated player with play/pause, mute, voice & speed selection, progress/seek, auto-advance, toolbar controls, and keyboard shortcuts (P/M/N).
  • Style

    • Extensive responsive and fullscreen refinements: typography, sizing, overflow/scrolling, controls, and mobile layout tweaks.
  • Other

    • Build step: generates per-slide speaker-note files post-build.
    • Slide visual: one slide image scaled wider.


Support Atmos Toolchain for 3rd Party Tools @osterman (#1686)

Summary

This PR introduces comprehensive toolchain management for Atmos, enabling users to manage third-party tools alongside Atmos version management. It also refactors the terraform commands to use the registry pattern for better code organization.

Key Features

🔧 Atmos Toolchain for 3rd Party Tools

  • Tool Management: Install, uninstall, list, and execute versioned tools from configurable registries
  • Multi-Registry Support: Configure multiple tool registries (Atmos, Aqua) with search and listing capabilities
  • Lock File Support: atmos.lock.hcl for reproducible, multi-platform dependency locking
  • Tool Dependencies: Workflows and commands can declare tool dependencies with automatic installation
  • Aliases: Configure tool aliases for convenient command execution
  • Version Constraints: Support for semantic versioning constraints

📦 Atmos Version Management

  • atmos version list: List available Atmos versions with active/installed indicators
  • atmos version install/uninstall: Install and manage multiple Atmos versions
  • --use-version Flag: Run any command with a specific Atmos version via re-exec mechanism

🏗️ Terraform Command Registry Migration

  • Migrated all terraform commands to the registry pattern (cmd/terraform/)
  • Implemented CommandProvider interface for consistent command registration
  • Added comprehensive compatibility flag support for terraform/tofu pass-through
  • Interactive prompts for component and stack selection
  • Better flag handling with pkg/flags/StandardParser

🌍 Global Environment Configuration

  • atmos env Command: Output environment variables in bash, JSON, dotenv, or GitHub Actions format
  • env Section in atmos.yaml: Configure global environment variables with template support

📝 Stack Configuration Enhancements

  • File-Scoped Locals: Define locals: at the top level of stack files for file-specific templating
  • !literal YAML Function: Preserve template syntax for deferred evaluation

📚 Documentation

  • Comprehensive documentation for toolchain features, registries, and lock file management
  • Updated configuration docs for new features
  • New how-to guides for version management

Changes

New Commands

  • atmos toolchain (add, clean, du, env, exec, get, info, install, list, path, remove, search, set, uninstall, versions, which)
  • atmos version list, atmos version install, atmos version uninstall
  • atmos env

New Packages

  • toolchain/ - Core toolchain business logic (install, registry, progress, etc.)
  • pkg/toolchain/filemanager/ - Lock file and .tool-versions management
  • pkg/toolchain/lockfile/ - Lock file parsing and generation
  • cmd/toolchain/ - Toolchain CLI commands using registry pattern
  • cmd/terraform/ - Terraform commands migrated to registry pattern
  • cmd/env/ - Environment variable output command

Architectural Improvements

  • Command registry pattern for all new commands
  • Unified flag parsing infrastructure in pkg/flags/
  • Static error wrapping with sentinel errors from errors/errors.go
  • Test improvements using t.Setenv and t.TempDir

Testing

  • Comprehensive unit tests for all toolchain packages
  • Golden snapshot tests for CLI output
  • Mock-based testing for external dependencies

Breaking Changes

None - all new features are additive.


🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

Summary by CodeRabbit

  • New Features

    • Built-in Toolchain CLI to manage tools (add/clean/du/env/install/uninstall/list/get/info/path/which/set/remove/exec) and registry search/list.
    • Automatic tool dependency resolution with on-demand installs and per-command PATH injection.
    • Version management: install/uninstall specific Atmos versions.
  • Documentation

    • Many new user guides, PRDs, examples, and READMEs for toolchain, registries, lockfiles, and dependency workflows.
  • Other

    • CLI help now lists Toolchain commands; telemetry notice removed.


feat: Migrate slide deck to MDX with animated components @osterman (#1923)

what

  • Migrated static slide image gallery to interactive MDX-based slide deck
  • Created AtmosLogo component with animated color gradient overlay matching navbar
  • Created MetallicIcon component for logos with metallic gradient effect
  • Updated Cloud Posse introduction slide with new messaging and larger metallic logo
  • Enhanced split slide layout with wider text column (2:1 ratio)
  • Expanded drawer trigger zone to entire left navigation area
  • Removed 27 static slide SVG files in favor of dynamic MDX content

why

  • Interactive slide deck provides better user experience and maintainability
  • Animated components create visual consistency with the navbar branding
  • Metallic gradient effect gives professional appearance to logo imagery
  • MDX approach allows for easier updates and customization

references

  • Replaces old slide image gallery component with new SlideDeck component system
  • Implements exact animation techniques from existing navbar logo component
  • Uses mix-blend-mode color technique for gradient overlay effects

Summary by CodeRabbit

  • New Features

    • Interactive slide deck system: fullscreen, keyboard navigation, speaker notes panel, thumbnail drawer, progress bar, tooltips, and slide index; added Atmos intro deck and Slide Decks browsing page; old reference now redirects.
  • Style

    • Animated Atmos logo, metallic icon treatment, comprehensive slide visuals and responsive theming; watermark hidden when slide decks are active.
  • Documentation

    • Reference page updated to redirect to the new Slide Decks location with an informational note.


feat(auth): Add provider fallback for atmos auth login @osterman (#1918)

what

  • When atmos auth login is run without a --provider flag and no identities are configured, it now falls back to provider authentication
  • Single providers are automatically selected without user input
  • Multiple providers trigger an interactive selector (or error in non-interactive mode)
  • Users no longer need to know about the --provider flag for initial authentication
  • Fix #1915: atmos auth console --identity {identity} now correctly uses the provided identity instead of ignoring it

why

  • Improves user experience for first-time login with auto_provision_identities enabled
  • Makes the system seamless after atmos auth logout (no need to rerun with --provider flag)
  • Addresses feedback that atmos auth login should work without requiring explicit provider specification when only one provider exists
  • #1915 Fix: The --identity flag with space-separated value (e.g., --identity myid) was being ignored due to Cobra's NoOptDefVal quirk. The fix uses GetIdentityFromFlags which parses os.Args directly to work around this issue.

references

  • Closes #1915
  • User feedback: When auto_provision_identities: true is configured, the first atmos auth login command fails with "no identities available". User expects seamless fallback to provider auth when identities don't exist yet.

Summary by CodeRabbit

  • New Features

    • Auth login now falls back to provider authentication when no identities exist: auto-selects a single provider, prompts interactive selection for multiple providers, or requires --provider (-p) in non-interactive/CI.
  • Bug Fixes

    • Improved identity-flag resolution and interactive selection edge-case handling; clearer error paths for missing providers or non-interactive selection.
  • Documentation

    • Added CLI docs and blog post explaining provider-fallback behavior and usage.
  • Tests

    • Expanded coverage for fallback flows, prompts, formatting, and identity-resolution.


feat: implement source provisioner for JIT component vendoring @osterman (#1877)

Summary

Implements a comprehensive source provisioner system for just-in-time (JIT) vendoring of component sources. This enables components to declare their source location inline using source configuration, supporting dynamic vendoring workflows for Terraform, Helmfile, and Packer components.

What Changed

Core Source Provisioner (pkg/provisioner/source/)

  • Vendor Engine - go-getter integration supporting Git, GitHub, S3, HTTP, and OCI sources
  • Path Filtering - Include/exclude patterns for selective file vendoring
  • Retry Support - Configurable retry with exponential backoff for transient failures
  • URI Resolution - Version tag injection and URI normalization for go-getter

CLI Commands

  • atmos terraform source pull - Vendor component source on demand
  • atmos terraform source describe - Display source configuration details
  • atmos terraform source delete - Remove vendored source (requires --force)
  • atmos terraform source list - List components with source configuration
  • Extended to Helmfile and Packer with identical command structure

JIT Auto-Provisioning

  • Automatic vendoring before terraform plan/apply/deploy, helmfile sync/diff, packer build
  • Smart skipping - Only vendors if target directory doesn't exist
  • Force re-vendor - --force flag to override existing sources

Workdir Provisioner (pkg/provisioner/workdir/)

  • Stack isolation - Unique working directories per stack (.workdir/<type>/<stack>-<component>)
  • Source + Workdir - Combines JIT vendoring with per-stack isolation
  • Path resolution - Integrates with construct*ComponentWorkingDir functions

Schema Updates

  • source - URI, version, included_paths, excluded_paths, retry configuration
  • provision.workdir - Enable per-stack working directories
  • source_retry - max_retries, delay, max_delay for download resilience

Error Handling

  • 10 new sentinel errors: ErrSourceProvision, ErrSourceInvalidSpec, ErrSourceCopyFailed, ErrSourceMissing, ErrSourceTargetExists, ErrForceRequired, ErrCreateTempDir, ErrSourceWorkdirConflict, ErrFailedToInitConfig, ErrDescribeComponent
  • ErrorBuilder integration with hints and context

Testing

  • Unit tests - Comprehensive coverage for extraction, targeting, URI handling, copying
  • Mock interfaces - Testable design with dependency injection
  • Integration fixtures - tests/fixtures/scenarios/source-provisioner/ and source-provisioner-workdir/
  • CLI snapshots - Updated golden files for new commands

Documentation

  • CLI docs - Full documentation for all source commands
  • Design patterns - Source-based versioning guide
  • Blog post - Feature announcement with examples
  • PRD - Product requirements document

Example Usage

```yaml
# Stack configuration with inline source
components:
  terraform:
    vpc:
      source:
        uri: "github.com/cloudposse/terraform-aws-vpc//src?ref={{.version}}"
        version: "2.0.0"
        included_paths:
          - "*.tf"
        excluded_paths:
          - "examples/**"
        retry:
          max_retries: 3
          delay: "5s"
      vars:
        cidr_block: "10.0.0.0/16"
```

```shell
# Manual source operations
atmos terraform source pull vpc -s dev-us-east-1
atmos terraform source describe vpc -s dev-us-east-1
atmos terraform source delete vpc -s dev-us-east-1 --force

# JIT auto-provisioning (source vendored automatically)
atmos terraform plan vpc -s dev-us-east-1
```

Why

  • Simplified workflows - No separate vendor.yaml or component.yaml files needed
  • Per-environment versioning - Different component versions per stack
  • Dynamic vendoring - Sources fetched on-demand, not pre-vendored
  • Stack isolation - Workdir support prevents cross-stack interference

References

  • Closes #598 - Remote sources for components (requested by @Gowiem)
  • See #1813 for terraform command registry refactoring pattern
  • PRD: docs/prd/source-provisioner.md

Summary by CodeRabbit

  • New Features

    • Added a new "source" command suite (pull, list, describe, delete) for Terraform, Helmfile, and Packer to manage component sources and JIT vendoring.
    • Introduced top-level source manifest support with uri/version, include/exclude paths, and per-source retry policies.
    • Automatic on-first-use provisioning and optional workdir isolation (with force override).
  • Documentation

    • Extensive CLI docs, design patterns, examples, and blog posts covering source-based versioning and retry behavior.

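A worked version of three mechanisms the PR lists (version injection into the URI, include/exclude path filtering, and retry with exponential backoff), as an added Go example rather than Atmos' own provisioner code: `SourceSpec`, `Keep` and `WithRetry` are this example's names, the spec values are copied from the `vpc` stack example above, the `**`-aware glob matcher is the example's own (the semantics Atmos and go-getter apply may differ), and `max_retries: 3` is read here as three retries after the first attempt.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
	"text/template"
	"time"
)

// SourceSpec mirrors the `source` block of the PR's stack example; the type and
// field names are this example's own, not the Atmos schema.
type SourceSpec struct {
	URI, Version                 string
	IncludedPaths, ExcludedPaths []string
	Retry                        RetrySpec
}

// RetrySpec mirrors source.retry (max_retries, delay, max_delay).
type RetrySpec struct {
	MaxRetries      int
	Delay, MaxDelay time.Duration
}

// SampleSpec is a constructed input copied from the PR's `vpc` example.
func SampleSpec() SourceSpec {
	return SourceSpec{
		URI: "github.com/cloudposse/terraform-aws-vpc//src?ref={{.version}}", Version: "2.0.0",
		IncludedPaths: []string{"*.tf"}, ExcludedPaths: []string{"examples/**"},
		Retry: RetrySpec{MaxRetries: 3, Delay: 5 * time.Second, MaxDelay: 30 * time.Second},
	}
}

// ResolveURI injects the pinned version into the URI. The example uses Go template
// syntax ({{.version}}), so text/template renders it; an unknown key is an error
// rather than an empty ref that would silently fetch the default branch.
func ResolveURI(s SourceSpec) (string, error) {
	t, err := template.New("uri").Option("missingkey=error").Parse(s.URI)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"version": s.Version}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// globToRegexp turns a glob into an anchored regexp: `**` crosses `/`, while `*`
// and `?` stay within one segment. This is the example's own matcher, not go-getter's.
func globToRegexp(glob string) *regexp.Regexp {
	var b strings.Builder
	b.WriteString("^")
	for i := 0; i < len(glob); i++ {
		switch {
		case strings.HasPrefix(glob[i:], "**"):
			b.WriteString(".*")
			i++
		case glob[i] == '*':
			b.WriteString("[^/]*")
		case glob[i] == '?':
			b.WriteString("[^/]")
		default:
			b.WriteString(regexp.QuoteMeta(glob[i : i+1]))
		}
	}
	return regexp.MustCompile(b.String() + "$")
}

// Keep reports whether rel (slash-separated, relative to the source root) is
// vendored: an exclude always wins, and with no includes everything is a candidate.
func Keep(s SourceSpec, rel string) bool {
	rel = path.Clean(rel)
	for _, p := range s.ExcludedPaths {
		if globToRegexp(p).MatchString(rel) {
			return false
		}
	}
	if len(s.IncludedPaths) == 0 {
		return true
	}
	for _, p := range s.IncludedPaths {
		if globToRegexp(p).MatchString(rel) {
			return true
		}
	}
	return false
}

// WithRetry runs fetch up to MaxRetries+1 times with exponential backoff (Delay,
// 2*Delay, ... capped at MaxDelay). sleep is injected so the schedule is observable.
func WithRetry(r RetrySpec, sleep func(time.Duration), fetch func() error) (attempts int, err error) {
	delay := r.Delay
	for attempts = 1; ; attempts++ {
		if err = fetch(); err == nil {
			return attempts, nil
		}
		if attempts > r.MaxRetries {
			return attempts, fmt.Errorf("giving up after %d attempts: %w", attempts, err)
		}
		sleep(delay)
		delay *= 2
		if r.MaxDelay > 0 && delay > r.MaxDelay {
			delay = r.MaxDelay
		}
	}
}

func main() {
	spec := SampleSpec()
	uri, _ := ResolveURI(spec)
	fmt.Println("fetch:", uri)
	// Constructed listing of what go-getter would have downloaded.
	for _, f := range []string{"main.tf", "variables.tf", "README.md", "examples/complete/main.tf"} {
		fmt.Printf("%-26s keep=%v\n", f, Keep(spec, f))
	}
	failures := 2 // constructed transient failures before success
	attempts, err := WithRetry(spec.Retry, func(d time.Duration) { fmt.Println("backoff", d) }, func() error {
		if failures > 0 {
			failures--
			return errors.New("connection reset (constructed)")
		}
		return nil
	})
	fmt.Println("attempts:", attempts, "err:", err)
}
```

Two design points worth noticing: `missingkey=error` turns a typo in the template key into a hard failure instead of an unpinned fetch, and the exclude list is evaluated before the include list so that `examples/**` removes files even when they would match `*.tf`.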

fix: Correct Native CI/CD roadmap messaging @osterman (#1922)

what

  • Removed misleading claims about cost estimates and approval buttons (not part of this feature)
  • Updated tagline to "Local = CI. Same command, run everywhere" for clarity
  • Refocused description and benefits on eliminating wrapper scripts and glue code
  • Fixed PRD reference: terraform-registry-migration → native-ci-integration

why

The roadmap entry misrepresented the Native CI/CD feature. Per PR #1891's blog post, the core value is replacing separate github-action-atmos-* actions with a single CLI that auto-detects CI and behaves identically locally and in CI. Removed unrelated claims about cost estimates and approval buttons.

references

  • PR #1891: Native CI Integration with Summary Templates and Terraform Command Registry

Summary by CodeRabbit

  • Documentation
    • Updated Public Roadmap to clarify Native CI/CD Support features, emphasizing environment auto-detection and streamlined CI workflows without wrapper scripts.
    • Expanded GitHub Actions milestone details to highlight native mode capabilities, including enhanced job summaries, resource visualization, and planned multi-provider support.


feat: Implement component workdir provisioning and CRUD commands @osterman (#1876)

what

  • Implement isolated working directories for Terraform component execution via WorkdirProvisioner
  • Add atmos terraform workdir CLI commands: list, describe, show, clean
  • Prevent component instance conflicts by providing separate execution spaces with metadata tracking
  • Integrate provisioner into terraform command pipeline with automatic workdir path override
  • Support component workdir configuration in stack manifests with caching and content hashing

why

Multiple component instances targeting the same component caused conflicts due to shared working directories. Workdir provisioning isolates each component execution to a dedicated directory (.workdir/terraform/<stack>-<component>/), enabling parallel execution and preventing state/artifact interference.

references

  • Related PRs: Component workdir provisioning implementation
  • Feature scope: Local provisioning of component folders into isolated workdirs; remote sources deferred

Summary by CodeRabbit

  • New Features

    • Component Workdir: opt-in isolated per-component working directories for Terraform; new CLI subcommands: workdir list/describe/show/clean (clean supports specific or --all). List supports table/json/yaml outputs; help updated.
  • Documentation

    • PRD, CLI docs, and blog post added with usage, examples, and cleanup guidance.
  • Schema

    • Manifest/schema extended to include provision.workdir.enabled.
  • Tests

    • Extensive unit, integration, and end-to-end CLI tests added.

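Path construction and content hashing for isolated workdirs, as an added Go example that is not the project's `WorkdirProvisioner`: `WorkdirPath`, `ContentHash` and `NeedsRefresh` are this example's names, the hash format is its own, and the component folder is an in-memory `fstest.MapFS` constructed for the run. The point it makes is that the fingerprint must be independent of directory walk order and file boundaries, otherwise a cached workdir is either rebuilt needlessly or, worse, reused after the source changed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"path"
	"sort"
	"testing/fstest"
)

// WorkdirPath builds the isolated execution directory the PR describes,
// .workdir/terraform/<stack>-<component>/, so two instances of the same
// component in different stacks never share .terraform/ or plan artifacts.
func WorkdirPath(stack, component string) string {
	return path.Join(".workdir", "terraform", stack+"-"+component)
}

// ContentHash fingerprints a component folder so a cached workdir can be reused
// while the source is unchanged and rebuilt when it is not. Paths are sorted and
// every entry is length-prefixed, so neither walk order nor where one file ends
// and the next begins can produce a colliding digest. The format is this example's own.
func ContentHash(fsys fs.FS) (string, error) {
	var files []string
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() {
			files = append(files, p)
		}
		return nil
	})
	if err != nil {
		return "", err
	}
	sort.Strings(files)
	h := sha256.New()
	for _, p := range files {
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%d:%s\n%d:", len(p), p, len(data))
		h.Write(data)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// NeedsRefresh compares the hash recorded in the workdir's metadata with the
// component folder's current content.
func NeedsRefresh(recorded string, fsys fs.FS) (bool, error) {
	cur, err := ContentHash(fsys)
	if err != nil {
		return false, err
	}
	return cur != recorded, nil
}

// SampleComponent is a constructed in-memory component folder; cidr varies the
// content so a change is visible in the hash.
func SampleComponent(cidr string) fstest.MapFS {
	return fstest.MapFS{
		"main.tf":      {Data: []byte("module \"vpc\" { source = \"./src\" }\n")},
		"variables.tf": {Data: []byte("variable \"cidr_block\" { default = \"" + cidr + "\" }\n")},
	}
}

func main() {
	fmt.Println(WorkdirPath("dev-us-east-1", "vpc"))
	recorded, _ := ContentHash(SampleComponent("10.0.0.0/16"))
	fmt.Println("recorded:", recorded)
	unchanged, _ := NeedsRefresh(recorded, SampleComponent("10.0.0.0/16"))
	changed, _ := NeedsRefresh(recorded, SampleComponent("10.1.0.0/16"))
	fmt.Println("refresh after no change:", unchanged, "after edit:", changed)
}
```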

Fix markdown code fence in Nerd Fonts installation instructions @osterman (#1917)

Summary

  • Fixes markdown formatting issue where the opening code fence was accidentally deleted

Closes #1913

Details

PR #1913 simplified the Nerd Fonts installation instructions by removing deprecated Homebrew tap commands. However, the deletion also removed the opening ```shell code fence while keeping the closing ```, breaking the markdown formatting.

This PR incorporates the original change from @topperge and adds back the missing code fence.

Test plan

  • Verify the code block renders correctly in the docs

Summary by CodeRabbit

  • Documentation
    • Simplified macOS installation instructions by removing unnecessary preliminary steps from the Homebrew setup process. The installation now requires fewer commands to complete.


Add theme-aware CloudPosse embeds for Slack and Office Hours with UTM tracking @osterman (#1802)

what

  • Created CloudPosseSlackEmbed and CloudPosseOfficeHoursEmbed React components that dynamically adapt to Docusaurus theme (light/dark)
  • Replaced HubSpot form with CloudPosse embed iframe for Office Hours page
  • Added UTM tracking parameters to both embeds for analytics:
    • utm_source=atmos-docs
    • utm_medium=embed
    • utm_campaign=office-hours / slack-community
    • utm_content=community-page
  • Updated embed styling: 380px height, left-justified, max-width 80rem
  • Added allow-popups to sandbox attributes for proper link functionality
  • Added hide_title: true to Office Hours page to prevent duplicate headings

why

  • Theme awareness: Embeds now automatically switch between light/dark themes when users toggle Docusaurus theme, providing a consistent user experience
  • Better tracking: UTM parameters enable conversion rate and traffic analytics for both community engagement channels
  • Improved UX: Standardized sizing across both embeds, left-justified layout, proper link support
  • Cleaner interface: Office Hours embed heading eliminates duplicate page title
  • Modern approach: React components with MutationObserver pattern (following existing codebase patterns like Tooltip.tsx)

references

  • Updated website/docs/community/slack.mdx
  • Updated website/docs/community/office-hours.mdx
  • Created website/src/components/CloudPosseSlackEmbed/index.tsx
  • Created website/src/components/CloudPosseOfficeHoursEmbed/index.tsx

Summary by CodeRabbit

  • New Features

    • Added theme-aware embed components for Office Hours and Slack that automatically adapt to light and dark mode settings.
  • Documentation

    • Updated Office Hours and Slack documentation pages to use the new custom embed components with improved styling and functionality.


Improve mobile responsive design and navbar layout @osterman (#1914)

what

  • Move hamburger menu to the right side of the mobile navbar (after search icon)
  • Add mobile responsive fixes for roadmap and changelog pages
  • Reduce vertical spacing between CTA buttons on mobile
  • Simplify mobile hero title display using "IaC Framework" shorthand
  • Reorder changelog filters (Tags above Years)
  • Reduce mobile timeline left margin and adjust connector spacing
  • Fix navbar search positioning on mobile to prevent overlap

why

These changes significantly improve the mobile user experience by providing better navbar organization, reducing visual clutter, and ensuring all interactive elements are properly visible and spaced on small screens.

The hamburger menu relocation to the right side follows modern mobile UI conventions and improves content discoverability.

references

Branch: osterman/roadmap-mobile-fix

feat: Add comprehensive roadmap page @osterman (#1912)

what

  • Add interactive roadmap page with 10 initiatives and 50+ milestones
  • Create Roadmap component with initiative cards, milestone lists, and quarter timeline
  • Implement MilestoneDrawer for detailed milestone information with descriptions, screenshots, and code examples
  • Add Tooltip component for PR/issue title hover tooltips with theme-aware styling
  • Include extensive roadmap data with changelog and documentation links
  • Add Roadmap navigation link to Docusaurus navbar
  • Fix milestone/bullet alignment with proper flexbox and margin adjustments

why

  • Provides users with transparent view of product roadmap and upcoming features
  • Helps users understand what's shipped, in progress, and planned
  • Links to relevant documentation and announcements for each milestone
  • Improves project visibility and community engagement with detailed progress tracking

references

  • Implements planned Roadmap feature from project PRD
  • Related discussions: Strategic product planning and user visibility

Summary by CodeRabbit

  • New Features
    • Full interactive Roadmap page: navbar link, hero, quarter timeline, highlights, featured improvements, initiative cards, milestone lists with slide-in drawers, progress bars, tooltips, animations, and keyboard accessibility.
  • Documentation
    • Roadmap Maintainer guide and contributor instructions added; CLAUDE.md updated; new blog post announcing the product roadmap.
  • Style
    • Comprehensive responsive, theme- and dark-mode-aware styling for the Roadmap UI.
  • Chores
    • CI workflow updated to enforce release documentation checks (blog + roadmap).


feat(auth): Add Azure OIDC/Workload Identity Federation provider @jamengual (#1894)

what

  • Implement the azure/oidc provider for CI/CD environments (GitHub Actions, Azure DevOps, etc.)
  • Exchange federated identity tokens for Azure credentials without storing long-lived secrets
  • Add comprehensive unit tests with >90% coverage

why

  • Enable secure, secretless authentication in CI/CD pipelines
  • Support Azure Workload Identity Federation for GitHub Actions workflows
  • Complete the Azure authentication story alongside existing azure/cli and azure/device-code providers

Key Features

  • Federated token exchange with Azure AD using OAuth 2.0 client credentials flow
  • Automatic GitHub Actions OIDC token retrieval when running in GitHub Actions
  • Support for AZURE_FEDERATED_TOKEN_FILE environment variable
  • Token file path configuration via token_file_path in spec
  • Sets ARM_USE_OIDC=true for Terraform azurerm/azapi/azuread providers

Configuration Example

auth:
  providers:
    azure-oidc:
      kind: azure/oidc
      spec:
        tenant_id: "your-tenant-id"
        client_id: "your-client-id"
        subscription_id: "your-subscription-id"
        # Optional: audience for OIDC token
        audience: "api://AzureADTokenExchange"
        # Optional: path to federated token file
        token_file_path: "/path/to/token"

references

  • Closes gap in Azure auth provider support
  • Follows existing patterns from azure/cli and azure/device-code providers

Summary by CodeRabbit

  • New Features

    • Azure OIDC provider: workload identity federation with GitHub Actions OIDC support, federated token file/env discovery, multi-scope token exchange, and Terraform/ARM OIDC compatibility.
  • Documentation

    • New blog and expanded CLI docs with configuration examples and GitHub Actions workflow snippets.
  • Tests

    • Extensive unit tests covering provider flows, token sources, exchanges, CI integration, and environment preparation.
  • Bug Fixes

    • Use single management scope to improve token caching and lookup.
  • Refactor

    • Auth cache and credential model extended to support service-principal and OIDC flows.
  • Chores

    • Auth exec command adjusted to skip stack validation.


refactor: Create pkg/function and pkg/yaml packages @osterman (#1886)

What

Create new packages for modularized function handling and YAML utilities:

  • pkg/function/: Format-agnostic function registry and handlers (env, exec, random, include, template, store, terraform, aws, repo-root)
  • pkg/yaml/: YAML-specific utilities (position tracking, error handling, types)
  • pkg/aws/identity/: Consolidated AWS identity caching (from internal/aws_utils)

Why

  • Separation of Concerns: Function handlers work across all formats (YAML, HCL, JSON); only parsing differs
  • Code Reuse: Registry pattern eliminates duplication across formats
  • Extensibility: New functions without modifying core logic
  • Testing: Interface-driven design with dependency injection
  • AWS Consolidation: Eliminate duplicate identity caching logic

References

Foundation for PR #1842 which refactors YAML processing.
Consolidates AWS identity handling per request.

Summary by CodeRabbit

  • New Features

    • New AWS functions: aws.account_id, aws.caller_identity_arn, aws.caller_identity_user_id, aws.region.
    • Format-agnostic function registry added with built-in handlers: env, exec, store, store.get, template, terraform.output, terraform.state, random, literal, include, repo-root.
    • Store interface now supports direct key retrieval (GetKey).
  • Refactor

    • Centralized AWS identity handling with per-context caching and Atmos auth support.
    • YAML utilities improved with position tracking and clearer error signals.


feat(auth): add aws/assume-root identity for centralized root access @milldr (#1828)

what

  • Add aws/assume-root identity kind for centralized root access to AWS member accounts
  • Implement STS AssumeRoot API integration with AWS-managed task policies
  • Add shared STS client helper for assume-role and assume-root identities
  • Include comprehensive test coverage (1000+ lines)

why

  • Enables secure, centralized management of root access across AWS Organizations
  • Provides audit trail for root operations through AWS-managed task policies
  • Reduces risk of credentials scattered across multiple accounts
  • Follows AWS best practices for delegated root access via IAM Identity Center

references

Validated locally. Here's an example

auth:
  providers:
    sso:
      kind: aws/iam-identity-center
      region: us-east-2
      start_url: https://acme.awsapps.com/start
      auto_provision_identities: true

  identities:
    # ==========================================================================
    # Centralized Root Access
    # ==========================================================================
    # AWS Centralized Root Access allows management account administrators to
    # assume root in member accounts using short-lived STS credentials.
    # See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
    #
    # Prerequisites:
    #   1. Centralized root access enabled in AWS Organizations
    #   2. Permission set with sts:AssumeRoot in management account
    #
    # Supported task policies (limit root operations to specific tasks):
    #   - IAMAuditRootUserCredentials  - Audit root MFA and access keys
    #   - IAMCreateRootUserPassword    - Create/reset root password
    #   - IAMDeleteRootUserCredentials - Remove root access keys and MFA
    #   - S3UnlockBucketPolicy         - Unlock S3 buckets with restrictive policies
    #   - SQSUnlockQueuePolicy         - Unlock SQS queues with restrictive policies
    # ==========================================================================

    # Step 1: Authenticate to permission set with sts:AssumeRoot in management account
    organizational-root-access:
      kind: aws/permission-set
      via:
        provider: sso
      principal:
        name: RootAccess
        account:
          name: Root

    # Step 2: Chain to assume root in target member account
    #
    # Usage:
    #   atmos auth login --identity core-audit/iam-audit-root
    #   atmos auth exec --identity core-audit/iam-audit-root -- aws iam list-mfa-devices
    #
    core-audit/iam-audit-root:
      kind: aws/assume-root
      via:
        identity: organizational-root-access
      principal:
        target_principal: "1234567890"  # core-audit
        task_policy_arn: arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials

atmos auth exec --identity core-audit/iam-audit-root -- aws sts get-caller-identity
{
    "UserId": "1234567890",
    "Account": "1234567890",
    "Arn": "arn:aws:iam::1234567890:root"
}

Summary by CodeRabbit

  • New Features

    • Added AWS "assume-root" identity for task-scoped, short-lived root access via AWS STS.
  • Documentation

    • New PRD and blog post with examples, supported policies, prerequisites, and getting-started guidance.
    • Added blog author metadata for the new guide.
  • Tests

    • Extensive tests covering identity flows, STS client behavior, environment setup, credential handling, and lifecycle operations.
  • Chores

    • Provider registration and STS client support enhancements.

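A configuration check for the aws/assume-root principal block in the example above, added here as an illustration and not the project's own code: it normalizes target_principal to a 12-digit account ID (accepting the bare ID or the account's root ARN), confirms task_policy_arn is one of the five AWS-managed root-task policies listed in the identity comments, bounds the session length by the 900-second maximum STS allows for AssumeRoot, and renders a one-line description of what the identity grants. The type and function names are hypothetical, the sample account ID is constructed, and DurationSeconds is an assumed field included only to show the bound; the page does not document it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AssumeRootPrincipal mirrors the principal block of an aws/assume-root identity
// as shown in the PR description. It is a hypothetical stand-in for this example;
// DurationSeconds is an assumed field, not one the page documents.
type AssumeRootPrincipal struct {
	TargetPrincipal string // member account ID, or that account's root ARN
	TaskPolicyArn   string // one of the AWS-managed root-task policies
	DurationSeconds int32  // 0 means the STS default
}

// The five task policies listed in the identity comments. AssumeRoot only
// accepts AWS-managed root-task policies; arbitrary policies are rejected.
const rootTaskPolicyPrefix = "arn:aws:iam::aws:policy/root-task/"

var SupportedRootTaskPolicies = map[string]string{
	"IAMAuditRootUserCredentials":  "Audit root MFA and access keys",
	"IAMCreateRootUserPassword":    "Create/reset root password",
	"IAMDeleteRootUserCredentials": "Remove root access keys and MFA",
	"S3UnlockBucketPolicy":         "Unlock S3 buckets with restrictive policies",
	"SQSUnlockQueuePolicy":         "Unlock SQS queues with restrictive policies",
}

// STS caps AssumeRoot sessions at 15 minutes.
const maxAssumeRootSeconds = 900

var (
	accountIDRe = regexp.MustCompile(`^[0-9]{12}$`)
	rootArnRe   = regexp.MustCompile(`^arn:aws(?:-[a-z]+)*:iam::([0-9]{12}):root$`)
)

// TargetAccountID normalizes target_principal to a 12-digit account ID,
// accepting either the bare ID or the account's root ARN.
func TargetAccountID(target string) (string, error) {
	target = strings.TrimSpace(target)
	if accountIDRe.MatchString(target) {
		return target, nil
	}
	if m := rootArnRe.FindStringSubmatch(target); m != nil {
		return m[1], nil
	}
	return "", fmt.Errorf("target_principal %q is not a 12-digit account ID or root ARN", target)
}

// TaskPolicyName returns the short name of a supported root-task policy ARN.
func TaskPolicyName(arn string) (string, error) {
	if !strings.HasPrefix(arn, rootTaskPolicyPrefix) {
		return "", fmt.Errorf("task_policy_arn %q must start with %s", arn, rootTaskPolicyPrefix)
	}
	name := strings.TrimPrefix(arn, rootTaskPolicyPrefix)
	if _, ok := SupportedRootTaskPolicies[name]; !ok {
		return "", fmt.Errorf("task_policy_arn %q is not a supported root-task policy", arn)
	}
	return name, nil
}

// ValidateAssumeRootPrincipal checks the block before any STS call, reporting
// every problem at once so a misconfiguration surfaces in a single pass.
func ValidateAssumeRootPrincipal(p AssumeRootPrincipal) error {
	var problems []string
	if _, err := TargetAccountID(p.TargetPrincipal); err != nil {
		problems = append(problems, err.Error())
	}
	if _, err := TaskPolicyName(p.TaskPolicyArn); err != nil {
		problems = append(problems, err.Error())
	}
	if p.DurationSeconds < 0 || p.DurationSeconds > maxAssumeRootSeconds {
		problems = append(problems, fmt.Sprintf("duration_seconds %d is outside 0..%d", p.DurationSeconds, maxAssumeRootSeconds))
	}
	if len(problems) > 0 {
		return fmt.Errorf("invalid aws/assume-root principal: %s", strings.Join(problems, "; "))
	}
	return nil
}

// Describe renders a one-line summary of what the identity grants, suitable
// for an audit log entry or a confirmation prompt before assuming root.
func Describe(p AssumeRootPrincipal) (string, error) {
	if err := ValidateAssumeRootPrincipal(p); err != nil {
		return "", err
	}
	acct, _ := TargetAccountID(p.TargetPrincipal)
	name, _ := TaskPolicyName(p.TaskPolicyArn)
	return fmt.Sprintf("assume root in %s limited to %s (%s)", acct, name, SupportedRootTaskPolicies[name]), nil
}

func main() {
	// Constructed sample values; "123456789012" is not a real account.
	fmt.Println(Describe(AssumeRootPrincipal{TargetPrincipal: "123456789012", TaskPolicyArn: rootTaskPolicyPrefix + "IAMAuditRootUserCredentials"}))
}
```

Running the check at configuration-load time means a typo in the policy name or a truncated account ID is reported before credentials are ever requested, rather than as an opaque STS error after the permission-set login has already succeeded.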

Add list affected command with spinner UI improvements @osterman (#1874)

what

  • Implement new atmos list affected command to compare affected components between branches
  • Fix false positive affected components when using the -C flag by correctly computing relative paths from git root
  • Generalize spinner implementation from internal/exec to pkg/ui/spinner for better reusability across the codebase
  • Add FormatSuccess/FormatError functions to properly render markdown in toast messages, fixing backtick formatting

why

The original describe affected implementation had a bug where components appeared affected with reason stack.metadata even when there were zero differences between branches when using the -C flag. This was caused by incorrect path calculation and cache contamination. The new list affected command provides a cleaner interface while fixing these issues. Additionally, the spinner implementation was duplicated across multiple files with formatting issues, so we centralized it in pkg/ui/spinner for better maintainability and proper markdown rendering support.

references

  • Fixes false positive issue in describe affected when using -C flag
  • Consolidates duplicate spinner implementations
  • Improves CLI output formatting and markdown rendering

Summary by CodeRabbit

  • New Features

    • Added the new atmos list affected command with filtering, sorting, custom columns and multiple output formats.
    • Enhanced CLI spinner UI with dynamic completion messages and improved success/error formatting.
  • Bug Fixes

    • Fixed false positives when listing affected components in subdirectories by improving path handling and cache isolation.
    • Clearer error when a Git reference is not found.
  • Documentation

    • New docs and blog post describing the list affected command and usage.
  • Tests

    • Expanded test coverage and updated snapshots.


🚀 Enhancements

fix: Seamless AWS IAM User credential recovery with generic prompting interface @aknysh (#1910)

what

  • Implement generic credential prompting interface (CredentialPromptSpec, CredentialField) for multi-cloud extensibility
  • Add AWS IAM User implementation that uses the generic interface
  • Automatically detect InvalidClientTokenId error when AWS access keys are rotated or revoked
  • Clear stale credentials from keyring and prompt for new ones inline during atmos auth login
  • Fix session duration bug where configured 36h MFA sessions expired after 12h
  • Add comprehensive error detection for ExpiredTokenException and AccessDenied with proper explanations and hints
  • Add MFA-only re-prompt flow - when MFA token is invalid but long-lived credentials are still valid, only re-prompt for MFA token (not all credentials)
  • Detect session credentials accidentally stored in keyring and prompt for new long-lived credentials
  • Add warning message to auth whoami when credentials are invalid or expired with recovery instructions
  • Add helpful tip to auth exec when subprocess fails, guiding users to refresh credentials
  • Fix auth whoami to display proper session token expiration by preferring session credentials from files over long-lived keyring credentials
  • Comprehensive test coverage (81.1% for pkg/auth/identities/aws)

why

  • Users experienced persistent authentication failures after AWS credential rotation
  • atmos auth logout + atmos auth login didn't resolve the issue because stale credentials remained in keyring
  • Session duration from atmos auth user configure was not being preserved
  • When MFA token expired, users had to re-enter ALL credentials instead of just the MFA token
  • Session credentials accidentally stored in keyring would cause InvalidClientTokenId errors on GetSessionToken calls
  • auth whoami showed incorrect authentication status without guidance on how to fix it
  • auth exec failures left users guessing about the cause when credentials were expired
  • auth whoami was not showing "Expires" field because it loaded long-lived credentials from keyring instead of session credentials from files
  • Need extensible architecture for future Azure/GCP credential prompting support

User Experience

Single Command Recovery

$ atmos auth login dev-admin

⚠ AWS credentials are required for identity: dev-admin

AWS Access Key ID: AKIAXXXXXXXXXX
AWS Secret Access Key: ********
MFA ARN (optional): arn:aws:iam::123456789012:mfa/user
Session Duration (optional, default: 12h): 36h

✓ Credentials saved to keyring: dev-admin

Enter MFA Token: 123456

✓ Authentication successful!

MFA-Only Re-prompt (Session Expired)

When session expires but long-lived credentials are still valid:

$ atmos auth login dev-admin

Enter MFA Token: 123456    # Invalid/expired token

⚠ MFA token was invalid, prompting for new token

Enter MFA Token: 789012    # User enters new token

✓ Authentication successful!

Improved Whoami Status

The auth whoami command now shows session token expiration and displays a warning with recovery instructions when credentials are invalid:

$ atmos auth whoami dev-admin
✗ Current Authentication Status

  Provider      aws-user
  Identity      dev-admin
  Expires       2025-12-30 10:11:05 EST (expired)
  Last Updated  2025-12-30 09:55:34 EST

⚠ Credentials may be expired or invalid.
  Run 'atmos auth login --identity dev-admin' to refresh.

Auth Exec Guidance

When auth exec runs a command that fails due to expired credentials, it now provides a helpful tip:

$ atmos auth exec --identity dev-admin -- aws sts get-caller-identity
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired

 Tip  If credentials are expired, refresh with:
      atmos auth login --identity dev-admin

Error Detection and Response

  • InvalidClientTokenId: access keys rotated/revoked. Action: clear stale credentials, prompt for new ones, retry
  • ExpiredTokenException: session token expired. Action: guide user to re-login
  • AccessDenied (MFA-related): invalid/expired MFA token. Action: re-prompt for MFA token only, retry
  • AccessDenied (permission): missing IAM permissions. Action: guide user to check IAM policies

Architecture

Introduces a generic credential prompting interface:

// pkg/auth/types/credential_prompt.go
type CredentialField struct {
    Name, Title, Description string
    Required, Secret         bool
    Default                  string
    Validator                func(string) error
}

type CredentialPromptSpec struct {
    IdentityName string
    CloudType    string  // "aws", "azure", "gcp"
    Fields       []CredentialField
}

type CredentialPromptFunc func(spec CredentialPromptSpec) (map[string]string, error)

Each identity type (AWS IAM User, Azure, GCP) can define its own credential fields, and the prompting UI is generic.

Session Credential Loading

The auth manager intelligently loads credentials:

  1. First checks keyring for cached credentials
  2. If keyring has long-lived credentials (no session token), also checks files for session credentials
  3. Prefers session credentials from files when available (they have proper expiration info)
  4. Falls back to keyring credentials if no session credentials exist in files

This ensures auth whoami displays accurate expiration times for session tokens.

Applies To

This enhancement applies to AWS IAM User identities (aws/user kind). Other identity types like AWS SSO, assume-role, and permission-set are not affected.

Test Coverage

  • pkg/auth/identities/aws: 81.1% statement coverage
  • All error scenarios have unit test coverage
  • Integration tests with mock auth provider
  • Tests for loadCredentialsWithFallback session credential preference
  • Tests for loadSessionCredsFromFiles edge cases
  • Tests for printWhoamiHuman warning message
  • Tests for printAuthExecTip guidance message

Files Modified

  • cmd/auth_whoami.go: Added warning message when credentials are invalid
  • cmd/auth_exec.go: Added tip message when subprocess fails
  • pkg/auth/manager.go: Added loadCredentialsWithFallback and loadSessionCredsFromFiles for session credential preference
  • pkg/auth/manager_extended_test.go: Added 6 tests for session credential loading
  • cmd/auth_whoami_test.go: Added 2 tests for warning message
  • cmd/auth_exec_test.go: Added 1 test (2 subtests) for tip message
  • docs/prd/auth-credential-invalidation-handling.md: Updated PRD with new features
  • website/blog/2025-12-22-auth-credential-invalidation-recovery.mdx: Updated blog post with new features

Summary by CodeRabbit

  • New Features

    • Inline credential prompting and single-command recovery for invalid/rotated AWS credentials, with MFA re-prompting and session-duration controls
    • Non-interactive contexts suppress prompts; session tokens preserved without overwriting long-lived credentials
  • Bug Fixes

    • Better detection and user guidance for common AWS auth errors; tips shown on auth-exec failures
  • Documentation

    • New PRD and blog post explaining recovery flows and UX
  • Tests

    • Extensive test coverage for auth flows, STS errors, prompting, and caching behavior

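The four-step session credential loading rule and the error detection table above, as an added example that is not code from the project: an in-memory stand-in for the keyring and the session files, the fallback loader that prefers session credentials from files because they carry an expiry, a check for the misconfiguration the PR detects (temporary credentials stored in the keyring), a classifier that maps STS error codes to the recovery actions in the table, and the expiry line auth whoami renders. All type and function names (Credentials, MemStore, LoadWithFallback, KeyringHoldsSessionCreds, ClassifyAuthError, WhoamiStatus) are this example's own, and telling an MFA-related AccessDenied apart from a permissions one by looking for "MFA" or "MultiFactor" in the error message is an assumption, not the project's method.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Credentials is a hypothetical stand-in for the AWS credential model; the
// project's own type is not shown on the page.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string    // empty for long-lived IAM user keys
	Expiration      time.Time // zero for long-lived keys
}

// IsSession reports whether these are temporary STS credentials.
func (c Credentials) IsSession() bool { return c.SessionToken != "" }

// Expired is true only for session credentials whose expiry has passed;
// long-lived keys never expire on their own.
func (c Credentials) Expired(now time.Time) bool {
	return c.IsSession() && !c.Expiration.IsZero() && !now.Before(c.Expiration)
}

// Store abstracts one credential source. MemStore is an in-memory stand-in
// used here for both the keyring and the on-disk session files.
type Store interface {
	Load(identity string) (Credentials, bool)
}

type MemStore map[string]Credentials

func (m MemStore) Load(id string) (Credentials, bool) { c, ok := m[id]; return c, ok }

// LoadWithFallback implements the four-step preference from the PR:
// 1. read the keyring; 2. if it holds long-lived keys, also read the session
// files; 3. prefer session credentials from files, even if expired, because
// they carry the expiry whoami needs; 4. otherwise fall back to the keyring.
func LoadWithFallback(identity string, keyring, files Store) (Credentials, error) {
	kc, ok := keyring.Load(identity)
	if !ok {
		return Credentials{}, fmt.Errorf("no credentials stored for identity %q", identity)
	}
	if kc.IsSession() {
		return kc, nil
	}
	if sc, ok := files.Load(identity); ok && sc.IsSession() {
		return sc, nil
	}
	return kc, nil
}

// KeyringHoldsSessionCreds flags the misconfiguration the PR detects: temporary
// credentials saved where long-lived keys belong, which makes the later
// GetSessionToken call fail with InvalidClientTokenId.
func KeyringHoldsSessionCreds(keyring Store, identity string) bool {
	kc, ok := keyring.Load(identity)
	return ok && kc.IsSession()
}

// Action is the recovery step chosen for an STS error, following the PR's table.
type Action string

const (
	ActionRepromptAll      Action = "clear stale credentials, prompt for new ones, retry"
	ActionRelogin          Action = "guide user to re-login"
	ActionRepromptMFA      Action = "re-prompt for MFA token only, retry"
	ActionCheckPermissions Action = "guide user to check IAM policies"
	ActionUnknown          Action = "surface the error unchanged"
)

// ClassifyAuthError maps an AWS error code to an Action. Under AccessDenied the
// message is the only way to tell an MFA failure from a permissions failure;
// matching on "MFA"/"MultiFactor" is this example's assumption.
func ClassifyAuthError(code, message string) Action {
	switch code {
	case "InvalidClientTokenId":
		return ActionRepromptAll
	case "ExpiredToken", "ExpiredTokenException":
		return ActionRelogin
	case "AccessDenied":
		m := strings.ToLower(message)
		if strings.Contains(m, "mfa") || strings.Contains(m, "multifactor") {
			return ActionRepromptMFA
		}
		return ActionCheckPermissions
	}
	return ActionUnknown
}

// WhoamiStatus renders the Expires line the way auth whoami does, marking
// sessions whose expiry has passed.
func WhoamiStatus(c Credentials, now time.Time) string {
	if !c.IsSession() {
		return "Expires       n/a (long-lived credentials)"
	}
	s := "Expires       " + c.Expiration.Format("2006-01-02 15:04:05 MST")
	if c.Expired(now) {
		s += " (expired)"
	}
	return s
}
```

Keeping the loader and the classifier separate is what lets the MFA-only re-prompt work: the classifier decides that only the MFA token needs replacing, while the loader still returns the long-lived keys from the keyring untouched.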
