github cloudposse/atmos v1.203.0-rc.4

pre-release
feat: Migrate slide deck to MDX with animated components @osterman (#1923)

what

  • Migrated static slide image gallery to interactive MDX-based slide deck
  • Created AtmosLogo component with animated color gradient overlay matching navbar
  • Created MetallicIcon component for logos with metallic gradient effect
  • Updated Cloud Posse introduction slide with new messaging and larger metallic logo
  • Enhanced split slide layout with wider text column (2:1 ratio)
  • Expanded drawer trigger zone to entire left navigation area
  • Removed 27 static slide SVG files in favor of dynamic MDX content

why

  • Interactive slide deck provides better user experience and maintainability
  • Animated components create visual consistency with the navbar branding
  • Metallic gradient effect gives professional appearance to logo imagery
  • MDX approach allows for easier updates and customization

references

  • Replaces old slide image gallery component with new SlideDeck component system
  • Implements exact animation techniques from existing navbar logo component
  • Uses mix-blend-mode color technique for gradient overlay effects

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Interactive slide deck system: fullscreen, keyboard navigation, speaker notes panel, thumbnail drawer, progress bar, tooltips, and slide index; added Atmos intro deck and Slide Decks browsing page; old reference now redirects.
  • Style

    • Animated Atmos logo, metallic icon treatment, comprehensive slide visuals and responsive theming; watermark hidden when slide decks are active.
  • Documentation

    • Reference page updated to redirect to the new Slide Decks location with an informational note.

feat(auth): Add provider fallback for atmos auth login @osterman (#1918)

what

  • When atmos auth login is run without a --provider flag and no identities are configured, it now falls back to provider authentication
  • Single providers are automatically selected without user input
  • Multiple providers trigger an interactive selector (or error in non-interactive mode)
  • Users no longer need to know about the --provider flag for initial authentication
  • Fix #1915: atmos auth console --identity {identity} now correctly uses the provided identity instead of ignoring it

why

  • Improves user experience for first-time login with auto_provision_identities enabled
  • Makes the system seamless after atmos auth logout (no need to rerun with --provider flag)
  • Addresses feedback that atmos auth login should work without requiring explicit provider specification when only one provider exists
  • #1915 Fix: The --identity flag with space-separated value (e.g., --identity myid) was being ignored due to Cobra's NoOptDefVal quirk. The fix uses GetIdentityFromFlags which parses os.Args directly to work around this issue.

references

  • Closes #1915
  • User feedback: When auto_provision_identities: true is configured, the first atmos auth login command fails with "no identities available". User expects seamless fallback to provider auth when identities don't exist yet.

Summary by CodeRabbit

  • New Features

    • Auth login now falls back to provider authentication when no identities exist: auto-selects a single provider, prompts interactive selection for multiple providers, or requires --provider (-p) in non-interactive/CI.
  • Bug Fixes

    • Improved identity-flag resolution and interactive selection edge-case handling; clearer error paths for missing providers or non-interactive selection.
  • Documentation

    • Added CLI docs and blog post explaining provider-fallback behavior and usage.
  • Tests

    • Expanded coverage for fallback flows, prompts, formatting, and identity-resolution.
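
As an added illustration of the os.Args work-around described under #1915 (example code, not the atmos project's GetIdentityFromFlags): a Go scan that recovers the --identity value from the raw argument vector whether it was written as --identity=value or --identity value, and stops at the -- separator so tokens meant for a wrapped subprocess are never mistaken for the flag. The function name identityFromArgs and the argument vectors are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// identityFromArgs is an added stand-in for the work-around described in the notes. When a Cobra flag
// carries NoOptDefVal, the space-separated form "--identity myid" leaves the flag at its default and
// "myid" falls through as a positional argument, so the value is recovered from the raw argv instead.
// Scanning stops at "--": anything after it belongs to the wrapped subprocess (atmos auth exec -- aws ...).
// Returns "" when the flag is absent or has no value.
func identityFromArgs(args []string) string {
	for i, arg := range args {
		switch {
		case arg == "--":
			return ""
		case strings.HasPrefix(arg, "--identity="):
			return strings.TrimPrefix(arg, "--identity=")
		case arg == "--identity":
			// A following token that itself looks like a flag means no value was supplied.
			if i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") {
				return args[i+1]
			}
			return ""
		}
	}
	return ""
}

func main() {
	// Constructed argument vectors mirroring the commands shown in the notes.
	for _, argv := range [][]string{
		{"atmos", "auth", "console", "--identity", "dev-admin"},
		{"atmos", "auth", "exec", "--identity=dev-admin", "--", "aws", "sts", "get-caller-identity"},
		{"atmos", "auth", "exec", "--", "aws", "--identity", "not-ours"},
	} {
		fmt.Printf("%q -> %q\n", argv, identityFromArgs(argv))
	}
}
```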

feat: implement source provisioner for JIT component vendoring @osterman (#1877)

Summary

Implements a comprehensive source provisioner system for just-in-time (JIT) vendoring of component sources. This enables components to declare their source location inline using source configuration, supporting dynamic vendoring workflows for Terraform, Helmfile, and Packer components.

Closes #598

What Changed

Core Source Provisioner (pkg/provisioner/source/)

  • Vendor Engine - go-getter integration supporting Git, GitHub, S3, HTTP, and OCI sources
  • Path Filtering - Include/exclude patterns for selective file vendoring
  • Retry Support - Configurable retry with exponential backoff for transient failures
  • URI Resolution - Version tag injection and URI normalization for go-getter

CLI Commands

  • atmos terraform source pull - Vendor component source on demand
  • atmos terraform source describe - Display source configuration details
  • atmos terraform source delete - Remove vendored source (requires --force)
  • atmos terraform source list - List components with source configuration
  • Extended to Helmfile and Packer with identical command structure

JIT Auto-Provisioning

  • Automatic vendoring before terraform plan/apply/deploy, helmfile sync/diff, packer build
  • Smart skipping - Only vendors if target directory doesn't exist
  • Force re-vendor - --force flag to override existing sources

Workdir Provisioner (pkg/provisioner/workdir/)

  • Stack isolation - Unique working directories per stack (.workdir/<type>/<stack>-<component>)
  • Source + Workdir - Combines JIT vendoring with per-stack isolation
  • Path resolution - Integrates with construct*ComponentWorkingDir functions

Schema Updates

  • source - URI, version, included_paths, excluded_paths, retry configuration
  • provision.workdir - Enable per-stack working directories
  • source_retry - max_retries, delay, max_delay for download resilience

Error Handling

  • 10 new sentinel errors: ErrSourceProvision, ErrSourceInvalidSpec, ErrSourceCopyFailed, ErrSourceMissing, ErrSourceTargetExists, ErrForceRequired, ErrCreateTempDir, ErrSourceWorkdirConflict, ErrFailedToInitConfig, ErrDescribeComponent
  • ErrorBuilder integration with hints and context

Testing

  • Unit tests - Comprehensive coverage for extraction, targeting, URI handling, copying
  • Mock interfaces - Testable design with dependency injection
  • Integration fixtures - tests/fixtures/scenarios/source-provisioner/ and source-provisioner-workdir/
  • CLI snapshots - Updated golden files for new commands

Documentation

  • CLI docs - Full documentation for all source commands
  • Design patterns - Source-based versioning guide
  • Blog post - Feature announcement with examples
  • PRD - Product requirements document

Example Usage

```yaml
# Stack configuration with inline source
components:
  terraform:
    vpc:
      source:
        uri: "github.com/cloudposse/terraform-aws-vpc//src?ref={{.version}}"
        version: "2.0.0"
        included_paths:
          - "*.tf"
        excluded_paths:
          - "examples/**"
        retry:
          max_retries: 3
          delay: "5s"
      vars:
        cidr_block: "10.0.0.0/16"
```

```shell
# Manual source operations
atmos terraform source pull vpc -s dev-us-east-1
atmos terraform source describe vpc -s dev-us-east-1
atmos terraform source delete vpc -s dev-us-east-1 --force

# JIT auto-provisioning (source vendored automatically)
atmos terraform plan vpc -s dev-us-east-1
```

Why

  • Simplified workflows - No separate vendor.yaml or component.yaml files needed
  • Per-environment versioning - Different component versions per stack
  • Dynamic vendoring - Sources fetched on-demand, not pre-vendored
  • Stack isolation - Workdir support prevents cross-stack interference

References

  • Closes #598 - Remote sources for components (requested by @Gowiem)
  • See #1813 for terraform command registry refactoring pattern
  • PRD: docs/prd/source-provisioner.md

Summary by CodeRabbit

  • New Features

    • Added a new "source" command suite (pull, list, describe, delete) for Terraform, Helmfile, and Packer to manage component sources and JIT vendoring.
    • Introduced top-level source manifest support with uri/version, include/exclude paths, and per-source retry policies.
    • Automatic on-first-use provisioning and optional workdir isolation (with force override).
  • Documentation

    • Extensive CLI docs, design patterns, examples, and blog posts covering source-based versioning and retry behavior.

fix: Correct Native CI/CD roadmap messaging @osterman (#1922)

what

  • Removed misleading claims about cost estimates and approval buttons (not part of this feature)
  • Updated tagline to "Local = CI. Same command, run everywhere" for clarity
  • Refocused description and benefits on eliminating wrapper scripts and glue code
  • Fixed PRD reference: terraform-registry-migration → native-ci-integration

why

The roadmap entry misrepresented the Native CI/CD feature. Per PR #1891's blog post, the core value is replacing separate github-action-atmos-* actions with a single CLI that auto-detects CI and behaves identically locally and in CI. Removed unrelated claims about cost estimates and approval buttons.

references

  • PR #1891: Native CI Integration with Summary Templates and Terraform Command Registry

Summary by CodeRabbit

  • Documentation
    • Updated Public Roadmap to clarify Native CI/CD Support features, emphasizing environment auto-detection and streamlined CI workflows without wrapper scripts.
    • Expanded GitHub Actions milestone details to highlight native mode capabilities, including enhanced job summaries, resource visualization, and planned multi-provider support.

🚀 Enhancements

fix: Seamless AWS IAM User credential recovery with generic prompting interface @aknysh (#1910)

what

  • Implement generic credential prompting interface (CredentialPromptSpec, CredentialField) for multi-cloud extensibility
  • Add AWS IAM User implementation that uses the generic interface
  • Automatically detect InvalidClientTokenId error when AWS access keys are rotated or revoked
  • Clear stale credentials from keyring and prompt for new ones inline during atmos auth login
  • Fix session duration bug where configured 36h MFA sessions expired after 12h
  • Add comprehensive error detection for ExpiredTokenException and AccessDenied with proper explanations and hints
  • Add MFA-only re-prompt flow - when MFA token is invalid but long-lived credentials are still valid, only re-prompt for MFA token (not all credentials)
  • Detect session credentials accidentally stored in keyring and prompt for new long-lived credentials
  • Add warning message to auth whoami when credentials are invalid or expired with recovery instructions
  • Add helpful tip to auth exec when subprocess fails, guiding users to refresh credentials
  • Fix auth whoami to display proper session token expiration by preferring session credentials from files over long-lived keyring credentials
  • Comprehensive test coverage (81.1% for pkg/auth/identities/aws)

why

  • Users experienced persistent authentication failures after AWS credential rotation
  • atmos auth logout + atmos auth login didn't resolve the issue because stale credentials remained in keyring
  • Session duration from atmos auth user configure was not being preserved
  • When MFA token expired, users had to re-enter ALL credentials instead of just the MFA token
  • Session credentials accidentally stored in keyring would cause InvalidClientTokenId errors on GetSessionToken calls
  • auth whoami showed incorrect authentication status without guidance on how to fix it
  • auth exec failures left users guessing about the cause when credentials were expired
  • auth whoami was not showing "Expires" field because it loaded long-lived credentials from keyring instead of session credentials from files
  • Need extensible architecture for future Azure/GCP credential prompting support

User Experience

Single Command Recovery

```text
$ atmos auth login dev-admin

⚠ AWS credentials are required for identity: dev-admin

AWS Access Key ID: AKIAXXXXXXXXXX
AWS Secret Access Key: ********
MFA ARN (optional): arn:aws:iam::123456789012:mfa/user
Session Duration (optional, default: 12h): 36h

✓ Credentials saved to keyring: dev-admin

Enter MFA Token: 123456

✓ Authentication successful!
```

MFA-Only Re-prompt (Session Expired)

When session expires but long-lived credentials are still valid:

```text
$ atmos auth login dev-admin

Enter MFA Token: 123456    # Invalid/expired token

⚠ MFA token was invalid, prompting for new token

Enter MFA Token: 789012    # User enters new token

✓ Authentication successful!
```

Improved Whoami Status

The auth whoami command now shows session token expiration and displays a warning with recovery instructions when credentials are invalid:

```text
$ atmos auth whoami dev-admin
✗ Current Authentication Status

  Provider      aws-user
  Identity      dev-admin
  Expires       2025-12-30 10:11:05 EST (expired)
  Last Updated  2025-12-30 09:55:34 EST

⚠ Credentials may be expired or invalid.
  Run 'atmos auth login --identity dev-admin' to refresh.
```

Auth Exec Guidance

When auth exec runs a command that fails due to expired credentials, it now provides a helpful tip:

```text
$ atmos auth exec --identity dev-admin -- aws sts get-caller-identity
An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired

 Tip  If credentials are expired, refresh with:
      atmos auth login --identity dev-admin
```

Error Detection and Response

| Error Code | Meaning | Action |
| --- | --- | --- |
| InvalidClientTokenId | Access keys rotated/revoked | Clear stale credentials, prompt for new ones, retry |
| ExpiredTokenException | Session token expired | Guide user to re-login |
| AccessDenied (MFA-related) | Invalid/expired MFA token | Re-prompt for MFA token only, retry |
| AccessDenied (permission) | Missing IAM permissions | Guide user to check IAM policies |

Architecture

Introduces a generic credential prompting interface:

```go
// pkg/auth/types/credential_prompt.go
type CredentialField struct {
    Name, Title, Description string
    Required, Secret         bool
    Default                  string
    Validator                func(string) error
}

type CredentialPromptSpec struct {
    IdentityName string
    CloudType    string  // "aws", "azure", "gcp"
    Fields       []CredentialField
}

type CredentialPromptFunc func(spec CredentialPromptSpec) (map[string]string, error)
```

Each identity type (AWS IAM User, Azure, GCP) can define its own credential fields, and the prompting UI is generic.

Session Credential Loading

The auth manager intelligently loads credentials:

  1. First checks keyring for cached credentials
  2. If keyring has long-lived credentials (no session token), also checks files for session credentials
  3. Prefers session credentials from files when available (they have proper expiration info)
  4. Falls back to keyring credentials if no session credentials exist in files

This ensures auth whoami displays accurate expiration times for session tokens.

Applies To

This enhancement applies to AWS IAM User identities (aws/user kind). Other identity types like AWS SSO, assume-role, and permission-set are not affected.

Test Coverage

  • pkg/auth/identities/aws: 81.1% statement coverage
  • All error scenarios have unit test coverage
  • Integration tests with mock auth provider
  • Tests for loadCredentialsWithFallback session credential preference
  • Tests for loadSessionCredsFromFiles edge cases
  • Tests for printWhoamiHuman warning message
  • Tests for printAuthExecTip guidance message

Files Modified

| File | Changes |
| --- | --- |
| cmd/auth_whoami.go | Added warning message when credentials are invalid |
| cmd/auth_exec.go | Added tip message when subprocess fails |
| pkg/auth/manager.go | Added loadCredentialsWithFallback and loadSessionCredsFromFiles for session credential preference |
| pkg/auth/manager_extended_test.go | Added 6 tests for session credential loading |
| cmd/auth_whoami_test.go | Added 2 tests for warning message |
| cmd/auth_exec_test.go | Added 1 test (2 subtests) for tip message |
| docs/prd/auth-credential-invalidation-handling.md | Updated PRD with new features |
| website/blog/2025-12-22-auth-credential-invalidation-recovery.mdx | Updated blog post with new features |

Summary by CodeRabbit

  • New Features

    • Inline credential prompting and single-command recovery for invalid/rotated AWS credentials, with MFA re-prompting and session-duration controls
    • Non-interactive contexts suppress prompts; session tokens preserved without overwriting long-lived credentials
  • Bug Fixes

    • Better detection and user guidance for common AWS auth errors; tips shown on auth-exec failures
  • Documentation

    • New PRD and blog post explaining recovery flows and UX
  • Tests

    • Extensive test coverage for auth flows, STS errors, prompting, and caching behavior
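
The session credential loading order described for #1910 (keyring first, then files, preferring session credentials because they carry an expiration), worked through as an added Go example that is not the project's manager.go: loadWithFallback, store and expiresLabel are hypothetical names, the in-memory store stands in for the real keyring and credential files, and the key IDs are constructed. It also rejects session credentials found in the keyring, the state the notes describe as producing InvalidClientTokenId on GetSessionToken.

```go
package main

import "fmt"
import "time"

// Credentials covers both shapes the notes distinguish: long-lived keys (no SessionToken) and STS session credentials.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}

func (c Credentials) IsSession() bool { return c.SessionToken != "" }

// store is a constructed in-memory stand-in for the keyring and the credential files (not the project's backends).
type store map[string]Credentials

// loadWithFallback is an added example of the preference order in the notes: read the keyring; if it holds
// long-lived keys, also read files and prefer session credentials found there (they carry expiration);
// otherwise fall back to the keyring. Session credentials in the keyring are rejected: they would fail GetSessionToken.
func loadWithFallback(identity string, keyring, files store) (Credentials, error) {
	kr, ok := keyring[identity]
	if !ok {
		return Credentials{}, fmt.Errorf("no credentials stored for identity %q", identity)
	}
	if kr.IsSession() {
		return Credentials{}, fmt.Errorf("keyring for %q holds session credentials; re-enter long-lived keys", identity)
	}
	if sess, ok := files[identity]; ok && sess.IsSession() {
		return sess, nil
	}
	return kr, nil
}

// expiresLabel renders the whoami "Expires" field, appending "(expired)" once the session has lapsed at time now.
func expiresLabel(c Credentials, now time.Time) string {
	if !c.IsSession() {
		return "n/a (long-lived credentials)"
	}
	label := c.Expiration.Format("2006-01-02 15:04:05 MST")
	if !now.Before(c.Expiration) {
		label += " (expired)"
	}
	return label
}

func main() {
	files := store{"dev-admin": {AccessKeyID: "ASIAEXAMPLE", SessionToken: "constructed", Expiration: time.Now().Add(-time.Hour)}}
	c, err := loadWithFallback("dev-admin", store{"dev-admin": {AccessKeyID: "AKIAEXAMPLE"}}, files)
	fmt.Println(c.AccessKeyID, expiresLabel(c, time.Now()), err)
}
```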
