docs: auth realm isolation PRD @Benbentwo (#2033)
## what
- Added comprehensive PRD for credential namespace isolation feature
- Addresses credential collision issue when same identity names are used across different repositories
- Documents hybrid namespace approach with environment variable, config file, and automatic path hash precedence
## why
When engineers work with multiple customer repositories that use identical identity names (e.g., core-root/terraform), AWS credentials collide and cause cross-contamination. This PRD outlines the design for isolating credentials using repository-specific namespaces, preventing accidental use of the wrong customer's credentials.
## references
- DEV-3960: Fix caching issue with super user identities between customers
Summary by CodeRabbit
- Documentation
- Added three PRDs defining credential realm isolation: realm concept, selection precedence (env/config/automatic), naming/validation and sanitization rules.
- Documented new per-realm credential storage layout and provider-specific Azure path and environment wiring.
- Added migration guidance (breaking path change, no automatic migration), user-facing messaging, security considerations, testing guidance, and success metrics.
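As an added illustration (this is not code from the PRD or from the Atmos repository), the following Go sketch shows the precedence described above: an environment variable wins, then a config-file value, and only when neither is set does an automatic hash of the repository path name the realm. The validation regex, the `auto-` prefix, the 12-character hash truncation and the `realms/<realm>/<identity>.json` storage layout are assumptions made for the example; the PRD's actual rules are not reproduced on this page. The point it demonstrates is the one the PR is about: the same identity name (`core-root/terraform`) checked out under two customer paths resolves to two different credential files.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed validation rule (hypothetical, not the PRD's): 1-64 characters of
// lowercase letters, digits, '-' or '_', starting with a letter or digit.
var realmNameRE = regexp.MustCompile(`^[a-z0-9][a-z0-9_-]{0,63}$`)

var errInvalidRealm = errors.New("invalid realm name")

// sanitizeRealm lowercases the input, maps every disallowed character to '-',
// trims leading/trailing dashes and enforces the length limit. A name that
// sanitizes to nothing is rejected rather than collapsing every repository
// into the same empty realm.
func sanitizeRealm(raw string) (string, error) {
	var b strings.Builder
	for _, r := range strings.ToLower(strings.TrimSpace(raw)) {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9', r == '-', r == '_':
			b.WriteRune(r)
		default:
			b.WriteRune('-')
		}
	}
	out := strings.Trim(b.String(), "-")
	if len(out) > 64 {
		out = out[:64]
	}
	if !realmNameRE.MatchString(out) {
		return "", fmt.Errorf("%w: %q", errInvalidRealm, raw)
	}
	return out, nil
}

// pathRealm derives the automatic realm from the cleaned repository path:
// "auto-" plus the first 12 hex characters of its SHA-256 (assumed format).
func pathRealm(repoPath string) string {
	sum := sha256.Sum256([]byte(filepath.Clean(repoPath)))
	return "auto-" + hex.EncodeToString(sum[:])[:12]
}

// ResolveRealm applies the precedence: environment variable, then config
// file, then automatic path hash. source reports which one won.
func ResolveRealm(envValue, configValue, repoPath string) (realm, source string, err error) {
	switch {
	case strings.TrimSpace(envValue) != "":
		realm, err = sanitizeRealm(envValue)
		source = "env"
	case strings.TrimSpace(configValue) != "":
		realm, err = sanitizeRealm(configValue)
		source = "config"
	default:
		realm, source = pathRealm(repoPath), "path"
	}
	if err != nil {
		return "", "", err
	}
	return realm, source, nil
}

// CredentialPath is the per-realm storage location (assumed layout): the same
// identity under two realms maps to two different files.
func CredentialPath(baseDir, realm, identity string) string {
	return filepath.Join(baseDir, "realms", realm, filepath.FromSlash(identity)+".json")
}

func main() {
	base := "/home/eng/.atmos" // hypothetical base directory
	for _, repo := range []string{"/srv/customer-a/infra", "/srv/customer-b/infra"} {
		realm, src, err := ResolveRealm("", "", repo)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> realm %s (from %s): %s\n", repo, realm, src,
			CredentialPath(base, realm, "core-root/terraform"))
	}
}
```

The hash input is the cleaned path, so `/srv/customer-a//infra/` and `/srv/customer-a/infra` land in the same realm, while a value supplied through the environment is always sanitized before it becomes part of a filesystem path.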
🚀 Enhancements
Fix Artifactory store and improve store documentation @osterman (#2038)
## what
- Fixed Artifactory store integration by adding `Flat=true` parameter to JFrog SDK downloads and proper directory path handling
- Corrected store documentation to match actual implementation: fixed field names, store type names, and removed unsupported backends
- Added comprehensive integration tests for Artifactory store with mock HTTP server
- Added blog post announcing the fix
## why
Customer reported retrieval issues with Artifactory store. Investigation revealed two problems:
- Store code was missing JFrog SDK configuration needed for proper file downloads
- Documentation contained errors that did not match the actual implementation (unsupported backends, incorrect field names)
The Artifactory GetKey method lacked the same configuration that the Get method had, causing downloads to fail. Documentation had outdated examples with unsupported stores (Vault, AWS Secrets Manager) and wrong field names (backend/config instead of type/options).
Customer-reported issue
Customer logs showed the exact problem this PR fixes:
```text
[Info] Downloading "atmos_store/dev/myapp/private_ip" to "/tmp/atmos-artifactory.../dev/myapp/private_ip"
...
Error: failed to read file: open /tmp/atmos-artifactory.../private_ip: no such file or directory
```
Root cause: Without `Flat=true`, the JFrog SDK preserves the directory structure when downloading:
- SDK downloads to: `/tmp/atmos-artifactory.../dev/myapp/private_ip` (nested path)
- Code expects: `/tmp/atmos-artifactory.../private_ip` (flat path)
The fix: Adding `downloadParams.Flat = true` tells the SDK to download files directly to the temp directory with just the base filename, matching what the code expects.
The `Get` method already had this configuration (which is why `!store` with stack/component/key worked), but `GetKey` was missing it.
## references
- All Artifactory store integration tests now pass
- Documentation is consistent with actual supported backends: `aws-ssm-parameter-store`, `azure-key-vault`, `google-secret-manager`, `redis`, `artifactory`
- Mock server properly validates JFrog SDK integration patterns including AQL search, checksum validation, and file path handling
Summary by CodeRabbit
- Bug Fixes
  - Fixed Artifactory retrieval to correctly handle nested paths and ensure consistent download behavior for Get/GetKey.
- Documentation
  - Updated Artifactory store guidance, repository recommendations, store backend identifiers, tutorials, examples, and added a blog post describing the fix and configuration guidance.
- Tests
  - Added comprehensive Artifactory integration tests and a deterministic Artifactory mock server for testing.
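As an added example (not the Atmos store code and not the JFrog SDK), the Go program below reproduces the path mismatch behind the customer's error offline: `simulateDownload` writes a file where the SDK would put it with and without `Flat=true`, and `ReadDownloaded` looks for it at the flat location the store expects, falling back to the nested one. It also adds the check a practitioner would want around any temp-directory download: every candidate path is confined to the temp directory, so a repository key containing `..` cannot be read from or written to outside it. The function names, the `dev/myapp/private_ip` key and the `errOutsideTempDir` error are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideTempDir = errors.New("download path escapes the temp directory")

// candidatePaths returns where a download of repoPath (a path inside the
// Artifactory repository, e.g. "dev/myapp/private_ip") lands under tmpDir:
// flat is what Flat=true produces (base name only, what the store reads),
// nested is the SDK default (repository directory structure preserved).
func candidatePaths(tmpDir, repoPath string) (flat, nested string) {
	rel := strings.TrimPrefix(filepath.ToSlash(repoPath), "/")
	flat = filepath.Join(tmpDir, filepath.Base(rel))
	nested = filepath.Join(tmpDir, filepath.FromSlash(rel))
	return flat, nested
}

// confine rejects any candidate that does not resolve inside tmpDir.
func confine(tmpDir, p string) error {
	rel, err := filepath.Rel(tmpDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%w: %s", errOutsideTempDir, p)
	}
	return nil
}

// simulateDownload stands in for the network download: it writes content
// where the SDK would place it for the given Flat setting.
func simulateDownload(tmpDir, repoPath string, flat bool, content []byte) (string, error) {
	flatPath, nestedPath := candidatePaths(tmpDir, repoPath)
	target := nestedPath
	if flat {
		target = flatPath
	}
	if err := confine(tmpDir, target); err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return "", err
	}
	return target, os.WriteFile(target, content, 0o600)
}

// ReadDownloaded reads the downloaded file, checking the flat location first
// and the nested one as a fallback, and reports which path was found.
func ReadDownloaded(tmpDir, repoPath string) (data []byte, found string, err error) {
	flatPath, nestedPath := candidatePaths(tmpDir, repoPath)
	for _, p := range []string{flatPath, nestedPath} {
		if err := confine(tmpDir, p); err != nil {
			return nil, "", err
		}
		b, rerr := os.ReadFile(p)
		if rerr == nil {
			return b, p, nil
		}
		if !errors.Is(rerr, os.ErrNotExist) {
			return nil, "", rerr
		}
	}
	return nil, "", fmt.Errorf("failed to read file %q: %w", repoPath, os.ErrNotExist)
}

func main() {
	tmpDir, err := os.MkdirTemp("", "atmos-artifactory")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmpDir)
	key := "dev/myapp/private_ip" // constructed sample key
	// SDK default: nested path, which a flat-only reader cannot find.
	if _, err := simulateDownload(tmpDir, key, false, []byte("10.0.0.5")); err != nil {
		panic(err)
	}
	_, found, err := ReadDownloaded(tmpDir, key)
	fmt.Println("nested:", found, err)
	// Flat=true: the file lands at the base name the store expects.
	if _, err := simulateDownload(tmpDir, key, true, []byte("10.0.0.5")); err != nil {
		panic(err)
	}
	_, found, err = ReadDownloaded(tmpDir, key)
	fmt.Println("flat:", found, err)
}
```

Reading the flat path first mirrors the fixed `GetKey`; keeping the nested fallback makes the reader tolerant of either SDK setting, and the `confine` check is what prevents a hostile key from turning that tolerance into a path traversal.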
fix: Config isolation for --chdir flag @osterman (#1941)
## what
When using `--chdir` to change to a directory with its own atmos.yaml, Atmos now correctly uses ONLY that local config. Parent directory and git root searches are now properly treated as fallbacks and are skipped when local config exists.
- Fixed config loading to respect local config isolation when using `--chdir`
- Updated PRD to clarify parent/git-root searches are fallbacks
- Added comprehensive unit and CLI tests for config isolation behavior
- Updated test framework to properly handle `--chdir` flag in tests
## why
Previously, atmos --chdir path/to/project describe config would unexpectedly include configuration from parent directories and the git root, causing wrong component paths and stack settings to be used in monorepo environments and test scenarios.
This fix ensures --chdir behaves as expected: as if you had run the command directly from that directory, searching parent directories and git root only as fallbacks when no local config exists.
## references
Related to the PRD on config discovery behavior (docs/prd/git-root-discovery-default-behavior.md).
Summary by CodeRabbit
- Bug Fixes
  - Local Atmos configs now take precedence, preventing parent/git-root configs from being merged when a local config exists (improves --chdir isolation).
- Documentation
  - New blog post explaining config-loading order with --chdir, examples, and how to explicitly import parent configs.
- Tests
  - Added/expanded tests, fixtures, and snapshots to validate chdir config isolation and expected CLI output (including telemetry notice).
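As an added example (not the Atmos config loader), the Go program below models the discovery order described above so the old and new behaviours can be compared side by side. `discover` finds a local `atmos.yaml` in the `--chdir` target and collects the fallback candidates by walking up to the git root (the first ancestor containing `.git`), nearest parent first. `ConfigSources` then returns the files a run would load: with isolation on, the local file alone (or the nearest fallback when there is none); with isolation off, everything from the git root down, merged, which is how parent settings leaked into the local project. The sample repository layout, the nearest-parent-first fallback order and the stop-at-git-root rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

const configName = "atmos.yaml"

func exists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

// discover returns the local config in dir (empty if absent) and the fallback
// candidates, nearest parent first, ending at the git root. The walk never
// continues above the git root.
func discover(dir string) (local string, fallbacks []string) {
	if p := filepath.Join(dir, configName); exists(p) {
		local = p
	}
	cur := dir
	for {
		if exists(filepath.Join(cur, ".git")) {
			break // reached the git root
		}
		parent := filepath.Dir(cur)
		if parent == cur {
			break // filesystem root
		}
		cur = parent
		if p := filepath.Join(cur, configName); exists(p) {
			fallbacks = append(fallbacks, p)
		}
	}
	return local, fallbacks
}

// ConfigSources lists the files a --chdir run would load, in merge order.
// isolateLocal=true is the fixed behaviour; false is the old behaviour.
func ConfigSources(dir string, isolateLocal bool) []string {
	local, fallbacks := discover(dir)
	if isolateLocal {
		if local != "" {
			return []string{local}
		}
		if len(fallbacks) > 0 {
			return []string{fallbacks[0]}
		}
		return nil
	}
	// Old behaviour: outermost config first so nearer configs override it.
	var out []string
	for i := len(fallbacks) - 1; i >= 0; i-- {
		out = append(out, fallbacks[i])
	}
	if local != "" {
		out = append(out, local)
	}
	return out
}

// buildSampleRepo creates a constructed monorepo: a git root with its own
// atmos.yaml, a "mono" directory with one, a project under it with one, and a
// sibling project without any.
func buildSampleRepo(root string) error {
	for _, d := range []string{".git", "mono/proj", "mono/other"} {
		if err := os.MkdirAll(filepath.Join(root, filepath.FromSlash(d)), 0o755); err != nil {
			return err
		}
	}
	files := map[string]string{
		"atmos.yaml":           "base_path: .\n",
		"mono/atmos.yaml":      "base_path: mono\n",
		"mono/proj/atmos.yaml": "base_path: mono/proj\n",
	}
	for rel, body := range files {
		if err := os.WriteFile(filepath.Join(root, filepath.FromSlash(rel)), []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "atmos-chdir")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := buildSampleRepo(root); err != nil {
		panic(err)
	}
	proj := filepath.Join(root, "mono", "proj")
	fmt.Println("isolated  :", ConfigSources(proj, true))
	fmt.Println("old merge :", ConfigSources(proj, false))
	fmt.Println("no local  :", ConfigSources(filepath.Join(root, "mono", "other"), true))
}
```

The `mono/other` case is the one the fallbacks are for: with no local file, the nearest parent config is used rather than the git root's, and the walk stops at `.git` so a stray `atmos.yaml` above the repository is never picked up.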