Add: backend generation for Terraform Cloud/Enterprise when !terraform.output function is used. @gitbluf (#2058)
**What** - Added Terraform Cloud backend support to `pkg/terraform/output` package - Added test coverageWhy
!terraform.outputfunction fails when components use Terraform Cloud/Enterprise backend becausegenerateBackendConfigfunction inpkg/terraform/outputpackage doesn't support cloud backend structure, causing the generation of the dependency component backend to default to the default backend resulting in an error.
Error output:
Error
Error: failed to get terraform output for component cluster in stack eks-cluster output cluster_version: failed to
execute terraform output for component cluster in stack eks-cluster terraform init failed: exit status 1 Error:
Unsupported backend type on backend.tf.json line 4, in terraform.backend: 4:
"cloud": { There is no explicit backend type named "cloud". To configure HCP
Terraform, declare a 'cloud' block instead.
Error
Error: exit status 1
- Terraform Cloud requires
terraform.cloudat top level, notterraform.backend.cloudlike other backend types
Currrent
{
"terraform": {
"backend": {
"cloud": {
"organization": "<org-name>",
"workspaces": {
"name": "terraform_workspace_name"
}
}
}
}
}
After the PR
"terraform": {
"cloud": {
"organization": "<org-name>",
"workspaces": {
"name": "terraform_workspace_name"
}
}
}
}
References
- Terraform Cloud backend documentation: https://developer.hashicorp.com/terraform/language/settings/terraform-cloud
- slack conversation
Summary by CodeRabbit
-
New Features
- Terraform Cloud backend support for !terraform.output with workspace-aware backend generation and token replacement; non‑Cloud backend behavior unchanged.
-
Tests
- Expanded cloud backend test coverage, including workspace token replacement scenarios and custom verification hooks.
-
Documentation
- Added blog post documenting Terraform Cloud backend behavior and example usage.
- Added a new blog author entry.
-
Chores
- Roadmap updated to mark Terraform Cloud backend support milestone as shipped.
feat: implement auth realm isolation with credential separation @Benbentwo (#2043)
## WhatImplement credential realm isolation for Auth to prevent credential collisions when engineers work with multiple repositories using identical identity names. Credentials are now stored in realm-isolated directories (~/.config/atmos/{realm}/), with realm computed from environment variables, configuration, or the config path hash.
Why
When multiple customer repositories use the same identity names (e.g., "aws-user", "dev-role"), Atmos credentials for different environments collide. Realm isolation ensures that credentials for "dev-role" from customer-A and customer-B are kept separate, preventing authentication failures and security issues.
Changes
- Add
SetRealm()method to Identity and Provider interfaces - Manager propagates realm to all identities/providers after construction
- All keyring backends include realm in credential keys (
atmos:{realm}:{alias}) - AWS file paths now always include realm:
~/.config/atmos/{realm}/aws/{provider}/{credentials,config} - Add
--all-realmsflag toatmos auth logoutto clear all Atmos credentials across all realms - Display realm and source in
atmos auth whoamioutput - Non-breaking: existing credentials in non-realm paths are discovered via workspace, users must re-authenticate
References
- Related to auth realm isolation PRD (#2033)
Summary by CodeRabbit
-
New Features
- Realm-scoped credential isolation to prevent credential collisions across repositories.
- New --all-realms flag to logout from all realms.
- CLI now shows active Realm (and its source) in atmos auth login and atmos auth whoami.
-
Configuration
- Realm precedence: ATMOS_AUTH_REALM env var → auth.realm in atmos.yaml → auto-generated from CLI config path.
-
Documentation
- Blog post and roadmap entry added.
-
Breaking Changes
- Credential storage/paths changed — re-authenticate with atmos auth login.
feat: Modernize Helmfile EKS integration @osterman (#1903)
## what- Make EKS integration opt-in by changing
use_eksdefault fromtruetofalse - Add
cluster_name_templatewith Go template syntax ({{ .vars.namespace }}-{{ .vars.stage }}-eks) - Add
cluster_nameconfig for explicit fixed cluster names - Add
--cluster-nameflag to override cluster name at runtime - Implement cluster name precedence: flag → config → template → pattern (deprecated)
- Deprecate
cluster_name_patternwith warning, recommendcluster_name_template - Deprecate
helm_aws_profile_patternwith warning, recommend--identityflag - Allow helmfile to work with existing kubeconfig (non-EKS: k3s, GKE, AKS)
why
These changes address DEV-2345 and DEV-2347 by modernizing the Helmfile EKS integration to be more flexible and align with Atmos's identity system. Users can now use helmfile with any Kubernetes cluster (not just EKS), have explicit control over cluster names, and use the standard --identity flag for AWS authentication instead of custom pattern configurations.
references
Summary by CodeRabbit
-
New Features
- Added
--cluster-nameCLI flag andcluster_name_templatefor flexible EKS cluster naming - Added
--identityflag for AWS authentication support
- Added
-
Configuration Changes
- EKS support is now opt-in;
use_eksdefaults to false - Established cluster name resolution precedence: flag → config → template → pattern
- EKS support is now opt-in;
-
Deprecations
helm_aws_profile_patterndeprecated; use--identityflag insteadcluster_name_patterndeprecated; usecluster_name_templateinstead