github cloudposse/atmos v1.215.0-rc.8
on GitHub

pre-release9 hours ago
feat: add `atmos pro commit` for server-side commits via GitHub App @osterman (#2298) ## what
  • Add new atmos pro commit CLI command that sends changed files to Atmos Pro, which creates commits server-side using its GitHub App installation — ensuring commits trigger CI workflows (unlike GITHUB_TOKEN commits)
  • Flexible staging control: --add "*.tf" for patterns, --all/-A for everything, or commit whatever is already staged
  • Built-in infinite loop prevention: automatically detects when running as atmos-pro[bot] and exits early
  • Client-side validation: path safety (.github/ rejection, traversal prevention), file size limits (2 MiB), max 200 changed files
  • Reuses existing OIDC authentication flow from pkg/pro/api_client.go
  • Introduces new atmos-pro blog tag and retroactively tags 3 existing Atmos Pro changelog entries
  • Full CLI docs, blog post announcement, and roadmap entry

why

  • Commits made with GITHUB_TOKEN in GitHub Actions don't trigger subsequent workflow runs — this is a deliberate GitHub limitation that blocks autofix patterns (e.g., terraform fmt + commit)
  • Teams previously needed third-party services like autofix.ci to work around this
  • Atmos Pro's GitHub App can create commits that trigger CI, and this command provides the CLI interface for that capability
  • The workflow never receives a write token — Atmos Pro controls exactly what gets committed

references

  • Replaces autofix.ci for autocommit workflows
  • Uses existing OIDC auth from pkg/pro/api_client.go (NewAtmosProAPIClientFromEnv)
  • API endpoint: POST /api/v1/git/commit

Summary by CodeRabbit

  • New Features

    • Added atmos pro commit for server-side GitHub commits with staging flags (--message, --comment, --add, --all), loop prevention, branch checks, file-size and changed-files safety limits, and stdout commit SHA.

  • Documentation

    • New CLI docs, blog post, roadmap entry, and tags with usage, GitHub Actions examples, flags, and safety guidance.

  • Usability

    • Improved input validation and clearer user-facing errors for commit and API failures.

  • Tests

    • Added unit and integration tests for commit flow, API client, DTO JSON, and validations.

  • Chores

    • CI workflow updated to run formatting fixes and invoke pro commit.
feat: Add terraform.workspace.prefix_separator setting for hierarchical state paths @aknysh (#2313) ## what
  • Adds a new terraform.workspace.prefix_separator setting in atmos.yaml that controls how / in component names is handled when Atmos auto-generates backend key prefixes
  • Default value "-" preserves backward compatibility (e.g. services/consulservices-consul)
  • Setting prefix_separator: "/" preserves directory hierarchy (e.g. services/consul stays services/consul)
  • Applies to all three supported backends: S3 (workspace_key_prefix), GCS (prefix), and Azure (key component)
  • Explicitly configured backend keys are never modified — the separator only affects auto-generated values

why

  • Teams with large component libraries (hundreds of components) organize them in directory hierarchies like services/consul, platform/eks, data/rds
  • With the default - separator, the state bucket becomes a flat listing of hundreds of dash-separated prefixes — making it difficult to navigate
  • Previously, the only workaround was setting workspace_key_prefix explicitly via Go templates in every component, bypassing the cleaner metadata.name mechanism
  • With prefix_separator: "/", the state bucket mirrors the component directory structure, giving users the same hierarchy in both their source tree and their state storage
  • The default "-" ensures no existing configurations are affected — users opt in explicitly

Configuration

# atmos.yaml
terraform:
  workspace:
    prefix_separator: "/"   # Preserve directory hierarchy in state paths

Before / After

Component Default ("-") With prefix_separator: "/"
services/consul services-consul/workspace/terraform.tfstate services/consul/workspace/terraform.tfstate
platform/eks platform-eks/workspace/terraform.tfstate platform/eks/workspace/terraform.tfstate

Implementation

  • WorkspaceConfig struct with PrefixSeparator field added to the Terraform schema
  • getWorkspacePrefixSeparator helper reads the configured separator (defaults to "-")
  • applyPrefixSeparator helper transforms component names — preserves / when separator is "/", replaces otherwise
  • All three backend setter functions (setS3BackendDefaults, setGCSBackendDefaults, setAzureBackendKey) updated to use the configured separator
  • All changed functions at 100% test coverage

Tests

  • 20+ new unit tests covering all backends, both separators, metadata.name with slashes, baseComponentName, explicit config passthrough, and end-to-end flow through processTerraformBackend
  • All pre-existing backend tests continue to pass (backward compatibility verified)

Documentation

  • PRD: docs/prd/terraform-workspace-key-prefix-slash-preservation.md
  • Blog post: website/blog/2026-04-11-workspace-prefix-separator.mdx
  • Roadmap entry added to the dx initiative

references

  • PRD: docs/prd/terraform-workspace-key-prefix-slash-preservation.md — full analysis, alternatives considered, migration guide
  • Blog post: website/blog/2026-04-11-workspace-prefix-separator.mdx
  • Affected code: internal/exec/stack_processor_backend.go — the three setter functions that auto-generate backend key prefixes

Summary by CodeRabbit

  • New Features

    • New configurable components.terraform.workspace.prefix_separator in atmos.yaml (default "-") to control Terraform backend key prefix formatting.

  • Documentation

    • Added PRD, website doc, and blog post describing the setting and migration guidance; updated roadmap entry.

  • Tests

    • Added unit/integration tests and updated CLI snapshots covering separator and backend-key behavior.

  • Chores

    • Bumped Google Cloud client versions and updated NOTICE license references; added link-check exclusion.

🚀 Enhancements

fix: Return upload errors instead of silently swallowing them @osterman (#2316) ## what
  • describe affected --upload and list instances --upload now return errors instead of silently swallowing them when the Atmos Pro API client cannot be created or the upload fails
  • describe affected --upload returns actionable hints guiding users to set ATMOS_PRO_TOKEN or ATMOS_PRO_WORKSPACE_ID
  • All Atmos Pro API requests now include a User-Agent header (atmos/<version> (<os>; <arch>)) instead of the Go default Go-http-client/1.1

why

  • Upload failures (misconfigured credentials, wrong workspace ID, server-side access denied) were invisible — the CLI logged a warning but returned success, making it impossible to diagnose issues like "workspace does not have access to repository"
  • The missing User-Agent header made it difficult to identify Atmos CLI traffic in server logs

references

  • Server-side error observed: Workspace does not have access to repository was logged server-side but never surfaced to the CLI user

Summary by CodeRabbit

  • Bug Fixes

    • Upload failures now propagate and halt commands instead of being silently skipped.
    • Pro API client creation now returns descriptive errors with authentication/workspace hints.

  • New Features

    • Pro API requests include User-Agent headers with version and system info.

  • Documentation

    • Added "Atmos Pro" doc with setup, OIDC guidance, CLI usage, env vars, and troubleshooting; added to CLI sidebar and navbar.

  • Tests

    • Added/updated tests to enforce explicit API client/auth failure handling.
Check out latest releases or
releases around cloudposse/atmos v1.215.0-rc.8

Don't miss a new atmos release

NewReleases is sending notifications on new releases.

Get notifications