github cloudposse/atmos v1.217.0-rc.2

Pre-release, 6 hours ago

feat(list): --process-templates and --process-functions flags; fix list instances --upload auth @aknysh (#2363)

what

  • Added --process-templates and --process-functions CLI flags (and ATMOS_PROCESS_TEMPLATES / ATMOS_PROCESS_FUNCTIONS env vars) to every atmos list subcommand that processes stack manifests: list instances, list components, list metadata, list sources, list stacks. Defaults are true, matching atmos describe affected / atmos describe stacks / atmos describe component.
  • Clarified the flag descriptions that used to conflate YAML functions with Go template functions. --process-templates toggles Go templates (including atmos.Component(...)); --process-functions toggles YAML functions (!terraform.state, !terraform.output, !store, !aws.*, …).
  • Fixed the underlying atmos list instances --upload hang in CI: per-component auth resolution in internal/exec/describe_stacks_component_processor.go was gated on processYamlFunctions only, so the template-only path (atmos.Component(...) inside Go templates) ran terraform init with an empty AuthContext against remote backends and failed with No valid credential sources found. Guard now fires when either templates or YAML functions will run.
  • Refactored the per-component auth resolver for testability: extracted shouldResolvePerComponentAuth(...) predicate, resolveComponentAuthManager(...) method, and an injectable componentAuthManagerResolver field on describeStacksProcessor so the decision can be exercised without running real OIDC/STS.
  • Threaded the two flags through InstancesCommandOptions / MetadataOptions in pkg/list/ and through both the matrix-format and tree-format branches of list_instances.go, so every output path of the same invocation honors the same flag values.
  • Added three layers of regression coverage for each command that just got the flags (parser wiring, options struct, flag propagation to ExecuteDescribeStacks) plus a dedicated auth-guard regression suite (TestShouldResolvePerComponentAuth, TestResolveComponentAuthManager 6-row table, TestResolveComponentAuthManager_ResolverErrorFallsBackToParent).
  • Documented the two flags on every affected atmos list command page, added a blog post announcing the feature, and added a shipped milestone to the Discoverability & List Commands roadmap initiative.
  • Bumped Go modules to latest where compatible (aws-sdk-go-v2/service/s3 → 1.100.0, smithy-go → 1.25.1, anthropic-sdk-go → 1.38.0, hashicorp/terraform-exec → 0.25.1, posthog-go → 1.12.1, k8s.io/client-go → 0.36.0, plus many transitive indirects). Three transitive pins remain, now documented inline in go.mod: sentry-go v0.45.1 (cockroachdb/errors v1.12.0 still references the removed Extra field), gocloud.dev v0.41.0 (gomplate/v3 s3blob uses removed ConfigProvider), hairyhenderson/go-fsimpl v0.3.1 (transitive via the gocloud.dev pin).

why

  • atmos list instances --upload was broken in CI for any repo whose component sections call atmos.Component(...) inside Go templates with a stack-level default identity — the exact shape used by the Atmos Pro release workflow. Users reported the command failing with No valid credential sources found while atmos describe affected --upload in the same workflow succeeded.
  • Root cause: atmos.Component(...) is a Go template function, not a YAML function. The processor's per-component auth resolver assumed YAML functions were the only consumer of info.AuthContext and gated itself on processYamlFunctions. The template path reads the same AuthContext and shells out to terraform init + terraform output, so disabling per-component auth broke template-only invocations.
  • Users expected atmos list flags to line up with atmos describe flags. They didn't: only list affected, list settings, and list values had the two knobs. A user workflow actually relied on --process-functions on list instances (where it didn't exist), which produced an unknown flag error and a confusing escape hatch. Adding the two flags everywhere the command processes stacks closes that gap.
  • The flag rollout intentionally defaults both flags to true for parity. Users who run atmos list locally without tofu / terraform on $PATH can opt out with --process-functions=false or ATMOS_PROCESS_FUNCTIONS=false; the auth-guard fix above ensures the true, true default works end-to-end in CI.
  • Module update was due. The three remaining pins are annotated so the next go get -u ./... pass doesn't trip over them blindly.

references

  • Fix design doc: `docs/fixes/2026-04-24-list-instances-per-component-auth.md`
  • Blog post: `website/blog/2026-04-24-list-process-flags.mdx`
  • Roadmap milestone: `website/src/data/roadmap.js` (Discoverability & List Commands initiative)
  • Previous related fix: `docs/fixes/2026-04-08-atmos-auth-identity-resolution-fixes.md` (Category A vs B caller split that this change builds on)

Summary by CodeRabbit

  • New Features

    • Added --process-templates and --process-functions flags to list subcommands to control Go template vs YAML function processing (both default to enabled).
  • Bug Fixes

    • Restored per-component authentication resolution when templates are processed, fixing upload failures in CI.
  • Documentation

    • Updated CLI docs, added a blog post and roadmap entry describing the new flags and examples.
  • Tests

    • Extensive new and updated unit/integration tests covering flag parsing, behavior permutations, and regressions.
  • Chores

    • Updated NOTICE/license references, added missing license entries, bumped dependencies and example default version to 1.217.0.
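
The auth-guard change described in the #2363 notes above, as an added example that is not the project's code: a simplified Go model of the predicate, the injectable resolver, and the fall-back-to-parent behaviour named in the regression tests. Only the names shouldResolvePerComponentAuth, resolveComponentAuthManager, componentAuthManagerResolver and describeStacksProcessor come from the notes; the type and field shapes, the signatures, `legacyGuard` and the component name `vpc` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthManager is a hypothetical stand-in for a resolved credential context.
type AuthManager struct{ Identity string }

// processor is a simplified model of describeStacksProcessor (fields assumed).
type processor struct {
	processTemplates, processYamlFunctions bool
	parent                                 *AuthManager
	// Injectable so tests can exercise the decision without real OIDC/STS.
	componentAuthManagerResolver func(component string) (*AuthManager, error)
}

// legacyGuard models the pre-fix gate: YAML functions only.
func legacyGuard(_, processYamlFunctions bool) bool { return processYamlFunctions }

// shouldResolvePerComponentAuth models the fixed gate: either consumer of the auth context.
func shouldResolvePerComponentAuth(processTemplates, processYamlFunctions bool) bool {
	return processTemplates || processYamlFunctions
}

// resolveComponentAuthManager falls back to the parent when the guard is off or the resolver fails.
func (p *processor) resolveComponentAuthManager(component string) *AuthManager {
	if p.componentAuthManagerResolver == nil ||
		!shouldResolvePerComponentAuth(p.processTemplates, p.processYamlFunctions) {
		return p.parent
	}
	m, err := p.componentAuthManagerResolver(component)
	if err != nil || m == nil {
		return p.parent
	}
	return m
}

func main() {
	failing := func(string) (*AuthManager, error) { return nil, errors.New("constructed STS failure") }
	ok := func(c string) (*AuthManager, error) { return &AuthManager{Identity: "component:" + c}, nil }
	for _, f := range [][2]bool{{false, false}, {true, false}, {false, true}, {true, true}} {
		p := &processor{f[0], f[1], &AuthManager{Identity: "parent"}, ok}
		fmt.Printf("templates=%-5v functions=%-5v legacy=%-5v fixed=%-5v -> %s\n", f[0], f[1],
			legacyGuard(f[0], f[1]), shouldResolvePerComponentAuth(f[0], f[1]), p.resolveComponentAuthManager("vpc").Identity)
	}
	p := &processor{true, false, &AuthManager{Identity: "parent"}, failing}
	fmt.Println("resolver error ->", p.resolveComponentAuthManager("vpc").Identity)
}
```

The `templates=true functions=false` row is the template-only case from the notes: the legacy gate skips per-component auth there, the fixed gate does not.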

Document CI statuses configuration options @goruha (#2362)

what

  • Document CI statuses configuration options

why

  • Improve documentation

Summary by CodeRabbit

  • Documentation
    • Added docs and example configuration for new CI post-commit status summary options: component, add, change, and destroy (flags default to true in the example).
    • Clarified required permissions to enable these status checks (GitHub checks: write or a commit-status-scoped API token for GitLab).

🚀 Enhancements

test: increase test coverage in pkg/flags, pkg/filesystem, pkg/http, and pkg/function @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#2173)

  • [x] Explore all affected files
  • [x] internal/exec/stack_processor_utils_test.go: Convert hardcoded path strings to filepath.Join (both test functions)
  • [x] pkg/filesystem/export_test.go: Add trailing period to inline comment on line 35
  • [x] Build & test verification

Summary by CodeRabbit

  • New Features
    • Bounded, configurable glob-pattern cache (TTL, max entries, empty-result toggle) with runtime metrics exposed via /debug/vars
    • Safer GitHub auth handling with host allowlisting and Authorization stripping on cross-host redirects
  • Bug Fixes
    • Consistent non-nil empty-slice result for glob no-matches and improved cache correctness
  • Documentation
    • Added changelog and minimum Go toolchain guidance (go.mod → Go 1.26+)
  • Tests
    • Large suite of new tests across globbing, atomic writes, flags, and HTTP client
  • Chores
    • New test-race Makefile target (race detector + shuffled execution)
