#atmos (2024-01)
2024-01-03
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
What do you folks think about moving region
input variable to [providers.tf](http://providers.tf)
instead of in [variables.tf](http://variables.tf)
for upstream components ?
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
I figured it would be easier to keep [variables.tf](http://variables.tf)
specific for the component since region
seems more specific to [providers.tf](http://providers.tf)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I kind of like the idea. What do you think @Andriy Knysh (Cloud Posse) @Dan Miller (Cloud Posse)?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
It makes it easier to distribute the way we do with [context.tf](http://context.tf)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes, it makes it easier in almost all cases (some exceptions are when the other terraform resources besides the provider require a region, there are a few cases like that)
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Should we still deploy root components using the gbl
env or has that been replaced with the primary region?
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
I recall deploying account and account-map to gbl-root
but i want to deploy it to ue2-root
instead since gbl
isn’t a real region
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
gbl is a virtual region that signifies that the resources deployed to it are global in AWS
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
for gbl environment, we still have a real AWS region
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can set it to the region you need in the _globals.yaml
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
then for global-region, should the non-virtual region be set to the primary region OR the region that aws uses which is us-east-1
for things like iam roles, aws iam identity center, etc
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
vars:
region: us-east-2
environment: gbl
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
environment: gbl
is for you (and Atmos) to know that you are deploying global resources in AWS, e.g. S3 buckets and Route53 DNS zones
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
region: us-east-2
is for those terraform components that actually need an AWS region even if the resources are global, e.g. S3 buckets are global, but need an AWS region anyway
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so region: us-east-2
is your primary region
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
i dont fully understand the why but to keep consistency with the atmos/cp refarch, ill set my environment: gbl
’s region to the primary region and deploy the root components to the virtual region gbl
instead of the primary region directly.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
for those AWS resources that need a specific region, e.g. CloudFront in us-east-1
for SSL cert, then that special region is defined in the component itself
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Thanks Andriy for the additional context
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
so gbl
is just for people to distinguish the component that are global in AWS. You ran commands like atmos terraform apply account -s core-gbl-root
and you se that account
component is a global resource in AWS, it does not require a region
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can name gbl
whatever you want, it’s configurable in the same file
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
and obviously, you are not forced to use global region at all
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can deploy account
and DNS zones by executing atmos terraform apply account -s core-ue2-root
if you want
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
I know but im also afraid of hitting additional walls for my preference lol
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
gbl
is just a convention to tell people that those resources/components are global in AWS
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also, the resource IDs will have gbl
in them, so then you go to the AWS console and see something like acme-core-gbl-root-<my-resource-name>
, you know the resource with that ID is global in AWS
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
ya I like that the gbl
is in the name
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
the reason it claws at me is that i wonder if devs will accidentally deploy something in the global-region
file instead of the {region}
file because they think it’s global when it’s regional. I suppose more strict codeowners can help with that
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
I thought we did discuss removing the global region but my memory is failing me. It may have been considered but tossed because global-region is still valuable
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Use JSON Schema and OPA policies to validate Components.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can write policies to prevent any components to be deployed in the environments that you don’t want them in
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Use JSON Schema and OPA policies to validate Components.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
you can also combine the OPA policies with the overrides
functionality https://atmos.tools/core-concepts/components/overrides#use-case-overrides-for-teams
Use the ‘overrides’ pattern to modify component(s) configuration and behavior in the current scope.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
e.g. add tags to all components per Team, then write OPA policies to act on those tags
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
can we write an opa to allowlist select components to be deployed only in the global-region ?
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
that would probably solve it for me
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
yes, can be done (I can help)
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
thanks Andriy!
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
it’s actually very easy: we can create an OPA policy to check the environment
variable, and add the plicy to all components that need to be in the global region. If environment
is not gbl
, the policy will fail
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
something simple like this:
errors["the component can only be provisioned in the 'gbl' environment"] {
input.vars.environment != "gbl"
}
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
then add the file to the components that need to be in gbl
, similar to this:
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Atmos supports Atmos Manifests Validation and Atmos Components Validation
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
components:
terraform:
my-component:
metadata:
# Point to the Terraform component
component: my-component
settings:
# Validation
# Supports JSON Schema and OPA policies
# All validation steps must succeed to allow the component to be provisioned
validation:
check-my-component-with-opa-policy:
schema_type: opa
# 'schema_path' can be an absolute path or a path relative to 'schemas.opa.base_path' defined in `atmos.yaml`
schema_path: "my-component/validate-my-component.rego"
description: Check 'my-component' component configuration using OPA policy
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
i believe @Dan Miller (Cloud Posse) or @Ben Smith (Cloud Posse) might be proponents of dropping the gbl
convention, but do not recall where that led. They might be able to add more context. It’s been brought up more than once in our ARB calls.
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
@Ben Smith (Cloud Posse) had a customer where they completely removed the gbl
region, but personally I think we ~need~ should use the gbl
region for components that don’t have a region or are globally defined
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
so yes removing the gbl
region is supported, but for remote-state lookups in several components you’ll likely have to overwrite the given region/environment
2024-01-04
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Found atmos on the map https://anvaka.github.io/map-of-github
This website shows a map of GitHub. Each dot is a project. Two dots within the same cluster are usually close to each other if multiple users frequently gave stars to both projects
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Heh, “Powershell Land”
This website shows a map of GitHub. Each dot is a project. Two dots within the same cluster are usually close to each other if multiple users frequently gave stars to both projects
2024-01-05
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
There are a few vulnerabilities that can be patched and they pass tests. Can these be merged?
https://github.com/cloudposse/atmos/pull/484 https://github.com/cloudposse/atmos/pull/494 https://github.com/cloudposse/atmos/pull/499 https://github.com/cloudposse/atmos/pull/503
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
484 resolves a high issue and the others resolve a moderate one
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
All the prs have a label of no-release
so they will go out on the next code release if they are merged prior
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
484 we can merge (although we have a PR whcih updates all the deps and will be merged in a day or two)
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the rest are indirect deps - they will get updated when the main deps are updated by executing go mod tidy
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
they will be overridden next time we run the command
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
they are deps of the main deps modules
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
ah very nice
2024-01-06
2024-01-07
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
How do we tie aws-team
roles to aws-sso
roles? I don’t see how in the readme of those components
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Ah a similar thread here
So I could use some assistance with understanding the whole “aws-teams” “aws-teams-roles” and “aws-sso” components.. Currently I have an account created in my org that I would like to enable a set of users access to create aws resources in using atmos.. I have setup this group with the AdministratorAccess permissions set tied to the account in question.. My issue arises in how I configure them with the identity account’s roles which is what is used by atmos. Now I only want this team to have Admin access for this one account only. Suggestions as to how I could go about this?
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
I chatted with him yesterday
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
an aws-team
Team grants an aws-sso
Permission Set access by trusted_permission_sets
https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-teams/variables.tf#L18
trusted_permission_sets = list(string)
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
specifically, those Permission Sets are the “Identity-role-Team” permission sets, defined here with aws-sso
https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-sso/policy-Identity-role-TeamAccess.tf
# This file generates a permission set for each role specified in var.target_identity_roles
# which is named "Identity<Role>TeamAccess" and grants access to only that role,
# plus ViewOnly access because it is difficult to navigate without any access at all.
data "aws_iam_policy_document" "assume_aws_team" {
for_each = local.enabled ? var.aws_teams_accessible : []
statement {
sid = "RoleAssumeRole"
effect = "Allow"
actions = [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession",
]
resources = ["*"]
/* For future reference, this tag-based restriction also works, based on
the fact that we always tag our IAM roles with the "Name" tag.
This could be used to control access based on some other tag, like "Category",
so is left here as an example.
condition {
test = "ForAllValues:StringEquals"
variable = "iam:ResourceTag/Name" # "Name" is the Tag Key
values = [format("%s-%s", module.role_prefix.id, each.value)]
}
resources = [
# This allows/restricts access to only IAM roles, not users or SSO roles
format("arn:aws:iam::%s:role/*", local.identity_account)
]
*/
}
}
module "role_map" {
source = "../account-map/modules/roles-to-principals"
teams = var.aws_teams_accessible
privileged = var.privileged
context = module.this.context
}
locals {
identity_access_permission_sets = [for role in var.aws_teams_accessible : {
name = module.role_map.team_permission_set_name_map[role],
description = format("Allow user to assume the %s Team role in the Identity account, which allows access to other accounts", replace(title(role), "-", ""))
relay_state = "",
session_duration = "",
tags = {},
inline_policy = data.aws_iam_policy_document.assume_aws_team[role].json
policy_attachments = ["arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"]
customer_managed_policy_attachments = []
}]
}
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
for example
in aws-sso
, you could have:
components:
terraform:
aws-sso:
vars:
...
aws_teams_accessible:
- "developers"
in aws-teams
have
components:
terraform:
aws-teams:
vars:
teams_config:
...
developers:
<<: *user-template
role_description: "developers team"
role_policy_arns:
- team_role_access
trusted_teams:
- admin
trusted_permission_sets: [ "IdentityDevelopersAccess" ]
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
the tricky part is that the list elements defined in aws_teams_accessible
are formatted into the “IdentityXAccess” string. In above, that would be developers
formatted to be IdentityDevelopersAccess
![Dan Miller (Cloud Posse) avatar](https://avatars.slack-edge.com/2021-08-12/2389147782305_5729c9d69c393852d209_72.jpg)
formatting comes from roles-to-principals here https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-sso/policy-Identity-role-TeamAccess.tf#L41-L48
module "role_map" {
source = "../account-map/modules/roles-to-principals"
teams = var.aws_teams_accessible
privileged = var.privileged
context = module.this.context
}
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
2024-01-08
![Aayush Harwani avatar](https://secure.gravatar.com/avatar/7e27bcc676021f2c94d0c099801ded39.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
while following this tutorial (https://atmos.tools/tutorials/first-aws-environment) I faced this issue - ✗ . [none] (HOST) 03-first-aws-environment ⨠ bin/random-pet.sh bin/random-pet.sh: line 10: golang-petname: command not found
Please help me with this.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
please use https://atmos.tools/category/quick-start
Take 30 minutes to learn the most important Atmos concepts.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
The Quick Start describes the configuration of this repo https://github.com/cloudposse/atmos/tree/master/examples/quick-start, which is a working/deployable example explaining how to start with Atmos
![Aayush Harwani avatar](https://secure.gravatar.com/avatar/7e27bcc676021f2c94d0c099801ded39.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
@Andriy Knysh (Cloud Posse) I tried quick-start also, but facing issue mentioned in screenshot. I am not able to find how to give providers and backend from stack configuration and can’t find anything in doc also regarding this.
![Aayush Harwani avatar](https://secure.gravatar.com/avatar/7e27bcc676021f2c94d0c099801ded39.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
please help me in resolving this.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Aayush Harwani please see this doc for how to configure TF backend with Atmos https://atmos.tools/quick-start/configure-terraform-backend/
In the previous steps, we’ve configured the vpc-flow-logs-bucket and vpc Terraform components to be provisioned into three AWS accounts
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
btw, we’ve updated the docs and the quick start example, see https://atmos.tools/category/quick-start
Take 30 minutes to learn the most important Atmos concepts.
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
also take a look at https://atmos.tools/design-patterns/
Atmos Design Patterns. Elements of Reusable Infrastructure Configuration
![Aayush Harwani avatar](https://secure.gravatar.com/avatar/7e27bcc676021f2c94d0c099801ded39.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
Thanks for helping out
2024-01-09
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@jose.amengual @RB updated docs fro atmos GHA
Updated docs for atmos GHA
• https://atmos.tools/integrations/github-actions/atmos-terraform-plan
• https://atmos.tools/integrations/github-actions/atmos-terraform-apply
• https://atmos.tools/integrations/github-actions/atmos-terraform-drift-detection
The Cloud Posse GitHub Action for “Atmos Terraform Plan” simplifies provisioning Terraform from within GitHub using workflows. Understand precisely what to expect from running a terraform plan from directly within the GitHub UI for any Pull Request.
The Cloud Posse GitHub Action for “Atmos Terraform Apply” simplifies provisioning Terraform entirely within GitHub Action workflows. It makes it very easy to understand exactly what happened directly within the GitHub UI.
The Cloud Posse GitHub Action for “Atmos Terraform Drift Detection” and “Atmos Terraform Drift Remediation” define a scalable pattern for detecting and remediating Terraform drift from within GitHub using workflows and Issues. “Atmos Terraform Drift Detection” will determine drifted Terraform state by running Atmos Terraform Plan and creating GitHub Issues for any drifted component and stack. Furthermore, “Atmos Terraform Drift Remediation” will run Atmos Terraform Apply for any open Issue if called and close the given Issue. With these two actions, we can fully support drift detection for Terraform directly within the GitHub UI.
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Thanks, I’ll check these out
The Cloud Posse GitHub Action for “Atmos Terraform Plan” simplifies provisioning Terraform from within GitHub using workflows. Understand precisely what to expect from running a terraform plan from directly within the GitHub UI for any Pull Request.
The Cloud Posse GitHub Action for “Atmos Terraform Apply” simplifies provisioning Terraform entirely within GitHub Action workflows. It makes it very easy to understand exactly what happened directly within the GitHub UI.
The Cloud Posse GitHub Action for “Atmos Terraform Drift Detection” and “Atmos Terraform Drift Remediation” define a scalable pattern for detecting and remediating Terraform drift from within GitHub using workflows and Issues. “Atmos Terraform Drift Detection” will determine drifted Terraform state by running Atmos Terraform Plan and creating GitHub Issues for any drifted component and stack. Furthermore, “Atmos Terraform Drift Remediation” will run Atmos Terraform Apply for any open Issue if called and close the given Issue. With these two actions, we can fully support drift detection for Terraform directly within the GitHub UI.
![jose.amengual avatar](https://secure.gravatar.com/avatar/32f267b819eac9e0ea6a8324b53064a0.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0024-72.png)
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.53.0 what
Update Atmos Manifest JSON Schema
https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json
Improve Atmos vendoring
https://atmos.tools/core-concepts/vendoring/ https://atmos.tools/cli/commands/vendor/pull/
Add…
what
Update Atmos Manifest JSON Schema
https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json
Improve Atmos vendoring
https://atmos.tools/core-concepts/vendoring/ https://a…
Use Atmos vendoring to make copies of 3rd-party components, stacks, and other artifacts in your own repo.
Use this command to pull sources and mixins from remote repositories for Terraform and Helmfile components and stacks.
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.53.0 what
Update Atmos Manifest JSON Schema
https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json
Improve Atmos vendoring
https://atmos.tools/core-concepts/vendoring/ https://atmos.tools/cli/commands/vendor/pull/
Add…
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
Atmos Design Patterns. Elements of Reusable Infrastructure Configuration
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
![Hans D avatar](https://secure.gravatar.com/avatar/4f534e0b78001931f441c8011a95edeb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0000-72.png)
seeing some familiar pieces …
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
2024-01-10
2024-01-11
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Could this security update get reviewed for circl
dependency ?
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
This resolves a high severity issue
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
i’ve merged the PR
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
this is actually not how it works in Go
, those are the deps of the deps
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
the main deps need to be updated by the authors
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
otherwise, they will be overridden every time we run go mod tidy
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Thanks for merging Andriy.
I cloned master
branch and ran go mod tidy
and updated neithergo.mod
nor go.sum
files
2024-01-12
2024-01-13
![Matt Gowie avatar](https://avatars.slack-edge.com/2023-02-06/4762019351860_44dadfaff89f62cba646_72.jpg)
@Andriy Knysh (Cloud Posse) FYI – I just went to upgrade atmos, got your latest and great release maybe a minute after you pushed it out by chance, and hit this issue: https://github.com/cloudposse/atmos/issues/509
Describe the Bug
Latest release did not include all packages
CleanShot 2024-01-13 at 20 34 09@2x
Expected Behavior
Expect packages to exist so I can install.
Steps to Reproduce
- Try install atmos v1.54.0 via aqua
Screenshots
N/A
Environment
N/A
Additional Context
No response
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
we’ve been updating to GH Enterprise, and I believe this is an issue with the GH token during the transition. We’ll look into that
Describe the Bug
Latest release did not include all packages
CleanShot 2024-01-13 at 20 34 09@2x
Expected Behavior
Expect packages to exist so I can install.
Steps to Reproduce
- Try install atmos v1.54.0 via aqua
Screenshots
N/A
Environment
N/A
Additional Context
No response
![Andriy Knysh (Cloud Posse) avatar](https://avatars.slack-edge.com/2018-06-13/382332470551_54ed1a5d986e2068fd9c_72.jpg)
@Matt Gowie this was fixed https://github.com/cloudposse/atmos/releases/tag/v1.54.0
![Matt Gowie avatar](https://avatars.slack-edge.com/2023-02-06/4762019351860_44dadfaff89f62cba646_72.jpg)
Awesome — thanks Andriy!
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.54.0 what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
Detect the error exit code from the executed command and exit with that exit code Minor fixes and improvements in the docs
why
Detect the error exit code from…
what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
D…
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
2024-01-14
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.54.0 what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
Detect the error exit code from the executed command and exit with that exit code Minor fixes and improvements in the docs
why
Detect the error exit code from…
what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
D…
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
2024-01-15
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
I saw that spacelift has Gruntworks’ terragrunt native support (Jul 2023).
Is there native support for CloudPosse’s atmos on the roadmap?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Nope… although with Terragrunt, it required changes to Spacelift. With atmos, we run in Spacelift using vanilla terraform using our components for spacelift.
I saw that spacelift has Gruntworks’ terragrunt native support (Jul 2023).
Is there native support for CloudPosse’s atmos on the roadmap?
![mike186 avatar](https://secure.gravatar.com/avatar/6c971ef2ed2a42a9fa1048e63a16ce98.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0025-72.png)
as far as I’m concerned, atmos is natively supported on spacelift while you need to use custom settings to use gruntworks :)
According to spacelift we have ~1200 stacks (100% passing) and used more than 1.7 million minutes of atmos worker time including over 99k minutes of tracked runs over the last month. These are pretty typical monthly stats for us. Given that we run spacelift exclusively with atmos, every single stack, I very much feel like atmos is so completely, transparently, compatible and with Spacelift that Spacelift doesn’t need a setting for atmos.
![cool-doge](/assets/images/custom_emojis/cool-doge.gif)
![fiesta_parrot](/assets/images/custom_emojis/fiesta_parrot.gif)
![RB avatar](https://avatars.slack-edge.com/2020-02-26/958727689603_86844033e59114029b3c_72.png)
Oh wow. Thats a good screen cap for the spacelift module to prove out the module and spacelift’s scalability
![Matt Gowie avatar](https://avatars.slack-edge.com/2023-02-06/4762019351860_44dadfaff89f62cba646_72.jpg)
Glad to see this question come up!
My team and I were just discussing native Atmos support in Spacelift. The only thing that I see as non-native is the need for a custom image that has Atmos installed and the before_***
scripts around so they can be executed as those are required for Stacks to run successfully. We use our spacelift-atmos-runner for that purpose and were just discussing this topic in this PR.
I could see native support being a light lift to get added within Spacelift if they wanted to do so.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
I think Spacelift should support 2 modes of configuration. 1) the current terraform provider approach 2) a config file approach the way that every single modern CI/CD system works e.g. GitHub Actions (.github/workflows
), GitLab, CircleCI (.circleci
), Jenkins (Jenkinsfile
), Atlantis (atlantis.yml
), etc. If it supported the latter, we would just generate the native config from atmos configs.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Today, we support generating the atlantis.yml
from the Atmos stack configs.
2024-01-17
2024-01-18
2024-01-19
2024-01-21
2024-01-22
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.55.0 what
Add atmos describe workflows CLI command (https://atmos.tools/cli/commands/describe/workflows)
Update the –dry-run flag for atmos workflow CLI command
Add interactive UI for atmos workflow command (https://atmos.tools/cli/commands/workflow)
why
Use atmos describe workflows command to show all configured Atmos workflows…
what
Add atmos describe workflows CLI command (https://atmos.tools/cli/commands/describe/workflows)
Update the –dry-run flag for atmos workflow CLI command
Add interactive UI for atmos workf…
Use this command to show all configured Atmos workflows.
Use this command to perform sequential execution of atmos
and shell
commands defined as workflow steps.
2024-01-28
2024-01-29
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.56.0 what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Update demo tape
Update docs
why
Update workflows UX. Allow selecting a…
what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/comma…
Use this command to perform sequential execution of atmos
and shell
commands defined as workflow steps.
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
This brings some snazzy branding to atmos.
what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/comma…
Use this command to perform sequential execution of atmos
and shell
commands defined as workflow steps.
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
2024-01-30
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.56.1 what
Update demo.tape
why
Showcase the latest Atmos features introduced in https://github.com/cloudposse/atmos/releases/tag/v1.56.0
what
Update demo.tape
why
Showcase the latest Atmos features introduced in https://github.com/cloudposse/atmos/releases/tag/v1.56.0
what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/comma…
![Release notes from atmos avatar](https://a.slack-edge.com/80588/img/services/rss_72.png)
v1.56.1 what
Update demo.tape
why
Showcase the latest Atmos features introduced in https://github.com/cloudposse/atmos/releases/tag/v1.56.0
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)