#atmos (2024-01)
2024-01-03
What do you folks think about moving region
input variable to [providers.tf](http://providers.tf)
instead of in [variables.tf](http://variables.tf)
for upstream components ?
I figured it would be easier to keep [variables.tf](http://variables.tf)
specific for the component since region
seems more specific to [providers.tf](http://providers.tf)
I kind of like the idea. What do you think @Andriy Knysh (Cloud Posse) @Dan Miller (Cloud Posse)?
It makes it easier to distribute the way we do with [context.tf](http://context.tf)
yes, it makes it easier in almost all cases (some exceptions are when the other terraform resources besides the provider require a region, there are a few cases like that)
Should we still deploy root components using the gbl
env or has that been replaced with the primary region?
I recall deploying account and account-map to gbl-root
but i want to deploy it to ue2-root
instead since gbl
isn’t a real region
gbl is a virtual region that signifies that the resources deployed to it are global in AWS
for gbl environment, we still have a real AWS region
you can set it to the region you need in the _globals.yaml
then for global-region, should the non-virtual region be set to the primary region OR the region that aws uses which is us-east-1
for things like iam roles, aws iam identity center, etc
vars:
region: us-east-2
environment: gbl
environment: gbl
is for you (and Atmos) to know that you are deploying global resources in AWS, e.g. S3 buckets and Route53 DNS zones
region: us-east-2
is for those terraform components that actually need an AWS region even if the resources are global, e.g. S3 buckets are global, but need an AWS region anyway
so region: us-east-2
is your primary region
i dont fully understand the why but to keep consistency with the atmos/cp refarch, ill set my environment: gbl
’s region to the primary region and deploy the root components to the virtual region gbl
instead of the primary region directly.
for those AWS resources that need a specific region, e.g. CloudFront in us-east-1
for SSL cert, then that special region is defined in the component itself
Thanks Andriy for the additional context
so gbl
is just for people to distinguish the component that are global in AWS. You ran commands like atmos terraform apply account -s core-gbl-root
and you se that account
component is a global resource in AWS, it does not require a region
you can name gbl
whatever you want, it’s configurable in the same file
and obviously, you are not forced to use global region at all
you can deploy account
and DNS zones by executing atmos terraform apply account -s core-ue2-root
if you want
I know but im also afraid of hitting additional walls for my preference lol
gbl
is just a convention to tell people that those resources/components are global in AWS
also, the resource IDs will have gbl
in them, so then you go to the AWS console and see something like acme-core-gbl-root-<my-resource-name>
, you know the resource with that ID is global in AWS
ya I like that the gbl
is in the name
the reason it claws at me is that i wonder if devs will accidentally deploy something in the global-region
file instead of the {region}
file because they think it’s global when it’s regional. I suppose more strict codeowners can help with that
I thought we did discuss removing the global region but my memory is failing me. It may have been considered but tossed because global-region is still valuable
Use JSON Schema and OPA policies to validate Components.
you can write policies to prevent any components to be deployed in the environments that you don’t want them in
Use JSON Schema and OPA policies to validate Components.
you can also combine the OPA policies with the overrides
functionality https://atmos.tools/core-concepts/components/overrides#use-case-overrides-for-teams
Use the ‘overrides’ pattern to modify component(s) configuration and behavior in the current scope.
e.g. add tags to all components per Team, then write OPA policies to act on those tags
can we write an opa to allowlist select components to be deployed only in the global-region ?
that would probably solve it for me
yes, can be done (I can help)
thanks Andriy!
it’s actually very easy: we can create an OPA policy to check the environment
variable, and add the plicy to all components that need to be in the global region. If environment
is not gbl
, the policy will fail
something simple like this:
errors["the component can only be provisioned in the 'gbl' environment"] {
input.vars.environment != "gbl"
}
then add the file to the components that need to be in gbl
, similar to this:
Atmos supports Atmos Manifests Validation and Atmos Components Validation
components:
terraform:
my-component:
metadata:
# Point to the Terraform component
component: my-component
settings:
# Validation
# Supports JSON Schema and OPA policies
# All validation steps must succeed to allow the component to be provisioned
validation:
check-my-component-with-opa-policy:
schema_type: opa
# 'schema_path' can be an absolute path or a path relative to 'schemas.opa.base_path' defined in `atmos.yaml`
schema_path: "my-component/validate-my-component.rego"
description: Check 'my-component' component configuration using OPA policy
i believe @Dan Miller (Cloud Posse) or @Ben Smith (Cloud Posse) might be proponents of dropping the gbl
convention, but do not recall where that led. They might be able to add more context. It’s been brought up more than once in our ARB calls.
@Ben Smith (Cloud Posse) had a customer where they completely removed the gbl
region, but personally I think we ~need~ should use the gbl
region for components that don’t have a region or are globally defined
so yes removing the gbl
region is supported, but for remote-state lookups in several components you’ll likely have to overwrite the given region/environment
2024-01-04
Found atmos on the map https://anvaka.github.io/map-of-github
This website shows a map of GitHub. Each dot is a project. Two dots within the same cluster are usually close to each other if multiple users frequently gave stars to both projects
Heh, “Powershell Land”
This website shows a map of GitHub. Each dot is a project. Two dots within the same cluster are usually close to each other if multiple users frequently gave stars to both projects
2024-01-05
There are a few vulnerabilities that can be patched and they pass tests. Can these be merged?
https://github.com/cloudposse/atmos/pull/484 https://github.com/cloudposse/atmos/pull/494 https://github.com/cloudposse/atmos/pull/499 https://github.com/cloudposse/atmos/pull/503
484 resolves a high issue and the others resolve a moderate one
All the prs have a label of no-release
so they will go out on the next code release if they are merged prior
484 we can merge (although we have a PR whcih updates all the deps and will be merged in a day or two)
the rest are indirect deps - they will get updated when the main deps are updated by executing go mod tidy
they will be overridden next time we run the command
they are deps of the main deps modules
ah very nice
2024-01-06
2024-01-07
How do we tie aws-team
roles to aws-sso
roles? I don’t see how in the readme of those components
Ah a similar thread here
So I could use some assistance with understanding the whole “aws-teams” “aws-teams-roles” and “aws-sso” components.. Currently I have an account created in my org that I would like to enable a set of users access to create aws resources in using atmos.. I have setup this group with the AdministratorAccess permissions set tied to the account in question.. My issue arises in how I configure them with the identity account’s roles which is what is used by atmos. Now I only want this team to have Admin access for this one account only. Suggestions as to how I could go about this?
I chatted with him yesterday
an aws-team
Team grants an aws-sso
Permission Set access by trusted_permission_sets
https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-teams/variables.tf#L18
trusted_permission_sets = list(string)
specifically, those Permission Sets are the “Identity-role-Team” permission sets, defined here with aws-sso
https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-sso/policy-Identity-role-TeamAccess.tf
# This file generates a permission set for each role specified in var.target_identity_roles
# which is named "Identity<Role>TeamAccess" and grants access to only that role,
# plus ViewOnly access because it is difficult to navigate without any access at all.
data "aws_iam_policy_document" "assume_aws_team" {
for_each = local.enabled ? var.aws_teams_accessible : []
statement {
sid = "RoleAssumeRole"
effect = "Allow"
actions = [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession",
]
resources = ["*"]
/* For future reference, this tag-based restriction also works, based on
the fact that we always tag our IAM roles with the "Name" tag.
This could be used to control access based on some other tag, like "Category",
so is left here as an example.
condition {
test = "ForAllValues:StringEquals"
variable = "iam:ResourceTag/Name" # "Name" is the Tag Key
values = [format("%s-%s", module.role_prefix.id, each.value)]
}
resources = [
# This allows/restricts access to only IAM roles, not users or SSO roles
format("arn:aws:iam::%s:role/*", local.identity_account)
]
*/
}
}
module "role_map" {
source = "../account-map/modules/roles-to-principals"
teams = var.aws_teams_accessible
privileged = var.privileged
context = module.this.context
}
locals {
identity_access_permission_sets = [for role in var.aws_teams_accessible : {
name = module.role_map.team_permission_set_name_map[role],
description = format("Allow user to assume the %s Team role in the Identity account, which allows access to other accounts", replace(title(role), "-", ""))
relay_state = "",
session_duration = "",
tags = {},
inline_policy = data.aws_iam_policy_document.assume_aws_team[role].json
policy_attachments = ["arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"]
customer_managed_policy_attachments = []
}]
}
for example
in aws-sso
, you could have:
components:
terraform:
aws-sso:
vars:
...
aws_teams_accessible:
- "developers"
in aws-teams
have
components:
terraform:
aws-teams:
vars:
teams_config:
...
developers:
<<: *user-template
role_description: "developers team"
role_policy_arns:
- team_role_access
trusted_teams:
- admin
trusted_permission_sets: [ "IdentityDevelopersAccess" ]
the tricky part is that the list elements defined in aws_teams_accessible
are formatted into the “IdentityXAccess” string. In above, that would be developers
formatted to be IdentityDevelopersAccess
formatting comes from roles-to-principals here https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-sso/policy-Identity-role-TeamAccess.tf#L41-L48
module "role_map" {
source = "../account-map/modules/roles-to-principals"
teams = var.aws_teams_accessible
privileged = var.privileged
context = module.this.context
}
2024-01-08
while following this tutorial (https://atmos.tools/tutorials/first-aws-environment) I faced this issue - ✗ . [none] (HOST) 03-first-aws-environment ⨠ bin/random-pet.sh bin/random-pet.sh: line 10: golang-petname: command not found
Please help me with this.
please use https://atmos.tools/category/quick-start
Take 30 minutes to learn the most important Atmos concepts.
The Quick Start describes the configuration of this repo https://github.com/cloudposse/atmos/tree/master/examples/quick-start, which is a working/deployable example explaining how to start with Atmos
@Andriy Knysh (Cloud Posse) I tried quick-start also, but facing issue mentioned in screenshot. I am not able to find how to give providers and backend from stack configuration and can’t find anything in doc also regarding this.
please help me in resolving this.
@Aayush Harwani please see this doc for how to configure TF backend with Atmos https://atmos.tools/quick-start/configure-terraform-backend/
In the previous steps, we’ve configured the vpc-flow-logs-bucket and vpc Terraform components to be provisioned into three AWS accounts
btw, we’ve updated the docs and the quick start example, see https://atmos.tools/category/quick-start
Take 30 minutes to learn the most important Atmos concepts.
also take a look at https://atmos.tools/design-patterns/
Atmos Design Patterns. Elements of Reusable Infrastructure Configuration
Thanks for helping out
2024-01-09
@jose.amengual @RB updated docs fro atmos GHA
Updated docs for atmos GHA
• https://atmos.tools/integrations/github-actions/atmos-terraform-plan
• https://atmos.tools/integrations/github-actions/atmos-terraform-apply
• https://atmos.tools/integrations/github-actions/atmos-terraform-drift-detection
The Cloud Posse GitHub Action for “Atmos Terraform Plan” simplifies provisioning Terraform from within GitHub using workflows. Understand precisely what to expect from running a terraform plan from directly within the GitHub UI for any Pull Request.
The Cloud Posse GitHub Action for “Atmos Terraform Apply” simplifies provisioning Terraform entirely within GitHub Action workflows. It makes it very easy to understand exactly what happened directly within the GitHub UI.
The Cloud Posse GitHub Action for “Atmos Terraform Drift Detection” and “Atmos Terraform Drift Remediation” define a scalable pattern for detecting and remediating Terraform drift from within GitHub using workflows and Issues. “Atmos Terraform Drift Detection” will determine drifted Terraform state by running Atmos Terraform Plan and creating GitHub Issues for any drifted component and stack. Furthermore, “Atmos Terraform Drift Remediation” will run Atmos Terraform Apply for any open Issue if called and close the given Issue. With these two actions, we can fully support drift detection for Terraform directly within the GitHub UI.
Thanks, I’ll check these out
The Cloud Posse GitHub Action for “Atmos Terraform Plan” simplifies provisioning Terraform from within GitHub using workflows. Understand precisely what to expect from running a terraform plan from directly within the GitHub UI for any Pull Request.
The Cloud Posse GitHub Action for “Atmos Terraform Apply” simplifies provisioning Terraform entirely within GitHub Action workflows. It makes it very easy to understand exactly what happened directly within the GitHub UI.
The Cloud Posse GitHub Action for “Atmos Terraform Drift Detection” and “Atmos Terraform Drift Remediation” define a scalable pattern for detecting and remediating Terraform drift from within GitHub using workflows and Issues. “Atmos Terraform Drift Detection” will determine drifted Terraform state by running Atmos Terraform Plan and creating GitHub Issues for any drifted component and stack. Furthermore, “Atmos Terraform Drift Remediation” will run Atmos Terraform Apply for any open Issue if called and close the given Issue. With these two actions, we can fully support drift detection for Terraform directly within the GitHub UI.
v1.53.0 what
Update Atmos Manifest JSON Schema
https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json
Improve Atmos vendoring
https://atmos.tools/core-concepts/vendoring/ https://atmos.tools/cli/commands/vendor/pull/
Add…
what
Update Atmos Manifest JSON Schema
https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json
Improve Atmos vendoring
https://atmos.tools/core-concepts/vendoring/ https://a…
Use Atmos vendoring to make copies of 3rd-party components, stacks, and other artifacts in your own repo.
Use this command to pull sources and mixins from remote repositories for Terraform and Helmfile components and stacks.
v1.53.0 what
Update Atmos Manifest JSON Schema
https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json
Improve Atmos vendoring
https://atmos.tools/core-concepts/vendoring/ https://atmos.tools/cli/commands/vendor/pull/
Add…
Atmos Design Patterns. Elements of Reusable Infrastructure Configuration
in response to https://factoryfactoryfactory.net/
Explaining what’s wrong with modern software development by allegory.
seeing some familiar pieces …
2024-01-10
2024-01-11
Could this security update get reviewed for circl
dependency ?
This resolves a high severity issue
i’ve merged the PR
this is actually not how it works in Go
, those are the deps of the deps
the main deps need to be updated by the authors
otherwise, they will be overridden every time we run go mod tidy
Thanks for merging Andriy.
I cloned master
branch and ran go mod tidy
and updated neithergo.mod
nor go.sum
files
2024-01-12
2024-01-13
@Andriy Knysh (Cloud Posse) FYI – I just went to upgrade atmos, got your latest and great release maybe a minute after you pushed it out by chance, and hit this issue: https://github.com/cloudposse/atmos/issues/509
Describe the Bug
Latest release did not include all packages
CleanShot 2024-01-13 at 20 34 09@2x
Expected Behavior
Expect packages to exist so I can install.
Steps to Reproduce
- Try install atmos v1.54.0 via aqua
Screenshots
N/A
Environment
N/A
Additional Context
No response
we’ve been updating to GH Enterprise, and I believe this is an issue with the GH token during the transition. We’ll look into that
Describe the Bug
Latest release did not include all packages
CleanShot 2024-01-13 at 20 34 09@2x
Expected Behavior
Expect packages to exist so I can install.
Steps to Reproduce
- Try install atmos v1.54.0 via aqua
Screenshots
N/A
Environment
N/A
Additional Context
No response
@Matt Gowie this was fixed https://github.com/cloudposse/atmos/releases/tag/v1.54.0
Awesome — thanks Andriy!
v1.54.0 what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
Detect the error exit code from the executed command and exit with that exit code Minor fixes and improvements in the docs
why
Detect the error exit code from…
what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
D…
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
2024-01-14
v1.54.0 what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
Detect the error exit code from the executed command and exit with that exit code Minor fixes and improvements in the docs
why
Detect the error exit code from…
what
Atmos UX for atmos and atmos help CLI commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Other fixes and improvements to the atmos CLI and the docs:
D…
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
2024-01-15
I saw that spacelift has Gruntworks’ terragrunt native support (Jul 2023).
Is there native support for CloudPosse’s atmos on the roadmap?
Nope… although with Terragrunt, it required changes to Spacelift. With atmos, we run in Spacelift using vanilla terraform using our components for spacelift.
I saw that spacelift has Gruntworks’ terragrunt native support (Jul 2023).
Is there native support for CloudPosse’s atmos on the roadmap?
as far as I’m concerned, atmos is natively supported on spacelift while you need to use custom settings to use gruntworks :)
According to spacelift we have ~1200 stacks (100% passing) and used more than 1.7 million minutes of atmos worker time including over 99k minutes of tracked runs over the last month. These are pretty typical monthly stats for us. Given that we run spacelift exclusively with atmos, every single stack, I very much feel like atmos is so completely, transparently, compatible and with Spacelift that Spacelift doesn’t need a setting for atmos.
Oh wow. Thats a good screen cap for the spacelift module to prove out the module and spacelift’s scalability
Glad to see this question come up!
My team and I were just discussing native Atmos support in Spacelift. The only thing that I see as non-native is the need for a custom image that has Atmos installed and the before_***
scripts around so they can be executed as those are required for Stacks to run successfully. We use our spacelift-atmos-runner for that purpose and were just discussing this topic in this PR.
I could see native support being a light lift to get added within Spacelift if they wanted to do so.
I think Spacelift should support 2 modes of configuration. 1) the current terraform provider approach 2) a config file approach the way that every single modern CI/CD system works e.g. GitHub Actions (.github/workflows
), GitLab, CircleCI (.circleci
), Jenkins (Jenkinsfile
), Atlantis (atlantis.yml
), etc. If it supported the latter, we would just generate the native config from atmos configs.
Today, we support generating the atlantis.yml
from the Atmos stack configs.
2024-01-17
2024-01-18
2024-01-19
2024-01-21
2024-01-22
v1.55.0 what
Add atmos describe workflows CLI command (https://atmos.tools/cli/commands/describe/workflows)
Update the –dry-run flag for atmos workflow CLI command
Add interactive UI for atmos workflow command (https://atmos.tools/cli/commands/workflow)
why
Use atmos describe workflows command to show all configured Atmos workflows…
what
Add atmos describe workflows CLI command (https://atmos.tools/cli/commands/describe/workflows)
Update the –dry-run flag for atmos workflow CLI command
Add interactive UI for atmos workf…
Use this command to show all configured Atmos workflows.
Use this command to perform sequential execution of atmos
and shell
commands defined as workflow steps.
2024-01-28
2024-01-29
v1.56.0 what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/commands/help
Update demo tape
Update docs
why
Update workflows UX. Allow selecting a…
what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/comma…
Use this command to perform sequential execution of atmos
and shell
commands defined as workflow steps.
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
This brings some snazzy branding to atmos.
what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/comma…
Use this command to perform sequential execution of atmos
and shell
commands defined as workflow steps.
This command starts an interactive UI to select an Atmos command, component and stack. Press “Enter” to execute the command
Usage
2024-01-30
v1.56.1 what
Update demo.tape
why
Showcase the latest Atmos features introduced in https://github.com/cloudposse/atmos/releases/tag/v1.56.0
what
Update demo.tape
why
Showcase the latest Atmos features introduced in https://github.com/cloudposse/atmos/releases/tag/v1.56.0
what
Update workflows UX
https://atmos.tools/cli/commands/workflow
Update atmos, atmos –help and atmos version commands
https://atmos.tools/cli/commands/atmos https://atmos.tools/cli/comma…
v1.56.1 what
Update demo.tape
why
Showcase the latest Atmos features introduced in https://github.com/cloudposse/atmos/releases/tag/v1.56.0