#atmos (2024-10)
2024-10-01
hey I’m debuging some template and I notice that atmos is not updating correctly the error dose it cache the template result? if so is there a way to clear this?
@Andriy Knysh (Cloud Posse)
@Miguel Zablah Atmos caches the results of the atmos.Component functions only for the same component and stack, and only for one command execution. If you run atmos terraform ... again, it will not use the cached results anymore
Thanks it looks like I had an error on another file that is why I though it was maybe cache, thanks!
I’m having an issue, I’m using atmos to autogenerate the backend. I’m getting a Error: Backend configuration changed. I am not quite, as I don’t see Atmos making the backend
hmm atmos terraform generate backend is not making backend files, Any tips?
run validate stacks to see if you have a wrong yaml
all successful
and make sure the base_path is correct, and atmos cli can find the atmos.yaml
for backends to be auto-generated, you need to configure the following:
- In
atmos.yamlcomponents: terraform: # Can also be set using `ATMOS_COMPONENTS_TERRAFORM_AUTO_GENERATE_BACKEND_FILE` ENV var, or `--auto-generate-backend-file` command-line argument auto_generate_backend_file: true
• Configure the backend in YAML https://atmos.tools/quick-start/advanced/configure-terraform-backend/#configure-terraform-s3-backend-with-atmos
you need to have this config
terraform:
backend_type: s3
backend:
s3:
acl: "bucket-owner-full-control"
encrypt: true
bucket: "your-s3-bucket-name"
dynamodb_table: "your-dynamodb-table-name"
key: "terraform.tfstate"
region: "your-aws-region"
role_arn: "arn:aws:iam::<your account ID>:role/<IAM Role with permissions to access the Terraform backend>"
in the defaults for the Org (e.g. in stacks/orgs/acme/_defaults.yaml) if you have one backend for the entire Org
What is strange it was working, this is the error.
atmos terraform generate backend wazuh -s dev –logs-level debug template: all-atmos-sections35: executing “all-atmos-sections” at <atmos.Component>: error calling Component: exit status 1
Error: Backend configuration changed
A change in the backend configuration has been detected, which may require migrating existing state.
If you wish to attempt automatic migration of the state, use “terraform init -migrate-state”. If you wish to store the current configuration with no changes to the state, use “terraform init -reconfigure”.
try to remove the .terraform folder and run it again
Same error with the .terraform folder removed
Ahh ran with log_level trace, and found the issue
what was the issue?
The component had references for var in other components
removed .terraform in those other components
TY for trace
I should make a script to just clean-slate all those .terraform directories
Ya, we should have that as a built in command.
@Dennis DeMarco for now, instead of a script add a custom command to atmos
2024-10-02
Hi! I’m having an issue with this workflow:
cloudposse/github-action-atmos-affected-stacks
where it will do a plan for all stacks even when I got some disable stacks on the CI/CD and since one of the components is dependent of another it fails with.
I get the same error when running this locally:
atmos describe affected --include-settings=false --verbose=true
is there a way to skip a stack or mark it as ignore?
this is the error:
template: describe-stacks-all-sections:74:26: executing "describe-stacks-all-sections" at <concat ((atmos.Component "vpc" .stack).outputs.vpc_private_subnets) ((atmos.Component "vpc" .stack).outputs.vpc_public_subnets)>: error calling concat: runtime error: invalid memory address or nil pointer dereference
it’s complaining about this concat I do:
'{{ concat ((atmos.Component "vpc" .stack).outputs.vpc_private_subnets | default (list)) ((atmos.Component "vpc" .stack).outputs.vpc_public_subnets | default (list)) | toRawJson }}'
but this works when vpc is apply but since this stack is not being uses at the moment it fails
any idea how to fix this?
@Igor Rodionov
@Andriy Knysh (Cloud Posse)
@Miguel Zablah by “disabled component” do you mean you set enabled: false for it?
Yes
i see the issue. We’ll review and update it in the next Atmos release
That will be awesome since this is a blocker for us now
@Andriy Knysh (Cloud Posse) any ETL on this?
Hi @Miguel Zablah We don’t have an ETA yet. But should be soon
we’ll try to do it in the next few days
thanks!!
2024-10-03
Good morning, I’m new here but looks like a great community. I’ve been using various Cloud Posse modules for terraform for a while but am now trying to set up a new AWS account from scratch to learn the patterns for the higher level setup. I’ve run into a problem and am hoping for some help. I feel like its probably just a setting somewhere but for the life of me I can’t find it.
So I have been working through the Cold Start and have gotten through the account setup successfully but running the account-map commands is resulting in errors. I’ll walk through the steps I’ve tried in case my tweaks have confused the root issue… For reference, I am using all the latest versions of the various components mentioned and pulled them in again just before posting this.
- When I first ran the
atmos terraform deploy account-map -s core-gbl-rootcommand, I got an error that it was unable to find a stack file in the/stacks/orgsfolder. That was fine as I wasn’t using that folder but in the error message, it was clear that it was using a defaultatmos.yaml(this one) that includesorgs/**/*in theinclude_pathsand not the one that I have been using on my machine. I’ve spent a long time trying to get it to use my local yaml and finally gave up and just added an empty file in theorgsfolder to get passed that error. Then I get to a new error… - Now if I run the
planforaccount-mapI get what looks like a correct full plan and then a new error at the end:╷ │ Error: │ Could not find the component 'account' in the stack 'core-gbl-root'. │ Check that all the context variables are correctly defined in the stack manifests. │ Are the component and stack names correct? Did you forget an import? │ │ │ with module.accounts.data.utils_component_config.config[0], │ on .terraform/modules/accounts/modules/remote-state/main.tf line 1, in data "utils_component_config" "config": │ 1: data "utils_component_config" "config" { │ ╵ exit status 1If I run
atmos validate component account -s core-gbl-rootI get successful validations and the same with validatingaccount-map.
I’ve tried deleting the .terraform folders from both the accounts and account-map components and re-run the applies but get the same thing.
I’ve run with both Debug and Trace logs and am not seeing anything that points to where this error may be coming from.
I’ve been at this for hours yesterday and a few more hours this morning and decided it was time to seek some help.
Thanks for any advice!
@Andriy Knysh (Cloud Posse) @Jeremy G (Cloud Posse) @Dan Miller (Cloud Posse)
I think it could be related to the path of your atmos.yaml file, since you deal with remote-state and terraform-provider-utils Terraform provider. Check this: https://atmos.tools/quick-start/simple/configure-cli/#config-file-location
I thought it might be that but it is clearly registering my atmos.yaml file as it is in the main directory of my repo and i’ve found atmos to respond to settings there (such as the include/exclude paths and log levels) but the other terraform providers aren’t picking it up. (EDIT! Just saw the bit at the bottom… exploring now)
@Drew Fulton Terraform executes the provider code from the component directory (e.g. components/terraform/my-component). We don’t want to put atmos.yaml into each component directory, so we put it into one of the known places (as described in the doc) or we can use ENV vars, so both Atmos binary and the provider binary can find it
Got it! Is there a best practice for selecting where to put it to prevent duplication?
for Docker containers (geodesic is one of them), we put it in rootfs/usr/local/etc/atmos/atmos.yaml in the repo, and then in the Dockerfile we do
COPY rootfs/ /
so inside the container, it will be in usr/local/etc/atmos/atmos.yaml, which is a know path to Atmos and the provider
hi all, am fresh new to atmos. And i was quite mind blown why i have not discover this tool yet while still figuring my way into the documentation, I have a question about the components and stacks.
If i as an ops engineer were to create and standardise my own component in a repository to store all the standard “libraries” of components. Is it advisable if the stacks, and atmos.yaml be in a separate repository ?
Meaning, for a developer will only need to declare the various component inside a stacks folder of their own project’s repository. Like only need to write yaml files and not needing to deal/write terraform code.
We then during execution have a github workflow that clones the core component repository into the project repository, and then complete the infra related deployment. is that something supported ?
Yes, centrally defined components is best for larger organizations that might have multiple infrastructure repositories
However, it can also be burdensome when iterating quickly to have to push all changes via an upstream component git component registry
yeah, thanks for the input. We’re not a large organization, there will be some trade off we’ll have to consider, if we try to limit the devs to only work with yaml. Still early stages of exploring the capabilities of atmos.
2024-10-04
atlantis integration question, I have this config in atmos.yaml
project_templates:
project-1:
# generate a project entry for each component in every stack
name: "{tenant}-{stage}-{environment}-{component}"
workspace: "{workspace}"
dir: "./components/terraform/{component}"
terraform_version: v1.6.3
delete_source_branch_on_merge: true
plan_requirements: [undiverged]
apply_requirements: [mergeable,undiverged]
autoplan:
enabled: true
when_modified:
- '**/*.tf'
- "varfiles/{tenant}-{stage}-{environment}-{component}.tfvars.json"
- "backends/{tenant}-{stage}-{environment}-{component}.tf"
the plan_requirements field doesn’t seem to have any effect on the generated atlantis.yaml
there is a lot of options recently added that atmos might now recognize
although
plan_requirements: [undiverged]
apply_requirements: [mergeable,undiverged]
I think they can only be declared in the server side repo config repo.yaml
mmm no, they can can be declared in the atlantis.yaml
FYI is not recommended to allow users to override workflows, so it is much safer to configure workflows and repo options on the server side config and leave the atlantis.yaml as simple as possible
Yeah it make sense to have these values in server side repo config… I was trying some test scenarios and encountered the issue. in related question, the field ‘when_modified’ in atlantis.yaml .. I was trying to find some documentation about how it determines the modified files, just determined on if the file is modified in the PR?
file modified in the PR yes
is a regex used for autoplan
@jose.amengual another issue I am running in to with atlantis Have a question about the ‘when_modified’ field in the repo level config, we are using dynamic repo config generation and in the same way generating the var files for the project. The var files are not commited to the git repo, since it’s not commited I beleive the when_modified causes an issue by not planning the project. Removing the when_modified field from config doesn’t seem to help becuase of the default values. Do we have way to ignore this field and just plan the projects, regardless of modified file in the project
2024-10-05
trying to create a super simple example of atmos + cloudposse/modules to see if they will work for our needs. I’m using the s3-bucket but when I do a plan on it.. it prints out the terraform plan but that shows
│ Error: failed to find a match for the import '/opt/test/components/terraform/s3-bucket/stacks/orgs/**/*.yaml' ('/opt/test/components/terraform/s3-bucket/stacks/orgs' + '**/*.yaml')
I can’t make heads or tails of this error.. there are no stacks/orgs under the s3-bucket module when I pulled it in with atmos vendor pull
Thanks in advance
please DM me your config, i’ll review it
2024-10-06
Continuing from my understanding of the design pattern. Base on this screenshot. Can i ask few questions:
- The infrastructure repository holds all the atmos components, stacks, modules ?
- The application repository only requires to write the taskdef.json for deployment into ECS ?
- If there are additional infrastructure the application needs, example s3, dynamodb … etc. The approach is to get the developer to write a PR to the infrastructure repository first with the necessary “stack” information, prior to performing any application type deployment ?
Yes, they would open a PR and add the necessary components to the stack configuration.
…and prior to performing any application deployment that depends on it.
Cool, i think i begin to have clearer understanding on the Atmos mindset … thnks !!
2024-10-07
2024-10-08
I just now tried something that seemed to work. Since I’m using the “{stage}” name pattern inside atmos.yaml, I set a “vars.stage: dev” inside my dev.yaml stack file and it seemed to do the trick. Is this a correct pattern? Thanks!
@Andriy Knysh (Cloud Posse)
2024-10-09
Hey, on a setup like this:
import:
- catalog/keycloak/defaults
components:
terraform:
keycloak_route53_zones:
vars:
zones:
"[redacted]":
comment: "zone made for the keycloak sso"
keycloak_acm:
vars:
domain_name: [redacted]
zone_id: '{{ (atmos.Component "keycloak_route53_zones" .stack).outputs.zone_id }}'
My keycloak_acm component is failing to actually get the output of the one above it. Am I doing this fundamentally wrongly? The defaults.yaml being imported looks like this:
components:
terraform:
keycloak_route53_zones:
backend:
s3:
workspace_key_prefix: keycloak-route53-zones
metadata:
component: route53-zones
keycloak_acm:
backend:
s3:
workspace_key_prefix: keycloak-acm
metadata:
component: acm
depends_on:
- keycloak_route53_zones
Can you confirm that you see a valid zone_id as a terraform output of keycloak_route53_zones
and please make sure the component is provisioned
atmos.Component calls terraform output, so it must be in the state already
atmos terraform output keycloak_route53_zones -s aws-dev-us-east-1
gives me
zone_id = {
"redacted" = "redacted"
}
which is redacted but it is the zone subdomain as key and the id as value
aha, so it’s returning a map for the zone id
ah!
so I guess it should be
zone_id: '{{ (atmos.Component "keycloak_route53_zones" .stack).outputs.zone_id.value }}'
value is not correct
you should get the value by the map key using Go templates
{{ index .YourMap "yourKey" }}
zone_id: '{{ index (atmos.Component "keycloak_route53_zones" .stack).outputs.zone_id "<key>" }}'
there the key is the "redacted" in your example
It didn’t seem to work and for this case I just passed the zone id directly (like the actual value from the output). The error was that terraform complained that it should be less than 32 characters, which means that terraform understood my go template as an actual string and not a template. I run it with atmos terraform apply component -s stack after a successful plan creation
I passed the value directly because I don’t think the zone id will change in the future, but for other components this might be an issue for me. Maybe I should run it differently? I set the value exactly as suggested by Andriy
please send me your yaml config, i’ll take a look
Sure!
2024-10-10
Hello, me again……. component setting are arbitrary keys?
settings:
pepe:
does-not-like-sushi: true
can I do that?
yes
settings is a free form map
its the same as vars, but free form, participates in all the inheritance, meaning you can define it globally, per stack, per base component, per component, and then everything gets deep merged into the final map
Is there a way to inherit metadata for all components without having to create an abstract component? something that all component should have
imagine if this was added to something like atmos.yaml and CODEOWNERS only allow very few people to modify it
like having Sec rules for all components
no, metadata is not inherited, it’s per component
ok
because in metadata you specify all the base components for your component
Hi :wave: calling for help with configuring gcs backend. I’m bootstraping a GCP organization. I have a module that created a seed project with initial bits, including gcs bucket that I would like to use for storing tfstate files. I’ve run atmos configured with local tf backend for the init.
Now I’d like to move my backend from local to the bucket and move from there. I’ve added bucket configuration to _defaults.yaml for my org:
backend_type: gcs
backend:
gcs:
bucket: "bucket_name"
Unfortunately atmos says that this bucket doesn’t exist, despite I have copied a test file into the bucket
╷
│ Error: Error inspecting states in the "local" backend:
│ querying Cloud Storage failed: storage: bucket doesn't exist
Note that atmos never uses this backend. We generate a backend.tf.json file used by terraform
Could it be a GCP permissions issue
I am a organisation admin, have full access to the bucket, and besides Ive tested access to the bucket itself with cli.
Based on your screenshot the YAML is invalid.
the hint is it’s trying to use a “local” backend type.
terraform:
backend_type: gcs
backend:
gcs:
bucket: "tf-state"
Note in your YAML above, the whitespace is off
Terraform is attempting to use this: https://developer.hashicorp.com/terraform/language/backend/local
which indicates that the backend type is not getting set
Thanks Erik. I’ve double checked again everything.
I’ve tried to delete backend.tt.json file, disable auto_generate_backend_file and after that added backend configuration directly into module - same result.
That got me thinking something is not right with auth into GCP. Re-logged again with gcloud auth application-default login and now state is migrated into the bucket. Honestly no idea, I’ve logged in multiple times this day already. Even before posting here
maybe this is the kind of tax for changing whole workflow to atmos
can I vendor all the components using vendor.yaml? or do I have to set every component that I want to vendor?
@jose.amengual from where you want to vendor all the components?
from my iac repo
to another repo ( using atmos)
let me check
I did this :
apiVersion: atmos/v1
kind: AtmosVendorConfig
metadata:
name: iac-vendoring
description: Atmos vendoring manifest for Atmos-iac repo
spec:
# Import other vendor manifests, if necessary
imports: []
sources:
- source: "github.com/jamengual/pepe-iac.git/"
#version: "main"
targets:
- "./"
included_paths:
- "**/components/**"
- "**/*.md"
- "**/stacks/sandbox/**"
I was able to vendor components just fine
but not sandbox stack files for some reason
you need to add another item for the stacks folder separately
that’s how the glob lib that we are using works
we don’t like it and will revisit it, but currently it’s what it is
you mean something like :
sources:
- source: "github.com/jamengua/pepe-iac.git/"
#version: "main"
targets:
- "./"
included_paths:
- "**/components/**"
- "**/*.md"
- source: "github.com/jamengual/pepe-iac.git/"
#version: "main"
targets:
- "./stacks/sandbox/"
included_paths:
- "stacks/sandbox/*.yaml"
included_paths:
- "**/components/**"
- "**/*.md"
- "**/stacks/**"
- "**/stacks/sandbox/**"
try this ^
so this pulled all the stacks
- "**/stacks/**"
but it looks like I can’t pull a specific subfolder
hmm, so this "**/stacks/sandbox/**" does not work?
no
i guess you can use
- "**/stacks/**"
- "**/stacks/sandbox/**"
and exclude the other stacks in excluded_paths:
I could do that….but it makes it not very DRY
can you verbose the pull command?
atmos vendor pull --verbose
atmos vendor pull --verbose
Error: unknown flag: --verbose
Usage:
atmos vendor pull [flags]
Flags:
-c, --component string Only vendor the specified component: atmos vendor pull --component <component>
--dry-run atmos vendor pull --component <component> --dry-run
-h, --help help for pull
-s, --stack string Only vendor the specified stack: atmos vendor pull --stack <stack>
--tags string Only vendor the components that have the specified tags: atmos vendor pull --tags=dev,test
-t, --type string atmos vendor pull --component <component> --type=terraform|helmfile (default "terraform")
Global Flags:
--logs-file string The file to write Atmos logs to. Logs can be written to any file or any standard file descriptor, including '/dev/stdout', '/dev/stderr' and '/dev/null' (default "/dev/stdout")
--logs-level string Logs level. Supported log levels are Trace, Debug, Info, Warning, Off. If the log level is set to Off, Atmos will not log any messages (default "Info")
--redirect-stderr string File descriptor to redirect 'stderr' to. Errors can be redirected to any file or any standard file descriptor (including '/dev/null'): atmos <command> --redirect-stderr /dev/stdout
unknown flag: --verbose
goroutine 1 [running]:
runtime/debug.Stack()
runtime/debug/stack.go:26 +0x64
runtime/debug.PrintStack()
runtime/debug/stack.go:18 +0x1c
github.com/cloudposse/atmos/pkg/utils.LogError({0x10524c0c0, 0x140003edf10})
github.com/cloudposse/atmos/pkg/utils/log_utils.go:61 +0x18c
github.com/cloudposse/atmos/pkg/utils.LogErrorAndExit({0x10524c0c0, 0x140003edf10})
github.com/cloudposse/atmos/pkg/utils/log_utils.go:35 +0x30
main.main()
github.com/cloudposse/atmos/main.go:11 +0x24
Atmos 1.88.1 on darwin/arm64
oh sorry, try
ATMOS_LOGS_LEVEL=Trace atmos vendor pull
@jose.amengual also check out this example for using YAML anchors in vendor.yaml to DRY it up
https://github.com/cloudposse/atmos/blob/main/examples/demo-component-versions/vendor.yaml#L10-L20
could you pass an ENV variable as a value inside of the yaml?
like
excluded_paths:
- "**/production/**"
- "${EXCLUDE_PATHS}"
- "${EXCLUDE_PATH_2}"
- "${EXCLUDE_PATH_3}"
currently not, env vars in vendor.yaml are not supported
ok, Thanks guys
2024-10-11
what’s the best way to distinguish between custom components and vendored components from cloudposse?
I was thinking
Option 1) a unique namespace via a separate dir
e.g.
# cloudposse components
components/terraform
# internal components
components/terraform/internal
Option 2) a unique namespace via a prefix
# upstream component
components/terraform/ecr
# internal component
components/terraform/internal-ecr
Option 3) Unique key in component.yaml and enforce this file in all components
Option 4) Vendor internal components from an internal repo
This way the source will contain the other org instead of cloudposse so that can be used to distinguish
We’re actually looking into something imilar to this right now related to our refarch stack configs
For stack configs we’ve settled on stacks/vendor/cloudposse
For components, I would maybe suggest
components/vendor/cloudposse
The alternative is a top-level folder like vendor/cloudposse
which could contain stacks and components.
Thats for stack configs, what about terraform components ? Or do you think it would be for both stack configs and terraform components?
What our team dose this:
Vendor: components/terraform/vendor/{provider, ej. cloudposse}
Internal: components/terraform/{cloudProvider, Ej. AWS}/{componentName, Ej. VPC}
Thats for stack configs, what about terraform components ?
https://sweetops.slack.com/archives/C031919U8A0/p1728683594309549?thread_ts=1728675666.706109&cid=C031919U8A0ß
https://sweetops.slack.com/archives/C031919U8A0/p1728683609704999?thread_ts=1728675666.706109&cid=C031919U8A0
@burnzy is this working for you? https://github.com/cloudposse/terraform-yaml-stack-config/pull/95 @Jeremy G (Cloud Posse) is looking into something similar and we’ll likely get this merged. Sorry it fell through the cracks.
is it possible to vendor pull from a different repo?
I have my vendor.yaml
apiVersion: atmos/v1
kind: AtmosVendorConfig
metadata:
name: iac-vendoring
description: Atmos vendoring manifest for Atmos-iac repo
spec:
imports: []
sources:
- source: "<https://x-access-token>:${{ secrets.TOKEN }}@github.com/PEPE/pepe-iac.git"
#version: "main"
targets:
- "./"
included_paths:
- "**/components/**"
- "**/*.md"
- "**/stacks/**"
excluded_paths:
- "**/production/**"
I tried git:// but then tried to use ssh git, and this is running from a reusable action
I tried this locally and it works but in my local I have a ssh-config
if I run git clone using that url it clones just fine
I’m hitting this error on the go-git library now
// <https://github.com/go-git/go-git/blob/master/worktree.go>
func (w *Worktree) getModuleStatus() (Status, error) {
// ...
if w.r.ModulesPath == "" {
return nil, ErrModuleNotInitialized
}
if !filepath.IsAbs(w.r.ModulesPath) {
return nil, errors.New("relative paths require a module with a pwd")
}
// ...
}
I do not know if this is because vendir sources on http are not compatible with git?
2024-10-12
