atmos
134720,123
👽️
c0rey2 days ago
Hey everyone! Wondering if anyone else has seen this behavior:
We noticed that after a recent update to
The install path changed from
Workaround: Setting
Are we missing a configuration step for the wrapper, or is this a known issue with the latest release? Happy to provide workflow snippets or run logs if helpful. Thanks!
We noticed that after a recent update to
cloudposse/github-action-setup-atmos@v3, our atmos terraform deploy and atmos terraform apply commands in GitHub Actions started completing instantly (0 seconds, exit code 0) with no terraform output — no init, no plan, no apply.The install path changed from
/home/runner/work/_actions/cloudposse/github-action-setup-atmos/atmos to /opt/hostedtoolcache/atmos-wrapper/1.222.0/x64. Actions runs using the old path on July 3 worked fine (5-minute deploys); runs using the new wrapper path on July 4+ silently no-op.Workaround: Setting
install-wrapper: "false" resolves it — deploy commands run terraform as expected.Are we missing a configuration step for the wrapper, or is this a known issue with the latest release? Happy to provide workflow snippets or run logs if helpful. Thanks!
Zack2 days ago(edited)
@Erik Osterman (Cloud Posse) Do you know if you can set authentication for an oci JIT source component? Or if it's documented somewhere specific? Specifically a
terraform.$component.source.uriJuan Aguero4 days ago
so sick !


Maksym Vlasov5 days ago
Hi. Can you look into github.com/cloudposse/atmos/issues/2376 bug? It still exist in 1.222.0
Brandon10 days ago
Hello, I ran into an issue with Native CI in JIT vendored components, added a bug report for it: github.com/cloudposse/atmos/issues/2684
Basically if you source a component direct from github to use directly, and specify a workdir, the native ci planfile logic looks in the wrong spot for the planfile
Basically if you source a component direct from github to use directly, and specify a workdir, the native ci planfile logic looks in the wrong spot for the planfile
Bart Palmowski10 days ago
Hi, do you accept issues made by AI? I found a bug it seems and made codex to file the bug report here: github.com/cloudposse/atmos/issues/2680
Paavo Pokkinen13 days ago
Is there some command to apply all components in a specific stack? All flag applies all components in all stacks, not specific one.
Nick Dunn17 days ago
Hey, team. I think there might be a documentation snafu.
Here in the Native CI docs, it shows an example of how one can set up Github OIDC auth. This did not work. Atmos complained that the profile was not valid.
Fortunately,
Here in the Native CI docs, it shows an example of how one can set up Github OIDC auth. This did not work. Atmos complained that the profile was not valid.
auth:
providers:
github-oidc:
kind: github/oidc
region: us-east-1
identities:
plat-dev/terraform:
provider: github-oidc
role_arn: arn:aws:iam::111122223333:role/atmos-terraform
default: true # Use this identity unless a component overrides itFortunately,
atmos auth validate was pretty helpful and suggested useful changes, which I was later able to confirm in the more thorough auth section in the Atmos docs. I would humbly suggest that the example for the Native CI section should look something like this.auth:
providers:
github-oidc:
kind: github/oidc
region: us-east-1
spec:
audience: <http://sts.amazonaws.com|sts.amazonaws.com>
identities:
plat-dev/terraform:
kind: aws/assume-role
via:
provider: github-oidc
principal:
assume_role: arn:aws:iam::111122223333:role/atmos-terraform
default: true # Use this identity unless a component overrides itNick Dunn18 days ago(edited)
Hey, everyone. Random unimportant question.
I think I know the answer, considering the obvious focus of Atmos and Atmos Pro using Github/Gitlab. But I'm curious. Has the team ever considered a Kubernetes Operator approach similar to tofu-controller or burrito? We've been using Atmos for some time now, but we're also a heavy Kubernetes + ArgoCD shop. So, naturally, I found the approach intriguing.
I think I know the answer, considering the obvious focus of Atmos and Atmos Pro using Github/Gitlab. But I'm curious. Has the team ever considered a Kubernetes Operator approach similar to tofu-controller or burrito? We've been using Atmos for some time now, but we're also a heavy Kubernetes + ArgoCD shop. So, naturally, I found the approach intriguing.
Brandon21 days ago
hello, anyone able to confirm if planfile artifact storage to gh artifacts has been implemented as of v1.221.1?
erik22 days ago
We've published a media kit for atmos! If you've wanted some atmos logos, we got 'em.
https://atmos.tools/media-kit
https://atmos.tools/media-kit
Brian25 days ago(edited)
I’m looking forward to Atmos secrets management. We use Sealed Secrets for our application layer since everything runs on Kubernetes. Managing secrets as code makes deployments much more portable across regions and accounts.
However, for our infrastructure layer, secrets are stored in Secure SSM Parameters and Secrets Manager. The lack of portability has become a small pain point when managing a DR region, so I’ve been considering a move to SOPS. After another practice run of our DR runbook last week, I’m definitely making the switch soon. The timing of Atmos secrets management with SOPS support couldn’t have come at a better time.
However, for our infrastructure layer, secrets are stored in Secure SSM Parameters and Secrets Manager. The lack of portability has become a small pain point when managing a DR region, so I’ve been considering a move to SOPS. After another practice run of our DR runbook last week, I’m definitely making the switch soon. The timing of Atmos secrets management with SOPS support couldn’t have come at a better time.
Alexandre Feblot25 days ago
Btw, it's a really minor issue, but
I've had to make it available this way:
atmos ai skill does not support vscode natively, as it expect skills in some specific folders.I've had to make it available this way:
cd <my VScode workspace>
atmos ai skill install cloudposse/atmos -y --force
mkdir -p .github/skills && for d in ~/.atmos/skills/cloudposse/atmos/*/; do ln -sfn "$d" ".github/skills/$(basename "$d")"; doneerik27 days ago
I recorded a 20-minute overview of the Atmos Changelog covering all of the latest features that have come out over the past month.
https://us02web.zoom.us/clips/share/tQmxbpnfQxGWs-bpWl4sAA
• Atmos Git for GitOps — Manage repositories as first-class Atmos resources; clone, diff, commit, push, and publish generated artifacts through lifecycle hooks.
• Secrets Management — Declare component secret dependencies and manage secrets natively in Atmos.
• CI Caching — Cache toolchains, providers, modules, vendored components, and remote imports to accelerate local and CI runs.
• Terraform Registry Cache(Experimental) — Cache providers and modules for faster, reproducible, and more resilient builds.
• Terraform/OpenTofu RC Management(Experimental) — Define CLI runtime configuration in
• Terraform DAG Concurrency — Dependency-aware execution with concurrent planning and deterministic ordering.
• Interactive Workflows & Commands — 25+ interactive step types for building CLI wizards and guided workflows.
• Atmos Pro STS Tokens — Just-in-time GitHub tokens for CI access to private resources.
• Git Repository Metadata Functions — YAML functions exposing repository metadata.
•
• Install from Branches & Tags —
• Dotenv Support in
•
•
• ECR Public Authentication — Authenticated pulls from
https://atmos.tools/changelog
https://us02web.zoom.us/clips/share/tQmxbpnfQxGWs-bpWl4sAA
• Atmos Git for GitOps — Manage repositories as first-class Atmos resources; clone, diff, commit, push, and publish generated artifacts through lifecycle hooks.
• Secrets Management — Declare component secret dependencies and manage secrets natively in Atmos.
• CI Caching — Cache toolchains, providers, modules, vendored components, and remote imports to accelerate local and CI runs.
• Terraform Registry Cache(Experimental) — Cache providers and modules for faster, reproducible, and more resilient builds.
• Terraform/OpenTofu RC Management(Experimental) — Define CLI runtime configuration in
atmos.yaml; Atmos manages temporary RC files automatically.• Terraform DAG Concurrency — Dependency-aware execution with concurrent planning and deterministic ordering.
• Interactive Workflows & Commands — 25+ interactive step types for building CLI wizards and guided workflows.
• Atmos Pro STS Tokens — Just-in-time GitHub tokens for CI access to private resources.
• Git Repository Metadata Functions — YAML functions exposing repository metadata.
•
atmos.Resolve Template Function — Evaluate YAML functions inside templates.• Install from Branches & Tags —
--use-version supports Git refs directly.• Dotenv Support in
!include — Include .env files directly in YAML.•
!append YAML Function — Extend inherited lists.•
!unset YAML Function — Remove inherited configuration keys cleanly.• ECR Public Authentication — Authenticated pulls from
public.ecr.aws to avoid rate limits.https://atmos.tools/changelog
Brandon27 days ago
hello, we're trying to standardize on making every component declare a standard instance and a dr instance of said component. So under stacks/catalog/network/default.yaml for example, we'd declare our VPC twice referencing components/terraform/network as the component. Now under stacks/deploy/dev.yaml we import our stacks/catalog/network and in the dev.yaml, we'd like to be able to toggle that DR instance on or off. The idea is that every environment has to opt out of provisioning a DR environment. What approach would you recommend to address this? We've had trouble getting a variable passed over to the metadata.enabled because anything we pass gets converted to a string and enabled needs a bool
Thomas Spear27 days ago
Hi team, I recently started using the required_providers, required_version and providers atmos fields and wanted to share some findings and get a sense of whether I'm on the right track.
erikabout 1 month ago
In
1.221.0 you can now define your own custom components. https://atmos.tools/changelog/custom-component-typeserikabout 1 month ago
In atmos+pro, you can now mint short-lived narrowly scoped GitHub tokens that span repos. Think of it like AWS STS but for GitHub.
https://atmos-pro.com/changelog/2026-05-29-cross-repo-sts
This makes it trivial to read stack configs, source components, or really anything you do that needs a short-lived cross-repo token.
https://atmos-pro.com/changelog/2026-05-29-cross-repo-sts
This makes it trivial to read stack configs, source components, or really anything you do that needs a short-lived cross-repo token.
Paavo Pokkinenabout 1 month ago
I found some interesting design differences between my own GCP components vs. Cloud Posse AWS components. I designed my GCP components to always take explicit
Especially when tofu allows to use variables within provider blocks nowadays.
var.project_id , this concept of account_map is quite confusing. 😃Especially when tofu allows to use variables within provider blocks nowadays.
Matt Brownabout 1 month ago
is there an obvious way to exec/drop to a raw tty via a custom command? E.g. I'm trying to do something like:
but the exec seems to be within a subprocess itself, so doesn't replace atmos and the terminal gets all bunged up, most obviously if you try and Ctrl-C a command in the session, atmos itself takes teh Ctrl-C exits, and then the session ends with SIGPIPE 😞
Feels like a common need I would have thought, but I'm failing to find the right invocation in the docs...
commands:
name: ssh
steps:
- type: shell
output: raw
command: "exec aws ssm start-session --target {{ .Arguments.instance_id }}"but the exec seems to be within a subprocess itself, so doesn't replace atmos and the terminal gets all bunged up, most obviously if you try and Ctrl-C a command in the session, atmos itself takes teh Ctrl-C exits, and then the session ends with SIGPIPE 😞
Feels like a common need I would have thought, but I'm failing to find the right invocation in the docs...
Brianabout 1 month ago
Is
• https://atmos.tools/changelog/custom-commands-step-types
• https://atmos.tools/workflows#step-types
atmos interactive workflows released (v1.220.0)?• https://atmos.tools/changelog/custom-commands-step-types
• https://atmos.tools/workflows#step-types
Thomas Spearabout 1 month ago(edited)
Hi, is the atmos manifest schema updated with each release? I'm running 1.219.0 and I can see
Edit to clarify manifest schema, not json schema. I know I can comment out the schema from my atmos.yaml to bypass the error, but just curious how often is the online schema updated?
required_providers in the output from atmos describe stacks so I found the page mentioning this (a blog post) but can't seem to find anything in the actual documentation nor do I see the fields in the manifest schema, so after adding the providers as per the example, atmos describe stacks is tripping up because the stack yamls no longer validate against the manifest schema at https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.jsonEdit to clarify manifest schema, not json schema. I know I can comment out the schema from my atmos.yaml to bypass the error, but just curious how often is the online schema updated?
Miguel Zablahabout 1 month ago
Hey I have a question about
atmos toolchain on atmos release 1.220.0 there was an update to how the toolchain verifies downloaded packages, it now will do checksums and signature/attestations this is great but on the PR it mention that this should be no breaking but if the package only has checksums it will fail with 404 I believed this should be a warning unless this is intentionalerikabout 1 month ago
Coming to an atmos near you!
• Provider and Registry cache that works across all components
• Native GitHub Actions cache support (compatible with provider and registry cache and toolchain!)
• Custom Components (thanks @Ben Smith (Benbentwo) for validating)
• Native Secrets Management
• Provider and Registry cache that works across all components
• Native GitHub Actions cache support (compatible with provider and registry cache and toolchain!)
• Custom Components (thanks @Ben Smith (Benbentwo) for validating)
• Native Secrets Management
Yotaabout 1 month ago(edited)
Hello,
I finally took the time to test the command-adding feature. I added
I finally took the time to test the command-adding feature. I added
tflint, kics, trivy, checkov, and tfupdate in just a few lines. Atmos downloads the app and launches it in the right place. Really cool!Paavo Pokkinenabout 1 month ago
Can I combine yaml functions? I have some challenges passing JSON via !terraform.state, it gets turned into object, and I just want it as string.
erikabout 1 month ago(edited)
I'd like to give a massive shout out to @shirkevich for working closely with us to implement parallel/concurrent execution in Atmos. In the upcoming release, you can control concurrency of
e.g.
https://atmos.tools/changelog/terraform-dag-concurrency
--all and --affected for plan and apply operations.e.g.
atmos terraform plan --all -s prod --max-concurrency=4https://atmos.tools/changelog/terraform-dag-concurrency
Miguel Zablahabout 1 month ago
Hey guys
I have a question, Is there a way to filter out some global variables? for example I have configure region as a vars on the _defaults for the org but there is just 1 component where I will like to not pass that region to, is there a way to do this?
I have a question, Is there a way to filter out some global variables? for example I have configure region as a vars on the _defaults for the org but there is just 1 component where I will like to not pass that region to, is there a way to do this?
Josh Simmondsabout 1 month ago
With the recent shift toward native CI, and the deprecation of the GHAs (🥳 ) what's the current guidance for drift detection w/ native CI?
Nimrod Dicklerabout 1 month ago
Hey Guys,
I would like to know if support for aws secrets manager or encrypted params in param store is comming?
https://atmos.tools/stacks/sharing-state/stores
I would like to know if support for aws secrets manager or encrypted params in param store is comming?
https://atmos.tools/stacks/sharing-state/stores
erikabout 1 month ago
Upvote! https://www.reddit.com/r/Terraform/comments/1tr1hun/comment/oosbzmi/
(not sure who posted this, but thanks!)
(not sure who posted this, but thanks!)
Miguel Zablahabout 1 month ago
Hey!
I have open a new issue for ECR loging multiple times:
https://github.com/cloudposse/atmos/issues/2562
I have open a new issue for ECR loging multiple times:
https://github.com/cloudposse/atmos/issues/2562
Jan Ludvikabout 1 month ago
Hello, is there any way I can use variable in atlantis integration template? I don't want to add concept of
I tried workarounds with passing things like this but it didn't work
tenant or stage to our terraform when we have slightly different variables. Something like this: project_templates:
project-1:
name: "{{var.name}}-{{var.custom_name}}"I tried workarounds with passing things like this but it didn't work
vars:
custom_name: <value>
stage: {{ .vars.custom_name }}erikabout 1 month ago
For truly reproducible deployments, it would be… thats a good use case
RBabout 1 month ago
Is it fairly easy and recommended to start committing component terraform lockfiles using atmos?
erikabout 1 month ago
One of the annoying things about GitHub Actions is when you use the dynamic
There's a better way: https://atmos-pro.com/changelog/2026-05-29-commit-from-ci
GITHUB_TOKEN to commit files, those commits don't trigger github actions. If your workflows require checks to pass before merging, then you can't merge the PR. There a plenty of workarounds, all of them involve either managing your own GitHub App or creating a static PAT.There's a better way: https://atmos-pro.com/changelog/2026-05-29-commit-from-ci
Prashanth Dabout 1 month ago(edited)
support self-hosted Git hosts in describe affected
Please Review https://github.com/cloudposse/atmos/pull/2543
Please Review https://github.com/cloudposse/atmos/pull/2543
erikabout 2 months ago
Neat way to use Atmos Pro to review changes in a PR.
https://atmos-pro.com/changelog/2026-05-23-github-chatops
https://atmos-pro.com/changelog/2026-05-23-github-chatops
Alexandre Feblotabout 2 months ago
Using Atmos 1.220, one final change would be awesome to achieve what I'm at properly: Use local components for dev environments, while pinning these same components for prod environments. This allows to safely change component code in PR with impact only on dev, and restrict what affects prod to only the prod stack files and a prod catalog (see below) which can be protected by CODEOWNERS. This seems to be the only way to have dev and prod in the same repo while still allowing to vet dev changes with a usual GitHub PR approval process, while ensuring such changes can't change prod without a special approval enforced by the CODEOWNERS.
So, for each usual stacks/catalog/component/XXX.yaml, I also define:
stacks/catalog_prod/component/XXX.yaml as:
Those prod_components are the components imported by prod stacks.
The only remaining bit I'd like fixed is the hardcoded "v1.0.0" ref in the import line. I'd like to be able to use the same variable I use for the component source version, which is defined once, globally, for all components. Would that be possible anyhow?
So, for each usual stacks/catalog/component/XXX.yaml, I also define:
stacks/catalog_prod/component/XXX.yaml as:
import:
- <http://github.com/my-org/my-repo//stacks/catalog/XXX.yaml?ref=v1.0.0|github.com/my-org/my-repo//stacks/catalog/XXX.yaml?ref=v1.0.0> # ⚠️ TODO: use variable for git ref. unsupported yet
components:
terraform:
XXX/base:
source:
uri: <http://github.com/my-org/my-repo//components/terraform/XXX|github.com/my-org/my-repo//components/terraform/XXX>
version: "{{ .settings.context.deployment_repo_version }}"Those prod_components are the components imported by prod stacks.
The only remaining bit I'd like fixed is the hardcoded "v1.0.0" ref in the import line. I'd like to be able to use the same variable I use for the component source version, which is defined once, globally, for all components. Would that be possible anyhow?
erikabout 2 months ago
Anyone have experience with
https://github.com/cloudposse/atmos/pull/2534
Feedback welcome on this proposed enhancement to Atmos.
This does a few things
1. introduces a new
2. supports lifecycle hooks, so these can run automatically
3. supports passing your already configured backend for terraform to tfmigrate for idempotent migration
Why? Ever run into errors like this because a provider was deleted from the state? Migrations can help with that.
tfmigratehttps://github.com/cloudposse/atmos/pull/2534
Feedback welcome on this proposed enhancement to Atmos.
This does a few things
1. introduces a new
atmos terraform migrate command that calls tfmigrate2. supports lifecycle hooks, so these can run automatically
3. supports passing your already configured backend for terraform to tfmigrate for idempotent migration
Why? Ever run into errors like this because a provider was deleted from the state? Migrations can help with that.
Error: failed to read provider configuration schema for <http://registry.opentofu.org/cloudposse/template|registry.opentofu.org/cloudposse/template>: failed to instantiate provider "<http://registry.opentofu.org/cloudposse/template|registry.opentofu.org/cloudposse/template>" to obtain schema: unavailable provider "<http://registry.opentofu.org/cloudposse/template|registry.opentofu.org/cloudposse/template>"erikabout 2 months ago
Brandonabout 2 months ago
Hi there, can someone please clarify atmos vendors feature? It looks similar to the terrafrom/source block from terragrunt where terragrunt can pull the module from the registry/github at runtime and feed your values/inputs keeping your component directory folder clean in source control. However, it seems atmos needs an
atmos vendor pull run before I run plan/apply commands right?Brianabout 2 months ago(edited)
A sudo review of 2-4 steps. Only dependency were and . Rating: 9.5/10 ⭐️ .
atmos: Atmos Native CI is awesome. Great job @Erik Osterman (Cloud Posse) and team. To implement CI, it's basically two workflows (eg, tf plan, and tf apply) each with two jobs thats has 2 atmos jqAlexandre Feblotabout 2 months ago
Hi, Are you updating homebrew actively as part of your release process, or is homebrew pulling from your releases?
It's still referencing version 1.218 as the latest one. That's unusual, after 6 days.
https://formulae.brew.sh/formula/atmos#default
It's still referencing version 1.218 as the latest one. That's unusual, after 6 days.
https://formulae.brew.sh/formula/atmos#default
Jonathanabout 2 months ago(edited)
good morning, just submitted https://github.com/cloudposse/atmos/issues/2485 - let me know if there are any questions or concerns
Thomas Spearabout 2 months ago
11:10:02 Error
11:10:02
11:10:02 **Error:** Atmos manifest JSON Schema validation error in the file
11:10:02 'azure/eastus/prd/app-47.yaml': { "valid": false,
11:10:02 "errors": [ { "keywordLocation": "", "absoluteKeywordLocation":
11:10:02 "<https://json.schemastore.org/atmos-manifest.json#>", "instanceLocation": "",
11:10:02 "error": "doesn't validate with <https://json.schemastore.org/atmos->
11:10:02 manifest.json#" }, { "keywordLocation": "/type", "absoluteKeywordLocation":
11:10:02 "<https://json.schemastore.org/atmos-manifest.json#/type>", "instanceLocation":
11:10:02 "", "error": "expected object, but got null" } ] }This appears to happen while running
atmos describe stacks --process-templates=false when we have a json schema configured for any stack and atmos encounters a stack yaml that is fully commented outThomas Spearabout 2 months ago
https://atmos.tools/cli/configuration/ai/tools
Suggestion (new feature request)
We have our repo structured:
We'd like to configure the lowest environment so that ai has full permissions there but read only in dev and higher.
Suggestion (new feature request)
We have our repo structured:
components/
terraform/
stacks/
azure/
<region>/
<environment>/
<stack>.yamlWe'd like to configure the lowest environment so that ai has full permissions there but read only in dev and higher.
Dan Miller (tembo)about 2 months ago
has there been a change to user auth flow for
atmos auth login? Now I get a redirect to sign in in the browser rather than with my access keysZackabout 2 months ago
❓️ Is there a 15 minute builtin cooldown if atmos fails to download a source when JIT-ing?