fix: Enable YAML function authentication in terraform commands with --identity flag

NOTICE

@@ -163,7 +163,7 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/aws/aws-sdk-go-v2/service/ssm
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.66.4/service/ssm/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.67.0/service/ssm/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/service/sso
     License: Apache-2.0
@@ -732,7 +732,7 @@ BSD LICENSED DEPENDENCIES
 
   - golang.org/x/oauth2
     License: BSD-3-Clause
-    URL: https://cs.opensource.google/go/x/oauth2/+/v0.32.0:LICENSE
+    URL: https://cs.opensource.google/go/x/oauth2/+/v0.33.0:LICENSE
 
   - golang.org/x/sync
     License: BSD-3-Clause

cmd/describe.go

@@ -20,13 +20,12 @@ func init() {
 	// when processing YAML template functions (!terraform.state, !terraform.output).
 	// By default, all describe commands execute YAML functions and Go templates unless
 	// disabled with --process-functions=false or --process-templates=false flags.
-	describeCmd.PersistentFlags().StringP("identity", "i", "", "Specify the identity to authenticate to before describing. Use without value to interactively select.")
-
-	// Set NoOptDefVal to enable optional flag value for interactive identity selection.
-	// When --identity is used without a value, it will receive IdentityFlagSelectValue.
-	if identityFlag := describeCmd.PersistentFlags().Lookup("identity"); identityFlag != nil {
-		identityFlag.NoOptDefVal = IdentityFlagSelectValue
-	}
+	//
+	// NOTE: NoOptDefVal is NOT used here to avoid Cobra parsing issues with commands
+	// that have positional arguments. When NoOptDefVal is set and a space-separated value
+	// is used (--identity value), Cobra misinterprets the value as a subcommand/positional arg.
+	// Users should use --identity=select or similar for interactive selection.
+	describeCmd.PersistentFlags().StringP("identity", "i", "", "Specify the identity to authenticate with before describing")
 
 	// Register shell completion for identity flag.
 	AddIdentityCompletion(describeCmd)

cmd/identity_flag.go

@@ -1,18 +1,12 @@
 package cmd
 
 import (
-	"context"
-	"errors"
-	"fmt"
 	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
-	errUtils "github.com/cloudposse/atmos/errors"
 	"github.com/cloudposse/atmos/pkg/auth"
-	"github.com/cloudposse/atmos/pkg/auth/credentials"
-	"github.com/cloudposse/atmos/pkg/auth/validation"
 	cfg "github.com/cloudposse/atmos/pkg/config"
 	"github.com/cloudposse/atmos/pkg/schema"
 )
@@ -133,45 +127,12 @@ func extractIdentityFromArgs(args []string) string {
 // Returns nil if identityName is empty (no authentication requested).
 // Returns error if identityName is provided but auth is not configured in atmos.yaml.
 // This helper reduces nested complexity in describe commands.
+//
+// This function delegates to auth.CreateAndAuthenticateManager to ensure consistent
+// authentication behavior across CLI commands and internal execution logic.
 func CreateAuthManagerFromIdentity(
 	identityName string,
 	authConfig *schema.AuthConfig,
 ) (auth.AuthManager, error) {
-	if identityName == "" {
-		return nil, nil
-	}
-
-	// Check if auth is configured when --identity flag is provided.
-	if authConfig == nil || len(authConfig.Identities) == 0 {
-		return nil, fmt.Errorf("%w: the --identity flag requires authentication to be configured in atmos.yaml with at least one identity", errUtils.ErrAuthNotConfigured)
-	}
-
-	// Create a ConfigAndStacksInfo for the auth manager to populate with AuthContext.
-	authStackInfo := &schema.ConfigAndStacksInfo{
-		AuthContext: &schema.AuthContext{},
-	}
-
-	credStore := credentials.NewCredentialStore()
-	validator := validation.NewValidator()
-	authManager, err := auth.NewAuthManager(authConfig, credStore, validator, authStackInfo)
-	if err != nil {
-		return nil, errors.Join(errUtils.ErrFailedToInitializeAuthManager, err)
-	}
-
-	// Handle interactive selection.
-	forceSelect := identityName == IdentityFlagSelectValue
-	if forceSelect {
-		identityName, err = authManager.GetDefaultIdentity(forceSelect)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// Authenticate.
-	_, err = authManager.Authenticate(context.Background(), identityName)
-	if err != nil {
-		return nil, err
-	}
-
-	return authManager, nil
+	return auth.CreateAndAuthenticateManager(identityName, authConfig, IdentityFlagSelectValue)
 }

cmd/root.go

@@ -286,8 +286,10 @@ var RootCmd = &cobra.Command{
 	},
 }
 
-// setupLogger configures the global logger based on the provided Atmos configuration.
-func setupLogger(atmosConfig *schema.AtmosConfiguration) {
+// SetupLogger configures the global logger based on the provided Atmos configuration.
+//
+//nolint:revive,cyclop // Function complexity is acceptable for logger configuration.
+func SetupLogger(atmosConfig *schema.AtmosConfiguration) {
 	switch atmosConfig.Logs.Level {
 	case "Trace":
 		log.SetLevel(log.TraceLevel)
@@ -577,7 +579,7 @@ func Execute() error {
 	}
 
 	// Set the log level for the charmbracelet/log package based on the atmosConfig.
-	setupLogger(&atmosConfig)
+	SetupLogger(&atmosConfig)
 
 	var err error
 	// If CLI configuration was found, process its custom commands and command aliases.

cmd/root_test.go

@@ -162,7 +162,7 @@ func TestSetupLogger_TraceLevel(t *testing.T) {
 				},
 			}
 
-			setupLogger(cfg)
+			SetupLogger(cfg)
 			assert.Equal(t, tt.expectedLevel, log.GetLevel(),
 				"Expected level %v for config %q", tt.expectedLevel, tt.configLevel)
 		})
@@ -228,7 +228,7 @@ func TestSetupLogger_TraceVisibility(t *testing.T) {
 					Terminal: schema.Terminal{},
 				},
 			}
-			setupLogger(cfg)
+			SetupLogger(cfg)
 
 			// Test trace visibility.
 			buf.Reset()
@@ -281,7 +281,7 @@ func TestSetupLogger_TraceLevelFromEnvironment(t *testing.T) {
 			Terminal: schema.Terminal{},
 		},
 	}
-	setupLogger(cfg)
+	SetupLogger(cfg)
 
 	assert.Equal(t, log.TraceLevel, log.GetLevel(),
 		"Should set trace level from environment variable")
@@ -309,10 +309,10 @@ func TestSetupLogger_NoColorWithTraceLevel(t *testing.T) {
 	}
 
 	// Mock the IsColorEnabled to return false.
-	// Since we can't easily mock it, we'll just test that setupLogger doesn't panic.
+	// Since we can't easily mock it, we'll just test that SetupLogger doesn't panic.
 	assert.NotPanics(t, func() {
-		setupLogger(cfg)
-	}, "setupLogger should not panic with trace level and no color")
+		SetupLogger(cfg)
+	}, "SetupLogger should not panic with trace level and no color")
 
 	assert.Equal(t, log.TraceLevel, log.GetLevel(),
 		"Trace level should be set even with no color")