feat: export AWS_REGION from atmos auth env when configured #1955

Merged: aknysh merged 13 commits into main from osterman/auth-env-vars-research on Jan 24, 2026

@osterman
Member

@osterman osterman commented Jan 13, 2026

what

  • Export AWS_REGION and AWS_DEFAULT_REGION from the Environment() method of all AWS identities
  • Region is only exported when explicitly configured, not default fallback values
  • Enables external tools (aws cli, direct terraform, etc.) to access region after sourcing atmos auth env

why

When using atmos auth env to export credentials for external tools (aws cli, direct terraform runs), users also need access to the configured region. This completes the credential export for external tool usage.

Note: For atmos commands (atmos terraform plan, etc.), region is automatically injected - no sourcing required.

references

Related to auth environment variable configuration. Blog post and PRD documentation included.

Summary by CodeRabbit

Release Notes

  • New Features

    • AWS_REGION and AWS_DEFAULT_REGION environment variables now exported from atmos auth env when region is configured in identity settings
    • Azure Portal console access support added
  • Documentation

    • Updated profile structure to directory-based format
    • Enhanced authentication configuration documentation for multiple identity types
    • Clarified provider and identity configuration options
  • CLI Changes

    • profile-list command output simplified; removed TYPE column


@osterman osterman requested a review from a team as a code owner January 13, 2026 14:01
@github-actions github-actions bot added the size/l Large size PR label Jan 13, 2026
@osterman osterman force-pushed the osterman/auth-env-vars-research branch from d8c564a to 1a20655 Compare January 13, 2026 14:02
@github-actions

github-actions bot commented Jan 13, 2026

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

@github-actions

Warning

Release Documentation Required

This PR is labeled minor or major and requires documentation updates:

  • Changelog entry
  • Roadmap update - Update website/src/data/roadmap.js with the new milestone

Alternatively: If this change doesn't require release documentation, remove the minor or major label.

@coderabbitai
Contributor

coderabbitai bot commented Jan 13, 2026

Walkthrough

This PR introduces region resolution and environment export functionality across AWS identity types. A new AuthManager interface adds two methods (ResolvePrincipalSetting and ResolveProviderConfig) to enable identity chain traversal. AWS identities now export AWS_REGION and AWS_DEFAULT_REGION environment variables when region is explicitly configured, with supporting test mocks and comprehensive test coverage.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Interface and Manager Core | pkg/auth/types/interfaces.go, pkg/auth/types/mock_interfaces.go, pkg/auth/manager.go, pkg/auth/manager_test.go | Added ResolvePrincipalSetting and ResolveProviderConfig methods to AuthManager interface. Manager implementation traverses identity chains to resolve principal settings and provider configs. 184 lines of new tests covering resolution behavior across identity chains. |
| AWS Identity Region Resolution | pkg/auth/identities/aws/assume_role.go, pkg/auth/identities/aws/assume_root.go, pkg/auth/identities/aws/permission_set.go, pkg/auth/identities/aws/user.go | Added internal resolveRegion() helper to each identity type, determining region via manager chain traversal or fallback to cached/principal config. Environment() now conditionally exports AWS_REGION and AWS_DEFAULT_REGION when region is resolved. |
| AWS Identity Region Tests | pkg/auth/identities/aws/assume_role_test.go, pkg/auth/identities/aws/assume_root_test.go, pkg/auth/identities/aws/permission_set_extended_test.go, pkg/auth/identities/aws/user_test.go | Comprehensive test coverage for region handling: with/without region scenarios, manager nil vs. present, principal setting retrieval, provider config fallback, edge cases (empty string, non-string types). 573 lines added across all identity test files. |
| Test Mock Implementations | cmd/auth_console_test.go, pkg/auth/hooks_test.go, pkg/auth/providers/aws/saml_test.go, internal/exec/terraform_output_utils.go | Added ResolvePrincipalSetting and ResolveProviderConfig stub methods to multiple test mock types, returning (nil, false) to satisfy interface requirements without altering test behavior. |
| Auth Context Wrapper Tests | internal/exec/terraform_output_authcontext_wrapper_test.go | New tests verify wrapper's ResolvePrincipalSetting and ResolveProviderConfig methods return (nil, false), confirming no access to identity/provider configuration. |
| Schema and Documentation | docs/prd/aws-auth-file-isolation.md | AWSAuthContext struct now includes Region field. Documentation clarifies AWS_REGION and AWS_DEFAULT_REGION export behavior (only when region explicitly configured, no default fallback). |
| Integration Tests and Fixtures | tests/fixtures/scenarios/yaml-functions-in-lists/stacks/test-yaml-functions.yaml, tests/yaml_functions_integration_test.go, cmd/auth_integration_test.go | Added test fixture entry and integration test verifying stack configurations can reference AWS_REGION via !env function. Test assertion refactored to reference SupportedFormats constant. |
| CLI Documentation Updates | website/docs/cli/commands/auth/*.mdx, website/docs/cli/commands/profile/*.mdx, website/docs/cli/configuration/auth/*.mdx | Extensive doc updates: Azure Portal console access now supported, GCP coming soon. Profile documentation migrated to directory-based model only (removed inline profiles). Auth configuration examples updated with new identity types (AWS Assume Root, Azure Subscription) and per-profile file structure. |
| Profile Documentation | website/docs/cli/configuration/profiles.mdx | Clarified profiles are defined as directories containing configuration files (removed mention of inline profile support). |
| Roadmap and Blog | website/src/data/roadmap.js, website/blog/2026-01-12-auth-env-region-export.mdx | Roadmap progress updated to 85%. Added shipped milestones for "Azure Portal console access" and "AWS_REGION and AWS_DEFAULT_REGION export". New blog post documents region export feature, scenarios, and usage examples. |
| Minor Updates | errors/errors.go, internal/exec/packer.go, internal/exec/packer_output.go | Added ErrWriteFile error sentinel. Removed comment above packer component-locked check. Updated Packer manifest error message format. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Identity as AWS Identity<br/>(assume_role, etc)
    participant Manager as Auth Manager
    participant Chain as Identity Chain
    participant Provider as Provider Config

    Identity->>Identity: Environment() called
    Identity->>Identity: resolveRegion() invoked

    alt Manager is available
        Identity->>Manager: ResolvePrincipalSetting(name, "region")
        Manager->>Chain: Traverse identity chain backward
        Chain-->>Manager: Return principal setting or nil

        alt Principal setting found and non-empty
            Manager-->>Identity: Return region value
        else Principal setting not found
            Identity->>Manager: ResolveProviderConfig(name)
            Manager->>Chain: Get root provider from chain
            Chain-->>Manager: Return provider config
            Manager-->>Identity: Return provider region or nil
        end
    else Manager is nil
        Identity->>Identity: Fall back to cached region<br/>or principal config
    end

    Identity->>Identity: Set AWS_REGION and<br/>AWS_DEFAULT_REGION if resolved
    Identity-->>Identity: Return environment map
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

The changes introduce consistent region resolution patterns across multiple AWS identity types with moderate repetition, supplemented by comprehensive test coverage and documentation updates. While affecting many files, the logic patterns are similar across identity implementations, and test additions follow established mocking conventions. Documentation changes span varied content but don't alter functional logic.

Possibly related PRs

Suggested reviewers

  • osterman
  • milldr

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 20.69% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: exporting AWS_REGION from atmos auth env when configured, which is the core objective of this PR. |


Comment @coderabbitai help to get the list of available commands and usage tips.
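
The resolution order in the sequence diagram above, as an added Go example that is not code from the atmos repository. The `Manager`, `Identity` and `Provider` types, the `Via` field, the method signatures, `RegionEnv`, and the sample data are simplified assumptions; only the method names `ResolvePrincipalSetting`, `ResolveProviderConfig`, `resolveRegion` and the two variable names come from the page.

```go
package main

import "fmt"

// Provider and Identity are simplified stand-ins (assumptions), not the atmos schema.
type Provider struct{ Region string }
type Identity struct {
	Via       string         // parent identity in the chain; empty on the first link
	Provider  string         // root provider name; set on the first link only
	Principal map[string]any // free-form principal settings such as "region"
}

// Manager reuses two method names from the walkthrough; the signatures are assumptions.
type Manager struct {
	Identities map[string]Identity
	Providers  map[string]Provider
}

// walk visits the named identity, then each parent, until visit returns true,
// the chain ends, a name is unknown, or a cycle is detected.
func (m *Manager) walk(name string, visit func(Identity) bool) {
	seen := map[string]bool{}
	for name != "" && !seen[name] {
		seen[name] = true
		id, ok := m.Identities[name]
		if !ok || visit(id) {
			return
		}
		name = id.Via
	}
}

// ResolvePrincipalSetting returns the nearest principal setting for key.
func (m *Manager) ResolvePrincipalSetting(name, key string) (val any, found bool) {
	m.walk(name, func(id Identity) bool {
		val, found = id.Principal[key]
		return found
	})
	return val, found
}

// ResolveProviderConfig returns the provider at the root of the chain.
func (m *Manager) ResolveProviderConfig(name string) (p Provider, found bool) {
	m.walk(name, func(id Identity) bool {
		if id.Provider == "" {
			return false
		}
		p, found = m.Providers[id.Provider]
		return true
	})
	return p, found
}

// resolveRegion follows the diagram: principal setting, then provider config; with no
// manager it returns the cached value. Empty or non-string settings count as unset.
func resolveRegion(m *Manager, name, cached string) string {
	if m == nil {
		return cached
	}
	if v, ok := m.ResolvePrincipalSetting(name, "region"); ok {
		if s, isStr := v.(string); isStr && s != "" {
			return s
		}
	}
	if p, ok := m.ResolveProviderConfig(name); ok {
		return p.Region
	}
	return ""
}

// RegionEnv returns the region variables to export; empty when none is configured.
func RegionEnv(m *Manager, name, cached string) map[string]string {
	env := map[string]string{}
	if r := resolveRegion(m, name, cached); r != "" {
		env["AWS_REGION"] = r
		env["AWS_DEFAULT_REGION"] = r
	}
	return env
}

// sampleManager returns constructed sample data, not a real atmos configuration.
func sampleManager() *Manager {
	return &Manager{
		Providers: map[string]Provider{"sso": {Region: "us-east-1"}, "sso-plain": {}},
		Identities: map[string]Identity{
			"base":   {Provider: "sso"},
			"admin":  {Via: "base", Principal: map[string]any{"region": "eu-west-1"}},
			"reader": {Via: "base", Principal: map[string]any{"region": ""}},
			"odd":    {Via: "base", Principal: map[string]any{"region": 42}},
			"bare":   {Provider: "sso-plain"},
		},
	}
}

func main() {
	fmt.Println(RegionEnv(sampleManager(), "admin", ""), RegionEnv(nil, "admin", "ap-south-1"))
}
```

The `bare` identity shows the case the PR description calls out: with no region configured anywhere in the chain, neither variable is set, so a sourced shell keeps whatever region it already had.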

@codecov

codecov bot commented Jan 13, 2026

Codecov Report

❌ Patch coverage is 91.76471% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.40%. Comparing base (acf68be) to head (fe317ca).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/auth/manager.go | 80.76% | 3 Missing and 2 partials ⚠️ |
| internal/exec/packer_output.go | 0.00% | 1 Missing ⚠️ |
| pkg/auth/identities/aws/assume_role.go | 94.11% | 1 Missing ⚠️ |

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #1955      +/-   ##
==========================================
+ Coverage   75.37%   75.40%   +0.03%     
==========================================
  Files         792      792              
  Lines       73435    73513      +78     
==========================================
+ Hits        55350    55434      +84     
+ Misses      14574    14571       -3     
+ Partials     3511     3508       -3     
Flag Coverage Δ
unittests 75.40% <91.76%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

| Files with missing lines | Coverage Δ |
|---|---|
| errors/errors.go | 100.00% <ø> (ø) |
| internal/exec/packer.go | 60.38% <ø> (ø) |
| internal/exec/terraform_output_utils.go | 100.00% <100.00%> (ø) |
| pkg/auth/identities/aws/assume_root.go | 86.25% <100.00%> (+0.79%) ⬆️ |
| pkg/auth/identities/aws/permission_set.go | 73.82% <100.00%> (+1.17%) ⬆️ |
| pkg/auth/identities/aws/user.go | 82.37% <100.00%> (+0.11%) ⬆️ |
| internal/exec/packer_output.go | 48.97% <0.00%> (ø) |
| pkg/auth/identities/aws/assume_role.go | 80.12% <94.11%> (+1.03%) ⬆️ |
| pkg/auth/manager.go | 80.76% <80.76%> (ø) |

... and 3 files with indirect coverage changes


@coderabbitai
Contributor

coderabbitai bot commented Jan 13, 2026

Walkthrough

This PR adds conditional export of AWS_REGION and AWS_DEFAULT_REGION environment variables from AWS identity configurations when a region is explicitly configured. The Environment() method now includes these region variables alongside existing credentials-file-based variables, with comprehensive test coverage and documentation updates reflecting the new behavior.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| AWS Identity Region Export Implementation | pkg/auth/identities/aws/assume_role.go, pkg/auth/identities/aws/assume_root.go, pkg/auth/identities/aws/permission_set.go, pkg/auth/identities/aws/user.go | Adds conditional logic to Environment() method: when region is explicitly configured (non-empty), AWS_REGION and AWS_DEFAULT_REGION are injected into the environment map. Change applied consistently across all four identity types. |
| AWS Identity Region Export Tests | pkg/auth/identities/aws/assume_role_test.go, pkg/auth/identities/aws/assume_root_test.go, pkg/auth/identities/aws/permission_set_extended_test.go, pkg/auth/identities/aws/user_test.go | Adds paired test cases for each identity type: *_WithRegion verifies AWS_REGION and AWS_DEFAULT_REGION are set when region configured; *_WithoutRegion verifies they're absent when region is unconfigured. |
| AWS Auth PRD and Blog Documentation | docs/prd/aws-auth-file-isolation.md, website/blog/2025-01-12-auth-env-region-export.mdx | Updates AWS auth documentation to describe new Environment() method that exports AWS_REGION and AWS_DEFAULT_REGION conditionally. Documents behavior when region is explicitly configured vs. default fallback handling. |
| Integration Testing | tests/fixtures/scenarios/yaml-functions-in-lists/stacks/test-yaml-functions.yaml, tests/yaml_functions_integration_test.go | Adds test fixture variable using !env AWS_REGION and corresponding integration test verifying aws_region can be accessed in stack configurations via environment variable reference. |
| CLI Documentation Updates | website/docs/cli/commands/auth/auth-login.mdx, website/docs/cli/commands/auth/console.mdx, website/docs/cli/commands/profile/profile-list.mdx, website/docs/cli/commands/profile/profile-show.mdx, website/docs/cli/commands/profile/usage.mdx | Updates various command documentation: clarifies EKS integration status, updates Azure provider support status, removes profile type from output, simplifies profile documentation to directory-based model only. |
| Auth Configuration Documentation | website/docs/cli/configuration/auth/identities.mdx, website/docs/cli/configuration/auth/index.mdx, website/docs/cli/configuration/auth/providers.mdx, website/docs/cli/configuration/profiles.mdx | Updates authentication and profile documentation: adds aws/assume-root and azure/subscription identity types, restructures profile model to directory-based approach, removes IAM Identity Center tag support and SAML idp_arn references. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • aknysh

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 5.88% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately captures the primary change: exporting AWS_REGION from atmos auth env when configured. It's specific, concise, and directly reflects the main feature addition across all AWS identity types. |


Comment @coderabbitai help to get the list of available commands and usage tips.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @website/docs/cli/commands/auth/console.mdx:
- Around line 244-245: Update the Troubleshooting sentence that currently reads
"Azure and GCP support is coming soon." to reflect the current status: change it
to state that Azure is supported (e.g., "Azure is supported; see above for
details") and that GCP is still planned/coming in a future release (e.g., "GCP
support is planned"). Locate the sentence in the Troubleshooting section that
mentions "Azure and GCP support is coming soon" and replace it with a concise
line indicating Azure ✅ Supported and GCP 🚧 Planned, keeping wording consistent
with the table above.
🧹 Nitpick comments (1)
website/docs/cli/configuration/auth/index.mdx (1)

229-246: Minor: platform/auth.yaml example may be incomplete.

The platform profile example (lines 229-240) only shows a provider configuration without any identities. While this could be intentional (to show providers can be defined separately), it differs from the developer and ci examples which show complete identity configurations. Consider adding a brief comment or identity to maintain consistency.

Consider adding an identity or note
 <File title="profiles/platform/auth.yaml">
 ```yaml
 auth:
   providers:
     company-sso:
       kind: aws/iam-identity-center
       region: us-east-1
       start_url: https://company.awsapps.com/start
       session:
         duration: 8h
+  # Identities can be defined here or in the main atmos.yaml
+  # and will reference this provider
```
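
Review bot: The two comment lines added after `duration: 8h` state that identities defined in the main atmos.yaml "will reference this provider", but nothing in the example shows how an identity names `company-sso`, so a reader still cannot tell whether the provider-only profile is complete. Either add a minimal identity under `auth:` that points at the provider, matching the developer and ci examples, or reword the comment to say only that this profile intentionally defines providers and no identities.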
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 0495d26 and 4da2059.

📒 Files selected for processing (21)
  • docs/prd/aws-auth-file-isolation.md
  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/assume_role_test.go
  • pkg/auth/identities/aws/assume_root.go
  • pkg/auth/identities/aws/assume_root_test.go
  • pkg/auth/identities/aws/permission_set.go
  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/user.go
  • pkg/auth/identities/aws/user_test.go
  • tests/fixtures/scenarios/yaml-functions-in-lists/stacks/test-yaml-functions.yaml
  • tests/yaml_functions_integration_test.go
  • website/blog/2025-01-12-auth-env-region-export.mdx
  • website/docs/cli/commands/auth/auth-login.mdx
  • website/docs/cli/commands/auth/console.mdx
  • website/docs/cli/commands/profile/profile-list.mdx
  • website/docs/cli/commands/profile/profile-show.mdx
  • website/docs/cli/commands/profile/usage.mdx
  • website/docs/cli/configuration/auth/identities.mdx
  • website/docs/cli/configuration/auth/index.mdx
  • website/docs/cli/configuration/auth/providers.mdx
  • website/docs/cli/configuration/profiles.mdx
💤 Files with no reviewable changes (1)
  • website/docs/cli/configuration/auth/providers.mdx
🧰 Additional context used
📓 Path-based instructions (7)
**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*.go: Use Viper for managing configuration, environment variables, and flags in CLI commands
Use interfaces for external dependencies to facilitate mocking and consider using testify/mock for creating mock implementations
All code must pass golangci-lint checks
Follow Go's error handling idioms: use meaningful error messages, wrap errors with context using fmt.Errorf("context: %w", err), and consider using custom error types for domain-specific errors
Follow standard Go coding style: use gofmt and goimports to format code, prefer short descriptive variable names, use kebab-case for command-line flags, and snake_case for environment variables
Document all exported functions, types, and methods following Go's documentation conventions
Document complex logic with inline comments in Go code
Support configuration via files, environment variables, and flags following the precedence order: flags > environment variables > config file > defaults
Provide clear error messages to users, include troubleshooting hints when appropriate, and log detailed errors for debugging

**/*.go: All comments must end with periods (enforced by godot linter) in Go code
Organize imports into three groups separated by blank lines, sorted alphabetically: Go stdlib, 3rd-party (NOT cloudposse/atmos), then Atmos packages with maintained aliases (cfg, log, u, errUtils)
All errors MUST be wrapped using static errors defined in errors/errors.go - use errors.Join for combining errors, fmt.Errorf with %w for context, and errors.Is() for error checking
Never manually create mocks - use go.uber.org/mock/mockgen with //go:generate directives in Go code
Keep files small and focused - under 600 lines with one cmd/impl per file, co-locate tests, never use //revive:disable:file-length-limit
Use colors from pkg/ui/theme/colors.go for all UI theming in Go code
Code must be compatible with Linux, macOS, and Windows - use SDKs over binaries, use filepath.Join() instead of h...

Files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/assume_root.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/user.go
  • pkg/auth/identities/aws/assume_root_test.go
  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/permission_set.go
  • tests/yaml_functions_integration_test.go
  • pkg/auth/identities/aws/assume_role_test.go
**/*_test.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*_test.go: Every new feature must include comprehensive unit tests targeting >80% code coverage for all packages
Use table-driven tests for testing multiple scenarios in Go
Include integration tests for command flows and test CLI end-to-end when possible with test fixtures

Prefer unit tests with mocks over integration tests - use interfaces and dependency injection for testability, generate mocks with go.uber.org/mock/mockgen, use table-driven tests, target >80% coverage

Files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/assume_root_test.go
  • tests/yaml_functions_integration_test.go
  • pkg/auth/identities/aws/assume_role_test.go
**/{pkg,internal,cmd}/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Add defer perf.Track(atmosConfig, "pkg.FuncName")() plus blank line to all public functions, using nil if no atmosConfig param - exceptions: trivial getters/setters, command constructors, simple factories, functions delegating to tracked functions

Files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/assume_root.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/user.go
  • pkg/auth/identities/aws/assume_root_test.go
  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/permission_set.go
  • pkg/auth/identities/aws/assume_role_test.go
website/**

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

website/**: Update website documentation in the website/ directory when adding new features, ensure consistency between CLI help text and website documentation, and follow the website's documentation structure and style
Keep website code in the website/ directory, follow the existing website architecture and style, and test website changes locally before committing
Keep CLI documentation and website documentation in sync and document new features on the website with examples and use cases

Files:

  • website/blog/2025-01-12-auth-env-region-export.mdx
  • website/docs/cli/commands/profile/profile-list.mdx
  • website/docs/cli/commands/auth/console.mdx
  • website/docs/cli/commands/profile/usage.mdx
  • website/docs/cli/commands/profile/profile-show.mdx
  • website/docs/cli/configuration/profiles.mdx
  • website/docs/cli/configuration/auth/index.mdx
  • website/docs/cli/commands/auth/auth-login.mdx
  • website/docs/cli/configuration/auth/identities.mdx
website/blog/*.mdx

📄 CodeRabbit inference engine (CLAUDE.md)

PRs labeled minor or major MUST include a blog post at website/blog/YYYY-MM-DD-feature-name.mdx with YAML frontmatter, using only tags defined in website/blog/tags.yml

Files:

  • website/blog/2025-01-12-auth-env-region-export.mdx
website/docs/cli/commands/**/*.mdx

📄 CodeRabbit inference engine (CLAUDE.md)

All CLI command documentation MUST include: frontmatter, Intro component, Screengrab, Usage section, Arguments/Flags in <dl> format, and Examples section

Files:

  • website/docs/cli/commands/profile/profile-list.mdx
  • website/docs/cli/commands/auth/console.mdx
  • website/docs/cli/commands/profile/usage.mdx
  • website/docs/cli/commands/profile/profile-show.mdx
  • website/docs/cli/commands/auth/auth-login.mdx
docs/prd/**/*.md

📄 CodeRabbit inference engine (CLAUDE.md)

Place all Product Requirement Documents (PRDs) in docs/prd/ using kebab-case filenames

Files:

  • docs/prd/aws-auth-file-isolation.md
🧠 Learnings (34)
📓 Common learnings
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
📚 Learning: 2025-11-11T03:47:45.878Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: toolchain/add_test.go:67-77
Timestamp: 2025-11-11T03:47:45.878Z
Learning: In the cloudposse/atmos codebase, tests should prefer t.Setenv for environment variable setup/teardown instead of os.Setenv/Unsetenv to ensure test-scoped isolation.

Applied to files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/assume_root_test.go
  • tests/yaml_functions_integration_test.go
  • docs/prd/aws-auth-file-isolation.md
  • pkg/auth/identities/aws/assume_role_test.go
📚 Learning: 2025-11-11T03:47:59.576Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: toolchain/which_test.go:166-223
Timestamp: 2025-11-11T03:47:59.576Z
Learning: In the cloudposse/atmos repo, tests that manipulate environment variables should use testing.T.Setenv for automatic setup/teardown instead of os.Setenv/Unsetenv.

Applied to files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/assume_root_test.go
  • tests/yaml_functions_integration_test.go
  • docs/prd/aws-auth-file-isolation.md
  • pkg/auth/identities/aws/assume_role_test.go
📚 Learning: 2025-08-15T14:43:41.030Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1352
File: pkg/store/artifactory_store_test.go:108-113
Timestamp: 2025-08-15T14:43:41.030Z
Learning: In test files for the atmos project, it's acceptable to ignore errors from os.Setenv/Unsetenv operations during test environment setup and teardown, as these are controlled test scenarios.

Applied to files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/assume_root_test.go
  • tests/yaml_functions_integration_test.go
📚 Learning: 2025-12-13T06:10:25.156Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: internal/exec/workflow_utils.go:0-0
Timestamp: 2025-12-13T06:10:25.156Z
Learning: Atmos workflows: In internal/exec/workflow_utils.go ExecuteWorkflow, non-identity steps intentionally use baseWorkflowEnv, which is constructed from the parent environment with PATH modifications for the toolchain. Avoid appending os.Environ() again; prefer documenting this behavior and testing that standard environment variables are preserved.

Applied to files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/assume_root.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/user.go
  • pkg/auth/identities/aws/assume_root_test.go
  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/permission_set.go
  • tests/yaml_functions_integration_test.go
  • docs/prd/aws-auth-file-isolation.md
  • pkg/auth/identities/aws/assume_role_test.go
📚 Learning: 2025-12-21T04:10:29.030Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1891
File: internal/exec/describe_affected.go:468-468
Timestamp: 2025-12-21T04:10:29.030Z
Learning: In Go, package-level declarations (constants, variables, types, and functions) are visible to all files in the same package without imports. During reviews in cloudposse/atmos (and similar Go codebases), before suggesting to declare a new identifier, first check if it already exists in another file of the same package. If it exists, you can avoid adding a new declaration; if not, proceed with a proper package-level declaration. 

Applied to files:

  • pkg/auth/identities/aws/permission_set_extended_test.go
  • pkg/auth/identities/aws/assume_root.go
  • pkg/auth/identities/aws/user_test.go
  • pkg/auth/identities/aws/user.go
  • pkg/auth/identities/aws/assume_root_test.go
  • pkg/auth/identities/aws/assume_role.go
  • pkg/auth/identities/aws/permission_set.go
  • tests/yaml_functions_integration_test.go
  • pkg/auth/identities/aws/assume_role_test.go
📚 Learning: 2025-09-13T16:39:20.007Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: cmd/markdown/atmos_toolchain_aliases.md:2-4
Timestamp: 2025-09-13T16:39:20.007Z
Learning: In the cloudposse/atmos repository, CLI documentation files in cmd/markdown/ follow a specific format that uses " $ atmos command" (with leading space and dollar sign prompt) in code blocks. This is the established project convention and should not be changed to comply with standard markdownlint rules MD040 and MD014.

Applied to files:

  • website/blog/2025-01-12-auth-env-region-export.mdx
  • website/docs/cli/commands/profile/usage.mdx
  • docs/prd/aws-auth-file-isolation.md
  • website/docs/cli/configuration/profiles.mdx
📚 Learning: 2025-09-10T17:34:52.568Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/providers/github/oidc.go:96-100
Timestamp: 2025-09-10T17:34:52.568Z
Learning: The ATMOS_ environment variable binding guideline applies to Atmos configuration variables, not external service-required environment variables like GitHub Actions OIDC variables (GITHUB_ACTIONS, ACTIONS_ID_TOKEN_*) which must use their standard names.

Applied to files:

  • website/blog/2025-01-12-auth-env-region-export.mdx
  • docs/prd/aws-auth-file-isolation.md
  • website/docs/cli/configuration/auth/index.mdx
📚 Learning: 2025-09-07T18:07:00.549Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1452
File: cmd/auth_login.go:43-44
Timestamp: 2025-09-07T18:07:00.549Z
Learning: In the atmos project, the identity flag is defined as a persistent flag on the auth root command (cmd/auth.go), making it available to all auth subcommands without needing to be redefined in each individual subcommand.

Applied to files:

  • website/blog/2025-01-12-auth-env-region-export.mdx
  • docs/prd/aws-auth-file-isolation.md
  • website/docs/cli/commands/auth/auth-login.mdx
📚 Learning: 2025-09-10T21:17:55.273Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: toolchain/http_client_test.go:3-10
Timestamp: 2025-09-10T21:17:55.273Z
Learning: In the cloudposse/atmos repository, imports should never be changed as per samtholiya's coding guidelines.

Applied to files:

  • website/blog/2025-01-12-auth-env-region-export.mdx
  • docs/prd/aws-auth-file-isolation.md
📚 Learning: 2025-01-19T15:49:15.593Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 955
File: tests/snapshots/TestCLICommands_atmos_validate_editorconfig_--help.stdout.golden:0-0
Timestamp: 2025-01-19T15:49:15.593Z
Learning: In future commits, the help text for Atmos CLI commands should be limited to only show component and stack parameters for commands that actually use them. This applies to the example usage section in command help text.

Applied to files:

  • website/blog/2025-01-12-auth-env-region-export.mdx
  • website/docs/cli/commands/profile/usage.mdx
📚 Learning: 2025-08-29T20:57:35.423Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1433
File: cmd/theme_list.go:33-36
Timestamp: 2025-08-29T20:57:35.423Z
Learning: In the Atmos codebase, avoid using viper.SetEnvPrefix("ATMOS") with viper.AutomaticEnv() because canonical environment variable names are not exclusive to Atmos and could cause conflicts. Instead, use selective environment variable binding through the setEnv function in pkg/config/load.go with bindEnv(v, "config.key", "ENV_VAR_NAME") for specific environment variables.

Applied to files:

  • pkg/auth/identities/aws/permission_set.go
📚 Learning: 2025-01-19T22:30:27.600Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2025-01-19T22:30:27.600Z
Learning: The Atmos YAML function `!env` is used to retrieve environment variables and assign them to sections in stack manifests. It supports both simple types (string, number, boolean) and complex types (JSON-encoded lists, maps, objects).

Applied to files:

  • tests/fixtures/scenarios/yaml-functions-in-lists/stacks/test-yaml-functions.yaml
  • tests/yaml_functions_integration_test.go
📚 Learning: 2024-12-01T00:33:20.298Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 810
File: examples/tests/stacks/catalog/terraform/template-functions-test2/defaults.yaml:28-32
Timestamp: 2024-12-01T00:33:20.298Z
Learning: In `examples/tests/stacks/catalog/terraform/template-functions-test2/defaults.yaml`, `!exec atmos terraform output` is used in examples to demonstrate its usage, even though `!terraform.output` is the recommended approach according to the documentation.

Applied to files:

  • tests/fixtures/scenarios/yaml-functions-in-lists/stacks/test-yaml-functions.yaml
  • tests/yaml_functions_integration_test.go
📚 Learning: 2026-01-09T04:49:35.038Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1907
File: demos/fixtures/acme/stacks/catalog/api.yaml:1-29
Timestamp: 2026-01-09T04:49:35.038Z
Learning: In the cloudposse/atmos demos/fixtures, components can provide Terraform outputs via `remote_state_backend.static` configuration blocks instead of traditional Terraform output blocks. This pattern is used for demo/fixture purposes to simulate cross-component state references without deploying actual infrastructure. The `!terraform.state` YAML function reads from these static backends.

Applied to files:

  • tests/fixtures/scenarios/yaml-functions-in-lists/stacks/test-yaml-functions.yaml
📚 Learning: 2025-04-25T20:54:19.701Z
Learnt from: mcalhoun
Repo: cloudposse/atmos PR: 963
File: website/docs/core-concepts/projects/configuration/stores.mdx:286-286
Timestamp: 2025-04-25T20:54:19.701Z
Learning: For the AWS SSM Parameter Store implementation in Atmos, support for `read_role_arn` and `write_role_arn` options is essential to enable cross-account access, allowing users to run operations like `terraform plan` in multiple accounts while accessing values across keystores. Azure Key Vault would need similar capabilities for cross-tenant/subscription authentication.

Applied to files:

  • website/docs/cli/commands/auth/console.mdx
  • docs/prd/aws-auth-file-isolation.md
  • website/docs/cli/configuration/auth/index.mdx
  • website/docs/cli/configuration/auth/identities.mdx
📚 Learning: 2025-01-25T15:21:40.413Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: examples/demo-atmos-cli-imports/atmos.yaml:8-8
Timestamp: 2025-01-25T15:21:40.413Z
Learning: In Atmos, when a directory is specified for configuration loading (e.g., in the `import` section of atmos.yaml), all files within that directory should be treated as Atmos configurations. Do not suggest restricting file extensions in directory-based glob patterns.

Applied to files:

  • website/docs/cli/commands/profile/usage.mdx
  • website/docs/cli/configuration/auth/index.mdx
📚 Learning: 2024-10-23T22:11:41.077Z
Learnt from: haitham911
Repo: cloudposse/atmos PR: 727
File: internal/exec/path_utils.go:145-146
Timestamp: 2024-10-23T22:11:41.077Z
Learning: In the `atmos` project, the preference is to print relative paths in log messages instead of full paths.

Applied to files:

  • website/docs/cli/commands/profile/usage.mdx
📚 Learning: 2024-11-25T17:17:15.703Z
Learnt from: RoseSecurity
Repo: cloudposse/atmos PR: 797
File: pkg/list/atmos.yaml:213-214
Timestamp: 2024-11-25T17:17:15.703Z
Learning: The file `pkg/list/atmos.yaml` is primarily intended for testing purposes.

Applied to files:

  • website/docs/cli/commands/profile/usage.mdx
  • docs/prd/aws-auth-file-isolation.md
📚 Learning: 2024-12-11T18:40:12.808Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 844
File: cmd/helmfile.go:37-37
Timestamp: 2024-12-11T18:40:12.808Z
Learning: In the atmos project, `cliConfig` is initialized within the `cmd` package in `root.go` and can be used in other command files.

Applied to files:

  • website/docs/cli/commands/profile/usage.mdx
  • website/docs/cli/configuration/auth/index.mdx
📚 Learning: 2025-11-24T17:35:37.209Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-11-24T17:35:37.209Z
Learning: Applies to **/*_test.go : Include integration tests for command flows and test CLI end-to-end when possible with test fixtures

Applied to files:

  • tests/yaml_functions_integration_test.go
📚 Learning: 2025-05-23T19:51:47.091Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1255
File: cmd/describe_affected_test.go:15-15
Timestamp: 2025-05-23T19:51:47.091Z
Learning: The atmos codebase has a custom extension to *testing.T that provides a Chdir method, allowing test functions to call t.Chdir() to change working directories during tests. This is used consistently across test files in the codebase.

Applied to files:

  • tests/yaml_functions_integration_test.go
📚 Learning: 2025-12-13T03:21:35.786Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1813
File: cmd/terraform/shell.go:28-73
Timestamp: 2025-12-13T03:21:35.786Z
Learning: In Atmos, when calling cfg.InitCliConfig, you must first populate the schema.ConfigAndStacksInfo struct with global flag values using flags.ParseGlobalFlags(cmd, v) rather than passing an empty struct. The LoadConfig function (pkg/config/load.go) reads config selection fields (AtmosConfigFilesFromArg, AtmosConfigDirsFromArg, BasePath, ProfilesFromArg) directly from the ConfigAndStacksInfo struct, NOT from Viper. Passing an empty struct causes config selection flags (--base-path, --config, --config-path, --profile) to be silently ignored. Correct pattern: parse flags → populate struct → call InitCliConfig. See cmd/terraform/plan_diff.go for reference implementation.

Applied to files:

  • tests/yaml_functions_integration_test.go
  • website/docs/cli/configuration/auth/index.mdx
📚 Learning: 2025-11-08T19:56:18.660Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1697
File: internal/exec/oci_utils.go:0-0
Timestamp: 2025-11-08T19:56:18.660Z
Learning: In the Atmos codebase, when a function receives an `*schema.AtmosConfiguration` parameter, it should read configuration values from `atmosConfig.Settings` fields rather than using direct `os.Getenv()` or `viper.GetString()` calls. The Atmos pattern is: viper.BindEnv in cmd/root.go binds environment variables → Viper unmarshals into atmosConfig.Settings via mapstructure → business logic reads from the Settings struct. This provides centralized config management, respects precedence, and enables testability. Example: `atmosConfig.Settings.AtmosGithubToken` instead of `os.Getenv("ATMOS_GITHUB_TOKEN")` in functions like `getGHCRAuth` in internal/exec/oci_utils.go.

Applied to files:

  • tests/yaml_functions_integration_test.go
  • docs/prd/aws-auth-file-isolation.md
  • website/docs/cli/configuration/auth/index.mdx
📚 Learning: 2025-11-24T17:35:37.209Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-11-24T17:35:37.209Z
Learning: Applies to **/*_test.go : Use table-driven tests for testing multiple scenarios in Go

Applied to files:

  • tests/yaml_functions_integration_test.go
📚 Learning: 2025-09-25T01:02:48.697Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/manager.go:304-312
Timestamp: 2025-09-25T01:02:48.697Z
Learning: The auth manager in pkg/auth/manager.go should remain cloud-agnostic and not contain AWS-specific logic or references to specific cloud providers. Keep the manager generic and extensible.

Applied to files:

  • docs/prd/aws-auth-file-isolation.md
📚 Learning: 2025-11-10T20:03:56.875Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1775
File: pkg/auth/providers/aws/sso_provisioning.go:40-79
Timestamp: 2025-11-10T20:03:56.875Z
Learning: In the Atmos AWS SSO provider (pkg/auth/providers/aws/sso_provisioning.go), the OAuth access token from the AWS SSO device flow is intentionally stored in the `AccessKeyID` field of `AWSCredentials` during authentication. This token is then extracted and used for ListAccounts and ListAccountRoles API calls during identity provisioning. This design reuses the existing `AWSCredentials` type for token transport rather than creating a separate credential type.

Applied to files:

  • docs/prd/aws-auth-file-isolation.md
📚 Learning: 2024-11-12T03:15:15.627Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 775
File: examples/quick-start-advanced/Dockerfile:9-9
Timestamp: 2024-11-12T03:15:15.627Z
Learning: It is acceptable to set `ARG ATMOS_VERSION` to a future version like `1.105.0` in `examples/quick-start-advanced/Dockerfile` if that will be the next release.

Applied to files:

  • docs/prd/aws-auth-file-isolation.md
📚 Learning: 2025-12-13T06:07:34.794Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:34.794Z
Learning: For docs in the cloudposse/atmos repository under docs/prd/, markdownlint issues MD040, MD010, and MD034 should be deferred to a separate documentation cleanup commit and must not block the current PR. If needed, address these issues in a follow-up PR dedicated to documentation improvements.

Applied to files:

  • docs/prd/aws-auth-file-isolation.md
📚 Learning: 2025-10-11T19:12:38.832Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1599
File: tests/snapshots/TestCLICommands_atmos_workflow_invalid_step_type.stderr.golden:0-0
Timestamp: 2025-10-11T19:12:38.832Z
Learning: Usage Examples sections in error output are appropriate for command usage errors (incorrect syntax, missing arguments, invalid flags) but not for configuration validation errors (malformed workflow files, invalid settings in atmos.yaml). Configuration errors should focus on explaining what's wrong with the config, not command usage patterns.

Applied to files:

  • website/docs/cli/commands/profile/profile-show.mdx
📚 Learning: 2025-12-13T06:07:37.766Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:37.766Z
Learning: cloudposse/atmos: For PRD docs (docs/prd/*.md), markdownlint issues like MD040/MD010/MD034 can be handled in a separate documentation cleanup commit and should not block the current PR.

Applied to files:

  • website/docs/cli/configuration/profiles.mdx
📚 Learning: 2025-11-07T14:52:55.217Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1761
File: docs/prd/claude-agent-architecture.md:331-439
Timestamp: 2025-11-07T14:52:55.217Z
Learning: In the cloudposse/atmos repository, Claude agents are used as interactive tools, not in automated/headless CI/CD contexts. Agent documentation and patterns should assume synchronous human interaction.

Applied to files:

  • website/docs/cli/configuration/auth/index.mdx
📚 Learning: 2024-12-12T15:15:46.457Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: examples/demo-atmos-cli-imports/atmos.yaml:7-7
Timestamp: 2024-12-12T15:15:46.457Z
Learning: In example configuration files, such as `examples/demo-atmos-cli-imports/atmos.yaml`, it's acceptable to use `refs/heads/main` in remote URLs.

Applied to files:

  • website/docs/cli/configuration/auth/index.mdx
📚 Learning: 2025-01-09T19:53:29.847Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 912
File: pkg/config/config.go:91-92
Timestamp: 2025-01-09T19:53:29.847Z
Learning: In the Atmos project, the `core.inject_github_token` configuration is required to be enabled (`true`) by default to support authenticated GitHub requests and help bypass rate limits.

Applied to files:

  • website/docs/cli/commands/auth/auth-login.mdx
🧬 Code graph analysis (6)
pkg/auth/identities/aws/permission_set_extended_test.go (3)
pkg/auth/identities/aws/permission_set.go (1)
  • NewPermissionSetIdentity (39-48)
pkg/auth/types/interfaces.go (1)
  • Identity (121-170)
pkg/schema/schema_auth.go (2)
  • Identity (50-60)
  • Principal (70-73)
pkg/auth/identities/aws/user_test.go (3)
pkg/auth/identities/aws/user.go (1)
  • NewUserIdentity (47-59)
pkg/auth/types/interfaces.go (1)
  • Identity (121-170)
pkg/schema/schema_auth.go (1)
  • Identity (50-60)
pkg/auth/identities/aws/assume_root_test.go (1)
pkg/auth/types/interfaces.go (1)
  • Identity (121-170)
pkg/auth/identities/aws/permission_set.go (1)
pkg/schema/schema_auth.go (1)
  • Principal (70-73)
tests/yaml_functions_integration_test.go (2)
pkg/schema/schema.go (1)
  • ConfigAndStacksInfo (727-824)
internal/exec/describe_component.go (1)
  • ExecuteDescribeComponentParams (203-210)
pkg/auth/identities/aws/assume_role_test.go (1)
pkg/auth/types/interfaces.go (2)
  • Identity (121-170)
  • Provider (56-98)
🪛 LanguageTool
website/blog/2025-01-12-auth-env-region-export.mdx

[style] ~53-~53: To elevate your writing, try using a synonym here.
Context: ...reak existing scripts ## Get Involved Found an issue or have a feature request? [Op...

(FIND_LOCATE)

docs/prd/aws-auth-file-isolation.md

[typographical] ~104-~104: To join two clauses or introduce examples, consider using an em dash.
Context: ...y name for consistency AWS_REGION - Region from identity/provider configurat...

(DASH_RULE)


[typographical] ~111-~111: To join two clauses or introduce examples, consider using an em dash.
Context: ...fault fallback AWS_DEFAULT_REGION - Same as AWS_REGION (for SDK compatibilit...

(DASH_RULE)

⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary
🔇 Additional comments (27)
website/docs/cli/commands/auth/console.mdx (1)

234-236: Looks good. The heading and description correctly narrow scope to GCP-only for the "coming soon" section now that Azure is supported.

tests/fixtures/scenarios/yaml-functions-in-lists/stacks/test-yaml-functions.yaml (1)

77-79: Good test fixture addition.

This test case validates that !env AWS_REGION can be referenced in stack configurations when the region is exported via atmos auth env. Clear comments explain the intent.

website/docs/cli/configuration/profiles.mdx (1)

21-21: Documentation accurately reflects directory-based profile model.

The updated KeyPoint aligns with the broader documentation changes describing profiles as directories containing configuration files.

tests/yaml_functions_integration_test.go (2)

21-23: Correct use of t.Setenv for test isolation.

Using t.Setenv ensures automatic cleanup after the test completes, following the project's testing conventions.


29-53: Well-structured test for AWS_REGION environment variable reference.

The test correctly validates that stack configurations using !env AWS_REGION load without errors. The comments appropriately clarify that !env functions are resolved at execution time, not during describe.

pkg/auth/identities/aws/assume_role.go (1)

382-387: Clean implementation of conditional region export.

Exports AWS_REGION and AWS_DEFAULT_REGION only when explicitly configured, avoiding exposure of internal defaults. The placement after file-based env vars and before identity config env vars maintains proper precedence.

pkg/auth/identities/aws/assume_root.go (1)

310-315: Consistent region export implementation.

Mirrors the pattern in assume_role.go. The conditional export ensures only explicitly configured regions are exposed, maintaining consistency across AWS identity types.

website/docs/cli/commands/profile/profile-list.mdx (1)

62-69: Clean documentation update.

Table output examples now consistently show the directory-based profile model across all formats. The removal of the TYPE column aligns with the broader shift toward directory-based profiles.

website/docs/cli/commands/auth/auth-login.mdx (1)

98-104: Good expectation setting.

Narrowing the header to ECR and adding the EKS "coming soon" note prevents user confusion. Clear communication about feature availability.

pkg/auth/identities/aws/permission_set_extended_test.go (1)

37-74: Solid test coverage for region environment behavior.

Both positive and negative cases are covered. The descriptive assertion messages will help debug failures. Tests correctly verify the "explicit config only" behavior documented in the PR.

pkg/auth/identities/aws/user.go (1)

659-664: Clean region export implementation.

The conditional export aligns with PR objectives - region is exported only when explicitly configured, not from defaults. Comment explains the use case clearly. Pattern matches other AWS identity types.

pkg/auth/identities/aws/permission_set.go (1)

189-194: Consistent region export for permission-set identity.

Implementation mirrors the user identity pattern. Reading from Principal["region"] is appropriate for this identity type. The comment clearly explains the intentional behavior.

pkg/auth/identities/aws/user_test.go (1)

58-85: Well-structured tests for region export behavior.

Both tests correctly validate the conditional region export logic. The explicit absence check using map key existence (_, hasRegion := env["AWS_REGION"]) is the right approach to verify variables aren't set when unconfigured.

website/docs/cli/commands/profile/profile-show.mdx (1)

39-39: Clean simplification.

Removing the "type" aspect aligns with the directory-only profile model. The documentation accurately reflects the updated output format.

pkg/auth/identities/aws/assume_role_test.go (1)

87-123: Consistent test coverage for assume-role region handling.

Tests correctly verify the Environment() method respects the region field on the identity struct. The pattern mirrors the user identity tests, maintaining consistency across identity types.

pkg/auth/identities/aws/assume_root_test.go (1)

449-493: Completes the region test coverage across all AWS identity types.

Good to see consistent test patterns across user, assume-role, and assume-root identities. The ca-central-1 region choice adds variety while validating the same logic path.

website/docs/cli/commands/profile/usage.mdx (1)

37-37: Clear statement on profile structure.

The single-sentence explanation effectively communicates the directory-based profile model. Removing inline profile complexity simplifies the mental model for users.

website/blog/2025-01-12-auth-env-region-export.mdx (2)

8-50: Clean, informative blog post.

Good structure covering what changed, when users need it, and when they don't. The distinction between external tools needing atmos auth env vs. atmos commands auto-injecting region is helpful.


1-6: No issues found. The enhancement tag is properly defined in website/blog/tags.yml.

website/docs/cli/configuration/auth/index.mdx (2)

182-193: Good documentation of directory-based profile structure.

The profile directory layout is clear and the examples are well organized.


195-227: Profile examples are consistent.

The developer and ci profile examples properly demonstrate the auth configuration pattern.

website/docs/cli/configuration/auth/identities.mdx (3)

96-141: Solid documentation for AWS Assume Root identity.

The assume-root identity type is well documented with clear required fields, optional duration, and the list of supported task policies. The note about Organizations prerequisites is helpful.


182-219: Good Azure subscription identity documentation.

Clear explanation of the identity type with required and optional fields. The note about environment variable implications for Terraform is useful context.


339-421: Profile section is consistent with auth index.

The directory-based profile structure and examples align well with the main auth documentation. Good consistency across files.

docs/prd/aws-auth-file-isolation.md (3)

104-115: Clear documentation of region environment variables.

Good explanation of AWS_REGION and AWS_DEFAULT_REGION behavior, including the explicit configuration requirement and SDK compatibility notes.


246-254: Well-documented Environment() method behavior.

The conditional export behavior is clearly explained - always exports file/profile vars, conditionally exports region vars only when explicitly configured. The note about no default fallback is important for user understanding.


559-559: Changelog entry looks good.

The entry accurately summarizes the feature addition with the appropriate version and date.

@mergify

mergify bot commented Jan 20, 2026

Warning

This PR exceeds the recommended limit of 1,000 lines.

Large PRs are difficult to review and may be rejected due to their size.

Please verify that this PR does not address multiple issues.
Consider refactoring it into smaller, more focused PRs to facilitate a smoother review process.

@mergify

mergify bot commented Jan 20, 2026

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

@mergify mergify bot added conflict This PR has conflicts and removed conflict This PR has conflicts labels Jan 20, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@pkg/auth/manager.go`:
- Around line 721-737: In manager.ResolvePrincipalSetting, avoid comparing
interface{} to a string (val != "") which can panic for non-string types;
instead check val != nil then use a type assertion on val.(string): if it's a
string ensure it's not empty before returning, otherwise for non-string (maps,
structs, etc.) treat any non-nil value as present and return it; update the
check around identity.Principal[key] and val to implement this safe branching so
you don't perform invalid interface comparisons.
🧹 Nitpick comments (4)
pkg/auth/identities/aws/assume_root_test.go (1)

1472-1478: Please switch mockAuthManager to mockgen.
This expands a hand-rolled mock. The repo guideline is to use go.uber.org/mock/mockgen with a go:generate directive instead of manual mocks. As per coding guidelines, please convert this mock to a generated one.

pkg/auth/identities/aws/permission_set_extended_test.go (1)

37-173: Consider table-driven coverage for the region Environment cases.
There’s a lot of repeated setup across these four cases; a table-driven test would be leaner and easier to extend.

As per coding guidelines, consider consolidating these scenarios into a table-driven test.

website/docs/cli/configuration/auth/index.mdx (1)

182-245: Clarify where shared providers are defined in the profile examples.
The developer profile references company-sso but the provider isn’t shown in that file; a short note that providers can live in base config/shared profile would reduce confusion.

website/docs/cli/configuration/auth/identities.mdx (1)

96-218: Add a note about provider definition inheritance in profile examples.
These snippets reference company-sso/github-oidc without showing where those providers are defined. A brief note that providers can live in base config or a shared profile would make the examples self-explanatory.

Also applies to: 341-407

@mergify

mergify bot commented Jan 20, 2026

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

@mergify mergify bot added conflict This PR has conflicts and removed conflict This PR has conflicts labels Jan 20, 2026
coderabbitai bot previously approved these changes Jan 20, 2026
@mergify

mergify bot commented Jan 21, 2026

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

coderabbitai bot previously approved these changes Jan 21, 2026
osterman and others added 8 commits January 23, 2026 08:29
Enable users to reference AWS_REGION and AWS_DEFAULT_REGION via !env in stack configurations after sourcing atmos auth env command. Region is only exported when explicitly configured in identity or provider settings (not default fallback).

- Add region export to Environment() method in all AWS identities (user, assume-role, permission-set, assume-root)
- Add comprehensive unit tests for region handling in Environment()
- Add integration test for !env AWS_REGION in stack configurations
- Update AWS auth PRD documentation with region export details
- Create blog post announcing the enhancement

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Update blog post to clarify that:
- atmos auth env is for external tools (aws cli, direct terraform)
- For atmos commands, region is automatically injected - no sourcing needed
- !env AWS_REGION works automatically in stack configs with atmos commands

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Fix inconsistency in auth console docs: Azure is now supported, only GCP is coming soon
- Add roadmap milestone for Azure Portal console access (shipped Q4 2025)
- Add roadmap milestone for AWS_REGION export from atmos auth env (shipped Q1 2026)
- Update auth initiative progress to 85%

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add full chain inheritance for AWS_REGION in `atmos auth env`. Previously,
AWS_REGION was only exported when explicitly set at the identity level
(`identities.name.principal.region`). Now it properly inherits through the
identity chain to the provider.

Changes:
- Add generic `ResolvePrincipalSetting()` method to AuthManager interface
  that traverses the identity chain looking for a setting key
- Add generic `ResolveProviderConfig()` method to AuthManager interface
  that returns the root provider configuration for an identity
- Add `resolveRegion()` helper to AWS identities (permission_set, assume_role,
  assume_root) that uses these generic methods to resolve region
- Update `Environment()` and `PrepareEnvironment()` methods in all AWS
  identities to use `resolveRegion()` for region inheritance

Resolution order (most specific wins):
1. Current identity's principal.region
2. Parent identity's principal.region (if chained via identity)
3. Root provider's region

This provider-agnostic approach can be used by other providers (Azure, GCP)
to resolve their own settings through the chain.

Also fixes pre-existing lint issues in packer.go and packer_output.go.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add tests that specifically cover the user's problem scenario:
- TestPermissionSetIdentity_Environment_InheritsProviderRegion:
  Verifies that when identity has NO region but provider HAS region,
  the identity correctly inherits the provider's region.

- TestPermissionSetIdentity_Environment_IdentityRegionOverridesProvider:
  Verifies that when both identity and provider have region,
  the identity's region takes precedence.

These tests validate the fix for the chain inheritance feature
where AWS_REGION was not exported when only set at the provider level.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add ErrWriteFile sentinel error to errors/errors.go and update
cmd/env/env.go to use static sentinel errors (ErrOpenFile, ErrWriteFile)
instead of raw string literals for file I/O operations.

This enables callers to check errors.Is(err, errUtils.ErrOpenFile) or
errors.Is(err, errUtils.ErrWriteFile) while preserving the original
error context via Go 1.20+ multiple %w wrapping.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Use assert.ElementsMatch() with SupportedFormats instead of hardcoding
the count and individual format names. This makes the test automatically
adapt to changes in the format list.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

…alSetting

Adds type assertion to safely handle non-string Principal values.
The previous code used `val != ""` which would panic if val was a map
or other non-string type.

Also updates roadmap.js with PR number and changelog link for the
AWS_REGION export milestone.

Includes minor lint fixes in vendor commands (godot, errcheck).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
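
The region resolution order from the commit messages above (identity, then parent identity, then root provider, with no default fallback), combined with the type-assertion guard on Principal values, as an added Go example that is not the Atmos code. The types, `ResolveRegion`, `Environment`, `ErrBrokenChain` and the sample configuration are hypothetical, simplified stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified, hypothetical stand-ins for the auth configuration; these are
// not the Atmos schema types.
type Provider struct {
	Region string
}

type Identity struct {
	ViaIdentity string                 // parent identity, if chained
	ViaProvider string                 // root provider, if attached directly
	Principal   map[string]interface{} // free-form settings, e.g. "region"
}

type Config struct {
	Providers  map[string]Provider
	Identities map[string]Identity
}

var ErrBrokenChain = errors.New("identity chain is broken or cyclic")

// principalString returns p[key] only when it holds a non-empty string. The
// comma-ok type assertion keeps a map, number or nil value from being
// mistaken for a region.
func principalString(p map[string]interface{}, key string) (string, bool) {
	s, ok := p[key].(string)
	return s, ok && s != ""
}

// ResolveRegion walks identity -> parent identities -> root provider and
// returns the first explicitly configured region. ok is false when nothing
// in the chain sets one; no default region is substituted.
func ResolveRegion(cfg Config, name string) (region string, ok bool, err error) {
	seen := map[string]bool{}
	for {
		id, exists := cfg.Identities[name]
		if !exists || seen[name] {
			return "", false, fmt.Errorf("%w: identity %q", ErrBrokenChain, name)
		}
		seen[name] = true
		if r, found := principalString(id.Principal, "region"); found {
			return r, true, nil
		}
		if id.ViaIdentity != "" {
			name = id.ViaIdentity
			continue
		}
		p, exists := cfg.Providers[id.ViaProvider]
		if !exists {
			return "", false, fmt.Errorf("%w: provider %q", ErrBrokenChain, id.ViaProvider)
		}
		return p.Region, p.Region != "", nil
	}
}

// Environment returns the region variables to export. Both names are set
// together, and neither is set when no region is configured in the chain.
func Environment(cfg Config, name string) (map[string]string, error) {
	region, ok, err := ResolveRegion(cfg, name)
	if err != nil {
		return nil, err
	}
	env := map[string]string{}
	if ok {
		env["AWS_REGION"] = region
		env["AWS_DEFAULT_REGION"] = region
	}
	return env, nil
}

// SampleConfig is constructed test data, not taken from the PR.
func SampleConfig() Config {
	return Config{
		Providers: map[string]Provider{
			"company-sso":   {Region: "us-east-2"},
			"no-region-sso": {},
		},
		Identities: map[string]Identity{
			"base":  {ViaProvider: "company-sso"},
			"admin": {ViaIdentity: "base", Principal: map[string]interface{}{"region": "eu-west-1"}},
			// Malformed: region is a map, so it is skipped and the chain is used.
			"auditor": {ViaIdentity: "base", Principal: map[string]interface{}{
				"region": map[string]interface{}{"name": "eu-west-1"}}},
			"bare":   {ViaProvider: "no-region-sso"},
			"loop-a": {ViaIdentity: "loop-b"},
			"loop-b": {ViaIdentity: "loop-a"},
		},
	}
}

func main() {
	cfg := SampleConfig()
	for _, name := range []string{"admin", "base", "auditor", "bare", "loop-a"} {
		env, err := Environment(cfg, name)
		fmt.Printf("%-8s env=%v err=%v\n", name, env, err)
	}
}
```
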

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@cmd/env/env.go`:
- Around line 154-209: The build fails because stdlib packages used in
formatDotenv/formatGitHub/writeEnvToFile/sortedKeys (fmt, os, sort, and strings)
are not imported and defaultFileMode is undefined; add the missing imports (fmt,
os, sort — ensure strings is already imported) to the file's import block and
define or reuse an existing file-permission constant for defaultFileMode (e.g.,
0644) so writeEnvToFile can call os.OpenFile without errors; update references
to defaultFileMode accordingly.

In `@pkg/auth/manager.go`:
- Around line 753-756: The doc comment for ResolveProviderConfig is missing
terminal periods on two lines; update the comment above the
ResolveProviderConfig declaration so each sentence ends with a period (e.g.,
"ResolveProviderConfig returns the provider configuration at the root of the
identity's authentication chain." and "This allows identities to access
provider-level settings without knowing the specific provider name."). Ensure
the comment remains grammatically intact and ends with periods to satisfy godot
compliance.

In `@website/blog/2025-01-12-auth-env-region-export.mdx`:
- Around line 1-12: The truncate marker in the MDX post (slug
"auth-env-region-export", title "AWS Region Now Exported by atmos auth env")
uses a JSX comment {/* truncate */}; replace it with an HTML comment <!--
truncate --> so the site generator recognizes the truncate point; update the
marker text exactly to <!-- truncate --> in the document header/body where the
current JSX marker appears.

osterman and others added 2 commits January 23, 2026 15:30
Remove unused helper functions (formatDotenv, formatGitHub, writeEnvToFile,
sortedKeys) that were left over from conflict resolution. These functions
referenced fmt, os, sort, and defaultFileMode which were not imported.

The actual command uses pkg/env package functions instead.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@website/src/data/roadmap.js`:
- Line 161: Update the roadmap entry object with label 'AWS_REGION export from
`atmos auth env`' to reflect that the command exports both AWS_REGION and
AWS_DEFAULT_REGION: modify the label/description/benefits (and changelog or any
related fields if present) to explicitly mention AWS_DEFAULT_REGION alongside
AWS_REGION so the text matches actual behavior implemented in the PR (e.g.,
"Export AWS_REGION and AWS_DEFAULT_REGION..." and update the benefits text
similarly).
- Line 150: Update the shipped milestone object with label 'Azure Portal console
access' to include the required pr and changelog fields per roadmap guidelines:
add a pr property with the PR URL or number and a changelog property with the
changelog slug (e.g., 'cli-azure-console' or the real slug used), so the object
now contains label, status, quarter, docs, description, benefits, pr, and
changelog; locate and modify the milestone object that has label 'Azure Portal
console access' in website/src/data/roadmap.js.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@website/blog/2025-01-12-auth-env-region-export.mdx`:
- Around line 1-6: The post filename uses 2025-01-12 but should match the PR
date; rename the file 2025-01-12-auth-env-region-export.mdx to
2026-01-12-auth-env-region-export.mdx (and update any references such as slug or
links if present) so the filename date matches the actual publication/PR date;
locate the file by its current filename and adjust any internal references that
rely on the filename.
🧹 Nitpick comments (1)
pkg/auth/identities/aws/assume_role_test.go (1)

1266-1336: Consider extracting shared mock to a test helper file.

mockResolveAuthManager is well-implemented and reused by assume_root_test.go. If this pattern grows, consider moving it to a shared test_helpers.go or similar to reduce duplication and make the dependency explicit.

Not blocking - the current approach works fine with Go's package-level visibility.

@aknysh aknysh merged commit 9386c48 into main Jan 24, 2026
58 checks passed
@aknysh aknysh deleted the osterman/auth-env-vars-research branch January 24, 2026 04:16
@github-actions

These changes were released in v1.204.1-rc.6.

Labels

minor New features that do not break anything size/xl Extra large size PR
