docs: Add identity provider file isolation PRDs #1792
Document the universal file isolation pattern for all identity providers and specific implementations for AWS (reference) and Azure (planned). This establishes the architectural pattern for credential isolation that protects developers' personal hobby accounts from Atmos-managed enterprise/customer credentials. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Warning: This PR exceeds the recommended limit of 1,000 lines. Large PRs are difficult to review and may be rejected due to their size. Please verify that this PR does not address multiple issues.
Dependency Review: ✅ No vulnerabilities or license issues found. Scanned files: none.
📝 Walkthrough
Adds a universal file-isolation PRD plus AWS and Azure-specific implementations; introduces Azure file-manager, setup and environment APIs, XDG-compliant per-provider credential directories, and documentation for migration, testing, and security. No runtime behavior changes outside the introduced provider files and docs.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Caller as Caller (login flow)
    participant Setup as SetupFiles / SetAuthContext
    participant FileMgr as AzureFileManager
    participant EnvPrep as PrepareEnvironment
    participant Runtime as Tool / CLI
    Note over Caller,Setup: Authentication initiation
    Caller->>Setup: Write credential files (SetupFiles)
    Setup->>FileMgr: Resolve paths, write files, lock if needed
    FileMgr-->>Setup: Return created paths / metadata
    Setup->>EnvPrep: Build PrepareEnvironmentConfig (ConfigDir, IDs, env)
    EnvPrep->>FileMgr: Use base/display paths for env mapping
    EnvPrep-->>Caller: Return env map (e.g., AZURE_CONFIG_DIR, ARM_*)
    Caller->>Runtime: Spawn tool/CLI with returned env
    Runtime-->>FileMgr: Read provider-specific files via redirected env
    Note right of FileMgr: Cleanup/DeleteIdentity may be called asynchronously
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Pre-merge checks and finishing touches: ✅ Passed checks (3 passed)
Actionable comments posted: 1
🧹 Nitpick comments (3)
docs/prd/auth-file-isolation-pattern.md (1)
53-112: Specify language identifiers on fenced code blocks. Lines 53, 66, 91, and 106 contain fenced code blocks without language specifiers. Add the appropriate language identifier (e.g., `` ```bash ``, `` ```yaml `` or `` ```go ``) to improve readability and enable syntax highlighting.
docs/prd/aws-auth-file-isolation.md (1)
33-112: Specify language identifiers on all fenced code blocks. Lines 33, 52, 267, 288, and 375 contain fenced code blocks without language identifiers. For example, line 33 should open with `` ```bash `` or similar. This ensures proper syntax highlighting across all three PRD documents.
docs/prd/azure-auth-file-isolation.md (1)
169-1231: Specify language identifiers on all fenced code blocks. Lines 169, 180, 193, 955, 1006, and 1231 contain fenced code blocks without language identifiers. Add appropriate markers (`` ```bash ``, `` ```go ``, `` ```yaml ``, etc.) to enable syntax highlighting. This is especially important for the extensive Go code examples in the architecture sections.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (3)
- docs/prd/auth-file-isolation-pattern.md (1 hunks)
- docs/prd/aws-auth-file-isolation.md (1 hunks)
- docs/prd/azure-auth-file-isolation.md (1 hunks)
🧰 Additional context used
🧠 Learnings (9)
📓 Common learnings
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: mcalhoun
Repo: cloudposse/atmos PR: 963
File: website/docs/core-concepts/projects/configuration/stores.mdx:286-286
Timestamp: 2025-04-25T20:54:19.701Z
Learning: For the AWS SSM Parameter Store implementation in Atmos, support for `read_role_arn` and `write_role_arn` options is essential to enable cross-account access, allowing users to run operations like `terraform plan` in multiple accounts while accessing values across keystores. Azure Key Vault would need similar capabilities for cross-tenant/subscription authentication.
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: Final XDG Base Directory Specification implementation for atmos toolchain is complete and verified: toolchain/xdg_cache.go provides GetXDGCacheDir() and GetXDGTempCacheDir() functions, all hardcoded ~/.cache/tools-cache paths have been replaced with XDG-compliant paths using ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback), and tests have been updated to expect the new path structure.
Applied to files:
docs/prd/auth-file-isolation-pattern.md, docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: XDG Base Directory Specification compliance implementation for atmos toolchain is complete: created toolchain/xdg_cache.go with GetXDGCacheDir() and GetXDGTempCacheDir() functions, updated toolchain/installer.go and cmd/toolchain_clean.go to use these XDG helpers, and changed all cache paths from hardcoded ~/.cache/tools-cache to XDG-compliant ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback).
Applied to files:
docs/prd/auth-file-isolation-pattern.md, docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-11-10T20:03:56.875Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1775
File: pkg/auth/providers/aws/sso_provisioning.go:40-79
Timestamp: 2025-11-10T20:03:56.875Z
Learning: In the Atmos AWS SSO provider (pkg/auth/providers/aws/sso_provisioning.go), the OAuth access token from the AWS SSO device flow is intentionally stored in the `AccessKeyID` field of `AWSCredentials` during authentication. This token is then extracted and used for ListAccounts and ListAccountRoles API calls during identity provisioning. This design reuses the existing `AWSCredentials` type for token transport rather than creating a separate credential type.
Applied to files:
docs/prd/aws-auth-file-isolation.md
📚 Learning: 2025-04-25T20:54:19.701Z
Learnt from: mcalhoun
Repo: cloudposse/atmos PR: 963
File: website/docs/core-concepts/projects/configuration/stores.mdx:286-286
Timestamp: 2025-04-25T20:54:19.701Z
Learning: For the AWS SSM Parameter Store implementation in Atmos, support for `read_role_arn` and `write_role_arn` options is essential to enable cross-account access, allowing users to run operations like `terraform plan` in multiple accounts while accessing values across keystores. Azure Key Vault would need similar capabilities for cross-tenant/subscription authentication.
Applied to files:
docs/prd/aws-auth-file-isolation.md
📚 Learning: 2025-11-08T19:56:18.660Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1697
File: internal/exec/oci_utils.go:0-0
Timestamp: 2025-11-08T19:56:18.660Z
Learning: In the Atmos codebase, when a function receives an `*schema.AtmosConfiguration` parameter, it should read configuration values from `atmosConfig.Settings` fields rather than using direct `os.Getenv()` or `viper.GetString()` calls. The Atmos pattern is: viper.BindEnv in cmd/root.go binds environment variables → Viper unmarshals into atmosConfig.Settings via mapstructure → business logic reads from the Settings struct. This provides centralized config management, respects precedence, and enables testability. Example: `atmosConfig.Settings.AtmosGithubToken` instead of `os.Getenv("ATMOS_GITHUB_TOKEN")` in functions like `getGHCRAuth` in internal/exec/oci_utils.go.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain has been updated to follow XDG Base Directory Specification with helper functions GetXDGCacheDir() and GetXDGTempCacheDir() in toolchain/xdg_cache.go, using XDG_CACHE_HOME when set and falling back to ~/.cache/atmos-toolchain, making it consistent with atmos core's XDG compliance.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain XDG compliance implementation is complete with GetXDGCacheDir() and GetXDGTempCacheDir() functions in toolchain/xdg_cache.go, updated installer.go and toolchain_clean.go to use these helpers, and changed cache paths from ~/.cache/tools-cache to ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain when XDG_CACHE_HOME is not set).
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain should follow XDG Base Directory Specification like the rest of atmos core, using XDG_CACHE_HOME environment variable when available and falling back to ~/.cache when not set, instead of hardcoding ~/.cache/tools-cache paths.
Applied to files:
docs/prd/azure-auth-file-isolation.md
🪛 LanguageTool
docs/prd/auth-file-isolation-pattern.md
[style] ~28-~28: Since ownership is already implied, this phrasing may be redundant.
Context: ...nal configuration. Most developers have their own hobby accounts for personal use that ar...
(PRP_OWN)
[typographical] ~62-~62: In American English, use a period after an abbreviation.
Context: ... tell which credentials came from Atmos vs manual configuration - ❌ **Configuratio...
(MISSING_PERIOD_AFTER_ABBREVIATION)
[grammar] ~136-~136: Please add a punctuation mark at the end of paragraph.
Context: ...r-specific identifiers required for SDK operation 4. **Terraform/Tool Compatibility Vari...
(PUNCTUATION_PARAGRAPH_END)
[style] ~463-~463: You have used the passive voice repeatedly in nearby sentences. To make your writing clearer and easier to read, consider using active voice.
Context: ...ility variables are set - Test input is not mutated (returns new map) 4. **Integration Tes...
(REP_PASSIVE_VOICE)
docs/prd/aws-auth-file-isolation.md
[grammar] ~22-~22: Please add a punctuation mark at the end of paragraph.
Context: ...illing the wrong customer or unexpected costs **Why Standard AWS CLI Configuration I...
(PUNCTUATION_PARAGRAPH_END)
[grammar] ~29-~29: Please add a punctuation mark at the end of paragraph.
Context: ...- ❌ No physical separation—just logical profiles **Atmos Solution: Physical File Isolat...
(PUNCTUATION_PARAGRAPH_END)
[style] ~156-~156: Since ownership is already implied, this phrasing may be redundant.
Context: ...NI File Structure:** Each provider has its own credentials and config files that can c...
(PRP_OWN)
[grammar] ~386-~386: Please add a punctuation mark at the end of paragraph.
Context: ...n be active in different shell sessions simultaneously ### 5. Shell Session Scoping **Enviro...
(PUNCTUATION_PARAGRAPH_END)
docs/prd/azure-auth-file-isolation.md
[style] ~18-~18: Since ownership is already implied, this phrasing may be redundant.
Context: ...sonal hobby accounts**: Developers have their own Azure subscriptions for personal projec...
(PRP_OWN)
[style] ~247-~247: Consider using the typographical ellipsis character here instead.
Context: ... Same logic flow | | Auth Context | AWSAuthContext{...} | AzureAuthContext{...} | Parallel ...
(ELLIPSIS)
[style] ~247-~247: Consider using the typographical ellipsis character here instead.
Context: ...uth Context** | AWSAuthContext{...} | AzureAuthContext{...} | Parallel schemas | | **Clean Logout...
(ELLIPSIS)
[grammar] ~929-~929: Please add a punctuation mark at the end of paragraph.
Context: ... - Provider-specific variables for tool integration Examples: | Provider | Primary Is...
(PUNCTUATION_PARAGRAPH_END)
🪛 markdownlint-cli2 (0.18.1)
docs/prd/auth-file-isolation-pattern.md
53-53: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
66-66: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
91-91: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
106-106: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
docs/prd/aws-auth-file-isolation.md
33-33: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
52-52: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
267-267: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
288-288: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
375-375: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
docs/prd/azure-auth-file-isolation.md
169-169: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
180-180: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
193-193: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
955-955: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
1231-1231: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
- GitHub Check: Build (macos)
- GitHub Check: Build (windows)
- GitHub Check: Build (linux)
- GitHub Check: autofix
- GitHub Check: Lint (golangci)
- GitHub Check: Analyze (go)
- GitHub Check: Analyze (go)
- GitHub Check: Analyze (go)
- GitHub Check: Lint (golangci)
- GitHub Check: Lint (golangci)
- GitHub Check: Review Dependency Licenses
- GitHub Check: Summary
🔇 Additional comments (7)
docs/prd/auth-file-isolation-pattern.md (3)
1-10: Document hierarchy and scope are clear. The executive summary effectively frames the universal pattern with a concrete principle ("All identity provider implementations MUST use XDG-compliant, provider-scoped directories"). The design philosophy section logically connects security requirements to real-world scenarios. Well structured.
150-300: Code architecture patterns provide actionable implementation guidance. The four required components (File Manager, Setup Functions, Environment Preparation, AuthContext Schema) are well-defined with concrete interfaces and constructor patterns. The constructor pattern sections (lines 186–217) show good attention to precedence rules and path resolution. AWS and Azure docs can follow this template confidently.
513-521: Cross-document references verified as valid. All four internal PRDs referenced in lines 515–519 exist in the repository:
- xdg-base-directory-specification.md ✓
- auth-context-multi-identity.md ✓
- aws-auth-file-isolation.md ✓
- azure-auth-file-isolation.md ✓
No broken documentation links detected.
docs/prd/aws-auth-file-isolation.md (2)
1-50: Real-world use case is compelling and well-motivated. The multi-customer cloud operations scenario (lines 11–47) effectively establishes why file isolation matters. The before/after comparison (lines 287–305) shows concrete risks. This context justifies the physical isolation approach for practitioners.
501-517: Adherence table clearly maps AWS to universal pattern. The matrix (lines 505–517) demonstrates alignment with each requirement from the universal pattern PRD. Status checks (✅) provide confidence that AWS is a working reference implementation. This table structure should be replicated in the Azure PRD for consistency.
docs/prd/azure-auth-file-isolation.md (2)
11-120: Problem statement and environment variable analysis are thorough. Lines 11–120 effectively establish why Azure file isolation is needed and provide concrete before/after scenarios. The environment variable support table (lines 76–91) clearly shows that Azure SDK natively supports `AZURE_CONFIG_DIR` for isolation. This foundation is strong.
1-10: Executive summary and design goals align well with universal pattern. Lines 1–9 establish Azure's role as the first post-AWS implementation of the universal pattern. The problem statement (lines 11–120) is concrete and compelling. Design goals (lines 121–137) map cleanly to the universal pattern requirements. This is a strong foundation for the implementation work ahead.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
```text
@@            Coverage Diff             @@
##             main    #1792      +/-   ##
==========================================
+ Coverage   70.61%   70.66%   +0.04%
==========================================
  Files         451      451
  Lines       42367    42367
==========================================
+ Hits        29916    29937      +21
+ Misses       9922     9902      -20
+ Partials     2529     2528       -1
```
Flags with carried forward coverage won't be shown.
Address CodeRabbit review feedback by adding appropriate language specifiers (text, bash, go, yaml, ini) to all fenced code blocks for proper syntax highlighting. Fixes MD040 markdown linting violations. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Actionable comments posted: 1
♻️ Duplicate comments (1)
docs/prd/aws-auth-file-isolation.md (1)
7-7: Update status to reflect PR review state, not post-merge deployment. Line 7 marks this as "✅ Implemented" with line 9 claiming it "successfully implements" XDG compliance. However, this PRD documents code that's still in active review (PR #1792) and not yet merged to main. The status should reflect the actual state to avoid misleading readers.
Align with the Azure PRD approach (line 7 of `azure-auth-file-isolation.md` uses "🚧 Planned") and update to "🚧 In Review" or similar wording that accurately reflects ongoing work.
```diff
-**Status:** ✅ **Implemented** - This PRD documents the existing AWS implementation.
+**Status:** 🚧 **In Review** - This PRD documents the AWS implementation under review in PR #1792.
```
Also update line 9 to avoid claiming deployment:
```diff
-**Key Achievement:** AWS successfully implements XDG-compliant credential isolation with physically separate configuration files, making it **provably impossible** to accidentally use the wrong customer's credentials when working with multiple client environments.
+**Key Achievement:** AWS implementation provides XDG-compliant credential isolation with physically separate configuration files, making it **provably impossible** to accidentally use the wrong customer's credentials when working with multiple client environments.
```
Also applies to: 9-9
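Review bot: the replacement status line in the first suggestion hardcodes "under review in PR #1792", which goes stale the moment the PR merges and would need a follow-up docs change; wording that states the state without the PR number (for example `🚧 **In Review** - This PRD documents the AWS implementation pending merge.`) avoids that, or the status line should carry a reminder to flip it on merge. In the second suggestion the `+` line still asserts it is **provably impossible** to use the wrong customer's credentials, yet the mechanism documented here is redirection through environment variables such as `AZURE_CONFIG_DIR` and `ARM_*`, which only holds for tools that honour those variables; "designed to prevent" states what the PRD actually demonstrates.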
🧹 Nitpick comments (3)
docs/prd/aws-auth-file-isolation.md (1)
22-22: Optional: Add terminal punctuation to paragraph-ending bullets for formal consistency. Lines 22, 29, and 386 end with bullets/descriptions lacking terminal punctuation. While markdown typically doesn't require this, adding periods would align with formal documentation conventions.
Also applies to: 29-29, 386-386
docs/prd/azure-auth-file-isolation.md (1)
436-436: Add language specifiers to fenced code blocks for proper syntax highlighting. Lines 436, 664, 820, 875, 961, and 1231 have code blocks with missing or incorrect language tags. For example:
- Line 961: Migration output should be `` ```bash ``
- Line 1231: YAML config should be `` ```yaml ``
- Lines 436, 664, 820, 875: Should be `` ```go ``, not `` ```text ``
This improves documentation readability and syntax highlighting in renderers.
````diff
-```text
-// AzureFileManager code
+```go
+// AzureFileManager code
````
Also applies to: 664-664, 820-820, 875-875, 961-961, 1231-1231
docs/prd/auth-file-isolation-pattern.md (1)
62-62: Minor grammar and style suggestions for formal documentation polish.
- Line 62: Add period after "vs" abbreviation: "vs. manual configuration"
- Line 136: Add terminal punctuation to paragraph
- Line 463: Line uses passive voice ("are set") - could strengthen with active voice ("the provider sets")
These are optional refinements for a more formal tone.
Also applies to: 136-136, 463-463
🧰 Additional context used
🧠 Learnings (10)
📚 Learning: 2025-09-25T01:02:48.697Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/manager.go:304-312
Timestamp: 2025-09-25T01:02:48.697Z
Learning: The auth manager in pkg/auth/manager.go should remain cloud-agnostic and not contain AWS-specific logic or references to specific cloud providers. Keep the manager generic and extensible.
Applied to files:
docs/prd/azure-auth-file-isolation.md, docs/prd/aws-auth-file-isolation.md
🪛 LanguageTool
docs/prd/azure-auth-file-isolation.md
[grammar] ~960-~960: Please add a punctuation mark at the end of paragraph.
Context: ...atmos/azure/azure-oidc/msal_token_cache.json ``` **Migration Command (Optional):...
(PUNCTUATION_PARAGRAPH_END)
🪛 markdownlint-cli2 (0.18.1)
docs/prd/azure-auth-file-isolation.md
961-961: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
1231-1231: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
- GitHub Check: Build (linux)
- GitHub Check: Build (macos)
- GitHub Check: Build (windows)
- GitHub Check: autofix
- GitHub Check: Lint (golangci)
- GitHub Check: Analyze (go)
- GitHub Check: Review Dependency Licenses
- GitHub Check: Summary
🔇 Additional comments (6)
docs/prd/aws-auth-file-isolation.md (1)
128-189: Technical documentation is thorough and well-structured. The file manager architecture (lines 128-189), auth context schema (lines 238-260), and environment variable strategy (lines 85-117) are clearly documented. File locking mechanism, INI comment preservation, and credential path resolution patterns are all technically accurate and properly justified.
Also applies to: 238-260
docs/prd/azure-auth-file-isolation.md (2)
230-250: AWS-to-Azure implementation mapping is clear and helpful. The comparison table (lines 230-250) effectively shows both the parallel architecture and necessary provider-specific differences. The notes on key differences (lines 251-257) help readers understand why Azure's `AZURE_CONFIG_DIR` approach differs from AWS's file-based approach.
1258-1294: Implementation checklist is well-organized and actionable. The phased approach (core infrastructure → provider integration → migration → documentation → future providers) provides a clear roadmap. This structure helps implementers understand dependencies and sequences work appropriately.
docs/prd/auth-file-isolation-pattern.md (3)
37-83: Real-world scenario effectively motivates the pattern. The developer workflow example (lines 37-83) with before/after comparison clearly shows why isolation matters. The contrast between mixed credentials (anti-pattern) and isolated directories (correct pattern) makes the security model tangible.
149-296: Code architecture patterns provide clear templates for new providers. The required components (file manager, setup functions, environment preparation, auth context) are well-defined with concrete Go examples. The 6-step workflow (lines 325-403) guides implementers through the process logically.
Also applies to: 325-403
494-511: Migration strategy is pragmatic and backward-compatible. The three-phase approach (dual-path → optional migration tool → eventual XDG-only) allows gradual adoption without breaking existing workflows. Marking Phase 3 "future" appropriately defers the breaking change decision.
- Add "strings" import to AzureFileManager code example
- Fix incorrect closing fence from ```text to ```

Addresses CodeRabbit review feedback on lines 268-436.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Actionable comments posted: 2
🧹 Nitpick comments (1)
docs/prd/azure-auth-file-isolation.md (1)
941-987: Migration strategy thoughtfully balances compatibility with progress. Phasing the rollout (backward compat → dual-path → XDG-only) protects existing workflows while incentivizing migration. The warning message (lines 955–962) is user-friendly, and the optional migration command (lines 964–987) lowers friction.
Suggestion: In Phase 2 (dual-path support), clarify which files get read from both locations. For example, explicitly state whether the MSAL cache read tries `~/.config/atmos/azure/.../msal_token_cache.json` first, then falls back to `~/.azure/msal_token_cache.json`. This ensures implementers don't introduce subtle bugs in fallback logic.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (1)
docs/prd/azure-auth-file-isolation.md (1 hunks)
🧰 Additional context used
🧠 Learnings (15)
📓 Common learnings
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
Learnt from: mcalhoun
Repo: cloudposse/atmos PR: 963
File: website/docs/core-concepts/projects/configuration/stores.mdx:286-286
Timestamp: 2025-04-25T20:54:19.701Z
Learning: For the AWS SSM Parameter Store implementation in Atmos, support for `read_role_arn` and `write_role_arn` options is essential to enable cross-account access, allowing users to run operations like `terraform plan` in multiple accounts while accessing values across keystores. Azure Key Vault would need similar capabilities for cross-tenant/subscription authentication.
📚 Learning: 2025-09-25T01:02:48.697Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/manager.go:304-312
Timestamp: 2025-09-25T01:02:48.697Z
Learning: The auth manager in pkg/auth/manager.go should remain cloud-agnostic and not contain AWS-specific logic or references to specific cloud providers. Keep the manager generic and extensible.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2024-12-02T21:26:32.337Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: pkg/config/config.go:478-483
Timestamp: 2024-12-02T21:26:32.337Z
Learning: In the 'atmos' project, when reviewing Go code like `pkg/config/config.go`, avoid suggesting file size checks after downloading remote configs if such checks aren't implemented elsewhere in the codebase.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2024-10-23T21:36:40.262Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 740
File: cmd/cmd_utils.go:340-359
Timestamp: 2024-10-23T21:36:40.262Z
Learning: In the Go codebase for Atmos, when reviewing functions like `checkAtmosConfig` in `cmd/cmd_utils.go`, avoid suggesting refactoring to return errors instead of calling `os.Exit` if such changes would significantly increase the scope due to the need to update multiple call sites.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2024-12-12T15:17:45.245Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: examples/demo-atmos.d/atmos.d/tools/helmfile.yml:10-10
Timestamp: 2024-12-12T15:17:45.245Z
Learning: In `examples/demo-atmos.d/atmos.d/tools/helmfile.yml`, when suggesting changes to `kubeconfig_path`, ensure that the values use valid Go template syntax.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-04-04T02:03:23.676Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1185
File: internal/exec/yaml_func_store.go:26-26
Timestamp: 2025-04-04T02:03:23.676Z
Learning: The Atmos codebase currently uses `log.Fatal` for error handling in multiple places. The maintainers are aware this isn't an ideal pattern (should only be used in main() or init() functions) and plan to address it comprehensively in a separate PR. CodeRabbit should not flag these issues or push for immediate changes until that refactoring is complete.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2024-10-28T01:51:30.811Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 727
File: internal/exec/terraform_clean.go:329-332
Timestamp: 2024-10-28T01:51:30.811Z
Learning: In the Atmos Go code, when deleting directories or handling file paths (e.g., in `terraform_clean.go`), always resolve the absolute path using `filepath.Abs` and use the logger `u.LogWarning` for logging messages instead of using `fmt.Printf`.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-10T22:38:42.212Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/identities/aws/user.go:141-145
Timestamp: 2025-09-10T22:38:42.212Z
Learning: The user confirmed that the errors package has an error string wrapping format, contradicting the previous learning about ErrWrappingFormat being invalid. The current usage of fmt.Errorf(errUtils.ErrWrappingFormat, errUtils.ErrAuthAwsFileManagerFailed, err) appears to be the correct pattern.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-10-10T23:51:36.597Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1599
File: internal/exec/terraform.go:394-402
Timestamp: 2025-10-10T23:51:36.597Z
Learning: In Atmos (internal/exec/terraform.go), when adding OpenTofu-specific flags like `--var-file` for `init`, do not gate them based on command name (e.g., checking if `info.Command == "tofu"` or `info.Command == "opentofu"`) because command names don't reliably indicate the actual binary being executed (symlinks, aliases). Instead, document the OpenTofu requirement in code comments and documentation, trusting users who enable the feature (e.g., `PassVars`) to ensure their terraform command points to an OpenTofu binary.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-01-07T20:38:09.618Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 896
File: cmd/editor_config.go:37-40
Timestamp: 2025-01-07T20:38:09.618Z
Learning: Error handling suggestion for `cmd.Help()` in `cmd/editor_config.go` was deferred as the code is planned for future modifications.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-11-08T19:56:18.660Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1697
File: internal/exec/oci_utils.go:0-0
Timestamp: 2025-11-08T19:56:18.660Z
Learning: In the Atmos codebase, when a function receives an `*schema.AtmosConfiguration` parameter, it should read configuration values from `atmosConfig.Settings` fields rather than using direct `os.Getenv()` or `viper.GetString()` calls. The Atmos pattern is: viper.BindEnv in cmd/root.go binds environment variables → Viper unmarshals into atmosConfig.Settings via mapstructure → business logic reads from the Settings struct. This provides centralized config management, respects precedence, and enables testability. Example: `atmosConfig.Settings.AtmosGithubToken` instead of `os.Getenv("ATMOS_GITHUB_TOKEN")` in functions like `getGHCRAuth` in internal/exec/oci_utils.go.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain has been updated to follow XDG Base Directory Specification with helper functions GetXDGCacheDir() and GetXDGTempCacheDir() in toolchain/xdg_cache.go, using XDG_CACHE_HOME when set and falling back to ~/.cache/atmos-toolchain, making it consistent with atmos core's XDG compliance.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: Final XDG Base Directory Specification implementation for atmos toolchain is complete and verified: toolchain/xdg_cache.go provides GetXDGCacheDir() and GetXDGTempCacheDir() functions, all hardcoded ~/.cache/tools-cache paths have been replaced with XDG-compliant paths using ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback), and tests have been updated to expect the new path structure.
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: XDG Base Directory Specification compliance implementation for atmos toolchain is complete: created toolchain/xdg_cache.go with GetXDGCacheDir() and GetXDGTempCacheDir() functions, updated toolchain/installer.go and cmd/toolchain_clean.go to use these XDG helpers, and changed all cache paths from hardcoded ~/.cache/tools-cache to XDG-compliant ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback).
Applied to files:
docs/prd/azure-auth-file-isolation.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain XDG compliance implementation is complete with GetXDGCacheDir() and GetXDGTempCacheDir() functions in toolchain/xdg_cache.go, updated installer.go and toolchain_clean.go to use these helpers, and changed cache paths from ~/.cache/tools-cache to ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain when XDG_CACHE_HOME is not set).
Applied to files:
docs/prd/azure-auth-file-isolation.md
🪛 LanguageTool
docs/prd/azure-auth-file-isolation.md
[style] ~18-~18: Since ownership is already implied, this phrasing may be redundant.
Context: ...sonal hobby accounts**: Developers have their own Azure subscriptions for personal projec...
(PRP_OWN)
[style] ~247-~247: Consider using the typographical ellipsis character here instead.
Context: ... Same logic flow | | Auth Context | AWSAuthContext{...} | AzureAuthContext{...} | Parallel ...
(ELLIPSIS)
[style] ~247-~247: Consider using the typographical ellipsis character here instead.
Context: ...uth Context** | AWSAuthContext{...} | AzureAuthContext{...} | Parallel schemas | | **Clean Logout...
(ELLIPSIS)
[grammar] ~961-~961: Please add a punctuation mark at the end of paragraph.
Context: ...atmos/azure/azure-oidc/msal_token_cache.json ``` **Migration Command (Optional):...
(PUNCTUATION_PARAGRAPH_END)
🪛 markdownlint-cli2 (0.18.1)
docs/prd/azure-auth-file-isolation.md
962-962: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
1232-1232: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
- GitHub Check: Build (linux)
- GitHub Check: Build (macos)
- GitHub Check: Build (windows)
- GitHub Check: Review Dependency Licenses
- GitHub Check: autofix
- GitHub Check: Analyze (go)
- GitHub Check: Lint (golangci)
- GitHub Check: Summary
🔇 Additional comments (8)
docs/prd/azure-auth-file-isolation.md (8)
3-10: Strong PRD foundation with clear problem statement and goals. The executive summary and problem statement effectively establish the security model: isolating Atmos-managed credentials from user's personal configs. The before/after developer scenarios (lines 52–67) clearly illustrate the pain point. Structuring around the AWS reference implementation (lines 234–249) makes the universal pattern intent clear and actionable.
268-437: File manager architecture is clean and matches AWS pattern. The `AzureFileManager` structure (lines 297–336) properly encapsulates base directory logic, respects XDG with fallback, and handles custom `basePath` from provider config. The method set (`GetProviderDir`, `GetMSALCachePath`, `GetProfilePath`, etc.) mirrors the AWS equivalent, establishing your universal pattern well. Error handling is sound, and logging at lines 390–407 follows codebase conventions.
One note: verify that the `homedir.Expand()` call at line 318 and `GetDisplayPath` logic at lines 375–381 align with how the existing `pkg/config/homedir` package is used elsewhere in the codebase—avoid duplication.
473-589: Setup functions establish clear separation of concerns. `SetupFiles()` ensures directory structure, and `SetAuthContext()` populates the auth context with provider-specific paths—good layering. The `SetAuthContextParams` struct (lines 521–529) cleanly groups related arguments. The `getComponentLocationOverride()` helper (lines 591–613) handles stack inheritance well.
One check: verify that `SetAuthContextParams` doesn't conflict with existing setup patterns elsewhere in `pkg/auth/cloud/aws/setup.go`. If AWS already defines a similar params struct, consider unifying or cross-referencing to establish your universal pattern.
615-665: Environment variable derivation is comprehensive and well-commented. `SetEnvironmentVariables()` correctly clears conflicting vars (via the `problematicAzureEnvVars` list—note: not shown in pseudocode, but referenced) and sets `AZURE_CONFIG_DIR`, subscription ID, tenant ID, and `ARM_USE_CLI=true`. The comment at lines 751–757 explains why `ARM_USE_CLI=true` is necessary—excellent rationale.
Minor: Verify that the `problematicAzureEnvVars` list (referenced at line 716) is defined somewhere in the actual implementation—it's not shown here but is critical for isolation correctness. Ensure it includes all credential env vars that could conflict with Atmos-managed credentials.
878-940: Universal pattern architecture is extensible and well-documented. The `FileManager` interface (lines 887–906), setup function patterns (lines 912–921), and environment variable conventions (lines 925–940) establish a solid foundation for new providers. The AWS-to-Azure-to-GCP/GitHub table clearly shows how providers diverge (directory vs. files, tenant+subscription vs. project IDs, etc.), making it easy for future implementers to adapt.
One gentle note: The interface is flexible but leaves provider-specific quirks (token formats, permission schemes, cache semantics) to each implementation. That's fine for a pattern PRD, but you may want to add a brief paragraph noting that future implementations should document any deviations and consider whether they can be abstracted further—this encourages convergence over time.
998-1166: Testing strategy covers core flows with good isolation practices. Unit tests exercise file manager path resolution, setup context population, and environment variable manipulation. The integration test (lines 1114–1166) verifies the full flow end-to-end using `TempDir` for hermetic isolation and environment overrides. Test coverage for cleanup (lines 1159–1164) is important and present.
Minor suggestion: During Phase 2 implementation, add tests for the legacy path fallback behavior (reading from `~/.azure/` when Atmos paths don't exist). This ensures the migration path doesn't introduce silent failures or unexpected precedence.
1-1330: Well-structured PRD that establishes a clear foundation for provider integration. This document effectively documents the Azure implementation while establishing a reusable pattern for future providers. The rationale for XDG-compliant isolation is clear, the AWS-to-Azure mapping is instructive, and the implementation roadmap (pseudocode + testing + migration phases) is actionable. The universal pattern section creates a template that GCP and GitHub implementations can follow.
The document aligns well with existing learnings around cloud-agnostic auth management and XDG compliance patterns used elsewhere in Atmos. It's thorough without being prescriptive about implementation details that should evolve during coding.
962-962: Add language specifier to bash code block. Line 962 is a fenced code block that should declare its language for proper syntax highlighting.
-\`\`\`
+\`\`\`bash
 $ atmos auth migrate azure
⛔ Skipped due to learnings
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: cmd/markdown/atmos_toolchain_aliases.md:2-4
Timestamp: 2025-09-13T16:39:20.007Z
Learning: In the cloudposse/atmos repository, CLI documentation files in cmd/markdown/ follow a specific format that uses " $ atmos command" (with leading space and dollar sign prompt) in code blocks. This is the established project convention and should not be changed to comply with standard markdownlint rules MD040 and MD014.
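The review comments above describe the isolation pattern in pieces: an XDG-resolved per-provider directory, an environment map that is rebuilt rather than mutated with personal credential variables cleared and the provider's isolation variable set, a check that nothing still points into `~/.aws` or `~/.azure`, and the dual-path MSAL cache lookup the reviewer asks the PRD to spell out. The Go example below is added by the editor to show those pieces working together; it is not code from the atmos repository or from the PRDs. The function names (`BaseDir`, `ProviderDir`, `PrepareEnvironment`, `VerifyIsolation`, `ResolveMSALCache`) and the list of conflicting variables are assumptions for illustration; only the environment variable names consumed by the AWS and Azure tooling (`AWS_SHARED_CREDENTIALS_FILE`, `AWS_CONFIG_FILE`, `AZURE_CONFIG_DIR`, and the `AWS_*`/`AZURE_*` credential variables) are the real ones.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Provider names double as the per-provider directory under the Atmos base dir.
const (
	ProviderAWS   = "aws"
	ProviderAzure = "azure"
)

// Variables that would let a personal or CI credential win over the Atmos-managed
// identity. Constructed for this example (the PRD's list is not shown on the page).
var conflictingEnvVars = map[string][]string{
	ProviderAWS:   {"AWS_PROFILE", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"},
	ProviderAzure: {"AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID", "AZURE_SUBSCRIPTION_ID"},
}

// BaseDir resolves the Atmos config root per XDG: $XDG_CONFIG_HOME/atmos when set,
// otherwise ~/.config/atmos. home and xdg are parameters so the result is deterministic.
func BaseDir(home, xdg string) string {
	if xdg != "" {
		return filepath.Join(xdg, "atmos")
	}
	return filepath.Join(home, ".config", "atmos")
}

// ProviderDir gives each provider/identity pair its own directory, so Atmos never
// reads or writes ~/.aws or ~/.azure.
func ProviderDir(base, provider, identity string) string {
	return filepath.Join(base, provider, identity)
}

// PrepareEnvironment returns a NEW map: the caller's env with conflicting
// credential variables removed and the provider's isolation variables added.
// The input map is never mutated.
func PrepareEnvironment(env map[string]string, provider, providerDir string) (map[string]string, error) {
	out := make(map[string]string, len(env)+2)
	for k, v := range env {
		out[k] = v
	}
	for _, k := range conflictingEnvVars[provider] {
		delete(out, k)
	}
	switch provider {
	case ProviderAWS: // AWS: point the SDK/CLI at files inside the isolated dir.
		out["AWS_SHARED_CREDENTIALS_FILE"] = filepath.Join(providerDir, "credentials")
		out["AWS_CONFIG_FILE"] = filepath.Join(providerDir, "config")
	case ProviderAzure: // Azure: az/MSAL take a whole directory instead of files.
		out["AZURE_CONFIG_DIR"] = providerDir
	default:
		return nil, fmt.Errorf("unsupported provider %q", provider)
	}
	return out, nil
}

// VerifyIsolation is the check a test should run after PrepareEnvironment: no
// isolation variable may resolve into the personal CLI directories.
func VerifyIsolation(env map[string]string, home string) error {
	personal := []string{filepath.Join(home, ".aws"), filepath.Join(home, ".azure")}
	for _, k := range []string{"AWS_SHARED_CREDENTIALS_FILE", "AWS_CONFIG_FILE", "AZURE_CONFIG_DIR"} {
		v, ok := env[k]
		if !ok {
			continue
		}
		for _, p := range personal {
			if v == p || strings.HasPrefix(v, p+string(filepath.Separator)) {
				return fmt.Errorf("%s=%s points into personal directory %s", k, v, p)
			}
		}
	}
	return nil
}

// ResolveMSALCache is the dual-path rule made explicit: the Atmos-managed cache wins
// whenever it exists; the legacy ~/.azure copy is only a fallback, and the second
// return value reports which one was chosen so callers can warn about legacy reads.
func ResolveMSALCache(providerDir, legacyAzureDir string) (path string, legacy bool) {
	primary := filepath.Join(providerDir, "msal_token_cache.json")
	if _, err := os.Stat(primary); err == nil {
		return primary, false
	}
	return filepath.Join(legacyAzureDir, "msal_token_cache.json"), true
}

func main() {
	home := "/home/dev" // constructed path for the demo, not the real $HOME
	dir := ProviderDir(BaseDir(home, ""), ProviderAzure, "azure-oidc")
	personal := map[string]string{"AZURE_CLIENT_SECRET": "hobby-secret", "PATH": "/usr/bin"}
	env, err := PrepareEnvironment(personal, ProviderAzure, dir)
	if err != nil {
		panic(err)
	}
	fmt.Println(env["AZURE_CONFIG_DIR"], VerifyIsolation(env, home), len(personal))
}
```

The map copy is the point the PRD's test list makes ("test input is not mutated"): a login flow that deleted `AWS_PROFILE` from the caller's own environment would leak the isolation decision back into the developer's shell. `VerifyIsolation` is deliberately prefix-based, so a `basePath` override that happens to live under `~/.azure` is caught as well.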
- Fix bash block closing from ```text to ``` on line 68
- Remove duplicate closing fence after YAML block on line 1232

Addresses CodeRabbit review feedback.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
These changes were released in v1.199.0-rc.1.
what
why
`aws configure`, `az login`, `gcloud init`. Atmos must never modify these personal accounts.
`~/.azure/` which breaks developer's personal Azure CLI setup. This PRD documents the required changes to match AWS pattern.
Key architectural decision: Atmos-managed credentials go in `~/.config/atmos/{cloud}/`, personal credentials stay in default locations (`~/.aws/`, `~/.azure/`, `~/.config/gcloud/`).
references
- `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE`
- `AZURE_CONFIG_DIR` environment variable for isolation
Summary by CodeRabbit
AWS_SHARED_CREDENTIALS_FILEandAWS_CONFIG_FILEAZURE_CONFIG_DIRenvironment variable for isolationSummary by CodeRabbit