Add Atmos Validation Policy Execution Context. Update docs #1261

Merged
merged 18 commits into from
May 23, 2025

Conversation

aknysh (Member) commented May 20, 2025

what

  • Add Atmos Validation Policy Execution Context
  • Update docs
  • Add unit tests

why

Policy Execution Context

Atmos allows enforcing custom governance rules based on metadata about Atmos commands and provides a powerful
policy evaluation mechanism by passing structured metadata to OPA policies at runtime.

This metadata enables fine-grained control over when certain actions (like terraform apply) are allowed or denied,
based on the context in which they're executed.

Policy Metadata

When Atmos runs a command, it supplies an input object to OPA policies that contains detailed contextual information, such as:

  • cli_args: a list of the command line arguments and flags (e.g., executing the atmos terraform apply command will generate the ["terraform", "apply"] list)
  • vars: a map of variables passed to the command, either via the stack config files or CLI flags
  • other contextual attributes such as the stack and component names

Policy Execution Context Example

Below is an OPA policy rule to enforce infrastructure governance during command execution.
Specifically, this rule blocks the execution of atmos terraform apply if the variable foo is set to the string "foo".

# 'package atmos' is required in all Atmos OPA policies
package atmos

# Atmos looks for the 'errors' (array of strings) output from all OPA policies
# If the 'errors' output contains one or more error messages, Atmos considers the policy failed

# Don't allow `terraform apply` if the `foo` variable is set to `foo`
# The `input` map contains the `cli_args` attribute (a list of the command line arguments and flags)
errors[message] {
    count(input.cli_args) >= 2
    input.cli_args[0] == "terraform"
    input.cli_args[1] == "apply"
    input.vars.foo == "foo"
    message = "the component can't be applied if the 'foo' variable is set to 'foo'"
}

The rule checks if:

  • The cli_args list has at least two items
  • The command (first item in the cli_args list) is terraform
  • The subcommand (second item in the cli_args list) is apply
  • The variable foo is set to "foo"

If all conditions are true, the rule generates an error message.

The generated error message is added to the errors array.
Atmos interprets the presence of any messages in errors as a policy violation and blocks the operation with the
following error:

the component can't be applied if the 'foo' variable is set to 'foo'

exit status 1

Summary by CodeRabbit

  • New Features
    • Added support for passing CLI arguments context to validation policies, enabling advanced policy enforcement based on command-line input.
    • Introduced new test scenarios and configuration files for stack validation using Open Policy Agent (OPA) policies.
  • Bug Fixes
    • Improved handling and filtering of CLI arguments to ensure accurate context is provided to validation logic.
  • Documentation
    • Added detailed documentation on policy execution context for OPA integration.
    • Updated CLI command documentation metadata and integration guides.
  • Tests
    • Added new tests for stack validation and describe stacks command execution.
  • Chores
    • Upgraded Atmos version to 1.177.0 in relevant configurations.
    • Removed obsolete debugging statements and improved code comments.
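A policy written against the same execution context, as an added example that is not code from the PR or the Atmos project: it restates the rule above with the rego.v1 keywords and adds a second rule that inspects the flags carried in cli_args. It assumes a stage variable (the one used in the PR's test fixture) and that Terraform's own -auto-approve flag is passed through in cli_args.

```rego
# Added example, not part of PR #1261 or the Atmos repository.
# Assumed input shape, per the PR description: `cli_args` (command, subcommand
# and flags as typed on the command line) and `vars` (the component's merged
# variables). `stage` is the variable the PR's test fixture sets; `-auto-approve`
# is Terraform's flag, assumed here to be forwarded in `cli_args`.
package atmos

import rego.v1

# True for `atmos terraform apply ...`
is_terraform_apply if {
	count(input.cli_args) >= 2
	input.cli_args[0] == "terraform"
	input.cli_args[1] == "apply"
}

# Same rule as the PR's example, written with the rego.v1 `contains`/`if` keywords
errors contains msg if {
	is_terraform_apply
	input.vars.foo == "foo"
	msg := "the component can't be applied if the 'foo' variable is set to 'foo'"
}

# Refuse unattended applies in the `prod` stage. The flag is visible to the
# policy only because `cli_args` carries flags as well as the command words.
errors contains msg if {
	is_terraform_apply
	input.vars.stage == "prod"
	"-auto-approve" in input.cli_args
	msg := "'terraform apply -auto-approve' is not allowed in the 'prod' stage"
}
```

Atmos treats any message in errors as a violation, so either rule firing blocks the command with its message and exit status 1, exactly as in the output shown above.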

@aknysh aknysh self-assigned this May 20, 2025
@aknysh aknysh requested a review from a team as a code owner May 20, 2025 22:14
@aknysh aknysh added the minor New features that do not break anything label May 20, 2025
mergify bot commented May 20, 2025

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

@mergify mergify bot added the needs-cloudposse Needs Cloud Posse assistance label May 20, 2025
coderabbitai bot (Contributor) commented May 20, 2025

Walkthrough

This update introduces a new CliArgs field to the ConfigAndStacksInfo struct, ensuring command-line arguments are explicitly tracked and passed through execution flows. Several command execution functions now assign this field. New OPA validation tests and fixtures are added, alongside minor Dockerfile and documentation updates.

Changes

  • pkg/schema/schema.go: Added CliArgs []string field to ConfigAndStacksInfo struct.
  • internal/exec/describe_affected.go, internal/exec/describe_component.go, internal/exec/describe_dependents.go, internal/exec/describe_stacks.go, internal/exec/describe_workflows.go, internal/exec/helmfile_generate_varfile.go, internal/exec/terraform.go, internal/exec/terraform_generate_backend.go, internal/exec/terraform_generate_backends.go, internal/exec/terraform_generate_planfile.go, internal/exec/terraform_generate_varfile.go, internal/exec/terraform_generate_varfiles.go: Set the new CliArgs field in various command execution functions, explicitly recording CLI arguments for each command context.
  • internal/exec/utils.go: Updated argument processing to concatenate CliArgs and AdditionalArgsAndFlags, filtering out empty strings before assignment.
  • cmd/helmfile.go: Moved a package import and set info.CliArgs before executing the Helmfile command.
  • internal/exec/describe_config.go: Only blank line changes around imports; no logic modified.
  • internal/exec/stack_processor_utils.go: Removed a debugging print statement.
  • internal/exec/terraform_test.go: Added TestExecuteTerraform_OpaValidation to test OPA validation logic for Terraform commands.
  • internal/exec/describe_stacks_test.go: Added TestExecuteDescribeStacksCmd to test the describe stacks command execution with environment setup and CLI flags.
  • examples/quick-start-advanced/Dockerfile, website/docs/integrations/atlantis.mdx: Updated ATMOS_VERSION from 1.176.0 to 1.177.0.
  • tests/fixtures/scenarios/atmos-stacks-validation/atmos.yaml: Added new Atmos configuration file with component, stack, logging, and schema validation settings.
  • tests/fixtures/scenarios/atmos-stacks-validation/stacks/deploy/nonprod.yaml: Added new YAML manifest defining variables and a Terraform component with OPA validation.
  • tests/fixtures/scenarios/atmos-stacks-validation/stacks/schemas/opa/validate-component.rego: Added new OPA policy to deny terraform apply if variable foo is "foo".
  • website/docs/core-concepts/validate/opa.mdx: Added documentation section on Atmos OPA policy execution context, with examples.
  • website/docs/cli/commands/list/list-settings.mdx: Updated documentation frontmatter metadata for sidebar labeling and page ID.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI
    participant CommandExecutor
    participant ConfigAndStacksInfo
    participant OPAValidator

    User->>CLI: Run command (e.g., atmos terraform apply)
    CLI->>CommandExecutor: Parse and dispatch command
    CommandExecutor->>ConfigAndStacksInfo: Set CliArgs with command/subcommand
    CommandExecutor->>OPAValidator: Pass ConfigAndStacksInfo (with CliArgs, vars, etc.)
    OPAValidator-->>CommandExecutor: Policy decision (allow/deny)
    CommandExecutor-->>CLI: Output result
    CLI-->>User: Display result or error

Suggested reviewers

  • osterman
  • aknysh

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0999f74 and 401b747.

📒 Files selected for processing (1)
  • go.mod (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Build (windows-latest, windows)
  • GitHub Check: Summary

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
tests/fixtures/scenarios/atmos-stacks-validation/stacks/schemas/opa/validate-component.rego (1)

1-17: Good OPA policy example for validation context.

The policy effectively demonstrates how to use the new CLI command context metadata to implement conditional validation rules. It's well-commented and illustrates the intended use case.

Consider adding the recommended import rego.v1 statement at the top of the file to ensure compatibility with future OPA versions:

# 'package atmos' is required in all `atmos` OPA policies
package atmos
+import rego.v1
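Review bot: adding `import rego.v1` on its own would break this file rather than future-proof it, because the `errors[message] { ... }` rule head a few lines below no longer parses once rego.v1 is imported: rego.v1 makes the `if` keyword mandatory for every rule with a body and `contains` mandatory for multi-value (set) rules. The import should land together with the head rewritten as `errors contains message if {`; the rule body itself can stay as it is.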
🧰 Tools
🪛 Regal (0.33.1)

[error] 2-2: Directory structure should mirror package

(idiomatic)


[error] 2-2: Use import rego.v1

(imports)

website/docs/core-concepts/validate/opa.mdx (1)

181-187: Tighten up bullet punctuation
Consider using an em dash instead of a hyphen in your bullets for a cleaner look. For example:

- - `cli_command`: the main Atmos command being run, such as `terraform` or `helmfile`
+ - `cli_command` — the main Atmos command being run, such as `terraform` or `helmfile`
🧰 Tools
🪛 LanguageTool

[uncategorized] ~183-~183: Loose punctuation mark.
Context: ...l information, such as: - cli_command: the main Atmos command being run, such ...

(UNLIKELY_OPENING_PUNCTUATION)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b6c2077 and 49156e2.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (25)
  • cmd/helmfile.go (2 hunks)
  • examples/quick-start-advanced/Dockerfile (1 hunks)
  • go.mod (4 hunks)
  • internal/exec/describe_affected.go (1 hunks)
  • internal/exec/describe_component.go (1 hunks)
  • internal/exec/describe_config.go (1 hunks)
  • internal/exec/describe_dependents.go (1 hunks)
  • internal/exec/describe_stacks.go (1 hunks)
  • internal/exec/describe_workflows.go (1 hunks)
  • internal/exec/helmfile_generate_varfile.go (1 hunks)
  • internal/exec/terraform.go (1 hunks)
  • internal/exec/terraform_generate_backend.go (1 hunks)
  • internal/exec/terraform_generate_backends.go (1 hunks)
  • internal/exec/terraform_generate_planfile.go (1 hunks)
  • internal/exec/terraform_generate_varfile.go (1 hunks)
  • internal/exec/terraform_generate_varfiles.go (1 hunks)
  • internal/exec/terraform_test.go (1 hunks)
  • internal/exec/utils.go (1 hunks)
  • pkg/config/const.go (1 hunks)
  • pkg/schema/schema.go (1 hunks)
  • tests/fixtures/scenarios/atmos-stacks-validation/atmos.yaml (1 hunks)
  • tests/fixtures/scenarios/atmos-stacks-validation/stacks/deploy/nonprod.yaml (1 hunks)
  • tests/fixtures/scenarios/atmos-stacks-validation/stacks/schemas/opa/validate-component.rego (1 hunks)
  • website/docs/core-concepts/validate/opa.mdx (1 hunks)
  • website/docs/integrations/atlantis.mdx (1 hunks)
🧰 Additional context used
🧠 Learnings (3)
internal/exec/helmfile_generate_varfile.go (1)
Learnt from: Listener430
PR: cloudposse/atmos#825
File: internal/exec/helmfile_generate_varfile.go:28-31
Timestamp: 2024-12-07T16:16:13.038Z
Learning: In `internal/exec/helmfile_generate_varfile.go`, the `--help` command (`./atmos helmfile generate varfile --help`) works correctly without requiring stack configurations, and the only change needed was to make `ProcessCommandLineArgs` exportable by capitalizing its name.
examples/quick-start-advanced/Dockerfile (1)
Learnt from: aknysh
PR: cloudposse/atmos#775
File: examples/quick-start-advanced/Dockerfile:9-9
Timestamp: 2024-11-12T03:15:15.627Z
Learning: It is acceptable to set `ARG ATMOS_VERSION` to a future version like `1.105.0` in `examples/quick-start-advanced/Dockerfile` if that will be the next release.
tests/fixtures/scenarios/atmos-stacks-validation/atmos.yaml (1)
Learnt from: RoseSecurity
PR: cloudposse/atmos#797
File: pkg/list/atmos.yaml:213-214
Timestamp: 2024-11-25T17:17:15.703Z
Learning: The file `pkg/list/atmos.yaml` is primarily intended for testing purposes.
🧬 Code Graph Analysis (1)
internal/exec/utils.go (1)
pkg/config/const.go (3)
  • CliCommandSectionName (75-75)
  • CliSubCommandSectionName (76-76)
  • CliSubCommand2SectionName (77-77)

🪛 LanguageTool
website/docs/core-concepts/validate/opa.mdx

[typographical] ~192-~192: Consider using a typographic close quote here.
Context: ...the variable foo is set to the string "foo". <File title="validate-component....

(EN_QUOTES)


[typographical] ~204-~204: To join two clauses or introduce examples, consider using an em dash.
Context: ... following attributes: # - cli_command - Atmos command, e.g. terraform, `helmfi...

(DASH_RULE)


[style] ~204-~204: A comma is missing here.
Context: ...tes: # - cli_command - Atmos command, e.g. terraform, helmfile (as in `atmos t...

(EG_NO_COMMA)


[style] ~204-~204: Consider using the typographical ellipsis character here instead.
Context: ...nd, e.g. terraform, helmfile (as in atmos terraform ...) # - cli_subcommand - subcommand, e...

(ELLIPSIS)


[typographical] ~204-~204: To join two clauses or introduce examples, consider using an em dash.
Context: ...helmfile (as in atmos terraform ...) # - cli_subcommand - subcommand, e.g. `ap...

(DASH_RULE)


[typographical] ~205-~205: To join two clauses or introduce examples, consider using an em dash.
Context: ...mos terraform ...) # - cli_subcommand- subcommand, e.g.apply, plan, gene...

(DASH_RULE)


[style] ~205-~205: A comma is missing here.
Context: ....) # - cli_subcommand- subcommand, e.g.apply, plan, generate(as inatm...

(EG_NO_COMMA)


[typographical] ~205-~205: To join two clauses or introduce examples, consider using an em dash.
Context: ...enerate(as inatmos terraform apply) # - cli_subcommand2- subcommand2, e.g....

(DASH_RULE)


[typographical] ~206-~206: To join two clauses or introduce examples, consider using an em dash.
Context: ... terraform apply) # - cli_subcommand2- subcommand2, e.g.varfile, varfiles`...

(DASH_RULE)


[style] ~206-~206: A comma is missing here.
Context: ...) # - cli_subcommand2 - subcommand2, e.g. varfile, varfiles, planfile (as i...

(EG_NO_COMMA)


[typographical] ~208-~208: Consider using a typographic close quote here.
Context: ...age] { input.cli_command == "terraform" input.cli_subcommand == "apply" inp...

(EN_QUOTES)


[typographical] ~209-~209: Consider using a typographic close quote here.
Context: ...raform" input.cli_subcommand == "apply" input.vars.foo == "foo" message = "...

(EN_QUOTES)


[typographical] ~210-~210: Consider using a typographic close quote here.
Context: ...mand == "apply" input.vars.foo == "foo" message = "the component can't be app...

(EN_QUOTES)


[typographical] ~211-~211: Consider using a typographic close quote here.
Context: ...ed if the 'foo' variable is set to 'foo'" } ``` The policy receives a st...

(EN_QUOTES)

⏰ Context from checks skipped due to timeout of 90000ms (5)
  • GitHub Check: Acceptance Tests (macos-latest, macos)
  • GitHub Check: Acceptance Tests (windows-latest, windows)
  • GitHub Check: Acceptance Tests (ubuntu-latest, linux)
  • GitHub Check: [localstack] demo-localstack
  • GitHub Check: Summary
🔇 Additional comments (34)
website/docs/integrations/atlantis.mdx (1)

676-676: Bump ATMOS_VERSION for GitHub Action
Updated to 1.177.0 to align with the new release.

internal/exec/describe_config.go (1)

7-7: Skip formatting-only change.
Adjusted blank line around imports without functional impact.

internal/exec/describe_dependents.go (1)

25-26: Propagate CLI command context
Assigning info.CliCommand = "describe" and info.CliSubCommand = "dependents" ensures that OPA policies receive the correct execution context.

internal/exec/describe_component.go (1)

152-153: Propagate CLI command context
Setting CliCommand and CliSubCommand to "describe" and "component" ensures correct CLI metadata for downstream policies and logging.

internal/exec/terraform_generate_varfile.go (1)

51-53: Propagate full CLI command hierarchy
By setting CliCommand, CliSubCommand, and CliSubCommand2 to "terraform", "generate", and "varfile", the execution context is fully captured for OPA validation.

examples/quick-start-advanced/Dockerfile (1)

9-9: Approve version bump in Dockerfile.
Updating ARG ATMOS_VERSION to 1.177.0 correctly aligns the example image with the new release that includes the validation policy execution context feature.

internal/exec/describe_affected.go (1)

213-214: Record CLI context for describe affected.
Setting info.CliCommand = "describe" and info.CliSubCommand = "affected" ensures the command and subcommand are captured in the execution context for OPA policy evaluation.

pkg/schema/schema.go (1)

482-484: Add fields for CLI execution context.
Introducing CliCommand, CliSubCommand, and CliSubCommand2 in ConfigAndStacksInfo is exactly what's needed to propagate the command metadata into policies. The placement and naming are consistent with the rest of the struct.

internal/exec/describe_stacks.go (1)

23-24: Capture CLI context for describe stacks.
Explicitly assigning info.CliCommand = "describe" and info.CliSubCommand = "stacks" correctly logs the context for downstream OPA validations.

internal/exec/terraform_generate_backends.go (1)

24-27: Embed CLI metadata for terraform generate backends.
Setting info.CliCommand = "terraform", info.CliSubCommand = "generate", and info.CliSubCommand2 = "backends" captures the full CLI invocation context, enabling precise policy enforcement.

internal/exec/describe_workflows.go (1)

19-20: Good addition of command context metadata

The inclusion of CLI command context fields enhances policy execution context for OPA validation. These fields allow policies to make decisions based on the specific command being executed.

internal/exec/terraform_generate_backend.go (1)

52-54: Command context metadata properly added

These CLI command context fields correctly identify the command hierarchy and align with the new Atmos Validation Policy Execution Context feature. The explicit setting of these fields ensures that OPA policies have the right information about the command being executed.

internal/exec/helmfile_generate_varfile.go (1)

36-38: Good implementation of command context fields

The CLI command context fields are properly set for the helmfile generate varfile command. This follows the same pattern implemented across other commands, providing consistent metadata for policy validation.

internal/exec/terraform_generate_planfile.go (1)

80-82: Command context metadata correctly implemented

The CLI command context fields accurately capture the command hierarchy for terraform generate planfile. This maintains consistency with how command context is tracked across the Atmos codebase and supports the new policy validation capabilities.

internal/exec/terraform_generate_varfiles.go (1)

24-26: Good addition of CLI command context

This adds necessary CLI command context fields to the info struct, which will be available for OPA policies. This pattern is consistently applied across command handlers.

cmd/helmfile.go (2)

4-5: Import reordering looks good

Moving the cobra import to the top of the import block improves readability.


33-34: Good addition of CLI command context

Setting CliCommand and CliSubCommand fields will make this command context available to OPA policies for validation.

internal/exec/utils.go (1)

655-657: Appropriate addition of command context to component section

This change adds CLI command metadata to the component section, which makes it available to OPA policies. This is the key integration point where the command context captured in the command handlers is made available for policy validation.

internal/exec/terraform.go (1)

39-41: Good addition of CLI command context

Sets CLI command context fields at the start of the function, consistent with the pattern in other command handlers. Unlike the other handlers which use hardcoded strings, this properly uses the existing subcommand values from the info struct, which handles the variety of terraform subcommands.

pkg/config/const.go (1)

75-77: Consistent addition of CLI command context constants.

The new constants follow the existing naming convention and properly define the CLI command context fields used for policy validation.

go.mod (1)

35-35: Dependency version updates look good.

These updates bump several dependencies to newer versions, which likely includes security fixes and stability improvements needed for the new CLI metadata functionality.

Also applies to: 162-164, 291-291, 326-326

internal/exec/terraform_test.go (1)

401-439: Well-structured test for OPA validation.

This test effectively verifies that:

  1. The terraform plan command passes validation
  2. The terraform apply command is blocked by the OPA policy when foo is set to "foo"

The test correctly sets up the necessary context fields and validates that the CLI command context is properly passed to OPA policies during execution.

website/docs/core-concepts/validate/opa.mdx (4)

171-178: Great addition of Policy Execution Context
This section clearly introduces the purpose and power of passing structured CLI metadata to OPA policies at runtime.


194-214: Example policy is clear and accurate
The Rego snippet concisely demonstrates how to block terraform apply when foo == "foo". It aligns with the code implementation and will be easy for users to adapt.

216-224: Useful explanation of policy inputs
The prose after the code block reinforces what attributes are available in input. It’s clear and on point.


232-239: Terminal output example is spot-on
The example error message and exit status match the policy logic, helping users visualize the failure.

tests/fixtures/scenarios/atmos-stacks-validation/stacks/deploy/nonprod.yaml (4)

1-5: Correct schema annotation and variable setup
The $schema directive is properly set, and stage: nonprod clearly identifies the environment.


6-13: Component structure and metadata look good
The mock component is defined cleanly, and the validation block is in the right place.


15-20: OPA validation parameters are accurate
schema_type, schema_path, and description fields are correctly configured for this scenario.


21-23: Test variables are appropriately defined
Including foo, bar, and baz sets up the test case to trigger the policy only on apply.

tests/fixtures/scenarios/atmos-stacks-validation/atmos.yaml (4)

1-10: Base path and Terraform component settings are correct
base_path: "./" and the terraform component options (disable auto-approve, enable init/reconfigure) match the test requirements.


11-18: Stacks configuration is precise
The included_paths, excluded_paths, and name_template ({{ .vars.stage }}) correctly target the nonprod scenario.


19-22: Logging setup is appropriate for tests
Output to /dev/stderr at Info level ensures visibility without cluttering stdout.


23-40: Schema directories and manifest paths align with fixtures
JSONSchema, OPA, and Atmos-manifest schema paths are set correctly relative to the scenario directory.

coderabbitai bot previously approved these changes May 20, 2025

codecov bot commented May 20, 2025

Codecov Report

Attention: Patch coverage is 60.00000% with 12 lines in your changes missing coverage. Please review.

Project coverage is 48.80%. Comparing base (77f7487) to head (401b747).
Report is 1 commit behind head on main.

Files with missing lines                       Patch %   Lines
internal/exec/describe_affected.go               0.00%   2 Missing
internal/exec/describe_dependents.go             0.00%   2 Missing
internal/exec/describe_workflows.go              0.00%   2 Missing
internal/exec/terraform_generate_backends.go     0.00%   2 Missing
internal/exec/terraform_generate_varfiles.go     0.00%   2 Missing
cmd/helmfile.go                                  0.00%   1 Missing
internal/exec/helmfile_generate_varfile.go       0.00%   1 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1261      +/-   ##
==========================================
+ Coverage   48.54%   48.80%   +0.26%     
==========================================
  Files         233      233              
  Lines       25480    25505      +25     
==========================================
+ Hits        12368    12447      +79     
+ Misses      11512    11434      -78     
- Partials     1600     1624      +24     
Flag Coverage Δ
unittests 48.80% <60.00%> (+0.26%) ⬆️


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
internal/exec/describe_stacks_test.go (2)

13-67: Well-structured test for the describe stacks command.

This test effectively validates that the ExecuteDescribeStacksCmd function can be executed without errors, which is good. It sets up the proper environment, creates a realistic command with all necessary flags, and verifies successful execution.

Consider enhancing this test to specifically verify that the new CLI command context fields (CliCommand="describe" and CliSubCommand="stacks") are correctly set and propagated to the validation policy execution context. This would more directly test the core functionality being added in this PR.


65-66: Consider adding more specific assertions.

While the basic test ensures the command executes without error, it would be stronger to add assertions that specifically validate the new validation policy execution context functionality being added in this PR.

For example, you could:

  1. Mock or capture the validation policy execution context
  2. Assert that CliCommand is set to "describe" and CliSubCommand is set to "stacks"
  3. Verify this context is correctly passed to any validation functions
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 49156e2 and 5d8bb3e.

📒 Files selected for processing (3)
  • internal/exec/describe_stacks.go (3 hunks)
  • internal/exec/describe_stacks_test.go (1 hunks)
  • website/docs/cli/commands/list/list-settings.mdx (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • website/docs/cli/commands/list/list-settings.mdx
🚧 Files skipped from review as they are similar to previous changes (1)
  • internal/exec/describe_stacks.go
🧰 Additional context used
🧠 Learnings (1)
internal/exec/describe_stacks_test.go (1)
Learnt from: Cerebrovinny
PR: cloudposse/atmos#764
File: internal/exec/describe_stacks.go:289-295
Timestamp: 2024-11-13T21:37:07.852Z
Learning: In the `internal/exec/describe_stacks.go` file of the `atmos` project written in Go, avoid extracting the stack name handling logic into a helper function within the `ExecuteDescribeStacks` method, even if the logic appears duplicated.
🧬 Code Graph Analysis (1)
internal/exec/describe_stacks_test.go (2)
internal/exec/describe_stacks.go (1)
  • ExecuteDescribeStacksCmd (17-148)
pkg/utils/markdown_utils.go (1)
  • PrintErrorMarkdownAndExit (87-89)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Build (windows-latest, windows)
  • GitHub Check: Summary
🔇 Additional comments (4)
internal/exec/describe_stacks_test.go (4)

16-20: Environment variables are properly set.

Good job setting up the test environment variables. The test uses the validation-specific fixtures path which aligns well with testing the new validation policy execution context feature.


22-27: Clean test teardown using defer.

Proper cleanup of environment variables ensures test isolation. This is a good practice that prevents test pollution.


34-39: Error handling follows project conventions.

The error handling using PrintErrorMarkdownAndExit matches the project's error reporting pattern. This ensures consistent user experience during testing and actual CLI usage.


42-62: Command flags match the production command.

All necessary flags for the describe stacks command are properly configured. This comprehensive setup ensures the test accurately simulates real-world usage.

coderabbitai[bot]
coderabbitai bot previously approved these changes May 21, 2025
@aknysh aknysh requested review from osterman, milldr and Benbentwo May 21, 2025 00:21
milldr
milldr previously approved these changes May 21, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 76723d9 and 0bbcb1e.

📒 Files selected for processing (16)
  • cmd/helmfile.go (2 hunks)
  • internal/exec/describe_affected.go (1 hunks)
  • internal/exec/describe_component.go (1 hunks)
  • internal/exec/describe_dependents.go (1 hunks)
  • internal/exec/describe_stacks.go (3 hunks)
  • internal/exec/describe_workflows.go (1 hunks)
  • internal/exec/helmfile_generate_varfile.go (1 hunks)
  • internal/exec/stack_processor_utils.go (0 hunks)
  • internal/exec/terraform.go (1 hunks)
  • internal/exec/terraform_generate_backend.go (1 hunks)
  • internal/exec/terraform_generate_backends.go (1 hunks)
  • internal/exec/terraform_generate_planfile.go (1 hunks)
  • internal/exec/terraform_generate_varfile.go (1 hunks)
  • internal/exec/terraform_generate_varfiles.go (1 hunks)
  • internal/exec/utils.go (1 hunks)
  • pkg/schema/schema.go (1 hunks)
💤 Files with no reviewable changes (1)
  • internal/exec/stack_processor_utils.go
✅ Files skipped from review due to trivial changes (1)
  • internal/exec/terraform_generate_varfiles.go
🚧 Files skipped from review as they are similar to previous changes (13)
  • internal/exec/describe_dependents.go
  • internal/exec/describe_component.go
  • internal/exec/terraform_generate_backends.go
  • cmd/helmfile.go
  • internal/exec/terraform_generate_varfile.go
  • internal/exec/describe_workflows.go
  • internal/exec/terraform_generate_backend.go
  • internal/exec/describe_affected.go
  • internal/exec/helmfile_generate_varfile.go
  • pkg/schema/schema.go
  • internal/exec/terraform.go
  • internal/exec/terraform_generate_planfile.go
  • internal/exec/describe_stacks.go
🧰 Additional context used
🧬 Code Graph Analysis (1)
internal/exec/utils.go (1)
pkg/config/const.go (1)
  • CliArgsSectionName (72-72)
🪛 GitHub Check: golangci-lint
internal/exec/utils.go

[failure] 639-639:
appendAssign: append result not assigned to the same slice

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Build (windows-latest, windows)
  • GitHub Check: Summary

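The golangci-lint finding above (appendAssign at internal/exec/utils.go:639) points at a slice-aliasing bug class that matters for this PR's feature: `cli_args` is exactly the kind of list that gets assembled with `append` and then handed to the OPA policy as input. The following is an added example and not code from Atmos or from this PR (the flagged line itself is not visible on this page). `policyInput`, `denyApply`, `buildCliArgsAliased`, `buildCliArgsSafe` and `newPrefixWithSpareCapacity` are hypothetical names, and `denyApply` is a plain-Go stand-in for the documented `terraform apply` / `foo == "foo"` rule rather than a real OPA evaluation, so the example runs with the standard library only.

```go
package main

import "fmt"

// policyInput is a subset of the object Atmos passes to OPA policies,
// named after the documented `cli_args` and `vars` keys (hypothetical type).
type policyInput struct {
	CliArgs []string
	Vars    map[string]any
}

// denyApply is a Go stand-in for the documented OPA rule: deny when the
// command is `terraform apply` and the `foo` variable equals "foo".
// It is not OPA; it exists so the effect of a corrupted cli_args is visible.
func denyApply(in policyInput) bool {
	if len(in.CliArgs) != 2 || in.CliArgs[0] != "terraform" || in.CliArgs[1] != "apply" {
		return false
	}
	v, ok := in.Vars["foo"].(string)
	return ok && v == "foo"
}

// buildCliArgsAliased builds the cli_args for two subcommands from one shared
// prefix and assigns each append result to a slice other than the one being
// appended to, which is the pattern the appendAssign lint targets. When prefix
// has spare capacity, both appends write into the same backing array, and the
// second append silently overwrites the element the first one added.
func buildCliArgsAliased(prefix []string) (apply, plan []string) {
	apply = append(prefix, "apply")
	plan = append(prefix, "plan") // clobbers apply[1] when cap(prefix) > len(prefix)
	return apply, plan
}

// buildCliArgsSafe gives each result its own backing array by copying the
// prefix into a fresh slice before appending, so the two lists cannot alias.
func buildCliArgsSafe(prefix []string) (apply, plan []string) {
	apply = append(append(make([]string, 0, len(prefix)+1), prefix...), "apply")
	plan = append(append(make([]string, 0, len(prefix)+1), prefix...), "plan")
	return apply, plan
}

// newPrefixWithSpareCapacity constructs (sample input) the shape that triggers
// the bug: a slice whose capacity exceeds its length, as produced by
// make([]string, 0, n) or by re-slicing a longer argument list.
func newPrefixWithSpareCapacity() []string {
	p := make([]string, 0, 4)
	return append(p, "terraform")
}

func main() {
	vars := map[string]any{"foo": "foo"} // constructed sample vars
	prefix := newPrefixWithSpareCapacity()

	apply, plan := buildCliArgsAliased(prefix)
	fmt.Println("aliased:", apply, plan, "apply denied:", denyApply(policyInput{CliArgs: apply, Vars: vars}))
	// prints: aliased: [terraform plan] [terraform plan] apply denied: false

	apply, plan = buildCliArgsSafe(prefix)
	fmt.Println("safe:   ", apply, plan, "apply denied:", denyApply(policyInput{CliArgs: apply, Vars: vars}))
	// prints: safe:    [terraform apply] [terraform plan] apply denied: true
}
```

With the aliased builder the `apply` input reads as `terraform plan` by the time the policy sees it, so the governance rule never fires; the lint is flagging a way to silently bypass the very check this PR adds context for. Appending back to the same variable, or copying the prefix first as `buildCliArgsSafe` does, keeps each `cli_args` list independent.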
coderabbitai[bot]
coderabbitai bot previously approved these changes May 22, 2025
@aknysh aknysh requested a review from milldr May 22, 2025 15:42
coderabbitai[bot]
coderabbitai bot previously approved these changes May 22, 2025
mergify bot commented May 22, 2025

💥 This pull request now has conflicts. Could you fix it @aknysh? 🙏

@mergify mergify bot added the conflict This PR has conflicts label May 22, 2025
@mergify mergify bot removed the conflict This PR has conflicts label May 22, 2025
@aknysh aknysh merged commit 1953e23 into main May 23, 2025
56 checks passed
@aknysh aknysh deleted the add-tf-subcommand-to-describe-component branch May 23, 2025 01:05
@mergify mergify bot removed the needs-cloudposse Needs Cloud Posse assistance label May 23, 2025
Labels: minor (New features that do not break anything)

3 participants