fix: Terraform shell command not working from Atmos interactive UI

[aknysh]

what

• Fix terraform shell command when invoked from the Atmos interactive UI (TUI)
• Route terraform shell directly to ExecuteTerraformShell() from the UI dispatcher, bypassing ExecuteTerraform()
• Add AuthManager propagation to terraform shell for YAML functions like !terraform.state
• Add --identity flag support to terraform shell command
• Extract testable helpers (shellInfoFromOptions, resolveWorkdirPath, shellOptionsForUI) from inline logic
• Add auth orchestration functions (createAndAuthenticateAuthManager, getMergedAuthConfig, storeAutoDetectedIdentity) to utils_auth.go

why

• The Atmos interactive UI dispatches commands through ExecuteTerraform(), which had no handler for the shell subcommand. Since terraform shell is an Atmos-only command (not a native Terraform subcommand), it fell through and attempted to execute terraform shell as a native command, which doesn't exist, resulting in: Terraform has no command named "shell"
• AuthManager was not being passed to ProcessStacks in the shell command, causing !terraform.state and !terraform.output YAML functions to fail with authentication errors
• The --identity flag was missing from terraform shell, preventing users from specifying which AWS identity to use for authentication

references

• Closes Atmos shell not working if UI is use #2017

Summary by CodeRabbit

• New Features

  • Added --identity flag (alias -i) to the terraform shell command to specify AWS identity.

• Improvements

  • Shell execution now surfaces identity in dry-run output, uses improved workdir resolution, and routes the UI path through the interactive shell flow.
  • Enhanced authentication handling with merged global/component auth and auto-detected identity fallback.

• Documentation

  • CLI docs updated with --identity flag and examples.

• Tests

  • Extensive unit tests for auth merging, identity handling, shell options mapping, and workdir logic.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

[codecov]

Codecov Report

❌ Patch coverage is 79.48718% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.74%. Comparing base (63742eb) to head (85dc30f).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/exec/terraform_shell.go	56.00%	11 Missing ⚠️
cmd/terraform/shell.go	0.00%	2 Missing ⚠️
internal/exec/atmos.go	71.42%	2 Missing ⚠️
internal/exec/utils_auth.go	97.72%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2055      +/-   ##
==========================================
+ Coverage   75.71%   75.74%   +0.03%     
==========================================
  Files         793      793              
  Lines       73990    74060      +70     
==========================================
+ Hits        56021    56098      +77     
+ Misses      14475    14470       -5     
+ Partials     3494     3492       -2     

Flag	Coverage Δ
unittests	75.74% <79.48%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
internal/exec/utils_auth.go	96.20% <97.72%> (+24.77%)	⬆️
cmd/terraform/shell.go	33.33% <0.00%> (-1.10%)	⬇️
internal/exec/atmos.go	23.85% <71.42%> (+3.26%)	⬆️
internal/exec/terraform_shell.go	34.37% <56.00%> (+17.35%)	⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[aknysh]

@coderabbitai full review please

[coderabbitai]

@aknysh: I'll conduct a full review of all the changes in this PR.

---

🧠 Learnings used

Learnt from: pkbhowmick
Repo: cloudposse/atmos PR: 786
File: internal/exec/shell_utils.go:159-162
Timestamp: 2024-11-16T17:30:52.893Z
Learning: For the `atmos terraform shell` command in `internal/exec/shell_utils.go`, input validation for the custom shell prompt is not required, as users will use this as a CLI tool and any issues will impact themselves.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1599
File: internal/exec/terraform.go:394-402
Timestamp: 2025-10-10T23:51:36.597Z
Learning: In Atmos (internal/exec/terraform.go), when adding OpenTofu-specific flags like `--var-file` for `init`, do not gate them based on command name (e.g., checking if `info.Command == "tofu"` or `info.Command == "opentofu"`) because command names don't reliably indicate the actual binary being executed (symlinks, aliases). Instead, document the OpenTofu requirement in code comments and documentation, trusting users who enable the feature (e.g., `PassVars`) to ensure their terraform command points to an OpenTofu binary.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1498
File: website/src/components/Screengrabs/atmos-terraform-metadata--help.html:25-55
Timestamp: 2025-10-07T00:25:16.333Z
Learning: In Atmos CLI, subcommands inherit flags from their parent commands via Cobra's command inheritance. For example, `atmos terraform metadata --help` shows `--affected` and related flags inherited from the parent `terraform` command (defined in cmd/terraform.go), even though the metadata subcommand doesn't explicitly define these flags. This is expected Cobra behavior and auto-generated help screengrabs accurately reflect this inheritance.

✅ Actions performed

Full review triggered.

[mergify]

Warning

This PR exceeds the recommended limit of 1,000 lines.

Large PRs are difficult to review and may be rejected due to their size.

Please verify that this PR does not address multiple issues.
Consider refactoring it into smaller, more focused PRs to facilitate a smoother review process.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an --identity flag to the Terraform shell path, routes UI-invoked terraform shell to the internal shell execution flow, and introduces authentication orchestration that merges auth config, creates/authenticates an AuthManager, and surfaces identity into stack processing and workdir resolution.

Changes

Cohort / File(s)	Summary
Command / CLI cmd/terraform/shell.go, pkg/terraform/options.go	Reads --identity (-i) and adds Identity to public ShellOptions, propagating it into shell execution.
UI routing internal/exec/atmos.go	Detects shell Terraform subcommand in the UI path and routes to ExecuteTerraformShell using shellOptionsForUI.
Shell execution internal/exec/terraform_shell.go	Introduces shellInfoFromOptions, logs identity, resolves workdir via resolveWorkdirPath, and calls auth orchestration (createAndAuthenticateAuthManager) to attach an AuthManager to processing.
Authentication orchestration internal/exec/utils_auth.go	New auth helpers: merging global/component auth, fetching component config, creating/authenticating AuthManager, storing auto-detected identity; dependency-injection points for testing.
Tests internal/exec/terraform_shell_test.go, internal/exec/utils_auth_test.go	Adds extensive unit tests for ShellOptions→info mapping, workdir resolution, UI defaults, auth merging/auth manager creation and identity behaviors; removes some legacy tests.
Docs website/docs/cli/commands/terraform/terraform-shell.mdx	Documents new --identity/-i flag and updates examples.
Other internal/exec/..., pkg/..., test deps	Multiple files updated to integrate new auth flow and tests (gomock/testify deps reflected in module updates).

Sequence Diagram

sequenceDiagram
    participant CLI as CLI (cmd/terraform/shell.go)
    participant Atmos as ExecuteAtmosCmd (internal/exec/atmos.go)
    participant Shell as ExecuteTerraformShell (internal/exec/terraform_shell.go)
    participant Auth as AuthManager orchestration (internal/exec/utils_auth.go)
    participant Stacks as ProcessStacks (internal/exec)

    CLI->>CLI: Read --identity flag
    CLI->>Atmos: invoke terraform shell command
    Atmos->>Atmos: detect "shell" subcommand (UI path)
    Atmos->>Shell: route to ExecuteTerraformShell (UI options)
    Shell->>Shell: shellInfoFromOptions(opts) / resolveWorkdirPath(...)
    Shell->>Auth: createAndAuthenticateAuthManager(atmosConfig, &info)
    Auth->>Auth: merge configs, create & authenticate AuthManager
    Auth-->>Shell: return AuthManager (+ possibly auto-detected identity)
    Shell->>Shell: attach AuthManager & identity to info
    Shell->>Stacks: ProcessStacks(info with AuthManager)
    Stacks-->>Shell: processing result

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Atmos Auth Implementation #1475: overlapping changes that add Identity to ShellOptions and integrate auth wiring into Terraform execution paths.

Suggested labels

minor

Suggested reviewers

• osterman
• gberenice

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 26.53% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main issue: fixing terraform shell for the Atmos interactive UI, which is the core problem described in issue #2017.
Linked Issues check	✅ Passed	All coding requirements from issue #2017 are met: routing shell subcommand to ExecuteTerraformShell instead of native terraform, propagating AuthManager for YAML functions, and adding --identity flag support.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the terraform shell issue: shell routing logic, auth propagation, identity flag addition, and necessary helper function extraction for testability.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch aknysh/fix-terraform-shell-1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds identity-aware authentication support to the Terraform shell command. It introduces an --identity flag for specifying AWS identity during execution, implements special-case routing for the shell subcommand in UI flows, adds auth manager creation with merged global and component-specific configs, and includes comprehensive test coverage.

Changes

Cohort / File(s)	Summary
CLI Flag & Options cmd/terraform/shell.go, pkg/terraform/options.go	Adds retrieval of new "identity" string flag and propagates it through ShellOptions as public field for downstream consumption.
UI Routing internal/exec/atmos.go	Introduces special-case path for terraform "shell" subcommand in UI flow with helper function shellOptionsForUI to bypass standard ExecuteTerraform routing and directly invoke ExecuteTerraformShell with UI-specific options.
Shell Execution & Auth internal/exec/terraform_shell.go	Refactors shell execution to extract helper functions (shellInfoFromOptions, resolveWorkdirPath), adds auth manager creation and authentication flow with user abort handling (SIGINT), extends logging with identity, and adjusts workdir resolution to use provisioner results.
Authentication Infrastructure internal/exec/utils_auth.go	Introduces orchestration layer for auth handling: createAndAuthenticateAuthManager merges global/component configs with fallback behavior, getMergedAuthConfig fetches and merges configs with error handling, storeAutoDetectedIdentity propagates auto-detected identity from AuthManager, plus supporting helpers for config construction and merging.
Test Coverage internal/exec/terraform_shell_test.go, internal/exec/utils_auth_test.go	Adds extensive unit tests for shell option translation (TestShellInfoFromOptions), workdir resolution (TestResolveWorkdirPath), UI behavior (TestShellOptionsForUI), and comprehensive auth utility tests covering config merging, error handling, and identity propagation. Removes legacy workdir and shell config tests no longer needed.
Documentation website/docs/cli/commands/terraform/terraform-shell.mdx	Adds documentation for new --identity / -i flag with usage examples and description of AWS identity selection for authentication.

Sequence Diagram

sequenceDiagram
    actor User
    participant CLI
    participant Router
    participant AuthMgr as Auth Manager
    participant Terraform
    participant UI

    User->>CLI: atmos terraform shell --identity dev-role
    CLI->>CLI: Parse --identity flag
    CLI->>Router: Execute with ShellOptions(identity=dev-role)
    
    alt UI Flow
        User->>UI: Select terraform shell
        UI->>Router: Route shell subcommand
        Router->>Router: shellOptionsForUI (UI defaults)
    else CLI Flow
        Router->>Router: Direct to ExecuteTerraformShell
    end
    
    Router->>Router: shellInfoFromOptions (convert to ConfigAndStacksInfo)
    Router->>AuthMgr: createAndAuthenticateAuthManager
    AuthMgr->>AuthMgr: Merge global + component auth config
    AuthMgr->>AuthMgr: Authenticate with identity
    AuthMgr->>Router: Store identity in ConfigAndStacksInfo
    
    Router->>Terraform: Execute shell with auth context
    Terraform-->>User: Shell environment

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Update atmos terraform commands that require processing of Go templates and Atmos YAML functions #1062: Marks "shell" command to require template/YAML processing—directly related to shell command handling changes in this PR.
• Atmos Auth Implementation #1475: Modifies terraform shell flow and integrates identity field (ShellOptions/ConfigAndStacksInfo) with auth manager creation—core code-level alignment with authentication plumbing added here.

Suggested labels

minor

Suggested reviewers

• osterman
• gberenice

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 24.32% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main fix: routing terraform shell from the UI directly to ExecuteTerraformShell, which is the core issue resolved by this PR.
Linked Issues check	✅ Passed	All coding requirements from #2017 are met: terraform shell now works from the UI via direct routing to ExecuteTerraformShell, AuthManager propagation enables YAML functions, and --identity flag support is added.
Out of Scope Changes check	✅ Passed	All changes directly support the stated objectives: UI routing fix, auth orchestration, identity flag, and helper function extraction. No unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch aknysh/fix-terraform-shell-1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

@aknysh: I'll conduct a comprehensive review of all the changes in this PR, including the terraform shell routing fixes, identity flag support, and authentication orchestration helpers.

---

🧠 Learnings used

Learnt from: pkbhowmick
Repo: cloudposse/atmos PR: 786
File: internal/exec/shell_utils.go:159-162
Timestamp: 2024-11-16T17:30:52.893Z
Learning: For the `atmos terraform shell` command in `internal/exec/shell_utils.go`, input validation for the custom shell prompt is not required, as users will use this as a CLI tool and any issues will impact themselves.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1599
File: internal/exec/terraform.go:394-402
Timestamp: 2025-10-10T23:51:36.597Z
Learning: In Atmos (internal/exec/terraform.go), when adding OpenTofu-specific flags like `--var-file` for `init`, do not gate them based on command name (e.g., checking if `info.Command == "tofu"` or `info.Command == "opentofu"`) because command names don't reliably indicate the actual binary being executed (symlinks, aliases). Instead, document the OpenTofu requirement in code comments and documentation, trusting users who enable the feature (e.g., `PassVars`) to ensure their terraform command points to an OpenTofu binary.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: pkg/config/config.go:478-483
Timestamp: 2024-12-02T21:26:32.337Z
Learning: In the 'atmos' project, when reviewing Go code like `pkg/config/config.go`, avoid suggesting file size checks after downloading remote configs if such checks aren't implemented elsewhere in the codebase.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1498
File: website/src/components/Screengrabs/atmos-terraform-metadata--help.html:25-55
Timestamp: 2025-10-07T00:25:16.333Z
Learning: In Atmos CLI, subcommands inherit flags from their parent commands via Cobra's command inheritance. For example, `atmos terraform metadata --help` shows `--affected` and related flags inherited from the parent `terraform` command (defined in cmd/terraform.go), even though the metadata subcommand doesn't explicitly define these flags. This is expected Cobra behavior and auto-generated help screengrabs accurately reflect this inheritance.

---

Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.

---

Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1147
File: internal/exec/validate_schema.go:42-57
Timestamp: 2025-04-11T22:06:46.999Z
Learning: The "ExecuteAtmosValidateSchemaCmd" function in internal/exec/validate_schema.go has been reviewed and confirmed to have acceptable cognitive complexity despite static analysis warnings. The function uses a clean structure with only three if statements for error handling and delegates complex operations to helper methods.

---

Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: cmd/markdown/atmos_toolchain_aliases.md:2-4
Timestamp: 2025-09-13T16:39:20.007Z
Learning: In the cloudposse/atmos repository, CLI documentation files in cmd/markdown/ follow a specific format that uses " $ atmos command" (with leading space and dollar sign prompt) in code blocks. This is the established project convention and should not be changed to comply with standard markdownlint rules MD040 and MD014.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:37.766Z
Learning: cloudposse/atmos: For PRD docs (docs/prd/*.md), markdownlint issues like MD040/MD010/MD034 can be handled in a separate documentation cleanup commit and should not block the current PR.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 740
File: cmd/cmd_utils.go:340-359
Timestamp: 2024-10-23T21:36:40.262Z
Learning: In the Go codebase for Atmos, when reviewing functions like `checkAtmosConfig` in `cmd/cmd_utils.go`, avoid suggesting refactoring to return errors instead of calling `os.Exit` if such changes would significantly increase the scope due to the need to update multiple call sites.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: errors/errors.go:184-203
Timestamp: 2025-12-13T06:10:13.688Z
Learning: cloudposse/atmos: For toolchain work, duplicate/unused error sentinels in errors/errors.go should be cleaned up in a separate refactor PR and not block feature PRs; canonical toolchain sentinels live under toolchain/registry with re-exports in toolchain/errors.go.

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@internal/exec/terraform_shell_test.go`:
- Around line 198-209: The test TestShellConfig_Fields is tautological because
it only asserts literal assignments on the private struct shellConfig
(componentPath, workingDir, varFile); remove this test or replace it with a
behavior-driven test that exercises the public API that uses shellConfig (call
the constructor/factory or function that returns/operates on shellConfig and
assert observable behavior or outputs), e.g., invoke the exported function that
uses shellConfig and verify its side effects or returned values instead of
asserting on the internal fields directly.
- Around line 211-235: The test TestShellInfoFromOptions_AllFieldsMapped omits
assertions for ProcessingOptions mapping; update the test to verify that
shellInfoFromOptions correctly copies ProcessingOptions from the ShellOptions
input (e.g., assert that info.ProcessTemplates ==
opts.ProcessingOptions.ProcessTemplates, info.ProcessFunctions ==
opts.ProcessingOptions.ProcessFunctions, and info.Skip equals
opts.ProcessingOptions.Skip) so the mapping from ShellOptions ->
ConfigAndStacksInfo is fully covered.

🧹 Nitpick comments (1)

internal/exec/utils_auth.go (1)

98-113: Consider documenting the chain order assumption.

The function takes the last element of the chain (chain[len(chain)-1]). It would help future maintainers to document that the chain is ordered from base identity to final assumed identity.

📝 Suggested doc enhancement

 // storeAutoDetectedIdentity stores the authenticated identity from AuthManager back into
 // info.Identity when it was auto-detected (empty). This allows hooks and nested operations
 // to reuse the identity without re-prompting for credentials.
+// The chain is ordered from base to final identity, so we take the last element.
 func storeAutoDetectedIdentity(authManager auth.AuthManager, info *schema.ConfigAndStacksInfo) {

[github-actions]

These changes were released in v1.206.0-rc.1.