feat: add required field to identities for multi-account Terraform components (#2180)

* feat: support concurrent identities for multi-account Terraform components via auth.needs

Add `auth.needs` field to component auth config, enabling components to declare
which identities they require. All listed identities are authenticated before
Terraform runs, with their profiles written to the shared credentials file.
The first identity becomes primary (sets AWS_PROFILE). This fixes CI failures
when using multiple AWS provider aliases (e.g., hub-spoke networking) with OIDC,
where only one profile was previously written to the credentials file.

Changes:
- Add Needs field to AuthConfig schema with comprehensive documentation
- Update resolveTargetIdentityName() to prioritize auth.needs first entry as primary
- Add authenticateAdditionalIdentities() for non-primary identity authentication with non-fatal error handling
- Call authenticateAdditionalIdentities() from authenticateAndWriteEnv() after primary auth succeeds
- Add 7 test cases covering needs list resolution, CLI override, fallback, success auth, skipping primary, non-fatal errors, and empty needs

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* feat: add auth section to stack manifest JSON schema

Add the `auth` definition to the Atmos stack manifest JSON schema, including
the new `needs` field, along with `realm`, `providers`, `identities`, and
`integrations`. Reference it from `terraform_component_manifest` so IDE
autocompletion and schema validation recognize the component-level auth config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add needs field to all auth JSON schemas with validation tests

Update all three copies of the manifest schema to include auth.needs:
- pkg/datafetcher/schema (source, already had auth definition)
- website/static/schemas (published, add needs/realm/integrations to component_auth)
- tests/fixtures/schemas (test fixture, same as website)

Add schema validation tests:
- TestManifestSchema_AuthDefinitionExists: verify auth definition in embedded schema
- TestManifestSchema_AuthNeedsField: verify needs is array of strings
- TestManifestSchema_ValidAuthConfig: validate realistic auth configs against schema
- TestAuthConfig_Needs: struct-level tests for Needs field
- TestAuthConfig_NeedsWithMapstructure: verify Needs works with full AuthConfig

Also changed component_auth additionalProperties from false to true to allow
fields like logs, keyring, and realm that exist in the Go struct.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add blog post, roadmap milestone, and docs page for auth.needs

Add announcement blog post for the auth.needs feature enabling concurrent
identity authentication for multi-account Terraform components. Update the
roadmap with a shipped milestone and add a dedicated documentation page
at /cli/configuration/auth/needs with configuration examples and behavior
reference.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: align embedded auth schema with structured definitions and allow slash-delimited identity names

The embedded manifest schema had a loose auth definition with unstructured
providers/identities, while the website and fixture schemas used rich structured
definitions. This aligns all three copies and widens the identity/provider key
pattern to accept slash-delimited names like core/network.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: make auth.needs purely additive — default identity stays primary

Previously, the first entry in auth.needs became the primary identity,
requiring users to re-list the default. Now the default identity is always
primary, and needs only lists additional identities. If no default exists,
the first needs entry becomes the primary as a fallback.

Precedence: --identity CLI flag > default identity > needs[0] > error

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: discriminate sentinel errors in resolveTargetIdentityName

GetDefaultIdentity can return multiple error types beyond ErrNoDefaultIdentity
(e.g., ErrUserAborted, ErrIdentitySelectionRequiresTTY). Previously all errors
fell through to the auth.needs fallback, masking real failures. Now only
ErrNoDefaultIdentity triggers the fallback; other errors are returned immediately.

Also properly surfaces decodeAuthConfigFromStack errors instead of silently
ignoring them, and documents the Azure credential overwrite limitation for
multi-identity scenarios.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: replace auth.needs with per-identity required field

Move the multi-identity declaration from a centralized `auth.needs`
string array on AuthConfig to a `required: true` boolean on each
Identity. Required identities are automatically authenticated without
prompting. The `required` field is orthogonal to `default`: default
sets the primary identity, required means auto-authenticate.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add missing ComponentAuthConfig fields and clarify docs examples

Add Realm and Integrations fields to ComponentAuthConfig struct to match
the JSON schema, preventing silent data loss during unmarshalling. Mark
aws/assume-role examples in blog and docs as partial overrides with notes
linking to full identity configuration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: harden schema validation tests with safe type assertions and negative case

- Convert bare type assertions to two-value form with require.True for
  clear failure messages instead of cryptic panics
- Add negative test case: identity with string "required" field rejected
  by JSON schema (validates the expectErr path)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: aknysh <andriy.knysh@gmail.com>

Author: 3 people

pkg/auth/hooks.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -25,7 +26,10 @@ type (
 	Validator       = types.Validator
 )
 
-const hookOpTerraformPreHook = "TerraformPreHook"
+const (
+	hookOpTerraformPreHook = "TerraformPreHook"
+	identityKey            = "identity"
+)
 
 // TerraformPreHook runs before Terraform commands to set up authentication.
 func TerraformPreHook(atmosConfig *schema.AtmosConfiguration, stackInfo *schema.ConfigAndStacksInfo) error {
@@ -86,20 +90,24 @@ func decodeAuthConfigFromStack(stackInfo *schema.ConfigAndStacksInfo) (schema.Au
 }
 
 func resolveTargetIdentityName(stackInfo *schema.ConfigAndStacksInfo, authManager types.AuthManager) (string, error) {
+	// CLI --identity flag takes precedence.
 	if stackInfo.Identity != "" {
 		return stackInfo.Identity, nil
 	}
-	// Hooks don't have CLI flags, so never force selection here.
+
+	// Default identity from config is primary when available.
 	name, err := authManager.GetDefaultIdentity(false)
-	if err != nil {
-		errUtils.CheckErrorAndPrint(errUtils.ErrDefaultIdentity, hookOpTerraformPreHook, "failed to get default identity")
-		return "", errUtils.ErrDefaultIdentity
+	if err == nil && name != "" {
+		return name, nil
 	}
-	if name == "" {
-		errUtils.CheckErrorAndPrint(errUtils.ErrNoDefaultIdentity, hookOpTerraformPreHook, "Use the identity flag or specify an identity as default.")
-		return "", errUtils.ErrNoDefaultIdentity
+	if err != nil && !errors.Is(err, errUtils.ErrNoDefaultIdentity) {
+		return "", err
 	}
-	return name, nil
+
+	// No default identity found — error out.
+	// The "required" field is about auto-authentication, not primary selection.
+	errUtils.CheckErrorAndPrint(errUtils.ErrNoDefaultIdentity, hookOpTerraformPreHook, "Use the identity flag or specify an identity as default.")
+	return "", errUtils.ErrNoDefaultIdentity
 }
 
 // isAuthenticationDisabled checks if authentication has been explicitly disabled.
@@ -115,6 +123,10 @@ func authenticateAndWriteEnv(ctx context.Context, authManager types.AuthManager,
 	}
 	log.Debug("Authentication successful", "identity", whoami.Identity, "expiration", whoami.Expiration)
 
+	// Authenticate additional required identities so their profiles exist in the shared credentials file.
+	// This is needed for Terraform components that use multiple AWS provider aliases.
+	authenticateAdditionalIdentities(ctx, authManager, identityName)
+
 	// Convert ComponentEnvSection to env list for PrepareShellEnvironment.
 	// This includes any component-specific env vars already set in the stack config.
 	baseEnvList := componentEnvSectionToList(stackInfo.ComponentEnvSection)
@@ -144,6 +156,31 @@ func authenticateAndWriteEnv(ctx context.Context, authManager types.AuthManager,
 	return nil
 }
 
+// authenticateAdditionalIdentities authenticates non-primary identities marked as required.
+// Failures are non-fatal: errors are logged as warnings but don't fail the hook.
+// This ensures all required profiles exist in the shared credentials file for Terraform
+// components that use multiple AWS provider aliases (e.g., hub-spoke networking).
+//
+// TODO: Azure credentials are keyed by provider name, not identity. If two identities
+// share the same Azure provider name, the second will overwrite the first. AWS merges
+// profiles into INI sections and GCP isolates by directory, so they handle this correctly.
+// Consider adopting a per-identity storage strategy for Azure if multi-identity Azure
+// support becomes a requirement.
+func authenticateAdditionalIdentities(ctx context.Context, authManager types.AuthManager,
+	primaryIdentity string,
+) {
+	for name, identity := range authManager.GetIdentities() {
+		if !identity.Required || strings.EqualFold(name, primaryIdentity) {
+			continue
+		}
+		log.Debug("Authenticating additional required identity", identityKey, name)
+		if _, err := authManager.Authenticate(ctx, name); err != nil {
+			log.Warn("Failed to authenticate additional identity (non-fatal)",
+				identityKey, name, "error", err)
+		}
+	}
+}
+
 // componentEnvSectionToList converts ComponentEnvSection map to environment variable list.
 func componentEnvSectionToList(envSection map[string]any) []string {
 	var envList []string

pkg/auth/hooks_required_test.go

@@ -0,0 +1,181 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	errUtils "github.com/cloudposse/atmos/errors"
+	"github.com/cloudposse/atmos/pkg/auth/types"
+	"github.com/cloudposse/atmos/pkg/schema"
+)
+
+// trackingAuthManager extends stubAuthManager with call tracking for required identity tests.
+type trackingAuthManager struct {
+	stubAuthManager
+	authenticatedIdentities []string
+	failIdentities          map[string]error
+}
+
+func (t *trackingAuthManager) Authenticate(ctx context.Context, identityName string) (*types.WhoamiInfo, error) {
+	t.authenticatedIdentities = append(t.authenticatedIdentities, identityName)
+	if err, ok := t.failIdentities[identityName]; ok {
+		return nil, err
+	}
+	return t.whoami, nil
+}
+
+func TestResolveTargetIdentityName_DefaultWinsOverRequired(t *testing.T) {
+	stack := &schema.ConfigAndStacksInfo{}
+	mgr := &stubAuthManager{defaultIdentity: "some-default"}
+
+	name, err := resolveTargetIdentityName(stack, mgr)
+	assert.NoError(t, err)
+	assert.Equal(t, "some-default", name, "default identity should be primary even when required identities exist")
+}
+
+func TestResolveTargetIdentityName_NoDefaultErrorsEvenWithRequired(t *testing.T) {
+	stack := &schema.ConfigAndStacksInfo{}
+	mgr := &stubAuthManager{
+		defaultIdentity: "",
+		identities: map[string]schema.Identity{
+			"core-network": {Kind: "aws/assume-role", Required: true},
+			"plat-prod":    {Kind: "aws/assume-role", Required: true},
+		},
+	}
+
+	_, err := resolveTargetIdentityName(stack, mgr)
+	assert.ErrorIs(t, err, errUtils.ErrNoDefaultIdentity, "should error when no default, even if required identities exist")
+}
+
+func TestResolveTargetIdentityName_CliOverridesDefault(t *testing.T) {
+	stack := &schema.ConfigAndStacksInfo{Identity: "override-identity"}
+	mgr := &stubAuthManager{defaultIdentity: "some-default"}
+
+	name, err := resolveTargetIdentityName(stack, mgr)
+	assert.NoError(t, err)
+	assert.Equal(t, "override-identity", name, "CLI --identity flag should take precedence")
+}
+
+func TestResolveTargetIdentityName_NoDefaultNoRequired(t *testing.T) {
+	stack := &schema.ConfigAndStacksInfo{}
+	mgr := &stubAuthManager{defaultIdentity: ""}
+
+	_, err := resolveTargetIdentityName(stack, mgr)
+	assert.ErrorIs(t, err, errUtils.ErrNoDefaultIdentity, "should error when no default and no required")
+}
+
+func TestAuthenticateAdditionalIdentities_RequiredSuccess(t *testing.T) {
+	mgr := &trackingAuthManager{
+		stubAuthManager: stubAuthManager{
+			whoami: &types.WhoamiInfo{Provider: "p", Identity: "i"},
+			identities: map[string]schema.Identity{
+				"primary":   {Kind: "aws/assume-role", Required: true},
+				"secondary": {Kind: "aws/assume-role", Required: true},
+				"tertiary":  {Kind: "aws/assume-role", Required: true},
+			},
+		},
+	}
+
+	authenticateAdditionalIdentities(context.Background(), mgr, "primary")
+
+	assert.Contains(t, mgr.authenticatedIdentities, "secondary",
+		"should authenticate required non-primary identities")
+	assert.Contains(t, mgr.authenticatedIdentities, "tertiary",
+		"should authenticate required non-primary identities")
+	assert.NotContains(t, mgr.authenticatedIdentities, "primary",
+		"primary identity should not be re-authenticated")
+}
+
+func TestAuthenticateAdditionalIdentities_SkipsNonRequired(t *testing.T) {
+	mgr := &trackingAuthManager{
+		stubAuthManager: stubAuthManager{
+			whoami: &types.WhoamiInfo{Provider: "p", Identity: "i"},
+			identities: map[string]schema.Identity{
+				"primary":       {Kind: "aws/assume-role", Required: true},
+				"optional":      {Kind: "aws/assume-role", Required: false},
+				"also-required": {Kind: "aws/assume-role", Required: true},
+			},
+		},
+	}
+
+	authenticateAdditionalIdentities(context.Background(), mgr, "primary")
+
+	assert.Contains(t, mgr.authenticatedIdentities, "also-required",
+		"should authenticate required identities")
+	assert.NotContains(t, mgr.authenticatedIdentities, "optional",
+		"should skip non-required identities")
+}
+
+func TestAuthenticateAdditionalIdentities_SkipsPrimary(t *testing.T) {
+	mgr := &trackingAuthManager{
+		stubAuthManager: stubAuthManager{
+			whoami: &types.WhoamiInfo{Provider: "p", Identity: "i"},
+			identities: map[string]schema.Identity{
+				"primary":   {Kind: "aws/assume-role", Required: true},
+				"secondary": {Kind: "aws/assume-role", Required: true},
+			},
+		},
+	}
+
+	authenticateAdditionalIdentities(context.Background(), mgr, "primary")
+
+	for _, id := range mgr.authenticatedIdentities {
+		assert.NotEqual(t, "primary", id, "primary identity should not be re-authenticated")
+	}
+}
+
+func TestAuthenticateAdditionalIdentities_NonFatal(t *testing.T) {
+	mgr := &trackingAuthManager{
+		stubAuthManager: stubAuthManager{
+			whoami: &types.WhoamiInfo{Provider: "p", Identity: "i"},
+			identities: map[string]schema.Identity{
+				"primary":    {Kind: "aws/assume-role", Required: true},
+				"fail-id":    {Kind: "aws/assume-role", Required: true},
+				"success-id": {Kind: "aws/assume-role", Required: true},
+			},
+		},
+		failIdentities: map[string]error{
+			"fail-id": fmt.Errorf("simulated auth failure"),
+		},
+	}
+
+	// Should not panic or return error — failures are non-fatal.
+	authenticateAdditionalIdentities(context.Background(), mgr, "primary")
+
+	// Both identities should have been attempted despite the failure.
+	assert.Contains(t, mgr.authenticatedIdentities, "fail-id",
+		"failed identity should still be attempted")
+	assert.Contains(t, mgr.authenticatedIdentities, "success-id",
+		"subsequent identities should be attempted after a failure")
+}
+
+func TestAuthenticateAdditionalIdentities_NoRequired(t *testing.T) {
+	mgr := &trackingAuthManager{
+		stubAuthManager: stubAuthManager{
+			whoami: &types.WhoamiInfo{Provider: "p", Identity: "i"},
+			identities: map[string]schema.Identity{
+				"identity-a": {Kind: "aws/assume-role"},
+				"identity-b": {Kind: "aws/assume-role"},
+			},
+		},
+	}
+
+	authenticateAdditionalIdentities(context.Background(), mgr, "primary")
+
+	assert.Empty(t, mgr.authenticatedIdentities, "no identities should be authenticated when none are required")
+}
+
+func TestAuthenticateAdditionalIdentities_EmptyIdentities(t *testing.T) {
+	mgr := &trackingAuthManager{
+		stubAuthManager: stubAuthManager{
+			whoami: &types.WhoamiInfo{Provider: "p", Identity: "i"},
+		},
+	}
+
+	authenticateAdditionalIdentities(context.Background(), mgr, "primary")
+
+	assert.Empty(t, mgr.authenticatedIdentities, "no identities should be authenticated when identities map is empty")
+}

pkg/auth/hooks_test.go

@@ -19,7 +19,8 @@ type stubAuthManager struct {
 	defaultIdentity string
 	defaultErr      error
 	whoami          *types.WhoamiInfo
-	envVars         map[string]string // Environment variables to return from GetEnvironmentVariables
+	envVars         map[string]string          // Environment variables to return from GetEnvironmentVariables.
+	identities      map[string]schema.Identity // Identities to return from GetIdentities.
 }
 
 func (s *stubAuthManager) Authenticate(ctx context.Context, identityName string) (*types.WhoamiInfo, error) {
@@ -54,6 +55,9 @@ func (s *stubAuthManager) GetStackInfo() *schema.ConfigAndStacksInfo {
 }
 func (s *stubAuthManager) ListProviders() []string { return []string{"prov"} }
 func (s *stubAuthManager) GetIdentities() map[string]schema.Identity {
+	if s.identities != nil {
+		return s.identities
+	}
 	return map[string]schema.Identity{}
 }