fix: thread auth identity through describe/list affected for S3 state reads

[osterman]

what

• Thread AuthManager through the entire describe affected call chain so ExecuteDescribeStacks receives the identity credentials instead of nil
• Fix GetTerraformState to use the resolved component-specific AuthContext for S3 backend reads instead of the (potentially nil) passed-in authContext
• Add per-component identity resolution in ExecuteDescribeStacks gated behind processYamlFunctions, so each component can use its own identity for !terraform.state reads
• Wire the --identity / -i flag through the list affected command, which had the flag registered (inherited from listCmd) but never read it or created an AuthManager

why

• Customer reported atmos list affected --ref refs/heads/main failing with S3 auth errors despite valid atmos auth identity
• Debug logs showed resolveAuthManagerForNestedComponent correctly created per-component AuthManagers, but the credentials were never used for the actual S3 GetObject call
• Four independent bugs: (1) AuthManager dropped in describe affected call chain, (2) GetTerraformState ignored resolved AuthContext for backend reads, (3) no per-component identity resolution in ExecuteDescribeStacks, (4) list affected never read the --identity flag
• Running inside atmos auth shell worked because it sets ATMOS_IDENTITY env var (viper fallback), but explicit -i admin-account was silently ignored by list affected

references

• docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md — detailed fix documentation
• docs/fixes/nested-terraform-state-auth-context-propagation.md — original nested auth fix
• docs/fixes/2026-03-03-yaml-functions-auth-multi-component.md — multi-component auth fix

Summary by CodeRabbit

• New Features

  • Added --identity flag to list affected for explicit identity selection.

• Bug Fixes

  • Ensure authentication context is propagated into affected/describe flows.
  • Terraform backend state reads now use the resolved identity/auth for S3.
  • Per-component identity resolution applied during stack processing.

• Documentation

  • Added end-to-end fix description for affected/describe identity handling.

• Tests

  • Added and updated tests covering identity parsing and auth-manager propagation.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 09f7bc9.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR threads an AuthManager (derived from a CLI --identity / ATMOS_IDENTITY) through the list affected and describe affected flows, adding identity flag handling, creating/authenticating an AuthManager early, and propagating it into describe/stack/state helpers and component processing so backend reads use the resolved auth context.

Changes

Cohort / File(s)	Summary
CLI / Command Options cmd/list/affected.go, pkg/list/list_affected.go	Added IdentityName to AffectedOptions/AffectedCommandOptions; read/normalize --identity or env, create/authenticate an AuthManager during list affected execution and pass it into downstream logic.
Describe-Affected Signatures internal/exec/describe_affected.go, internal/exec/describe_affected_helpers.go, internal/exec/describe_affected_utils.go, internal/exec/describe_affected_utils_2.go	Extended ExecuteDescribeAffected* / executeDescribeAffected / addDependentsToAffected signatures to accept authManager and propagated it through all execution paths.
Component & Stack Processing internal/exec/describe_stacks_component_processor.go, internal/exec/describe_stacks_authmanager_propagation_test.go	Defer auth propagation until per-component resolution when YAML functions enabled; resolve per-component AuthManager and attach its AuthContext to stack info. Added test covering no per-component auth when YAML processing disabled.
Terraform State Handling internal/exec/terraform_state_utils.go	Use resolved per-component AuthContext (when available) for Terraform backend reads instead of the original passed context.
Affected Discovery / Graph Integration internal/exec/terraform_affected.go, internal/exec/terraform_affected_graph.go, internal/exec/atlantis_generate_repo_config.go	Thread args.AuthManager into ExecuteDescribeAffected* calls and dependent-augmentation calls across repo-path/clone/checkout flows.
Tests & Tooling internal/exec/describe_affected_test.go, internal/exec/describe_affected_utils_test.go, pkg/describe/describe_affected_test.go, pkg/list/list_affected_test.go, tests/describe_affected_include_test.go, cmd/list/affected_test.go, pkg/ai/tools/atmos/describe_affected.go	Updated many tests and tool wrapper calls to pass the new authManager parameter (often nil in tests); added tests for IdentityName parsing and AuthManager propagation; updated AI tool wrapper to pass nil auth.
Docs docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md	Added documentation describing the end-to-end fix and signature changes for auth/identity propagation in affected/describe flows.

Sequence Diagram

sequenceDiagram
    participant CLI as CLI Command
    participant AuthMgr as AuthManager
    participant List as ListAffected
    participant Describe as DescribeAffected
    participant Proc as ComponentProcessor
    participant TF as TerraformState

    CLI->>CLI: read & normalize --identity
    CLI->>AuthMgr: create & authenticate (identity)
    CLI->>List: ExecuteListAffected(opts + AuthManager)
    List->>Describe: ExecuteDescribeAffected(..., AuthManager)
    Describe->>Proc: processComponentEntry(component, AuthManager)
    Proc->>Proc: resolve per-component AuthManager (when YAML funcs enabled)
    Proc->>TF: GetTerraformState(..., resolved AuthContext)
    TF-->>Describe: return state
    Describe-->>List: affected components
    List-->>CLI: output results

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Fix authentication in YAML template functions and add --identity flag to describe commands #1742 — Adds/propagates --identity and threads AuthManager through describe/affected flows (strong overlap in intent and call-site changes).
• fix: Terraform shell command not working from Atmos interactive UI #2055 — Adds --identity support and creates/authenticates an AuthManager for exec paths; similar AuthManager creation/propagation logic.
• fix(auth): normalize ATMOS_IDENTITY=false (issue #1931) #1935 — Related identity normalization changes (NormalizeIdentityValue) and consumption of ATMOS_IDENTITY across CLI paths.

Suggested reviewers

• osterman

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 70.21% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and concisely summarizes the main change: threading authentication identity through the describe/list affected code paths for S3 state reads.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch osterman/identity-backend-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/exec/terraform_affected_graph.go (1)

6-6: ⚠️ Potential issue | 🟡 Minor

Inconsistent logger import.

Line 6 uses log "github.com/charmbracelet/log" while the codebase standard is log "github.com/cloudposse/atmos/pkg/logger". This could lead to inconsistent logging behavior and missing structured log features.

As per coding guidelines: "Organize imports in three groups separated by blank lines, sorted alphabetically: 1) Go stdlib, 2) 3rd-party (NOT cloudposse/atmos), 3) Atmos packages. Maintain standard aliases: cfg, log, u, errUtils."

Proposed fix

-	log "github.com/charmbracelet/log"
+	log "github.com/cloudposse/atmos/pkg/logger"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/exec/terraform_affected_graph.go` at line 6, Replace the incorrect
third-party logger import alias `log "github.com/charmbracelet/log"` with the
project-standard `log "github.com/cloudposse/atmos/pkg/logger"` and reorganize
the import block into three groups (stdlib, third-party, Atmos packages) sorted
alphabetically with blank lines between groups; ensure standard alias usage for
Atmos imports (e.g., `cfg`, `log`, `u`, `errUtils`) so any references to the
`log` alias in this file (e.g., calls to log.*) use the correct structured
logger.

🧹 Nitpick comments (3)

docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md (2)

86-87: Add punctuation at end of list item.

Static analysis flagged the missing punctuation.

-- `terraform_affected.go` passes `args.AuthManager`
+- `terraform_affected.go` passes `args.AuthManager`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md` around
lines 86 - 87, The list item "- `terraform_affected.go` passes
`args.AuthManager`" is missing terminal punctuation; update that list entry to
end with a period (or the project's preferred punctuation) so it reads, for
example, "- `terraform_affected.go` passes `args.AuthManager`." to satisfy
static analysis and maintain consistency.

---

44-49: Add language specifier to fenced code block.

The code block showing the call chain should have a language specifier for consistency.

-```
+```text
 DescribeAffectedCmdArgs.AuthManager (has value)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md` around
lines 44 - 49, Update the fenced code block that shows the call chain so it
includes a language specifier (e.g., ```text) before the block; specifically
modify the block containing "DescribeAffectedCmdArgs.AuthManager (has value)"
and the subsequent lines referencing Execute(), executeDescribeAffected(), and
ExecuteDescribeStacks(...) to start with a language-tagged fence (for example
```text) to match repository formatting conventions.

internal/exec/describe_affected_helpers.go (1)

29-43: Consider consolidating these long signatures with an options struct.

These APIs are getting parameter-heavy, and adding auth expanded that further. Wrapping the mutable toggles/deps into an options struct (or functional options) would reduce call-site fragility and make future identity-related additions safer.

♻️ Suggested direction (minimal shape)

+type DescribeAffectedOptions struct {
+    IncludeSpaceliftAdminStacks bool
+    IncludeSettings             bool
+    Stack                       string
+    ProcessTemplates            bool
+    ProcessYAMLFunctions        bool
+    Skip                        []string
+    ExcludeLocked               bool
+    AuthManager                 auth.AuthManager
+}
-
-func ExecuteDescribeAffectedWithTargetRefClone(
-    atmosConfig *schema.AtmosConfiguration,
-    ref string,
-    sha string,
-    sshKeyPath string,
-    sshKeyPassword string,
-    includeSpaceliftAdminStacks bool,
-    includeSettings bool,
-    stack string,
-    processTemplates bool,
-    processYamlFunctions bool,
-    skip []string,
-    excludeLocked bool,
-    authManager auth.AuthManager,
-) ([]schema.Affected, *plumbing.Reference, *plumbing.Reference, string, error) {
+func ExecuteDescribeAffectedWithTargetRefClone(
+    atmosConfig *schema.AtmosConfiguration,
+    ref string,
+    sha string,
+    sshKeyPath string,
+    sshKeyPassword string,
+    opts DescribeAffectedOptions,
+) ([]schema.Affected, *plumbing.Reference, *plumbing.Reference, string, error) {

As per coding guidelines, "Use functional options pattern for configuration instead of functions with many parameters.".

Also applies to: 190-202, 280-291

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/exec/describe_affected_helpers.go` around lines 29 - 43, The
ExecuteDescribeAffectedWithTargetRefClone signature is too long and should be
replaced with an options struct (or functional options) to group toggles, paths,
and dependencies: create a DescribeAffectedOptions struct (fields: Ref, SHA,
SSHKeyPath, SSHKeyPassword, IncludeSpaceliftAdminStacks, IncludeSettings, Stack,
ProcessTemplates, ProcessYamlFunctions, Skip []string, ExcludeLocked,
AuthManager auth.AuthManager, etc.), change the function signature to
ExecuteDescribeAffectedWithTargetRefClone(atmosConfig
*schema.AtmosConfiguration, opts DescribeAffectedOptions) ([]schema.Affected,
*plumbing.Reference, *plumbing.Reference, string, error), update callers to
construct and pass the options struct (or provide helpers to build it), and
apply the same refactor to the other affected entry points mentioned
(consolidate their parameter lists into the same or similar options type) so
future additions become non-breaking.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@internal/exec/terraform_affected_graph.go`:
- Line 6: Replace the incorrect third-party logger import alias `log
"github.com/charmbracelet/log"` with the project-standard `log
"github.com/cloudposse/atmos/pkg/logger"` and reorganize the import block into
three groups (stdlib, third-party, Atmos packages) sorted alphabetically with
blank lines between groups; ensure standard alias usage for Atmos imports (e.g.,
`cfg`, `log`, `u`, `errUtils`) so any references to the `log` alias in this file
(e.g., calls to log.*) use the correct structured logger.

---

Nitpick comments:
In `@docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md`:
- Around line 86-87: The list item "- `terraform_affected.go` passes
`args.AuthManager`" is missing terminal punctuation; update that list entry to
end with a period (or the project's preferred punctuation) so it reads, for
example, "- `terraform_affected.go` passes `args.AuthManager`." to satisfy
static analysis and maintain consistency.
- Around line 44-49: Update the fenced code block that shows the call chain so
it includes a language specifier (e.g., ```text) before the block; specifically
modify the block containing "DescribeAffectedCmdArgs.AuthManager (has value)"
and the subsequent lines referencing Execute(), executeDescribeAffected(), and
ExecuteDescribeStacks(...) to start with a language-tagged fence (for example
```text) to match repository formatting conventions.

In `@internal/exec/describe_affected_helpers.go`:
- Around line 29-43: The ExecuteDescribeAffectedWithTargetRefClone signature is
too long and should be replaced with an options struct (or functional options)
to group toggles, paths, and dependencies: create a DescribeAffectedOptions
struct (fields: Ref, SHA, SSHKeyPath, SSHKeyPassword,
IncludeSpaceliftAdminStacks, IncludeSettings, Stack, ProcessTemplates,
ProcessYamlFunctions, Skip []string, ExcludeLocked, AuthManager
auth.AuthManager, etc.), change the function signature to
ExecuteDescribeAffectedWithTargetRefClone(atmosConfig
*schema.AtmosConfiguration, opts DescribeAffectedOptions) ([]schema.Affected,
*plumbing.Reference, *plumbing.Reference, string, error), update callers to
construct and pass the options struct (or provide helpers to build it), and
apply the same refactor to the other affected entry points mentioned
(consolidate their parameter lists into the same or similar options type) so
future additions become non-breaking.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5ed6bcbd-6c2b-49c0-ad13-538796566a30

📥 Commits

Reviewing files that changed from the base of the PR and between f941c79 and 0a20498.

📒 Files selected for processing (17)

• cmd/list/affected.go
• docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md
• internal/exec/atlantis_generate_repo_config.go
• internal/exec/describe_affected.go
• internal/exec/describe_affected_helpers.go
• internal/exec/describe_affected_test.go
• internal/exec/describe_affected_utils.go
• internal/exec/describe_affected_utils_2.go
• internal/exec/describe_affected_utils_test.go
• internal/exec/describe_stacks_component_processor.go
• internal/exec/terraform_affected.go
• internal/exec/terraform_affected_graph.go
• internal/exec/terraform_state_utils.go
• pkg/ai/tools/atmos/describe_affected.go
• pkg/describe/describe_affected_test.go
• pkg/list/list_affected.go
• tests/describe_affected_include_test.go

[codecov]

Codecov Report

❌ Patch coverage is 49.09091% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.22%. Comparing base (42f9a5c) to head (09f7bc9).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/list/list_affected.go	0.00%	12 Missing ⚠️
cmd/list/affected.go	0.00%	8 Missing ⚠️
...ternal/exec/describe_stacks_component_processor.go	50.00%	3 Missing and 1 partial ⚠️
internal/exec/terraform_affected_graph.go	50.00%	2 Missing ⚠️
internal/exec/atlantis_generate_repo_config.go	66.66%	1 Missing ⚠️
internal/exec/describe_affected_helpers.go	66.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2250      +/-   ##
==========================================
+ Coverage   77.18%   77.22%   +0.03%     
==========================================
  Files        1015     1015              
  Lines       96021    96065      +44     
==========================================
+ Hits        74117    74182      +65     
+ Misses      17713    17695      -18     
+ Partials     4191     4188       -3     

Flag	Coverage Δ
unittests	77.22% <49.09%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
internal/exec/describe_affected.go	57.62% <100.00%> (+0.54%)	⬆️
internal/exec/describe_affected_utils.go	78.70% <100.00%> (+3.22%)	⬆️
internal/exec/describe_affected_utils_2.go	78.26% <100.00%> (ø)
internal/exec/terraform_affected.go	91.91% <100.00%> (+0.34%)	⬆️
internal/exec/terraform_state_utils.go	75.00% <100.00%> (+1.56%)	⬆️
pkg/ai/tools/atmos/describe_affected.go	62.33% <100.00%> (+0.49%)	⬆️
internal/exec/atlantis_generate_repo_config.go	60.18% <66.66%> (+4.35%)	⬆️
internal/exec/describe_affected_helpers.go	41.13% <66.66%> (+0.49%)	⬆️
internal/exec/terraform_affected_graph.go	51.04% <50.00%> (+0.33%)	⬆️
...ternal/exec/describe_stacks_component_processor.go	95.33% <50.00%> (-0.92%)	⬇️
... and 2 more

... and 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (1)

cmd/list/affected_test.go (1)

152-158: Test doesn't replicate full production logic—missing normalization step.

The comment says "Replicate the logic from affectedCmd.RunE" but the production code at cmd/list/affected.go:71 applies cfg.NormalizeIdentityValue(identityName) after reading from flag/viper. This test omits that step.

For accuracy, either:

1. Add the normalization call to truly replicate production behavior, or
2. Update the comment to clarify it only tests precedence, not the full identity resolution path.

Option 1: Include normalization

 			// Replicate the logic from affectedCmd.RunE.
 			var identityName string
 			if cmd.Flags().Changed("identity") {
 				identityName, _ = cmd.Flags().GetString("identity")
 			} else {
 				identityName = v.GetString("identity")
 			}
+			identityName = cfg.NormalizeIdentityValue(identityName)

This would require adding the cfg import.

Option 2: Clarify the comment

-			// Replicate the logic from affectedCmd.RunE.
+			// Replicate the flag/viper precedence logic (normalization tested separately).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/list/affected_test.go` around lines 152 - 158, The test's identity
resolution block (reading identityName via cmd.Flags().GetString and
v.GetString) omits the production normalization step used in affectedCmd.RunE;
call cfg.NormalizeIdentityValue(identityName) after determining identityName
(and add the cfg import) so the test mirrors production behavior, or
alternatively update the test comment to state it only verifies precedence and
does not perform normalization—prefer adding the normalization call to fully
replicate affectedCmd.RunE's logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@cmd/list/affected_test.go`:
- Around line 152-158: The test's identity resolution block (reading
identityName via cmd.Flags().GetString and v.GetString) omits the production
normalization step used in affectedCmd.RunE; call
cfg.NormalizeIdentityValue(identityName) after determining identityName (and add
the cfg import) so the test mirrors production behavior, or alternatively update
the test comment to state it only verifies precedence and does not perform
normalization—prefer adding the normalization call to fully replicate
affectedCmd.RunE's logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e67d6af0-a8ea-4199-8ee5-b003fc4c4145

📥 Commits

Reviewing files that changed from the base of the PR and between 0a20498 and 09f7bc9.

📒 Files selected for processing (3)

• cmd/list/affected_test.go
• internal/exec/describe_stacks_authmanager_propagation_test.go
• pkg/list/list_affected_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/list/list_affected_test.go

[github-actions]

These changes were released in v1.212.1-rc.0.

[github-actions]

These changes were released in v1.213.0-test.4.

[github-actions]

These changes were released in v1.212.1-rc.1.