feat: Support Component Lock with metadata.locked

[milldr]

what

• Added support for metadata.locked with components

# Lock a production database component to prevent accidental changes
components:
  terraform:
    rds:
      metadata:
        locked: true
      vars:
        name: production-database

• Separate atmos CLI tests into many files: tests/test_cases.yaml --> tests/test-cases/*.yaml

why

• The metadata.locked parameter prevents changes to a component while still allowing read operations. When a component is locked, operations that would modify infrastructure (like terraform apply) are blocked, while read-only operations (like terraform plan) remain available. By default, components are unlocked. Setting metadata.locked to true prevents any change operations.

references

• DEV-2849
• Depends on chore: Separate Test Fixtures from Examples #918

Summary by CodeRabbit

Release Notes

• New Features

  • Added component locking functionality to prevent unintended modifications
  • Components can now be locked to restrict changes while allowing read operations

• Documentation

  • Updated documentation to explain how to lock components in stack configurations
  • Added new schema definitions for component locking metadata

• Improvements

  • Enhanced control flow for Terraform and Helmfile operations
  • Introduced new validation checks to prevent modifications to locked components

• Test Cases

  • Added test scenarios to validate component locking behavior
  • Verified deployment and planning operations for locked and unlocked components

[coderabbitai]

Warning

Rate limit exceeded

@milldr has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 4 minutes and 20 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 43f3cb5 and 3dbfc55.

📒 Files selected for processing (1)

• internal/exec/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json (1 hunks)

📝 Walkthrough

Walkthrough

The pull request introduces a new metadata.locked feature for Atmos stacks, enabling component locking to prevent modifications while maintaining read access. The changes span multiple files across the project, implementing a comprehensive mechanism to restrict modification commands for locked components in Terraform and Helmfile contexts. The implementation ensures that locked components can be viewed but not altered, with clear error messaging when modification attempts are made.

Changes

File	Change Summary
internal/exec/helmfile.go	Added locking check to prevent modification commands on locked components
internal/exec/stack_utils.go	Updated ProcessComponentMetadata to return component lock status
internal/exec/terraform.go	Implemented locking check to restrict destructive Terraform commands
internal/exec/utils.go	Modified to process and store component lock information
pkg/schema/schema.go	Added ComponentIsLocked boolean field to ConfigAndStacksInfo struct
website/docs/core-concepts/stacks/define-components.mdx	Added documentation for metadata.locked parameter

Assessment against linked issues

Objective	Addressed	Explanation
Implement metadata.locked	✅
Prevent apply and deploy on locked stacks	✅
Default to unlocked	✅
Update documentation	✅

Suggested reviewers

• @aknysh
• @Gowiem
• @osterman

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary or @auto-summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @auto-title anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

internal/exec/utils.go (2)

135-135: Maintain consistent ordering.

It might be clearer to set ComponentIsLocked immediately after setting ComponentIsEnabled to group similar fields and make the code more readable.

133     componentMetadata, baseComponentName, componentIsAbstract, componentIsEnabled, componentIsLocked := ProcessComponentMetadata(component, componentSection)
134     configAndStacksInfo.ComponentIsEnabled = componentIsEnabled
-135     configAndStacksInfo.ComponentIsLocked = componentIsLocked
+135     configAndStacksInfo.ComponentIsLocked  = componentIsLocked

---

606-606: Similar comment on consistent ordering.

For consistency, consider placing ComponentIsLocked right after setting ComponentIsEnabled.

603     _, baseComponentName, _, componentIsEnabled, componentIsLocked := ProcessComponentMetadata(configAndStacksInfo.ComponentFromArg, configAndStacksInfo.ComponentSection)
604     configAndStacksInfo.BaseComponentPath = baseComponentName
605     configAndStacksInfo.ComponentIsEnabled = componentIsEnabled
-606     configAndStacksInfo.ComponentIsLocked = componentIsLocked
+607     configAndStacksInfo.ComponentIsLocked  = componentIsLocked

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 02ec47e and 08bc176.

📒 Files selected for processing (7)

• internal/exec/helmfile.go (1 hunks)
• internal/exec/stack_utils.go (3 hunks)
• internal/exec/terraform.go (1 hunks)
• internal/exec/utils.go (2 hunks)
• pkg/schema/schema.go (1 hunks)
• pkg/spacelift/spacelift_stack_processor.go (1 hunks)
• website/docs/core-concepts/stacks/define-components.mdx (1 hunks)

🔇 Additional comments (12)

internal/exec/stack_utils.go (5)

58-58: Nicely expanded comment.

Clear documentation improves maintainability. Good job clarifying that we also check the locked state here.

---

62-62: Expanded return signature.

Returning the locked state is consistent with the rest of the code. This ensures that callers can decide how to handle a locked component.

---

66-66: Good default initialization.

Setting componentIsLocked to false by default is intuitive. Components remain unlocked unless explicitly stated otherwise.

---

86-90: Conditional assignment of locked state.

The logic for reading locked from metadata is straightforward. This effectively flags components as locked in subsequent checks.

---

103-103: Returning locked status.

Including componentIsLocked in the returned tuple finalizes the integration. This is well-aligned with the updated usage across the codebase.

internal/exec/helmfile.go (1)

97-105: Locked component guard.

Preventing modification commands for locked components is consistent with the PR’s objective. This ensures safer state management.

pkg/spacelift/spacelift_stack_processor.go (1)

175-175: Ignored locked state.

Using the underscore indicates ignoring the locked flag here. If needed later, it can be utilized without disrupting existing code.

internal/exec/terraform.go (1)

125-134: Locked component enforcement.

Smart to prevent destructive commands on locked components. This matches the approach in the Helmfile logic.

pkg/schema/schema.go (1)

234-234: Great introduction of the locked field.

Adding ComponentIsLocked provides a clear way to track and enforce locking at the schema level.

internal/exec/utils.go (2)

133-133: Good job capturing the locked status.

Storing componentIsLocked immediately after retrieving it from ProcessComponentMetadata ensures the correct flow of information.

---

603-603: Good reuse of ProcessComponentMetadata.

This ensures that the locked status is always determined at the same time as abstract/enabled status.

website/docs/core-concepts/stacks/define-components.mdx (1)

237-259: Helpful new section.

Documenting metadata.locked clarifies how teams can control authorized usage. The example is concise and demonstrates a real-life scenario for safeguarding critical infrastructure.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (6)

examples/demo-metadata/atmos.yaml (1)

10-10: Clean up the battlefield - remove trailing spaces.

There are trailing spaces at the end of line 10.

-  
+

🧰 Tools

🪛 yamllint (1.35.1)

[error] 10-10: trailing spaces

(trailing-spaces)

examples/demo-metadata/components/terraform/myapp/main.tf (1)

11-16: STRENGTHEN YOUR DEFENSES, BRAVE ONE!

While the HTTP data source is functional, we can make it more resilient in battle:

 data "http" "weather" {
   url = local.url
   request_headers = {
     User-Agent = "curl"
   }
+  retry {
+    attempts     = 3
+    min_delay_ms = 1000
+    max_delay_ms = 5000
+  }
+  timeout = "10"
 }

examples/demo-metadata/components/terraform/myapp/outputs.tf (1)

1-27: WELL-STRUCTURED OUTPUTS, BUT LET'S POLISH OUR PROCLAMATIONS!

Your output structure is strong, but let's refine the descriptions for clarity:

 output "location" {
   value       = var.location
-  description = "Location of the weather report."
+  description = "Location for the weather report"
 }

 output "lang" {
   value       = var.lang
-  description = "Language which the weather is displayed."
+  description = "Language in which the weather is displayed"
 }

 output "units" {
   value       = var.units
-  description = "Units the weather is displayed."
+  description = "Units in which the weather is displayed"
 }

examples/demo-metadata/components/terraform/myapp/variables.tf (1)

1-34: STRONG VARIABLE DECLARATIONS, FELLOW WARRIOR!

Your variable structure is robust, but let's enhance the clarity of our battle plan:

1. Improve descriptions:

 variable "location" {
-  description = "Location for which the weather."
+  description = "Location for which to fetch the weather report"
 }

2. Consider adding validation rules for critical variables:

 variable "stage" {
   description = "Stage where it will be deployed"
   type        = string
+  validation {
+    condition     = contains(["dev", "staging", "prod"], var.stage)
+    error_message = "Stage must be one of: dev, staging, prod."
+  }
 }

 variable "units" {
   description = "Units in which the weather is displayed."
   type        = string
   default     = "m"
+  validation {
+    condition     = contains(["m", "u", "M"], var.units)
+    error_message = "Units must be one of: m (metric), u (USCS), M (metric with wind in m/s)."
+  }
 }

tests/test_cases.yaml (1)

219-233: Excellent negative test case for locked component protection!

The test effectively validates that locked components cannot be modified, with a clear error message. Consider adding additional test cases for:

• Read-only operations (like plan) on locked components
• Other commands that should be blocked on locked components

examples/demo-metadata/components/terraform/myapp/README.md (1)

1-14: Add component locking information to features section

Since this example is in the demo-metadata directory and is used in the locking test cases, consider adding information about the component locking feature to demonstrate real-world usage of metadata.locked.

🧰 Tools

🪛 LanguageTool

[typographical] ~3-~3: Consider using typographic quotation marks here.
Context: ...aform Weather Component This Terraform "root" module fetches weather information for ...

(EN_QUOTES)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 08bc176 and 2938bdc.

📒 Files selected for processing (11)

• examples/demo-metadata/.gitignore (1 hunks)
• examples/demo-metadata/atmos.yaml (1 hunks)
• examples/demo-metadata/components/terraform/myapp/README.md (1 hunks)
• examples/demo-metadata/components/terraform/myapp/main.tf (1 hunks)
• examples/demo-metadata/components/terraform/myapp/outputs.tf (1 hunks)
• examples/demo-metadata/components/terraform/myapp/variables.tf (1 hunks)
• examples/demo-metadata/components/terraform/myapp/versions.tf (1 hunks)
• examples/demo-metadata/stacks/catalog/myapp.yaml (1 hunks)
• examples/demo-metadata/stacks/deploy/nonprod.yaml (1 hunks)
• examples/demo-metadata/stacks/deploy/prod.yaml (1 hunks)
• tests/test_cases.yaml (1 hunks)

✅ Files skipped from review due to trivial changes (3)

• examples/demo-metadata/components/terraform/myapp/versions.tf
• examples/demo-metadata/stacks/catalog/myapp.yaml
• examples/demo-metadata/.gitignore

🧰 Additional context used

🪛 yamllint (1.35.1)

examples/demo-metadata/atmos.yaml

[error] 10-10: trailing spaces

(trailing-spaces)

🪛 LanguageTool

examples/demo-metadata/components/terraform/myapp/README.md

[typographical] ~3-~3: Consider using typographic quotation marks here.
Context: ...aform Weather Component This Terraform "root" module fetches weather information for ...

(EN_QUOTES)

---

[uncategorized] ~34-~34: Loose punctuation mark.
Context: ... where it will be deployed. - location: Location for which the weather is repor...

(UNLIKELY_OPENING_PUNCTUATION)

---

[typographical] ~34-~34: Consider using typographic quotation marks here.
Context: ...ich the weather is reported. Default is "Los Angeles". - options: Options to customize the ...

(EN_QUOTES)

---

[uncategorized] ~35-~35: Loose punctuation mark.
Context: ...d. Default is "Los Angeles". - options: Options to customize the output. Defaul...

(UNLIKELY_OPENING_PUNCTUATION)

---

[typographical] ~35-~35: Consider using a typographic opening quote here.
Context: ...ons to customize the output. Default is "0T". - format: Specifies the output fo...

(EN_QUOTES)

---

[typographical] ~35-~35: Consider using a typographic close quote here.
Context: ... to customize the output. Default is "0T". - format: Specifies the output forma...

(EN_QUOTES)

---

[uncategorized] ~36-~36: Loose punctuation mark.
Context: ... the output. Default is "0T". - format: Specifies the output format. Default is...

(UNLIKELY_OPENING_PUNCTUATION)

---

[typographical] ~36-~36: Consider using a typographic opening quote here.
Context: ...Specifies the output format. Default is "v2". - lang: Language in which the wea...

(EN_QUOTES)

---

[typographical] ~36-~36: Consider using a typographic close quote here.
Context: ...cifies the output format. Default is "v2". - lang: Language in which the weathe...

(EN_QUOTES)

---

[uncategorized] ~37-~37: Loose punctuation mark.
Context: ...output format. Default is "v2". - lang: Language in which the weather will be d...

(UNLIKELY_OPENING_PUNCTUATION)

---

[typographical] ~37-~37: Consider using typographic quotation marks here.
Context: ...e weather will be displayed. Default is "en". - units: Units in which the weather ...

(EN_QUOTES)

---

[uncategorized] ~38-~38: Loose punctuation mark.
Context: ...be displayed. Default is "en". - units: Units in which the weather will be disp...

(UNLIKELY_OPENING_PUNCTUATION)

---

[typographical] ~38-~38: Consider using typographic quotation marks here.
Context: ...e weather will be displayed. Default is "m". ### Outputs - weather: The fetched ...

(EN_QUOTES)

---

[uncategorized] ~42-~42: Loose punctuation mark.
Context: ...ther: The fetched weather data. - url: Requested URL. - stage`: Stage of depl...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~43-~43: Loose punctuation mark.
Context: ... data. - url: Requested URL. - stage: Stage of deployment. - location: Loca...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~44-~44: Loose punctuation mark.
Context: ...tage: Stage of deployment. - location: Location of the reported weather. - la...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~45-~45: Loose punctuation mark.
Context: ...cation of the reported weather. - lang: Language used for weather data. - `unit...

(UNLIKELY_OPENING_PUNCTUATION)

---

[uncategorized] ~46-~46: Loose punctuation mark.
Context: ...anguage used for weather data. - units: Units of measurement for the weather da...

(UNLIKELY_OPENING_PUNCTUATION)

🔇 Additional comments (6)

examples/demo-metadata/stacks/deploy/nonprod.yaml (1)

1-14: Well-structured nonprod configuration, warrior!

The configuration follows best practices with schema validation and clear environment-specific settings. The absence of component locking is appropriate for a nonprod environment where changes are expected.

examples/demo-metadata/stacks/deploy/prod.yaml (1)

12-13: Strong protection for production components, commander!

The metadata.locked: true setting effectively prevents accidental modifications to the production component while maintaining read access. This aligns perfectly with the PR's objective of enhancing deployment safety.

examples/demo-metadata/atmos.yaml (2)

6-9: Battle-hardened terraform configuration, strategist!

The configuration demonstrates strong security consciousness with:

• apply_auto_approve: false requiring explicit approval
• deploy_run_init: true ensuring proper initialization
• init_run_reconfigure: true maintaining configuration consistency

---

13-16: Well-defined stack boundaries, tactician!

The stack configuration effectively manages deployment scope through:

• Explicit inclusion of deploy paths
• Strategic exclusion of defaults

examples/demo-metadata/components/terraform/myapp/main.tf (1)

1-9: STRONG WORK, WARRIOR! URL construction is well-fortified!

The URL construction shows excellent defensive programming with proper URL encoding for all parameters. This is the way of the secure warrior!

Let's verify the URL construction with this battle plan:

✅ Verification successful

VICTORY! All variables are properly declared and documented, brave warrior!

The verification shows that all variables used in the URL construction (location, options, format, lang, and units) are properly defined in the corresponding variables.tf file with clear descriptions. This ensures robust and maintainable code structure.

The battle-tested URL construction can proceed with confidence!

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify that all variables used in the URL construction are properly defined
rg -A 1 'variable "(location|options|format|lang|units)"' .

Length of output: 4016

tests/test_cases.yaml (1)

201-217: Strong test case for unlocked component deployment!

The test case effectively validates that terraform deploy works as expected on unlocked components. The assertions are well-structured, checking both successful execution and clean stderr output.

Let's verify the test environment is properly set up:

✅ Verification successful

Test environment is properly configured for unlocked component validation!

The test case is well-structured and the environment is correctly set up:

• Component myapp is properly defined in the catalog with default configuration
• The nonprod stack correctly imports and overrides the component settings
• No lock files are present, confirming the component is indeed unlocked
• The test's working directory and component name align with the actual configuration

This verification confirms that the test case will effectively validate terraform deployment behavior for unlocked components. Stand strong, warrior! Your test shall guard against unwanted regressions.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the demo-metadata example directory contains necessary component configuration
fd -t f "stack.y*ml" examples/demo-metadata/stacks/ -x cat {} \; | grep -A 5 "myapp:"

Length of output: 88

---

Script:

#!/bin/bash
# Let's check if the directory exists and list its contents
ls -la examples/demo-metadata/stacks/

# Check for any yaml files in the examples/demo-metadata directory and its subdirectories
fd -e yml -e yaml . examples/demo-metadata/

# Let's try to find any references to myapp in yaml files
rg -l "myapp" examples/demo-metadata/

Length of output: 669

---

Script:

#!/bin/bash
# Let's check the content of the relevant files to verify the myapp component configuration
cat examples/demo-metadata/stacks/catalog/myapp.yaml
cat examples/demo-metadata/stacks/deploy/nonprod.yaml

# Also check if there are any lock files that might affect the component
fd -e lock.hcl . examples/demo-metadata/

Length of output: 661

[mergify]

💥 This pull request now has conflicts. Could you fix it @milldr? 🙏

[aknysh]

@milldr thanks, looks good, please address a few comments

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

examples/quick-start-advanced/stacks/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json (1)

353-355: Well structured schema addition for component locking!

The locked property is well-placed in the metadata section and maintains backward compatibility. The description effectively communicates its purpose.

Consider enhancing the description to be more specific about which operations are considered "modifications" vs "read operations". Here's a suggested improvement:

-          "description": "Flag to lock the component and prevent modifications while allowing read operations"
+          "description": "Flag to lock the component. When true, prevents destructive operations (apply, deploy, destroy) while allowing read-only operations (plan, diff)"

website/static/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json (1)

352-356: Well structured implementation of the component locking mechanism!

The locked property is well-positioned within the metadata section, making it available to both Terraform and Helmfile components. The boolean type and clear description effectively communicate its purpose.

However, consider adding examples in the schema description to illustrate common use cases:

         "locked": {
           "type": "boolean",
-          "description": "Flag to lock the component and prevent modifications while allowing read operations"
+          "description": "Flag to lock the component and prevent modifications while allowing read operations. Example: Set to 'true' to prevent accidental changes to production components while still allowing 'plan' operations"
         }

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 880240e and d85e9cd.

📒 Files selected for processing (4)

• .gitignore (1 hunks)
• examples/quick-start-advanced/stacks/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json (1 hunks)
• tests/fixtures/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json (1 hunks)
• website/static/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• .gitignore

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/fixtures/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Acceptance Tests (windows-latest, windows)
• GitHub Check: Summary

🔇 Additional comments (1)

website/static/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json (1)

352-356: Verify schema integration with component implementations

Let's ensure the schema changes are properly integrated with the component implementations.

✅ Verification successful

Schema integration verified and properly implemented

The metadata.locked schema property is correctly integrated with both Terraform and Helmfile component implementations, with consistent behavior for blocking modifications while allowing read operations.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of metadata.locked across the codebase

# Check for metadata.locked references in Go files
echo "Checking Go implementations..."
rg -t go "metadata.*locked" -A 5

# Check for metadata.locked usage in test files
echo "Checking test files..."
rg -g "*.y*ml" "metadata:" -A 10

# Check for any potential validation implementations
echo "Checking validation implementations..."
rg -t go "ValidateComponent.*lock" -A 5

Length of output: 68559

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

website/docs/core-concepts/stacks/define-components.mdx (1)

237-258: Consider adding error message examples

The documentation would benefit from showing example error messages that users will encounter when attempting to modify a locked component. This would help users understand how the feature manifests in practice.

Consider adding a section like this:

  Using the `metadata.locked` flag helps protect critical infrastructure from unintended modifications while still allowing teams to inspect and review the configuration.
+ 
+ When attempting to modify a locked component, users will see an error message similar to:
+ ```
+ Error: Component "rds" is locked and cannot be modified
+ The component has been marked as locked using metadata.locked. This is to prevent
+ accidental changes. To modify this component, first unlock it by setting
+ metadata.locked: false
+ ```

tests/fixtures/scenarios/metadata/atmos.yaml (2)

3-10: Remove trailing whitespace, warrior!

A true spartan's code is clean and precise. There's a trailing space on line 10 that needs to be removed.

-  
+

🧰 Tools

🪛 yamllint (1.35.1)

[error] 10-10: trailing spaces

(trailing-spaces)

---

11-17: Consider adding example of locked component configuration.

For the glory of clear documentation! Since this fixture tests metadata features, it would be beneficial to include an example of the new metadata.locked configuration to demonstrate its usage.

Example addition:

stacks:
  components:
    example:
      metadata:
        locked: true

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47720b2 and 43f3cb5.

📒 Files selected for processing (5)

• internal/exec/terraform.go (1 hunks)
• internal/exec/utils.go (2 hunks)
• pkg/schema/schema.go (1 hunks)
• tests/fixtures/scenarios/metadata/atmos.yaml (1 hunks)
• website/docs/core-concepts/stacks/define-components.mdx (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• internal/exec/terraform.go
• pkg/schema/schema.go

🧰 Additional context used

📓 Learnings (1)

tests/fixtures/scenarios/metadata/atmos.yaml (1)

Learnt from: aknysh
PR: cloudposse/atmos#0
File: :0-0
Timestamp: 2025-01-10T15:18:27.794Z
Learning: The `atmos validate stacks` command now uses an embedded JSON Schema by default for validating Atmos manifests, falling back to the schema specified in `atmos.yaml` or via command-line flags if provided.

🪛 yamllint (1.35.1)

tests/fixtures/scenarios/metadata/atmos.yaml

[error] 10-10: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Acceptance Tests (macos-latest, macos)
• GitHub Check: Acceptance Tests (windows-latest, windows)
• GitHub Check: [localstack] demo-localstack
• GitHub Check: Summary

🔇 Additional comments (8)

website/docs/core-concepts/stacks/define-components.mdx (3)

238-240: Well-structured documentation addition!

The introduction clearly explains the purpose and scope of the metadata.locked feature. The documentation follows the established pattern of the file and integrates seamlessly with the existing content.

---

242-244: Important state management clarification!

The info note effectively prevents potential misunderstandings about the feature's impact on Terraform state. This is crucial for users to understand the boundaries of the locking mechanism.

---

248-256: Excellent example implementation!

The example effectively demonstrates the feature using a real-world scenario (production database) that immediately communicates the value proposition to users.

tests/fixtures/scenarios/metadata/atmos.yaml (3)

1-2: LGTM! Base path configuration is clear and concise.

---

19-21: Strong logging configuration, commander!

The log settings are well-chosen for testing purposes. Directing logs to stderr with Info level will help track the component locking behavior effectively.

---

1-21: Consider schema validation strategy.

Based on the past discussions and learnings, there are two paths forward for schema validation:

1. Wait for the embedded JSON Schema implementation
2. Explicitly specify the schema location

What's your preference, commander? We can assist with either approach.

Would you like help implementing either:

1. A temporary schema location configuration
2. Integration with the upcoming embedded schema feature

🧰 Tools

🪛 yamllint (1.35.1)

[error] 10-10: trailing spaces

(trailing-spaces)

internal/exec/utils.go (2)

156-158: Clean implementation of component locking state!

The addition of componentIsLocked follows Go's idiomatic patterns and integrates well with the existing configuration processing logic.

---

614-617: Verify the component lock state usage.

The implementation looks good. Let's verify how this locked state is used in the codebase to ensure proper enforcement of the locking mechanism.

Run the following script to check the usage of ComponentIsLocked:

✅ Verification successful

Component lock state implementation verified and complete

The lock state is properly enforced for both Terraform and Helmfile components, blocking modification commands while allowing read-only operations. Implementation is consistent and robust across the codebase.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check how ComponentIsLocked is used to enforce component locking

# Search for direct references to ComponentIsLocked
echo "=== Direct references to ComponentIsLocked ==="
rg -A 5 "ComponentIsLocked"

# Search for potential enforcement points in Terraform and Helmfile execution
echo -e "\n=== Potential enforcement in Terraform/Helmfile execution ==="
rg -A 10 "ExecuteTerraform|ExecuteHelmfile"

Length of output: 17806

[mergify]

💥 This pull request now has conflicts. Could you fix it @milldr? 🙏