cloudposse
diff --git a/‎examples/snippets/.claude/skills/README.md‎
Lines changed: 55 additions & 0 deletions b/‎examples/snippets/.claude/skills/README.md‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎examples/snippets/.claude/skills/account-map-migration/SKILL.md‎
Lines changed: 172 additions & 0 deletions b/‎examples/snippets/.claude/skills/account-map-migration/SKILL.md‎
Lines changed: 172 additions & 0 deletions
diff --git a/‎examples/snippets/.claude/skills/atmos-auth/SKILL.md‎
Lines changed: 117 additions & 0 deletions b/‎examples/snippets/.claude/skills/atmos-auth/SKILL.md‎
Lines changed: 117 additions & 0 deletions
@@ -0,0 +1,55 @@
+# Claude Skills
+
+This directory contains skills that provide Claude with detailed guidance for specific tasks. Skills are automatically
+invoked based on their descriptions when relevant to your request.
+
+## Available Skills
+
+| Skill                   | Description                                                                             |
+| ----------------------- | --------------------------------------------------------------------------------------- |
+| `developing-components` | Creating new Terraform components, modifying existing ones, setting up catalog defaults |
+| `atmos-auth`            | Authenticating with AWS via Atmos, SSO login, troubleshooting permission errors         |
+| `atmos-functions`       | Wiring cross-component dependencies with `!terraform.state` or `!terraform.output`      |
+| `debugging-atmos`       | Troubleshooting Atmos errors, inspecting resolved configuration with `describe stacks`  |
+| `account-map-migration` | Removing account-map dependencies, using static account mappings, bypass pattern        |
+
+## How Skills Work
+
+Skills are **model-invoked** - Claude automatically decides when to use them based on:
+
+1. The skill's `description` field in the YAML frontmatter
+2. The context of your request
+
+You don't need to explicitly invoke skills. Just describe what you're trying to do and Claude will use the relevant
+skill if applicable.
+
+## Skill Structure
+
+Each skill is a directory containing a `SKILL.md` file:
+
+```
+skills/
+├── skill-name/
+│   └── SKILL.md
+```
+
+The `SKILL.md` file has YAML frontmatter with `name` and `description`, followed by detailed instructions in Markdown.
+
+## Adding New Skills
+
+1. Create a new directory under `.claude/skills/`
+2. Add a `SKILL.md` file with frontmatter:
+   ```yaml
+   ---
+   name: skill-name
+   description: >-
+     Brief description of what this skill does and when to use it. Include trigger words that would indicate this skill
+     is relevant.
+   ---
+   ```
+3. Add detailed instructions in Markdown
+4. Update `CLAUDE.md` to reference the new skill in the Skills table
+
+## References
+
+- [Claude Code Skills Documentation](https://code.claude.com/docs/en/skills)
@@ -0,0 +1,172 @@
+---
+name: account-map-migration
+description: >-
+  Use when fixing legacy account-map component references or creating new components. Covers migration from dynamic
+  account-map lookups to static account_map variable. Use when you see account-map remote-state references or need to
+  set up provider configuration for a new component.
+---
+
+# Account Map Migration
+
+This repository has migrated away from the `account-map` component to use Atmos Auth for authentication. Instead of
+dynamically looking up account IDs via the account-map component's remote state, we use a static `account_map` variable
+defined in `stacks/orgs/acme/_defaults.yaml`.
+
+## Why We Migrated
+
+The legacy `account-map` component pattern required:
+
+1. Deploying account-map component first (chicken-and-egg problem)
+2. Remote state lookups for every component that needed account IDs
+3. Complex `providers.tf` with remote-state module calls
+4. Cross-account state access permissions
+
+The new pattern:
+
+1. Static account map defined once in stack defaults
+2. No remote state dependencies for account lookups
+3. Simpler provider configuration
+4. Works with Atmos Auth for authentication
+
+## Key Configuration
+
+### Stack Defaults
+
+The account map is defined in `stacks/orgs/acme/_defaults.yaml`:
+
+```yaml
+vars:
+  account_map_enabled: false
+  account_map:
+    full_account_map:
+      acme-core-root: "111111111111"
+      acme-core-audit: "222222222222"
+      acme-core-auto: "333333333333"
+      acme-plat-dev: "444444444444"
+      acme-plat-staging: "555555555555"
+      acme-plat-prod: "666666666666"
+      # ... all accounts
+    iam_role_arn_templates:
+      terraform: "arn:aws:iam::%s:role/acme-core-gbl-auto-terraform"
+    audit_account_account_name: "acme-core-audit"
+    root_account_account_name: "acme-core-root"
+```
+
+### Vendored providers.tf
+
+Components use a vendored `providers.tf` from Atmos mixins that includes:
+
+- `account_map_enabled` and `account_map` variables
+- Provider configuration that uses the static account map
+- Dummy `iam_roles` module for legacy compatibility
+
+**Vendoring is configured in each component's `component.yaml`:**
+
+```yaml
+# components/terraform/<component-name>/component.yaml
+apiVersion: atmos/v1
+kind: ComponentVendorConfig
+spec:
+  source:
+    uri: github.com/cloudposse-terraform-components/aws-<component>.git//src?ref={{ .Version }}
+    version: v1.x.x
+    included_paths:
+      - "**/**"
+    excluded_paths:
+      - "providers.tf" # Exclude upstream providers.tf
+  mixins:
+    # Vendor the providers.tf with account-map support
+    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/{{ .Version }}/src/mixins/provider-without-account-map.tf
+      version: v0.3.0
+      filename: providers.tf
+    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/{{ .Version }}/src/mixins/account-verification.mixin.tf
+      version: v0.3.0
+      filename: account-verification.mixin.tf
+```
+
+**Key points:**
+
+- The upstream `providers.tf` is excluded via `excluded_paths`
+- The `provider-without-account-map.tf` mixin is vendored as `providers.tf`
+- This mixin includes the `account_map_enabled` and `account_map` variables
+
+**To vendor (or re-vendor) the component:**
+
+```bash
+atmos vendor pull -c <component-name>
+```
+
+The vendored `providers.tf` handles all account map logic automatically. You don't need to manually add these variables
+to `variables.tf` - they're included in `providers.tf`.
+
+## Migration Checklist
+
+When migrating a component or creating a new one:
+
+1. **Vendor providers.tf** - Run `atmos vendor pull -c <component-name>` to get the latest providers.tf with account map
+   support
+2. **Update remote-state.tf** - If the component has a `remote-state.tf` that references account-map, update it to use
+   the bypass pattern (see below)
+3. **Verify catalog** - Ensure `account_map_enabled: false` is set (inherited from `_defaults.yaml`)
+4. **Test** - Run `atmos terraform plan` to verify
+
+### Bypass Pattern for remote-state.tf
+
+If a component has a `remote-state.tf` with an account-map lookup, update it to use `bypass` and `defaults`:
+
+```hcl
+module "account_map" {
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "1.8.0"
+
+  component   = "account-map"
+  tenant      = var.account_map_enabled ? coalesce(var.account_map_tenant, module.this.tenant) : null
+  environment = var.account_map_enabled ? var.account_map_environment : null
+  stage       = var.account_map_enabled ? var.account_map_stage : null
+
+  context = module.this.context
+
+  # When account_map is disabled, bypass remote state and use the static account_map variable
+  bypass   = !var.account_map_enabled
+  defaults = var.account_map
+}
+```
+
+**Key points:**
+
+- `bypass = !var.account_map_enabled` - Skips remote state lookup when disabled
+- `defaults = var.account_map` - Uses the static account_map variable instead
+- `module.account_map.outputs` works the same regardless of bypass - returns `defaults` when bypassed
+
+## Identifying Legacy References
+
+Search for components still using the old pattern:
+
+```bash
+# Find remote-state references to account-map
+grep -r "account-map" components/terraform/*/remote-state.tf
+
+# Find components without account_map_enabled variable
+for dir in components/terraform/*/; do
+  if ! grep -q "account_map_enabled" "$dir/variables.tf" 2>/dev/null; then
+    echo "Missing: $dir"
+  fi
+done
+```
+
+## Reference Implementations
+
+See these components for the current pattern:
+
+- `components/terraform/vpc/` - Standard component with account_map
+- `components/terraform/ecr/` - Component with cross-account access
+
+## New Components
+
+When creating new components, the migrated pattern is automatic:
+
+1. **Vendor providers.tf** - Run `atmos vendor pull -c <component-name>` to get providers.tf with account map support
+2. **Inherit stack defaults** - `account_map_enabled: false` is inherited from `_defaults.yaml`
+3. **Use Atmos functions** - Use `!terraform.state` for cross-component dependencies instead of remote-state.tf
+
+See the `developing-components` skill for full component creation guidance.
@@ -0,0 +1,117 @@
+---
+name: atmos-auth
+description: >-
+  Use when authenticating with AWS via Atmos. Covers ATMOS_PROFILE setup, SSO login, and how Atmos automatically assumes
+  the correct identity per stack. Use for authentication setup, SSO login issues, and permission errors.
+---
+
+# Atmos Auth
+
+Atmos Auth handles AWS authentication automatically based on your profile and the target stack.
+
+## Quick Start
+
+```bash
+# Set your profile (required for all atmos commands)
+# Use your assigned profile: devops, developers, or managers
+export ATMOS_PROFILE=<your-profile>
+
+# Authenticate via SSO provider (preferred - triggers browser SSO)
+atmos auth login --provider acme-sso
+
+# Alternative: authenticate by specifying any identity (also triggers browser SSO)
+atmos auth login --identity core-auto/terraform
+
+# Run commands - Atmos auto-selects the correct identity per stack
+atmos terraform plan vpc -s plat-use2-dev
+```
+
+## How It Works
+
+1. **Set your profile**: `export ATMOS_PROFILE=<profile-name>` (or prefix each command)
+2. **Authenticate when needed**: Atmos authenticates per-stack automatically. If credentials are expired, it will
+   launch the IDP to sign in, or you can manually trigger SSO login.
+3. **Run commands**: Atmos automatically assumes the correct identity for each stack based on the stack name.
+
+When you run `atmos terraform plan <component> -s <stack>`, Atmos:
+
+1. Renders all stack config, then determines the default identity for the stack
+2. If there's a single default identity (e.g., `plat-dev/terraform`), it's selected automatically
+3. Looks up that identity name in your profile to get the actual credentials
+4. Assumes the configured Permission Set in the target account
+5. Runs the Terraform command with those credentials
+
+## Identity Configuration
+
+Each stack defines its default identity in its `_defaults.yaml` file:
+
+```yaml
+# stacks/orgs/acme/plat/dev/_defaults.yaml
+auth:
+  identities:
+    plat-dev/terraform:
+      default: true
+```
+
+The identity name (`plat-dev/terraform`) is resolved by your profile to determine the actual AWS credentials to use.
+
+## Profiles
+
+Profiles are defined in `profiles/<profile-name>/atmos.yaml`. Each maps identities to Permission Sets:
+
+| Profile      | Core Accounts        | Platform Dev/Sandbox | Platform Staging/Prod |
+| ------------ | -------------------- | -------------------- | --------------------- |
+| `devops`     | TerraformApplyAccess | TerraformApplyAccess | TerraformApplyAccess  |
+| `developers` | TerraformStateAccess | TerraformApplyAccess | TerraformPlanAccess   |
+| `managers`   | TerraformStateAccess | TerraformPlanAccess  | TerraformPlanAccess   |
+
+**Permission Set capabilities:**
+
+- `TerraformApplyAccess` - Full plan and apply
+- `TerraformPlanAccess` - Plan only (no apply)
+- `TerraformStateAccess` - Read state only (for cross-account references)
+
+## Identity Naming Convention
+
+Identities follow the pattern: `<tenant>-<stage>/terraform`
+
+Examples:
+
+- `plat-dev/terraform` - Platform dev account
+- `core-auto/terraform` - Core automation account
+- `plat-prod/terraform` - Platform production account
+
+## Special Cases
+
+**superadmin profile**: IAM user with MFA for breakglass access. Avoid unless SSO is unavailable.
+
+**github-plan profile**: OIDC-based authentication for CI/CD plan operations. Uses planner roles with read-only access.
+
+**github-apply profile**: OIDC-based authentication for CI/CD apply operations. Uses terraform roles with full access.
+Only used from main branch after PR merge.
+
+## Troubleshooting
+
+If authentication fails:
+
+1. Verify `ATMOS_PROFILE` is set: `echo $ATMOS_PROFILE`
+2. Re-authenticate: `atmos auth login --provider acme-sso` (or `--identity core-auto/terraform`)
+3. Check you have the required Permission Set in AWS IAM Identity Center
+4. Verify the identity exists in `profiles/$ATMOS_PROFILE/atmos.yaml`
+
+## Debugging Authentication Issues
+
+For authentication-specific debugging:
+
+```bash
+# Enable debug logging to see auth flow
+ATMOS_LOGS_LEVEL=debug atmos terraform plan <component> -s <stack>
+```
+
+Look for:
+
+- Identity resolution (`<tenant>-<stage>/terraform`)
+- SSO token retrieval
+- Role assumption errors
+
+For general Atmos debugging (configuration, variables, stack resolution), see the `debugging-atmos` skill.