Cannot vendor github-actions-iam-role mixin #94
On our latest reference architecture version, the vendor workflow fails when trying to vendor the github-actions-iam-role mixin.

```yaml
# 'ecr' component vendoring config
# 'component.yaml' in the component folder is processed by the 'atmos' commands
# 'atmos vendor pull -c ecr' or 'atmos vendor pull --component ecr'
apiVersion: atmos/v1
kind: ComponentVendorConfig
spec:
  source:
    # 'uri' supports all protocols (local files, Git, Mercurial, HTTP, HTTPS, Amazon S3, Google GCP),
    # and all URL and archive formats as described in https://github.com/hashicorp/go-getter
    # In 'uri', Golang templates are supported https://pkg.go.dev/text/template
    # If 'version' is provided, '{{ .Version }}' will be replaced with the 'version' value before pulling the files from 'uri'
    uri: github.com/cloudposse-terraform-components/aws-ecr.git//src?ref={{ .Version }}
    version: v1.538.4
    # Only include the files that match the 'included_paths' patterns
    # If 'included_paths' is not specified, all files will be matched except those that match the patterns from 'excluded_paths'
    # 'included_paths' support POSIX-style Globs for file names/paths (double-star `**` is supported)
    # https://en.wikipedia.org/wiki/Glob_(programming)
    # https://github.com/bmatcuk/doublestar#patterns
    included_paths:
      - "**/**"
    # Exclude the files that match any of the 'excluded_paths' patterns
    # Note that we are excluding 'context.tf' since a newer version of it will be downloaded using 'mixins'
    # 'excluded_paths' support POSIX-style Globs for file names/paths (double-star `**` is supported)
    excluded_paths: []
  # Mixins override files from 'source' with the same 'filename' (e.g. 'context.tf' will override 'context.tf' from the 'source')
  # All mixins are processed in the order they are declared in the list.
  mixins:
    # https://github.com/hashicorp/go-getter/issues/98
    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/{{ .Version }}/src/mixins/github-actions-iam-role/github-actions-iam-role.mixin.tf
      version: v1.538.4
      filename: github-actions-iam-role.mixin.tf
    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/aws-ecr/refs/tags/{{ .Version }}/mixins/github-actions-iam-policy.tf
      version: v1.538.4
      filename: github-actions-iam-policy.tf
```

If I update the version to Is this the correct approach?
Replies: 1 comment
Good catch, that's a mistake in the vendor config. The shared GitHub OIDC role mixin lives in the separate cloudposse-terraform-components/mixins repo and uses its own versioning, not the component’s version. The correct approach is to pin the mixin to its repo version (e.g., `v0.1.0`) while keeping the ECR component at `v1.538.4`.

```yaml
apiVersion: atmos/v1
kind: ComponentVendorConfig
spec:
  source:
    # 'uri' supports all protocols (local files, Git, Mercurial, HTTP, HTTPS, Amazon S3, Google GCP),
    # and all URL and archive formats as described in https://github.com/hashicorp/go-getter
    # In 'uri', Golang templates are supported https://pkg.go.dev/text/template
    # If 'version' is provided, '{{ .Version }}' will be replaced with the 'version' value before pulling the files from 'uri'
    uri: github.com/cloudposse-terraform-components/aws-ecr.git//src?ref={{ .Version }}
    version: v1.538.4
    # Only include the files that match the 'included_paths' patterns
    # If 'included_paths' is not specified, all files will be matched except those that match the patterns from 'excluded_paths'
    # 'included_paths' support POSIX-style Globs for file names/paths (double-star `**` is supported)
    # https://en.wikipedia.org/wiki/Glob_(programming)
    # https://github.com/bmatcuk/doublestar#patterns
    included_paths:
      - "**/**"
    # Exclude the files that match any of the 'excluded_paths' patterns
    # Note that we are excluding 'context.tf' since a newer version of it will be downloaded using 'mixins'
    # 'excluded_paths' support POSIX-style Globs for file names/paths (double-star `**` is supported)
    excluded_paths: []
  # Mixins override files from 'source' with the same 'filename' (e.g. 'context.tf' will override 'context.tf' from the 'source')
  # All mixins are processed in the order they are declared in the list.
  mixins:
    # https://github.com/hashicorp/go-getter/issues/98
    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/{{ .Version }}/src/mixins/github-actions-iam-role/github-actions-iam-role.mixin.tf
      version: v0.1.0
      filename: github-actions-iam-role.mixin.tf
    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/aws-ecr/refs/tags/{{ .Version }}/mixins/github-actions-iam-policy.tf
      version: v1.538.4
      filename: github-actions-iam-policy.tf
```
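
As an added example (not part of the original discussion and not Cloud Posse or Atmos code): a small Python lint that renders `{{ .Version }}` in each `uri` and flags a mixin pulled from a different repository than `source` while reusing the source's version, which is the mistake discussed in this thread. The regex-based parsing, the function names and the "same version, different repo" heuristic are assumptions made for illustration; the sample config is abbreviated from the question.

```python
import re

# Constructed sample: the uri/version pairs from the question's component.yaml.
QUESTION_CONFIG = """\
spec:
  source:
    uri: github.com/cloudposse-terraform-components/aws-ecr.git//src?ref={{ .Version }}
    version: v1.538.4
  mixins:
    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/{{ .Version }}/src/mixins/github-actions-iam-role/github-actions-iam-role.mixin.tf
      version: v1.538.4
      filename: github-actions-iam-role.mixin.tf
    - uri: https://raw.githubusercontent.com/cloudposse-terraform-components/aws-ecr/refs/tags/{{ .Version }}/mixins/github-actions-iam-policy.tf
      version: v1.538.4
      filename: github-actions-iam-policy.tf
"""

# A 'uri:' line immediately followed by its 'version:' line (layout assumed from the page).
ENTRY = re.compile(r"uri:\s*(?P<uri>\S.*?)\s*\n\s*version:\s*(?P<version>\S+)")
# owner/repo of a GitHub or raw.githubusercontent.com URI (repo names with dots not handled).
REPO = re.compile(r"(?:github\.com|raw\.githubusercontent\.com)/([^/]+)/([^/.?]+)")
TEMPLATE = re.compile(r"\{\{\s*\.Version\s*\}\}")


def entries(text):
    """Return (repo, version, rendered_uri) per uri/version pair, source first."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    found = []
    for m in ENTRY.finditer(body):
        repo = REPO.search(m["uri"])
        if repo is None:  # not a GitHub-hosted URI; nothing to compare
            continue
        rendered = TEMPLATE.sub(m["version"], m["uri"])
        found.append(("/".join(repo.groups()), m["version"], rendered))
    return found


def suspicious_pins(text):
    """Mixins from a repo other than the source's that reuse the source's version."""
    (src_repo, src_version, _), *mixins = entries(text)
    return [e for e in mixins if e[0] != src_repo and e[1] == src_version]


if __name__ == "__main__":
    for repo, version, uri in suspicious_pins(QUESTION_CONFIG):
        print(f"check pin: {repo} at {version} -> {uri}")
```

Reviewing the rendered URLs before running `atmos vendor pull` shows exactly which ref each vendored file will come from.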