fix: Consolidate credential retrieval logic to fix terraform auth

CLAUDE.md

@@ -312,14 +312,43 @@ See `docs/developing-atmos-commands.md` and `docs/prd/command-registry-pattern.m
 ### Documentation (MANDATORY)
 All cmds/flags need Docusaurus docs in `website/docs/cli/commands/`. Use `<dl>` for args/flags. Build: `cd website && npm run build`
 
+**Verifying Documentation Links (MANDATORY):**
+Before adding links to documentation pages, ALWAYS verify the correct URL:
+
+```bash
+# Example: Finding the correct URL for auth user configure command
+# Step 1: Find the doc file
+find website/docs/cli/commands -name "*user-configure*"
+# Output: website/docs/cli/commands/auth/auth-user-configure.mdx
+
+# Step 2: Check the slug in frontmatter
+head -10 website/docs/cli/commands/auth/auth-user-configure.mdx | grep slug
+# Output: slug: /cli/commands/auth/auth-user-configure
+
+# Step 3: Verify by checking existing links
+grep -r "/cli/commands/auth/auth-user-configure" website/docs/
+```
+
+**Common mistakes:**
+- Using command name instead of filename (e.g., `/cli/commands/auth/atmos_auth` when file is `usage.mdx`)
+- Not checking the `slug` frontmatter which can override default URLs
+- Guessing URLs instead of verifying against existing documentation structure
+
+**Correct approach:**
+1. Find the target doc file: `find website/docs/cli/commands -name "*keyword*"`
+2. Check for `slug:` in frontmatter: `head -10 <file> | grep slug`
+3. If no slug, URL is path from `docs/` without extension (e.g., `auth-user-configure.mdx` → `/cli/commands/auth/auth-user-configure`)
+4. Verify by searching for existing links: `grep -r "<url>" website/docs/`
+
 ### PRD Documentation (MANDATORY)
 All Product Requirement Documents (PRDs) MUST be placed in `docs/prd/`. Use kebab-case filenames. Examples: `command-registry-pattern.md`, `error-handling-strategy.md`, `testing-strategy.md`
 
 ### Pull Requests (MANDATORY)
 Follow template (what/why/references).
 
 **Blog Posts (CI Enforced):**
-- PRs labeled `minor` or `major` MUST include blog post in `website/blog/YYYY-MM-DD-feature-name.md`
+- PRs labeled `minor` or `major` MUST include blog post in `website/blog/YYYY-MM-DD-feature-name.mdx`
+- Blog posts must use `.mdx` extension with YAML front matter
 - Include `<!--truncate-->` after intro paragraph
 - Tag `feature`/`enhancement`/`bugfix` (user-facing) or `contributors` (internal changes)
 - CI will fail without blog post

cmd/auth.go

@@ -8,7 +8,8 @@ import (
 )
 
 const (
-	IdentityFlagName = "identity"
+	IdentityFlagName        = "identity"
+	IdentityFlagSelectValue = "__SELECT__" // Special value when --identity is used without argument.
 )
 
 // authCmd groups authentication-related subcommands.
@@ -23,7 +24,15 @@ var authCmd = &cobra.Command{
 func init() {
 	// Avoid adding "stack" at the group level unless subcommands require it.
 	// AddStackCompletion(authCmd)
-	authCmd.PersistentFlags().StringP(IdentityFlagName, "i", "", "Specify the target identity to assume.")
+	authCmd.PersistentFlags().StringP(IdentityFlagName, "i", "", "Specify the target identity to assume. Use without value to interactively select.")
+
+	// Set NoOptDefVal to enable optional flag value.
+	// When --identity is used without a value, it will receive IdentityFlagSelectValue.
+	identityFlag := authCmd.PersistentFlags().Lookup(IdentityFlagName)
+	if identityFlag != nil {
+		identityFlag.NoOptDefVal = IdentityFlagSelectValue
+	}
+
 	// Bind to Viper and env (flags > env > config > defaults).
 	if err := viper.BindEnv(IdentityFlagName, "ATMOS_IDENTITY", "IDENTITY"); err != nil {
 		log.Trace("Failed to bind identity environment variables", "error", err)

cmd/auth_console.go

@@ -240,11 +240,15 @@ func resolveIdentityName(cmd *cobra.Command, authManager types.AuthManager) (str
 	defer perf.Track(nil, "cmd.resolveIdentityName")()
 
 	identityName, _ := cmd.Flags().GetString(IdentityFlagName)
-	if identityName != "" {
+
+	// Check if user wants to interactively select identity.
+	forceSelect := identityName == IdentityFlagSelectValue
+
+	if identityName != "" && !forceSelect {
 		return identityName, nil
 	}
 
-	identityName, err := authManager.GetDefaultIdentity()
+	identityName, err := authManager.GetDefaultIdentity(forceSelect)
 	if err != nil {
 		return "", fmt.Errorf("%w: failed to get default identity: %w", errUtils.ErrAuthConsole, err)
 	}

cmd/auth_console_test.go

@@ -593,7 +593,7 @@ func (m *mockAuthManagerForProvider) Authenticate(ctx context.Context, identityN
 	return nil, errors.New("not implemented")
 }
 
-func (m *mockAuthManagerForProvider) GetDefaultIdentity() (string, error) {
+func (m *mockAuthManagerForProvider) GetDefaultIdentity(_ bool) (string, error) {
 	return "", errors.New("not implemented")
 }
 
@@ -675,7 +675,7 @@ func (m *mockAuthManagerForIdentity) Authenticate(ctx context.Context, identityN
 	return nil, errors.New("not implemented")
 }
 
-func (m *mockAuthManagerForIdentity) GetDefaultIdentity() (string, error) {
+func (m *mockAuthManagerForIdentity) GetDefaultIdentity(_ bool) (string, error) {
 	if m.defaultErr != nil {
 		return "", m.defaultErr
 	}

cmd/auth_env.go

@@ -50,8 +50,12 @@ var authEnvCmd = &cobra.Command{
 
 		// Get identity from flag or use default
 		identityName, _ := cmd.Flags().GetString("identity")
-		if identityName == "" {
-			defaultIdentity, err := authManager.GetDefaultIdentity()
+
+		// Check if user wants to interactively select identity.
+		forceSelect := identityName == IdentityFlagSelectValue
+
+		if identityName == "" || forceSelect {
+			defaultIdentity, err := authManager.GetDefaultIdentity(forceSelect)
 			if err != nil {
 				return fmt.Errorf("no default identity configured and no identity specified: %w", err)
 			}

cmd/auth_exec.go

@@ -66,8 +66,12 @@ func executeAuthExecCommandCore(cmd *cobra.Command, args []string) error {
 
 	// Get identity from flag or use default
 	identityName, _ := cmd.Flags().GetString("identity")
-	if identityName == "" {
-		defaultIdentity, err := authManager.GetDefaultIdentity()
+
+	// Check if user wants to interactively select identity.
+	forceSelect := identityName == IdentityFlagSelectValue
+
+	if identityName == "" || forceSelect {
+		defaultIdentity, err := authManager.GetDefaultIdentity(forceSelect)
 		if err != nil {
 			return errors.Join(errUtils.ErrNoDefaultIdentity, err)
 		}

cmd/auth_integration_test.go

@@ -68,7 +68,7 @@ func TestAuthCLIIntegrationWithCloudProvider(t *testing.T) {
 		assert.NotNil(t, authManager)
 
 		// Test GetDefaultIdentity
-		defaultIdentity, err := authManager.GetDefaultIdentity()
+		defaultIdentity, err := authManager.GetDefaultIdentity(false)
 		require.NoError(t, err)
 		assert.Equal(t, "test-identity", defaultIdentity)
 

cmd/auth_login.go

@@ -57,9 +57,13 @@ func executeAuthLoginCommand(cmd *cobra.Command, args []string) error {
 		identityName = viper.GetString(IdentityFlagName)
 	}
 
+	// Check if user wants to interactively select identity.
+	forceSelect := identityName == IdentityFlagSelectValue
+
 	// If no identity specified, get the default identity (which prompts if needed).
-	if identityName == "" {
-		identityName, err = authManager.GetDefaultIdentity()
+	// If --identity flag was used without value, forceSelect will be true.
+	if identityName == "" || forceSelect {
+		identityName, err = authManager.GetDefaultIdentity(forceSelect)
 		if err != nil {
 			return errors.Join(errUtils.ErrDefaultIdentity, err)
 		}

cmd/auth_logout.go

@@ -30,9 +30,11 @@ This command removes:
   • AWS credential files (~/.aws/atmos/<provider>/credentials)
   • AWS config files (~/.aws/atmos/<provider>/config)
 
-You can specify the identity to logout using either:
-  • Positional argument: atmos auth logout <identity>
-  • Flag: atmos auth logout --identity <identity>
+You can specify what to logout:
+  • Specific identity: atmos auth logout <identity>
+  • All identities: atmos auth logout --all
+  • Specific provider: atmos auth logout --provider <provider>
+  • Interactive mode: atmos auth logout (no arguments)
 
 Note: This only removes local credentials. Your browser session with the
 identity provider (AWS SSO, Okta, etc.) may still be active. To completely
@@ -62,6 +64,7 @@ func executeAuthLogoutCommand(cmd *cobra.Command, args []string) error {
 
 	// Get flags.
 	providerFlag, _ := cmd.Flags().GetString("provider")
+	allFlag, _ := cmd.Flags().GetBool("all")
 	dryRun, _ := cmd.Flags().GetBool("dry-run")
 
 	// Get identity from flag or positional argument.
@@ -74,6 +77,11 @@ func executeAuthLogoutCommand(cmd *cobra.Command, args []string) error {
 	ctx := context.Background()
 
 	// Determine what to logout.
+	if allFlag {
+		// Logout all identities.
+		return performLogoutAll(ctx, authManager, dryRun)
+	}
+
 	if providerFlag != "" {
 		// Logout specific provider.
 		return performProviderLogout(ctx, authManager, providerFlag, dryRun)
@@ -132,16 +140,16 @@ func performIdentityLogout(ctx context.Context, authManager auth.AuthManager, id
 	if err := authManager.Logout(ctx, identityName); err != nil {
 		// Check if it's a partial logout.
 		if errors.Is(err, errUtils.ErrPartialLogout) {
-			u.PrintfMarkdownToTUI("\n%s Logged out **%s** with warnings\n\n", theme.Styles.Checkmark, identityName)
+			u.PrintfMessageToTUI("\n%s Logged out %s with warnings\n\n", theme.Styles.Checkmark, identityName)
 			u.PrintfMessageToTUI("Some credentials could not be removed:\n")
 			u.PrintfMessageToTUI("  %v\n\n", err)
 		} else {
-			u.PrintfMarkdownToTUI("\n%s Failed to log out **%s**\n\n", theme.Styles.XMark, identityName)
+			u.PrintfMessageToTUI("\n%s Failed to log out %s\n\n", theme.Styles.XMark, identityName)
 			u.PrintfMessageToTUI("Error: %v\n\n", err)
 			return err
 		}
 	} else {
-		u.PrintfMarkdownToTUI("\n%s Logged out **%s**\n\n", theme.Styles.Checkmark, identityName)
+		u.PrintfMessageToTUI("\n%s Logged out %s\n\n", theme.Styles.Checkmark, identityName)
 	}
 
 	// Display browser session warning.
@@ -200,7 +208,7 @@ func performProviderLogout(ctx context.Context, authManager auth.AuthManager, pr
 		return err
 	}
 
-	u.PrintfMarkdownToTUI("\n%s Logged out provider **%s** (%d identities)\n\n", theme.Styles.Checkmark, providerName, len(identitiesForProvider))
+	u.PrintfMessageToTUI("\n%s Logged out provider %s (%d identities)\n\n", theme.Styles.Checkmark, providerName, len(identitiesForProvider))
 
 	// Display browser session warning.
 	displayBrowserWarning()
@@ -350,6 +358,7 @@ func displayBrowserWarning() {
 
 func init() {
 	authLogoutCmd.Flags().String("provider", "", "Logout from specific provider")
+	authLogoutCmd.Flags().Bool("all", false, "Logout from all identities and providers")
 	authLogoutCmd.Flags().Bool("dry-run", false, "Preview what would be removed without deleting")
 	authCmd.AddCommand(authLogoutCmd)
 }

cmd/auth_logout_test.go

@@ -375,3 +375,72 @@ func TestExecuteAuthLogoutCommand_SupportsIdentityFlag(t *testing.T) {
 		})
 	}
 }
+
+func TestPerformLogoutAll_WithAllFlag(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	tests := []struct {
+		name          string
+		dryRun        bool
+		setupMocks    func(*types.MockAuthManager)
+		expectedError error
+	}{
+		{
+			name:   "all flag triggers logout all",
+			dryRun: false,
+			setupMocks: func(m *types.MockAuthManager) {
+				m.EXPECT().LogoutAll(gomock.Any()).Return(nil)
+				m.EXPECT().GetIdentities().Return(map[string]schema.Identity{
+					"identity1": {Kind: "aws/permission-set"},
+					"identity2": {Kind: "aws/user"},
+				})
+			},
+			expectedError: nil,
+		},
+		{
+			name:   "all flag with dry run",
+			dryRun: true,
+			setupMocks: func(m *types.MockAuthManager) {
+				m.EXPECT().GetProviders().Return(map[string]schema.Provider{
+					"provider1": {},
+				})
+				m.EXPECT().GetFilesDisplayPath("provider1").Return("/home/user/.config/atmos")
+			},
+			expectedError: nil,
+		},
+		{
+			name:   "all flag with partial logout",
+			dryRun: false,
+			setupMocks: func(m *types.MockAuthManager) {
+				m.EXPECT().LogoutAll(gomock.Any()).Return(errUtils.ErrPartialLogout)
+			},
+			expectedError: nil, // Partial logout treated as success.
+		},
+		{
+			name:   "all flag with logout failure",
+			dryRun: false,
+			setupMocks: func(m *types.MockAuthManager) {
+				m.EXPECT().LogoutAll(gomock.Any()).Return(errUtils.ErrLogoutFailed)
+			},
+			expectedError: errUtils.ErrLogoutFailed,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockManager := types.NewMockAuthManager(ctrl)
+			tt.setupMocks(mockManager)
+
+			ctx := context.Background()
+			err := performLogoutAll(ctx, mockManager, tt.dryRun)
+
+			if tt.expectedError != nil {
+				assert.Error(t, err)
+				assert.ErrorIs(t, err, tt.expectedError)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

cmd/auth_shell.go

@@ -75,8 +75,12 @@ func executeAuthShellCommandCore(cmd *cobra.Command, args []string) error {
 
 	// Get identity from viper (respects CLI → ENV → config precedence).
 	identityName := viper.GetString(IdentityFlagName)
-	if identityName == "" {
-		defaultIdentity, err := authManager.GetDefaultIdentity()
+
+	// Check if user wants to interactively select identity.
+	forceSelect := identityName == IdentityFlagSelectValue
+
+	if identityName == "" || forceSelect {
+		defaultIdentity, err := authManager.GetDefaultIdentity(forceSelect)
 		if err != nil {
 			return errors.Join(errUtils.ErrNoDefaultIdentity, err)
 		}

cmd/auth_whoami.go

@@ -134,10 +134,15 @@ func loadAuthManager() (authTypes.AuthManager, error) {
 
 func identityFromFlagOrDefault(cmd *cobra.Command, authManager authTypes.AuthManager) (string, error) {
 	identityName, _ := cmd.Flags().GetString("identity")
-	if identityName != "" {
+
+	// Check if user wants to interactively select identity.
+	forceSelect := identityName == IdentityFlagSelectValue
+
+	if identityName != "" && !forceSelect {
 		return identityName, nil
 	}
-	defaultIdentity, err := authManager.GetDefaultIdentity()
+
+	defaultIdentity, err := authManager.GetDefaultIdentity(forceSelect)
 	if err != nil {
 		return "", fmt.Errorf("%w: no default identity configured and no identity specified: %v", errUtils.ErrInvalidAuthConfig, err)
 	}

cmd/terraform_commands.go

@@ -275,7 +275,13 @@ func attachTerraformCommands(parentCmd *cobra.Command) {
 	parentCmd.PersistentFlags().Bool("process-templates", true, "Enable/disable Go template processing in Atmos stack manifests when executing terraform commands")
 	parentCmd.PersistentFlags().Bool("process-functions", true, "Enable/disable YAML functions processing in Atmos stack manifests when executing terraform commands")
 	parentCmd.PersistentFlags().StringSlice("skip", nil, "Skip executing specific YAML functions in the Atmos stack manifests when executing terraform commands")
-	parentCmd.PersistentFlags().StringP("identity", "i", "", "Specify the identity to authenticate to before running Terraform commands")
+	parentCmd.PersistentFlags().StringP("identity", "i", "", "Specify the identity to authenticate to before running Terraform commands. Use without value to interactively select.")
+
+	// Set NoOptDefVal to enable optional flag value for identity.
+	// When --identity is used without a value, it will receive IdentityFlagSelectValue.
+	if identityFlag := parentCmd.PersistentFlags().Lookup("identity"); identityFlag != nil {
+		identityFlag.NoOptDefVal = IdentityFlagSelectValue
+	}
 
 	parentCmd.PersistentFlags().StringP("query", "q", "", "Execute `atmos terraform <command>` on the components filtered by a YQ expression, in all stacks or in a specific stack")
 	parentCmd.PersistentFlags().StringSlice("components", nil, "Filter by specific components")