atmos-vendoring
Atmos Component Vendoring
Vendoring copies external components, stacks, and other artifacts into your repository. This gives you full control over when and how dependencies change, with visibility through git diff, an immutable audit trail, and the ability to apply emergency patches without waiting for upstream releases.
Why Vendor
Terraform root modules must exist locally -- they cannot be pulled from remote sources at runtime the way child modules can. Vendoring makes this explicit: you copy the code once, commit it, and control when updates happen. This provides:
- Visibility: See actual code changes via
git diff, not just version bumps. - Audit trail: Every update is a commit with full history for compliance.
- Emergency agility: Patch vulnerabilities immediately without waiting for upstream.
- Developer experience: Full IDE navigation, grep across all code, better onboarding.
- Deployment reliability: No network dependencies during
terraform apply.
Types of Vendoring
Atmos supports two approaches:
- Vendor Configuration (
vendor.yaml): A centralized manifest listing all dependencies. This is the recommended approach.
More from cloudposse/atmos
atmos-design-patterns
Design patterns: stack organization, component catalogs, inheritance, configuration composition, version management, layered configuration
15atmos-config
Project configuration: atmos.yaml structure, all sections, discovery, merging, base paths, settings, imports, profiles
12atmos-workflows
Workflow automation: multi-step workflows, Go template support, cross-component orchestration
12atmos-helmfile
Helmfile orchestration: sync/apply/destroy/diff, Kubernetes deployments, varfile generation, EKS integration, source management
12atmos-stores
Store backends: AWS SSM, Azure Key Vault, Google Secret Manager, Redis, Artifactory configuration, hooks integration, cross-component data sharing
11atmos-stacks
Stack configuration: imports, inheritance, deep merging, locals, vars, settings, metadata, overrides
10