Update README.yaml with AI

[goruha]

what

• Update README.yaml

why

• Use atmos to generate readme

Summary by CodeRabbit

• Documentation

  • Overhauled README, README.yaml and src/README: clearer usage, compatibility (2.8.2+), Embedded/External networking, TGW hub/spoke examples, testing instructions, and many wording/formatting fixes.
  • Added AGENTS.md with repository guidelines.

• Chores

  • Added atmos.yaml for shared Atmos configuration.
  • Updated .gitignore to ignore .cache and .atmos.
  • Simplified Makefile by removing remote build harness inclusion and the test target.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Adds Atmos configuration and a new AGENTS.md; broadens .gitignore entries; removes Makefile build-harness and test/all targets; and substantially rewrites and expands documentation (README.md, README.yaml, src/README.md). No runtime code changes.

Changes

Cohort / File(s)	Summary of changes
Documentation & guidelines README.md, README.yaml, src/README.md, AGENTS.md	Large documentation rework: clarified component purpose and compatibility, added usage and testing instructions (Atmos/Terratest), expanded Defaults and TGW hub/spoke examples, updated references, and added contributor/project guidelines in AGENTS.md.
Repository configuration .gitignore	Broadened ignore patterns: replaced directory-only .atmos/ with .atmos and added .cache; added trailing newline.
Build & tooling Makefile	Removed remote build-harness include and removed all and test:: targets/recipes.
Project scaffolding atmos.yaml	Added Atmos configuration importing shared terraform-component settings and enabling centralized README generation and custom commands.

Sequence Diagram(s)

(omitted — changes are documentation/configuration only; no control-flow or runtime feature introduced)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Initial V2 Release Candidate #30 — Overlapping edits to README(s), atmos.yaml, and .gitignore; likely related documentation/config refactor.

Suggested labels

needs-test

Suggested reviewers

• milldr

Poem

I twitch my whiskers at README’s new light,
Burrows mapped by Atmos, tidy and bright;
Makefile quiet, the test drum stilled—
Docs now hop where networks are filled.
I stash a .cache and hum with delight. 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 74e2c98 and 3efe0f8.

📒 Files selected for processing (1)

• README.yaml (7 hunks)

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch migration/20251908

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[mergify]

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

README.md (1)

17-23: Update the generator banner to Atmos (not build-harness).

PR objective states: “Use Atmos to generate readme.” The banner still instructs using build-harness/Makefile. Replace with Atmos instructions to avoid confusing contributors.

Proposed replacement:

-  ** This file was automatically generated by the `cloudposse/build-harness`.
-  ** 1) Make all changes to `README.yaml`
-  ** 2) Run `make init` (you only need to do this once)
-  ** 3) Run`make readme` to rebuild this file.
+  ** This file is automatically generated by Atmos.
+  ** 1) Make all changes to `README.yaml`
+  ** 2) Run `atmos docs generate readme` to rebuild this file.

src/README.md (2)

85-123: External networking example: discourage use of the default VPC security group and show alternatives

Using a VPC’s default security group is generally discouraged. Suggest a dedicated SG or allow the template to create one. Also, include an example using Atmos !terraform.output to pull IDs from dependent stacks.

-        # There are other ways to get the vpc_id, subnet_ids, and security_group_id.
-        # Hardcode
-        # Use Atmos KV Store
-        # Use atmos !terraform.output yaml function
+        # There are multiple ways to supply vpc_id, subnet_ids, and (optionally) security_group_id.
+        # Prefer a dedicated security group for runners; avoid the VPC's default SG.
+        # Options:
+        # - Hardcode (for demos only)
+        # - Use Atmos KV Store (!store)
+        # - Use Atmos !terraform.output to read outputs of dependent stacks
@@
-        vpc_id: !store auto/ssm vpc vpc_id
-        subnet_ids: !store auto/ssm vpc private_subnet_ids
-        security_group_id: !store auto/ssm vpc default_security_group_id
+        vpc_id: !store auto/ssm vpc vpc_id
+        subnet_ids: !store auto/ssm vpc private_subnet_ids
+        # Option A: reference a dedicated SG published to the KV store
+        # security_group_id: !store auto/ssm runs-on security_group_id
+        # Option B: omit `security_group_id` to let RunsOn create one, then consume the unified output later
+        # (see Outputs.security_group_id below)
+        # Option C: use !terraform.output from a `security-group` stack/component
+        # security_group_id: !terraform.output catalog/security-group/runs-on security_group_id

---

348-350: Add alt text to image (markdownlint MD045)
The image has no alt text. Add descriptive alt text to satisfy accessibility and linting.

-[<img src="https://cloudposse.com/logo-300x69.svg" height="32" align="right"/>](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-runs-on&utm_content=)
+[<img alt="Cloud Posse" src="https://cloudposse.com/logo-300x69.svg" height="32" align="right"/>](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-runs-on&utm_content=)

🧹 Nitpick comments (17)

AGENTS.md (2)

11-17: Tighten wording; fix grammar and bare URL.

• “To install atmos read this docs …” → “To install Atmos, see the installation guide.”
• Replace the bare URL with Markdown link (MD034).
• Use “GitHub” capitalization consistently.

Suggested edits:

- - To install atmos read this docs https://github.com/cloudposse/atmos
+ - To install Atmos, see the installation guide: https://github.com/cloudposse/atmos
- - `atmos docs generate readme`: Regenerate `README.md` from `README.yaml` and terraform source.
+ - `atmos docs generate readme`: Regenerate `README.md` from `README.yaml` and Terraform source.
- - `atmos docs generate readme-simple`: Regenerate `src/README.md` from `README.yaml` and terraform source.
+ - `atmos docs generate readme-simple`: Regenerate `src/README.md` from `README.yaml` and Terraform source.
- - `atmos test run`: Run Terratest suite in `test/` (uses Atmos fixtures; creates and destroys AWS resources).
+ - `atmos test run`: Run the Terratest suite in `test/` (uses Atmos fixtures; creates and destroys AWS resources).
- - Pre-commit locally: `pre-commit install && pre-commit run -a` (runs `terraform_fmt`, `terraform_docs`, `tflint`).
+ - Pre-commit locally: `pre-commit install && pre-commit run -a` (runs `terraform_fmt`, `terraform_docs`, `tflint`).
- - TFLint plugin setup: `tflint --init` (uses `.tflint.hcl`).
+ - TFLint plugin setup: `tflint --init` (uses `.tflint.hcl`).

---

23-27: Small clarity improvement for test locations.

Consider clarifying the directory structure to avoid ambiguity when adding scenarios.

- - Location/naming: put tests in `test/` and name files `*_test.go`. Add scenarios under `test/fixtures/stacks/catalog/usecase/`.
+ - Location/naming: place tests under `test/` with files named `*_test.go`. Add scenarios under `test/fixtures/stacks/catalog/<usecase>/`.

README.yaml (5)

32-40: Good, concise component description; add a direct link to the GitHub App docs.

You reference installation later under “Helpful links.” Consider adding a direct link here to reduce friction.

-  See the RunsOn documentation for GitHub App installation and configuration details.
+  See the RunsOn documentation for GitHub App installation and configuration details:
+  https://runs-on.com/guides/install/

---

81-85: Embedded networking: add a concrete example of minimal params.

Consider adding a note that when networking_stack: embedded is used, vpc_id, subnet_ids, and security_group_id must not be set, and point out the CloudFormation outputs are exported for downstream use.

+  Note: Do not set `vpc_id`, `subnet_ids`, or `security_group_id` when using embedded networking.
+  The CloudFormation stack exports the created VPC, subnets, and `RunsOnSecurityGroupId` for downstream consumption.

---

139-145: Mention unified security group handling to simplify external mode.

Based on how the component exposes RunsOnSecurityGroupId from the CloudFormation output, consumers often don’t need to pass security_group_id explicitly if they read it from the stack outputs. Consider adding:

-          # There are other ways to get the vpc_id, subnet_ids, and security_group_id.
+          # There are other ways to get the vpc_id, subnet_ids, and security_group_id.
+          # Tip: You can read `RunsOnSecurityGroupId` from the CloudFormation stack outputs to avoid hardcoding SGs.

---

147-208: Deprecation guidance: add “What to use instead” and expected EoL timeline.

The TGW section is clearly marked deprecated. To help operators plan, add:

• A pointer to the recommended replacement pattern (e.g., peering or VPC Lattice, if applicable).
• A note on when the deprecated path will stop receiving updates.

No diff provided since the specifics may vary; happy to propose text if you share the migration target.

---

261-281: Fill in missing descriptions in the references block.

The description fields are empty. Short one-liners improve readability.

Example:

-  - name: RunsOn
-    description: ""
+  - name: RunsOn
+    description: Product documentation and architecture

README.md (2)

45-47: Capitalize “GitHub” correctly.

Small branding nit.

-> Works with [Github Actions](https://atmos.tools/integrations/github-actions/), [Atlantis](https://atmos.tools/integrations/atlantis), or [Spacelift](https://atmos.tools/integrations/spacelift).
+> Works with [GitHub Actions](https://atmos.tools/integrations/github-actions/), [Atlantis](https://atmos.tools/integrations/atlantis), or [Spacelift](https://atmos.tools/integrations/spacelift).

---

50-51: Add alt text to the demo GIF (MD045).

-> <img src="https://github.com/cloudposse/atmos/blob/main/docs/demo.gif?raw=true"/><br/>
+> <img alt="Atmos demo" src="https://github.com/cloudposse/atmos/blob/main/docs/demo.gif?raw=true"/><br/>

src/README.md (8)

10-14: Tighten intro and link the GitHub App install step inline

Consider linking the install guide directly where you mention the RunsOn GitHub App and clarify that registration must occur after the CloudFormation stack completes.

-This component provisions RunsOn for GitHub Actions self-hosted runners. After deploying this
-component, install the RunsOn GitHub App in your organization to enable runner registration.
-See the RunsOn documentation for GitHub App installation and configuration details.
+This component provisions RunsOn for GitHub Actions self‑hosted runners. After the CloudFormation stack completes,
+install the RunsOn GitHub App in your organization to enable runner registration
+([installation guide](https://runs-on.com/guides/install/#3-github-app-registration)).

---

16-16: Version requirement vs. pinned template URL—request confirmation

Docs require “2.8.2 or newer” while the example pins 2.8.3 below. If any inputs/outputs used here rely on 2.8.3, update this line to “2.8.3 or newer”; otherwise, keep 2.8.2 and add a brief note that 2.8.3 is an example pin.

---

39-39: Make template URL easier to maintain and call out region considerations

• CloudFormation can fetch templates cross‑region, but some orgs prefer hosting in their own region/bucket. Add a short note to avoid confusion.
• Optionally, show how to override via Atmos vars rather than hardcoding in defaults.

-        template_url: https://runs-on.s3.eu-west-1.amazonaws.com/cloudformation/template-v2.8.3.yaml
+        # Tip: Use your own S3 bucket/region if mirroring the template internally.
+        # Override via stack vars to bump versions without editing shared defaults.
+        template_url: https://runs-on.s3.eu-west-1.amazonaws.com/cloudformation/template-v2.8.3.yaml

---

45-51: Clarify SSH guidance and tighten language

Minor editorial pass: emphasize SSM as the preferred access method and reduce the informal parenthetical.

-          # With the default value of SSHAllowed: true, the runners that are placed in a public subnet
-          # will allow ingress on port 22. This is highly abused (scanners running constantly looking for vulnerable SSH servers)
-          # and should not be allowed. If you need access to the runners, use Session Manager (SSM).
+          # With SSHAllowed: true, runners in public subnets allow ingress on port 22, which is frequently probed.
+          # Keep SSHAllowed: false and use AWS Systems Manager Session Manager (SSM) for access instead.

---

53-56: Defaulting Private to false may surprise users

Given most environments prefer private subnets by default, consider recommending Private: always as a safer baseline in the example (users can override per workflow).

-          Private: false # always | true | false - Always will default place in private subnet, true will place in private subnet if tag `private=true` present on workflow, false will place in public subnet
+          Private: always # always | true | false - Prefer private subnets by default; override per workflow with `private=true` when using `true`.

---

59-66: Embedded networking: add CIDR overlap caution

When creating a new VPC, it helps to remind users to avoid overlapping CIDRs with peered networks/TGW domains to prevent route conflicts.

-Set the `VpcCidrBlock` parameter to the CIDR block of the VPC that will be created.
+Set the `VpcCidrBlock` parameter to the CIDR block of the VPC that will be created.
+Ensure it does not overlap with existing or planned peered/TGW‑connected networks.

Also applies to: 82-83

---

125-131: Mark TGW section as deprecated with brief guidance

The header notes “(DEPRECATED)” but the body reads as current guidance. Add an explicit note and point readers to the preferred pattern.

-(DEPRECATED) Configuring with Transit Gateway
+(DEPRECATED) Configuring with Transit Gateway
+
+Note: This approach is retained for backwards compatibility. Prefer using the standalone `tgw/hub` and `tgw/spoke`
+Cloud Posse components and consume this component’s VPC/SG outputs as described below.

---

295-305: Call out the unified security group output for downstream rules

Per prior learnings, consumers should reference the component’s security_group_id output when adding SG rules, regardless of embedded/external networking. Add a sentence to make this explicit.

 | <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | Security group rules. These are either added to the security passed in, or added to the security group created when var.security\_group\_id is not set. Types include `ingress` and `egress`. | <pre>list(object({<br/>    type        = string<br/>    from_port   = number<br/>    to_port     = number<br/>    protocol    = string<br/>    cidr_blocks = list(string)<br/>  }))</pre> | `null` | no |
+<br/>When referencing this security group from other components, use the unified `outputs.security_group_id` from this component.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 87c5ecc and 74e2c98.

📒 Files selected for processing (7)

• .gitignore (1 hunks)
• AGENTS.md (1 hunks)
• Makefile (0 hunks)
• README.md (13 hunks)
• README.yaml (9 hunks)
• atmos.yaml (1 hunks)
• src/README.md (10 hunks)

💤 Files with no reviewable changes (1)

• Makefile

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-05-27T16:32:35.338Z

Learnt from: dudymas
PR: cloudposse-terraform-components/aws-runs-on#19
File: src/main.tf:82-92
Timestamp: 2025-05-27T16:32:35.338Z
Learning: In the aws-runs-on Terraform component, the CloudFormation stack receives either an external security group ID (via ExternalVpcSecurityGroupId parameter) or a newly created security group ID and outputs the security group ID it's using via RunsOnSecurityGroupId. This means local.security_group_id from the CloudFormation output is the correct unified reference for security group rules in all deployment modes (embedded/external networking), eliminating the need for complex conditional logic in Terraform locals.

Applied to files:

• README.md
• src/README.md
• README.yaml

🪛 LanguageTool

AGENTS.md

[grammar] ~10-~10: There might be a mistake here.
Context: ...## Build, Test, and Development Commands - To install atmos read this docs https://...

(QB_NEW_EN)

---

[grammar] ~12-~12: There might be a mistake here.
Context: ...from README.yaml and terraform source. - atmos docs generate readme-simple: Regenerate src/README.md from `READM...

(QB_NEW_EN)

---

[grammar] ~13-~13: There might be a mistake here.
Context: ...from README.yaml and terraform source. - atmos test run: Run Terratest suite in test/ (uses A...

(QB_NEW_EN)

---

[grammar] ~15-~15: There might be a mistake here.
Context: ...aform_fmt, terraform_docs, tflint). - TFLint plugin setup: tflint --init` (us...

(QB_NEW_EN)

---

[grammar] ~20-~20: There might be a mistake here.
Context: ...ed with Cloud Posse null-label patterns. - Lint/format: terraform fmt -recursive,...

(QB_NEW_EN)

---

[grammar] ~28-~28: There might be a mistake here.
Context: ...es. ## Commit & Pull Request Guidelines - Commits: follow Conventional Commits (e....

(QB_NEW_EN)

README.md

[grammar] ~43-~43: There might be a mistake here.
Context: ...newer due to output changes. > [!TIP] > #### 👽 Use Atmos with Terraform > Cloud Poss...

(QB_NEW_EN)

---

[grammar] ~45-~45: There might be a mistake here.
Context: ...P] > #### 👽 Use Atmos with Terraform > Cloud Posse uses [atmos](https://atmos....

(QB_NEW_EN)

---

[grammar] ~45-~45: There might be a mistake here.
Context: ...iple environments using Terraform.
> Works with [Github Actions](https://at...

(QB_NEW_EN)

---

[grammar] ~168-~168: There might be a mistake here.
Context: ...), the outputs of this component include the same outputs as the vpc component ...

(QB_NEW_EN)

---

[grammar] ~281-~281: There might be a mistake here.
Context: ...ns-on # ... ``` > [!IMPORTANT] > In Cloud Posse's examples, we avoid pi...

(QB_NEW_EN)

---

[grammar] ~297-~297: There might be a mistake here.
Context: ... --> ## Requirements | Name | Version | |------|---------| | <a name="requiremen...

(QB_NEW_EN)

---

[grammar] ~298-~298: There might be a mistake here.
Context: ...s | Name | Version | |------|---------| | [...

(QB_NEW_EN)

---

[grammar] ~299-~299: There might be a mistake here.
Context: ...m](#requirement_terraform) | >= 1.0.0 | | [aws](#...

(QB_NEW_EN)

---

[grammar] ~304-~304: There might be a mistake here.
Context: ....0.0 | ## Providers | Name | Version | |------|---------| | <a name="provider_a...

(QB_NEW_EN)

---

[grammar] ~305-~305: There might be a mistake here.
Context: ...s | Name | Version | |------|---------| | [aws](#pro...

(QB_NEW_EN)

---

[grammar] ~310-~310: There might be a mistake here.
Context: ... ## Modules | Name | Source | Version | |------|--------|---------| | <a name="m...

(QB_NEW_EN)

---

[grammar] ~311-~311: There might be a mistake here.
Context: ... | Version | |------|--------|---------| | ...

(QB_NEW_EN)

---

[grammar] ~312-~312: There might be a mistake here.
Context: ...posse/cloudformation-stack/aws | 0.7.1 | | [iam...

(QB_NEW_EN)

---

[grammar] ~313-~313: There might be a mistake here.
Context: ...y) | cloudposse/iam-policy/aws | 2.0.2 | | [iam_...

(QB_NEW_EN)

---

[grammar] ~314-~314: There might be a mistake here.
Context: ...../account-map/modules/iam-roles | n/a | | [...

(QB_NEW_EN)

---

[grammar] ~339-~339: There might be a mistake here.
Context: ... 'dev', 'UAT' | string | null | no | | [...

(QB_NEW_EN)

---

[grammar] ~342-~342: There might be a mistake here.
Context: ...resent. | list(string) | null | no | | ...

(QB_NEW_EN)

---

[grammar] ~346-~346: There might be a mistake here.
Context: ...obally unique | string | null | no | | ...

(QB_NEW_EN)

---

[grammar] ~348-~348: There might be a mistake here.
Context: ...DELETE|string|"ROLLBACK"` | no | | [param...

(QB_NEW_EN)

---

[grammar] ~349-~349: There might be a mistake here.
Context: ...it","ABC") | map(string) | {} | no | | [poli...

(QB_NEW_EN)

---

[grammar] ~350-~350: There might be a mistake here.
Context: ...ack policy body | string | "" | no | | </...

(QB_NEW_EN)

---

[grammar] ~355-~355: There might be a mistake here.
Context: ...y', 'release' | string | null | no | | [subne...

(QB_NEW_EN)

---

[grammar] ~356-~356: There might be a mistake here.
Context: ...net IDs | list(string) | null | no | | [tags](#inpu...

(QB_NEW_EN)

---

[grammar] ~389-~389: There might be a mistake here.
Context: ...les used by our reference architectures. - Atmos - Atmos is l...

(QB_NEW_EN)

---

[grammar] ~397-~397: There might be a mistake here.
Context: ...nks. - RunsOn - - [Install RunsOn GitHub App](https://runs-...

(QB_NEW_EN)

---

[grammar] ~398-~398: There might be a mistake here.
Context: ...es/install/#3-github-app-registration) - - [RunsOn Changelog](https://runs-on.com/ch...

(QB_NEW_EN)

---

[grammar] ~399-~399: There might be a mistake here.
Context: ...gelog](https://runs-on.com/changelog/) - - [Embedded vs External Networking](https:/...

(QB_NEW_EN)

---

[grammar] ~400-~400: There might be a mistake here.
Context: ....com/networking/embedded-vs-external/) - - [Cloud Posse TGW Hub component](https://d...

(QB_NEW_EN)

---

[grammar] ~401-~401: There might be a mistake here.
Context: ...e.com/components/library/aws/tgw/hub/) - - [Cloud Posse TGW Spoke component](https:/...

(QB_NEW_EN)

---

[grammar] ~479-~479: There might be a mistake here.
Context: ...ructure validation. Setup dependencies: - Install Atmos ([installation guide](http...

(QB_NEW_EN)

src/README.md

[grammar] ~128-~128: There might be a mistake here.
Context: ...), the outputs of this component include the same outputs as the vpc component ...

(QB_NEW_EN)

🪛 markdownlint-cli2 (0.17.2)

AGENTS.md

11-11: Bare URL used

(MD034, no-bare-urls)

README.md

50-50: Images should have alternate text (alt text)

(MD045, no-alt-text)

src/README.md

348-348: Images should have alternate text (alt text)

(MD045, no-alt-text)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (11)

.gitignore (2)

10-12: Good call adding Atmos-related ignores.

Adding .cache and .atmos aligns the repo with Atmos workflows and keeps generated artifacts out of version control.

---

10-12: Mirror these ignores in .dockerignore to reduce build context size.

The header notes these should also be in .dockerignore. Ensure .cache and .atmos are listed there as well to avoid sending them to the Docker daemon.

Would you like me to open a follow-up PR to update .dockerignore?

atmos.yaml (1)

10-11: Incorrect repository suggestion in Atmos import configuration

I’ve verified that the Atmos preset actually lives in the cloudposse-terraform-components/.github repository (branch main), and the raw URL using refs/heads/main resolves with HTTP 200. The alternative repo cloudposse/.github does not contain this file (HTTP 404). Additionally, GitHub’s raw content service supports full ref names like refs/heads/main, so the existing URL is both correct and functional.

• File: atmos.yaml (around line 10)
• Confirmed import URL is valid:

  https://raw.githubusercontent.com/cloudposse-terraform-components/.github/refs/heads/main/.github/atmos/terraform-component.yaml
  

• Optional: For readability, you can replace refs/heads/main with the more common main segment. This is purely stylistic and not required for functionality:

  import:
  -  https://raw.githubusercontent.com/cloudposse-terraform-components/.github/refs/heads/main/.github/atmos/terraform-component.yaml
  +  https://raw.githubusercontent.com/cloudposse-terraform-components/.github/main/.github/atmos/terraform-component.yaml  # optional: use conventional branch path

Likely an incorrect or invalid review comment.

README.yaml (2)

61-61: Confirm the example template URL is valid and accessible.

Ensure template-v2.8.3.yaml exists and is the desired baseline for new users; otherwise, adjust to a known-good version.

No content change required if confirmed; this is a verification request.

---

39-40: Align compatibility note with the pinned template version

You currently state “Requires RunsOn CloudFormation template version 2.8.2 or newer,” but the examples reference template-v2.8.3.yaml. To avoid confusion, please choose one of the following:

• Raise the requirement to “2.8.3 or newer,” or
• Pin the examples back to template-v2.8.2.yaml

Suggested diff if you opt for 2.8.3:

-  Compatibility: Requires RunsOn CloudFormation template version 2.8.2 or newer due to output changes.
+  Compatibility: Requires RunsOn CloudFormation template version 2.8.3 or newer due to output changes.

README.md (4)

79-80: Confirm pinned template version exists; keep in sync with README.yaml.

You pin template-v2.8.3.yaml here and in README.yaml. Verify availability (and consider adding a short note to check the changelog for the latest).

No change if confirmed; this is a verification checkpoint.

---

486-498: Go version likely too far ahead; pick a currently supported baseline.

“Go 1.24+ or newer” may be premature. Recommend pinning to a currently available major.minor (for example, 1.22+ or 1.23+) and revisiting periodically.

- - Install Go [1.24+ or newer](https://go.dev/doc/install)
+ - Install Go [1.22+ or newer](https://go.dev/doc/install)

If you prefer, I can check the latest stable Go version and update this.

---

314-315: Module iam_roles source path is correct

The README specifies the source for iam_roles as ../account-map/modules/iam-roles, which exactly matches the path used in your Terraform code (src/providers.tf:17). No changes are necessary here—please disregard the earlier reference to src/main.tf.

---

299-307: AWS provider constraints are consistent

The aws version bounds in README.md (≥ 4.9.0, < 6.0.0 at lines 299–307) exactly match those declared in src/versions.tf under required_providers.aws (version = ">= 4.9.0, < 6.0.0"). No updates are needed.

src/README.md (2)

241-327: Docs tables look auto‑generated—LGTM

The markdownlint guard rails are set properly around the generated Terraform docs block. No action needed.

---

260-265: Documentation modules and resources correctly align with code

Verified that the module table in src/README.md (lines 260–265) exactly matches the Terraform declarations in the codebase:

• cloudformation_stack (0.7.1) in src/main.tf (lines 103–107)
• iam_policy (2.0.2) in src/main.tf (lines 24–27)
• iam_roles (local) in src/providers.tf (lines 16–18)
• security_group (2.2.0) in src/main.tf (lines 75–78)
• this (0.25.0) in src/context.tf (lines 23–26)

Likewise, the Resources section (lines 270–275) lists exactly the resource and data source names defined in src/main.tf:

• resource aws_security_group_rule.this
• data aws_nat_gateways.ngws
• data aws_subnets.private & aws_subnets.public
• data aws_vpc.this

No drift found between documentation and implementation.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Raw link to atmos.yaml preset: verify repository, filename, and ref path.

The link points to cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml. Cross-check with atmos.yaml which imports terraform-component.yaml from a different org/repo and uses refs/heads/main in the URL path. This inconsistency may confuse readers.

Suggestions:

• Use cloudposse/.github as the source of truth.
• Standardize on either terraform-component.yaml or terraform-module.yaml.
• Prefer .../raw/main/... over .../refs/heads/main/....

Example:

- The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml) file.
+ The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/main/.github/atmos/terraform-component.yaml) file.

---

🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

echo "Checking HTTP status codes for existing and canonical raw URLs..."

# Current (likely broken) URL
echo -n "Current URL (refs/heads/main) status: "
curl -s -o /dev/null -w "%{http_code}\n" \
  https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml

# Canonical URL using /main
echo -n "Canonical raw URL (main) status: "
curl -s -o /dev/null -w "%{http_code}\n" \
  https://raw.githubusercontent.com/cloudposse/.github/main/.github/atmos/terraform-module.yaml

# Check terraform-component.yaml existence via canonical URL
echo -n "terraform-component.yaml URL status: "
curl -s -o /dev/null -w "%{http_code}\n" \
  https://raw.githubusercontent.com/cloudposse/.github/main/.github/atmos/terraform-component.yaml

echo
echo "Listing files in .github/atmos via GitHub API:"
curl -s "https://api.github.com/repos/cloudposse/.github/contents/.github/atmos?ref=main" \
  | grep '"name":' \
  | sed -E 's/.*"name": "([^"]+)".*/\1/'

Length of output: 1152

---

Use canonical raw URL and confirm file name in README.md
The file terraform-module.yaml is the correct and only preset in the .github/atmos directory (there is no terraform-component.yaml). While both /refs/heads/main/… and /main/… paths resolve, the conventional raw URL is simpler and clearer.

Please update lines 498–499 of README.md as follows:

- The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml) file.
+ The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/main/.github/atmos/terraform-module.yaml) file.

This change standardizes on the canonical /raw/main/ path and uses the existing terraform-module.yaml resource.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml) file.
	The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/main/.github/atmos/terraform-module.yaml) file.

🤖 Prompt for AI Agents

In README.md around lines 498 to 499, update the referenced raw URL to use the
canonical /raw/main/ path and confirm the filename is terraform-module.yaml;
replace the existing link that points to
/refs/heads/main/.github/atmos/terraform-module.yaml with the simpler raw GitHub
URL that points to /raw/main/.github/atmos/terraform-module.yaml so the README
consistently references the correct terraform-module.yaml resource.

[coderabbitai]

⚠️ Potential issue

Grammar: “include the same outputs” → “expose the same outputs”

Improves readability and matches technical phrasing.

-Using Cloud Posse components for TGW ([tgw/hub] and [tgw/spoke]), the outputs of this component include
-the same outputs as the `vpc` component (RunsOn creates a VPC and subnets).
+When using Cloud Posse TGW components ([tgw/hub] and [tgw/spoke]), this component exposes
+the same outputs as the `vpc` component (RunsOn creates a VPC and subnets).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Using Cloud Posse components for TGW ([tgw/hub] and [tgw/spoke]), the outputs of this component include
	the same outputs as the `vpc` component (RunsOn creates a VPC and subnets).
	When using Cloud Posse TGW components ([tgw/hub] and [tgw/spoke]), this component exposes
	the same outputs as the `vpc` component (RunsOn creates a VPC and subnets).

🧰 Tools

🪛 LanguageTool

[grammar] ~128-~128: There might be a mistake here.
Context: ...), the outputs of this component include the same outputs as the vpc component ...

(QB_NEW_EN)

🤖 Prompt for AI Agents

In src/README.md around lines 128 to 130, update the phrasing "include the same
outputs" to "expose the same outputs" to improve grammar and technical clarity;
replace the exact phrase in that sentence (and any identical occurrences nearby)
while preserving the rest of the sentence and punctuation.