Configure Hooks

Hooks run an automated action at a specific point in a component's lifecycle — after a terraform plan, after an apply, and so on. Atmos ships built-in kinds for the jobs teams reach for most (security scanning, cost estimates, publishing outputs) plus a generic command kind for anything else.

By the end of this step, every plan will be security-scanned, and every apply will publish its component's outputs to a store.

How a hook works

A hook binds a kind (the action) to one or more events (when it runs):

hooks:
  <name>:
    events: [after-terraform-plan]   # when to run
    kind: trivy                       # what to run

Common events are after-terraform-plan and after-terraform-apply. The built-in kinds cover the usual cases — no wiring required:

checkov, trivy, kics: Security and policy scanners. The tool auto-installs through the toolchain, and findings render in your terminal (and on Atmos Pro).
infracost: Cost estimate of the planned change.
store: Publishes selected component outputs to a store so other components can read them by name.
command: Runs any binary — your escape hatch for anything the named kinds don't cover.

Scan every plan

The most common hook is a scanner that runs after each plan. Declare it once in your org defaults and it applies to every component:

stacks/orgs/acme/_defaults.yaml

terraform:
  hooks:
    security:
      events:
        - after-terraform-plan
      kind: checkov   # or: trivy, kics

Because checkov is declared in dependencies.tools, the toolchain installs it the first time the hook fires — you don't install or wire up anything.

Publish outputs on apply

Hooks also publish component coordinates for operators and downstream consumers: the store kind writes selected outputs after a component applies, so another component or tool can read them with !store without reaching into Terraform state.

First, add the store to your atmos.yaml. The config/ssm store uses AWS SSM Parameter Store (running in your sandbox via the local-aws identity) for non-secret service discovery:

atmos.yaml

stores:
  config/ssm:
    kind: aws/ssm
    identity: local-aws
    options:
      region: us-east-1
      prefix: /atmos/quickstart/config

Then add a store hook to a component. Here s3-bucket publishes its bucket_id after every apply:

stacks/catalog/s3-bucket/defaults.yaml

components:
  terraform:
    s3-bucket:
      hooks:
        publish-coordinates:
          events:
            - after-terraform-apply   # run automatically after every apply
          kind: store
          name: config/ssm            # the store to write to
          outputs:
            bucket_id: .bucket_id      # store key: Terraform output

Use the published value

A downstream component can read it by name with !store <store> <component> <key>. In this quick start, app-config uses stack-derived coordinates so the first terraform deploy --all can build the graph before any store values exist. In a larger stack, the same published coordinates can be consumed like this:

# stacks/catalog/app-config/defaults.yaml
vars:
  bucket_id: !store config/ssm s3-bucket bucket_id
  topic_arn: !store config/ssm sns-topic topic_arn
  queue_url: !store config/ssm sqs-queue queue_url

Notice how nothing in your Terraform changed

Scanning, cost analysis, and output publishing are all attached at the stack level, on lifecycle events — your component code stays plain Terraform. Publishing via a store is just one kind; reach for !terraform.state when a consumer can read a producer's already-created state directly. See Hooks for the full list of kinds and events.

Next: stores hold secrets too — keep them off disk → Manage Secrets →

quick-start-advanced

Configure Hooks

View full example

README.md

README.md3.8 KB

Source

Atmos Quick Start (Advanced)

Atmos is a universal tool for DevOps and cloud automation. This advanced example provisions a small AWS application stack — entirely offline — against a local AWS emulator (Floci), so you can learn the patterns end to end without a real AWS account or any credentials.

Follow the Quick Start: Advanced guide for a step-by-step walkthrough of this repository.

It's just plain Terraform

The components in components/terraform/ are vanilla Terraform — raw aws_* resources using only the official hashicorp/aws provider. There are no Cloud Posse modules and no special wrappers. Atmos is a bring-your-own-Terraform orchestrator: it never requires you to rewrite your Terraform or adopt proprietary components. Each component carries only a stock providers.tf (provider "aws" { region = var.region }) with no endpoint or credentials configuration — the local-aws identity (kind: aws/emulator) generates a providers_override.tf.json that points the provider at the emulator at runtime, so the exact same code deploys unchanged against real AWS.

Component	What it is (plain Terraform)
`kms-key`	`aws_kms_key` + alias
`s3-bucket`	`aws_s3_bucket` (+ versioning, SSE)
`dynamodb-table`	`aws_dynamodb_table`
`sns-topic`	`aws_sns_topic`
`sqs-queue`	`aws_sqs_queue` (+ policy)
`app-config`	publishes resolved config + secrets to SSM Parameter Store

The components are wired together with Atmos features — not Terraform remote_state data sources: stack templates build predictable coordinates, dependency metadata controls graph order, store hooks publish applied outputs, and !secret resolves declared secrets from the SSM/Secrets Manager stores.

Run it end to end

Everything runs against the local emulator. You need Atmos and a container runtime (Docker or Podman).

The test custom command brings up the emulator, seeds secrets, applies the full component DAG in dependency order, confirms the cross-component wiring resolves, then tears everything down:

atmos test -s plat-ue2-dev

Or run the same steps by hand:

# Start the local AWS emulator for the stack.
atmos emulator up aws -s plat-ue2-dev

# Lint every stack manifest.
atmos validate stacks

# Seed the required app-config secrets.
atmos secret set API_KEY=sk-quickstart-example -s plat-ue2-dev -c app-config
atmos secret set 'DB_CONFIG={"username":"app","password":"s3cr3t"}' -s plat-ue2-dev -c app-config

# Apply every component in dependency order (the S3 state backend is auto-provisioned
# inside the emulator via `provision.backend.enabled`).
atmos terraform deploy --all -s plat-ue2-dev

# Inspect a component and see where every value came from.
atmos describe component app-config -s plat-ue2-dev --provenance
atmos list instances --format tree --provenance --identity=false --process-functions=false --process-templates=false

# Tear down.
atmos terraform destroy --all -s plat-ue2-dev -auto-approve
atmos emulator down aws -s plat-ue2-dev

Available stacks: plat-ue2-{dev,staging,prod} (us-east-2) and plat-uw2-{dev,staging,prod} (us-west-2).

Operator commands

This example also registers operator-focused custom commands in atmos.yaml:

atmos operator status -s <stack>                  # show stack tree, instances, catalog, and next commands
atmos operator inspect <component> -s <stack>     # describe component config with provenance

For the full CLI configuration and command reference, see Atmos CLI.

How a hook works​

Scan every plan​

Publish outputs on apply​

Use the published value​

How a hook works

Scan every plan

Publish outputs on apply

Use the published value