Install the Toolchain

You don't have OpenTofu installed — and you don't need to install it by hand. Atmos has a built-in toolchain that installs and pins the exact tools your stacks depend on, so every developer and every CI run uses the same versions.

Experimental

By the end of this step, Atmos will install OpenTofu (and a security scanner) for you, the first time a component needs them — no asdf, tfenv, or aqua required.

The transparent way: declare what you depend on

The toolchain works automatically. You declare the tools your components need, and Atmos installs them on demand and records exact versions in a lockfile. There are two small pieces.

1. Tell Atmos where to get tools. Add a toolchain: section to your atmos.yaml:

atmos.yaml

toolchain:
  # Where installed tool binaries live (relative to base_path).
  install_path: .tools
  # Resolve installs against the committed lockfile for reproducibility.
  use_lock_file: true
  registries:
    # The Aqua registry provides metadata for 1,000+ tools (opentofu, kubectl, …).
    - name: aqua
      type: aqua
      priority: 100

2. Declare the tools your stacks depend on. In your stack defaults (you'll build these out in Create Stacks), pin versions with dependencies.tools:

# stacks/orgs/acme/_defaults.yaml
dependencies:
  tools:
    opentofu: 1.10.10
    checkov: "3.2.529"   # security scanner, used by a hook later

That's it. The next time you run a Terraform command, Atmos resolves these versions from the Aqua registry, installs them under .tools/, and pins the resolved versions in toolchain.lock.yaml. Tell Atmos to use OpenTofu as the Terraform binary in atmos.yaml:

components:
  terraform:
    command: tofu

Commit the lockfile

Check toolchain.lock.yaml into git. It records the exact resolved version for every platform, so a teammate on a different OS — or a CI runner — installs byte-for-byte the same tools. This is what turns "works on my machine" into "works everywhere."

The manual way: manage tools yourself

You can also drive the toolchain directly — useful for installing everything up front, adding a tool, or checking what's resolved.

# Install every tool declared across your stacks (reads the lockfile).
atmos toolchain install

# Install or pin a specific tool and version.
atmos toolchain add opentofu@1.10.10

# See what's installed and where it resolves.
atmos toolchain list
atmos toolchain which opentofu

Need a tool your components depend on that isn't OpenTofu — kubectl, helm, tflint, jq? Declare it the same way (dependencies.tools or atmos toolchain add), and Atmos installs it from the Aqua registry.

The payoff: the tools your infrastructure needs are declared next to the infrastructure that needs them, version-controlled in the same repo, and resolved identically everywhere — no second tool to install, no drift between laptops and CI. See the toolchain configuration reference for registries, aliases, and verification.

Tools aren't added to your system PATH — on purpose

Atmos installs tools under .tools/ and puts them on the PATH only for the commands it runs (Terraform, hooks, custom commands). It deliberately does not install them globally, so different projects can pin different versions of the same tool without colliding. When you want the pinned tools in your own shell:

Run eval "$(atmos toolchain env)" to add the toolchain to the current shell's PATH.
Run atmos toolchain exec opentofu version to invoke a single pinned tool without touching PATH.
Run atmos toolchain which opentofu (or atmos toolchain path) to print where a tool — or the toolchain's bin directory — resolves.

Next: with tools handled, start the sandbox your components will deploy against → Start the Local Sandbox →

quick-start-advanced

Install the Toolchain

View full example

README.md

README.md3.8 KB

Source

Atmos Quick Start (Advanced)

Atmos is a universal tool for DevOps and cloud automation. This advanced example provisions a small AWS application stack — entirely offline — against a local AWS emulator (Floci), so you can learn the patterns end to end without a real AWS account or any credentials.

Follow the Quick Start: Advanced guide for a step-by-step walkthrough of this repository.

It's just plain Terraform

The components in components/terraform/ are vanilla Terraform — raw aws_* resources using only the official hashicorp/aws provider. There are no Cloud Posse modules and no special wrappers. Atmos is a bring-your-own-Terraform orchestrator: it never requires you to rewrite your Terraform or adopt proprietary components. Each component carries only a stock providers.tf (provider "aws" { region = var.region }) with no endpoint or credentials configuration — the local-aws identity (kind: aws/emulator) generates a providers_override.tf.json that points the provider at the emulator at runtime, so the exact same code deploys unchanged against real AWS.

Component	What it is (plain Terraform)
`kms-key`	`aws_kms_key` + alias
`s3-bucket`	`aws_s3_bucket` (+ versioning, SSE)
`dynamodb-table`	`aws_dynamodb_table`
`sns-topic`	`aws_sns_topic`
`sqs-queue`	`aws_sqs_queue` (+ policy)
`app-config`	publishes resolved config + secrets to SSM Parameter Store

The components are wired together with Atmos features — not Terraform remote_state data sources: stack templates build predictable coordinates, dependency metadata controls graph order, store hooks publish applied outputs, and !secret resolves declared secrets from the SSM/Secrets Manager stores.

Run it end to end

Everything runs against the local emulator. You need Atmos and a container runtime (Docker or Podman).

The test custom command brings up the emulator, seeds secrets, applies the full component DAG in dependency order, confirms the cross-component wiring resolves, then tears everything down:

atmos test -s plat-ue2-dev

Or run the same steps by hand:

# Start the local AWS emulator for the stack.
atmos emulator up aws -s plat-ue2-dev

# Lint every stack manifest.
atmos validate stacks

# Seed the required app-config secrets.
atmos secret set API_KEY=sk-quickstart-example -s plat-ue2-dev -c app-config
atmos secret set 'DB_CONFIG={"username":"app","password":"s3cr3t"}' -s plat-ue2-dev -c app-config

# Apply every component in dependency order (the S3 state backend is auto-provisioned
# inside the emulator via `provision.backend.enabled`).
atmos terraform deploy --all -s plat-ue2-dev

# Inspect a component and see where every value came from.
atmos describe component app-config -s plat-ue2-dev --provenance
atmos list instances --format tree --provenance --identity=false --process-functions=false --process-templates=false

# Tear down.
atmos terraform destroy --all -s plat-ue2-dev -auto-approve
atmos emulator down aws -s plat-ue2-dev

Available stacks: plat-ue2-{dev,staging,prod} (us-east-2) and plat-uw2-{dev,staging,prod} (us-west-2).

Operator commands

This example also registers operator-focused custom commands in atmos.yaml:

atmos operator status -s <stack>                  # show stack tree, instances, catalog, and next commands
atmos operator inspect <component> -s <stack>     # describe component config with provenance

For the full CLI configuration and command reference, see Atmos CLI.

The transparent way: declare what you depend on​

The manual way: manage tools yourself​

The transparent way: declare what you depend on

The manual way: manage tools yourself