cloudposse · cloudpossebot · Mar 23, 2026 · Mar 18, 2026
diff --git a/examples/snippets/.claude/skills/atmos-auth/SKILL.md b/examples/snippets/.claude/skills/atmos-auth/SKILL.md
@@ -63,7 +63,9 @@ Profiles are defined in `profiles/<profile-name>/atmos.yaml`. Each maps identiti
 | ------------ | -------------------- | -------------------- | --------------------- |
 | `devops`     | TerraformApplyAccess | TerraformApplyAccess | TerraformApplyAccess  |
 | `developers` | TerraformStateAccess | TerraformApplyAccess | TerraformPlanAccess   |
-| `managers`   | TerraformStateAccess | TerraformPlanAccess  | TerraformPlanAccess   |
+| `managers`   | TerraformApplyAccess | TerraformApplyAccess | TerraformApplyAccess  |
+
+Managers also have a `RootAccess` Permission Set for centralized root access to member accounts.
 
 **Permission Set capabilities:**
 
@@ -83,7 +85,9 @@ Examples:
 
 ## Special Cases
 
-**superadmin profile**: IAM user with MFA for breakglass access. Avoid unless SSO is unavailable.
+**superadmin profile**: IAM user (`kind: aws/user`) with MFA in the root account. Used for coldstart/bootstrap
+before SSO is deployed, or as breakglass access. Assumes `OrganizationAccountAccessRole` into member accounts
+via identity chaining. Switch to your assigned SSO profile once the identity layer is deployed.
 
 **github-plan profile**: OIDC-based authentication for CI/CD plan operations. Uses planner roles with read-only access.
 

diff --git a/examples/snippets/stacks/workflows/quickstart/cold-start.yaml b/examples/snippets/stacks/workflows/quickstart/cold-start.yaml
@@ -0,0 +1,53 @@
+# Cold-Start Workflow - Complete Infrastructure Bootstrap
+#
+# This workflow orchestrates the complete infrastructure deployment from scratch,
+# following the proper dependency order:
+#   1. Terraform state backend
+#   2. AWS Organization and accounts
+#   3. IAM Identity Center (SSO) and execution roles
+#   4. Network layer (VPCs, Transit Gateway, DNS)
+#
+# Usage:
+#   # Complete cold-start deployment:
+#   atmos workflow all -f quickstart/cold-start
+#
+#   # Individual layers:
+#   atmos workflow deploy/foundation -f quickstart/cold-start
+#   atmos workflow deploy/network -f quickstart/cold-start
+#
+#   # Step-by-step validation:
+#   atmos workflow deploy/tfstate -f quickstart/cold-start
+#   atmos workflow deploy/accounts -f quickstart/cold-start
+#   atmos workflow deploy/identity -f quickstart/cold-start
+#   atmos workflow deploy/network -f quickstart/cold-start
+#
+# Available workflows:
+#   - all: Complete cold-start deployment (tfstate → network)
+#   - deploy/foundation: Deploy foundation layer (accounts + identity)
+#   - deploy/tfstate: Initialize Terraform state backend
+#   - deploy/accounts: Deploy accounts layer
+#   - deploy/identity: Deploy identity layer
+#   - deploy/network: Deploy network layer
+#
+
+workflows:
+  all:
+    description: Complete cold-start deployment from tfstate to network
+    steps:
+      - command: workflow all -f quickstart/foundation/accounts
+      - command: workflow vendor -f quickstart/foundation/identity
+      - command: workflow deploy/sso -f quickstart/foundation/identity
+      - command: workflow login/managers -f quickstart/cold-start
+      - command: workflow all -f quickstart/foundation/identity
+
+  login/managers:
+    description: Login as managers profile - used to force a login before deploying the identity layer (which is the first to use SSO)
+    env:
+      ATMOS_PROFILE: managers
+      ATMOS_IDENTITY: core-root/terraform
+    retry:
+      initial_delay: 15s
+      backoff_strategy: constant
+      max_retries: 3
+    steps:
+      - command: auth login
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
@@ -21,10 +21,16 @@
 #   - deploy/cloudtrail: Enable CloudTrail logging
 #   - deploy/ecr: Deploy ECR registry
 #
+# NOTE: Use 'superadmin' profile for initial infrastructure setup.
+# After SSO is configured and IAM roles are deployed (via identity layer),
+# update this to 'managers' for day-to-day operations.
 workflows:
   all:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Deploy complete accounts layer
     steps:
+      - command: workflow initial-setup -f quickstart/foundation/accounts
       - command: workflow vendor -f quickstart/foundation/accounts
       - command: workflow init/tfstate -f quickstart/foundation/accounts
       - command: workflow deploy/tfstate -f quickstart/foundation/accounts
@@ -35,9 +41,41 @@ workflows:
       - command: workflow deploy/aws-account-settings -f quickstart/foundation/accounts
       - command: workflow deploy/budgets -f quickstart/foundation/accounts
       - command: workflow deploy/cloudtrail -f quickstart/foundation/accounts
+      - command: vendor pull --component github-oidc-provider
+      - command: workflow deploy/github-oidc-provider -f quickstart/foundation/identity
       - command: workflow deploy/ecr -f quickstart/foundation/accounts
 
+  initial-setup:
+    description: Initial commands to run before deploying the accounts layer.
+    env:
+      ATMOS_PROFILE: superadmin
+      ATMOS_IDENTITY: core-root/terraform
+    steps:
+      - command: auth login
+      - command: auth whoami
+      # Request increase for IAM service quota (This is always in us-east-1)
+      - command: |
+          QUOTA_VALUE=$(atmos auth exec --identity core-root/terraform -- \
+            aws service-quotas get-service-quota \
+            --service-code iam \
+            --quota-code L-C07B4B0D \
+            --region us-east-1 | jq '.Quota.Value')
+
+          if [[ "$QUOTA_VALUE" != "4096.0" ]]; then
+            atmos auth exec --identity core-root/terraform -- \
+              aws service-quotas request-service-quota-increase \
+              --service-code iam \
+              --quota-code L-C07B4B0D \
+              --desired-value 4096 \
+              --region us-east-1
+          else
+            echo "IAM service quota is already at 4096.0"
+          fi
+        type: shell
+
   vendor:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Vendor accounts layer components.
     steps:
       - command: vendor pull --component aws-organization
@@ -53,33 +91,44 @@ workflows:
       - command: vendor pull --component tfstate-backend
 
   init/tfstate:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Provision Terraform State Backend for initial deployment.
     steps:
+      - command: terraform clean tfstate-backend --stack core-use1-root -f
       - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --auto-generate-backend-file=false
-      - command: until aws s3 ls acme-core-use1-root-tfstate; do sleep 5; done
+      - command: until atmos auth exec --identity core-root/terraform -- aws s3 ls acme-core-use1-root-tfstate; do sleep 5; done
         type: shell
       - command: terraform deploy tfstate-backend -var="access_roles_enabled=false" --stack core-use1-root --init-run-reconfigure=false
 
   deploy/tfstate:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Deploy Terraform State Backend.
     steps:
       - command: terraform deploy tfstate-backend --stack core-use1-root
 
   deploy/organization:
+    env:
+      ATMOS_PROFILE: superadmin
     description: |
       Deploy the AWS Organization. This is required before finishing the root account requirements.
     steps:
       - command: terraform deploy aws-organization -s core-gbl-root
-      - command: aws ram enable-sharing-with-aws-organization
+      - command: atmos auth exec --identity core-root/terraform -- aws ram enable-sharing-with-aws-organization
         type: shell
 
   deploy/organizational-units:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Deploy Organizational Units
     steps:
       - command: terraform deploy aws-organizational-unit/core -s core-gbl-root
       - command: terraform deploy aws-organizational-unit/plat -s core-gbl-root
 
   deploy/accounts:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Deploys all AWS Organization accounts
     steps:
       - command: terraform deploy aws-account/core-artifacts -s core-gbl-root
@@ -93,11 +142,16 @@ workflows:
       - command: terraform deploy aws-account/plat-prod -s core-gbl-root
 
   deploy/scps:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Deploy Service Control Policies
     steps:
       - command: terraform deploy aws-scp/deny-leaving-organization -s core-gbl-root
+      - command: terraform deploy aws-scp/deny-creating-users -s core-gbl-root
 
   deploy/aws-account-settings:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Apply AWS Account settings for best practices.
     steps:
       - command: terraform deploy aws-account-settings -s core-gbl-artifacts
@@ -112,6 +166,8 @@ workflows:
       - command: terraform deploy aws-account-settings -s plat-gbl-staging
 
   deploy/budgets:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Deploy budgets to all accounts
     steps:
       - command: terraform deploy aws-budget -s core-gbl-root
@@ -126,12 +182,16 @@ workflows:
       - command: terraform deploy aws-budget -s plat-gbl-prod
 
   deploy/cloudtrail:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Start AWS Cloudtrail in audit and root accounts to track changes across the org.
     steps:
       - command: terraform deploy cloudtrail-bucket -s core-use1-audit
       - command: terraform deploy cloudtrail -s core-gbl-root
 
   deploy/ecr:
+    env:
+      ATMOS_PROFILE: superadmin
     description: Deploy ECR in the artifacts account to use as our container registry
     steps:
       - command: terraform deploy ecr -s core-use1-artifacts
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml
@@ -19,32 +19,11 @@
 #   - deploy/iam-role: Deploy Terraform execution roles
 #   - deploy/github-oidc-provider: Deploy GitHub OIDC Provider to all accounts
 #
-workflows:
-  check-setup:
-    description: Verify that the environment is setup correctly to run these workflows.
-    steps:
-    - name: check-setup
-      type: shell
-      command : |-
-        if [[ "$GEODESIC_SHELL" != "true" ]]; then
-          echo "This workflow must be run from a Geodesic shell." >&2
-          exit 1
-        elif [[ -z $ATMOS_BASE_PATH ]] || [[ ! -d "$ATMOS_BASE_PATH/.git" ]]; then
-          echo "ATMOS_BASE_PATH must be set to the root of the git repository." >&2
-          echo "This is usually set automatically by Geodesic." >&2
-          echo "To fix: run the Geodesic shell from the root of the git repository." >&2
-          echo "  ATMOS_BASE_PATH: \"$ATMOS_BASE_PATH\"" >&2
-          echo "  Current directory: \"$(pwd -P)\"" >&2
-          exit 1
-        elif [[ ! -d "$ATMOS_BASE_PATH/rootfs/usr/local/bin" ]]; then
-          printf "No such directory: %s\n" "$ATMOS_BASE_PATH/rootfs/usr/local/bin" >&2
-          exit 2
-        fi
 
+workflows:
   all:
     description: Run all workflows
     steps:
-      - command: workflow check-setup -f quickstart/foundation/identity
       - command: workflow vendor -f quickstart/foundation/identity
       - command: workflow deploy/all -f quickstart/foundation/identity
 
@@ -55,17 +34,32 @@ workflows:
       - command: vendor pull --component iam-role
       - command: vendor pull --component github-oidc-provider
 
+  auth:
+    description: Authenticate to core-root/terraform identity.
+    env:
+      ATMOS_PROFILE: managers
+      ATMOS_IDENTITY: core-root/terraform
+    steps:
+      - command: auth login
+
   deploy/all:
     description: Deploy all identity components.
     steps:
       - command: workflow deploy/sso -f quickstart/foundation/identity
+      - command: workflow auth -f quickstart/foundation/identity
       - command: workflow deploy/iam-role -f quickstart/foundation/identity
       - command: workflow deploy/github-oidc-provider -f quickstart/foundation/identity
 
   deploy/sso:
     description: Update aws-sso configuration.
+    # NOTE: Use 'superadmin' profile for initial infrastructure setup.
+    # After SSO is configured and IAM roles are deployed (via identity layer),
+    # update this to 'managers' for day-to-day operations.
+    env:
+      ATMOS_PROFILE: superadmin
     steps:
       - command: terraform deploy aws-sso -s core-gbl-root
+      - command: workflow deploy/tfstate -f quickstart/foundation/accounts
 
   deploy/iam-role:
     description: |