INTMDB-301: Feature add: Add support for managment of federated authe…

…ntication configuration (#742)

* Add support for federated settings

* Refactor for service pattern change

* Refactor options and plural singular names

* Update go SDK version

* Add initial federated website docs

* Provide examples for Federated settings

* Sync go.mod to contain breaking change SDK change

* Fix examples for lint error sync SDK to master

* Add menu items for federation settings and upgrade guides

* Remove Federated Docs from PR

* PR Review updates

* Add support for datasource tests

* Fix lint fmt

* Add identity_provider_id variable

* Move identity_provider_id

* Add role mappings datasource test

* Add additional tests for federated resources

* Lint check

* Add additional datasources and tests

* Remove unused function

* Add support for role mappings and update tests and examples

* Fix role mapping import to fit new style of parameters

* Remove commented code

* go mod tidy

* Remove extra parameter user_conflicts

* Add missing parameters and refactor name of variables

* Update example

* Update mongodbatlas/resource_mongodbatlas_federated_settings_identity_provider.go

Co-authored-by: Andrea Angiolillo <[email protected]>

* go fmt

* Add support for import tests

* Add federated settings env variables to README remove upgrade guide

* Remove cloud prefix from federated examples and resources idp_id to okta_idp_id

* Add new sort to role mapping

* Add README for federated example

* Refactor alias mongodbatlas to matlas dead code removal import spaces

Co-authored-by: Andrea Angiolillo <[email protected]>

README.md

@@ -141,6 +141,19 @@ $ export MONGODB_ATLAS_API_KEYS_IDS=<API_KEYS_IDS>
 export SKIP_TEST_EXTERNAL_CREDENTIALS=TRUE
 ```
 
+- For `Federated Settings` resource configuration:
+```sh
+$ export MONGODB_ATLAS_FEDERATION_SETTINGS_ID=<YOUR_FEDERATION_SETTINGS_ID>
+$ export ONGODB_ATLAS_FEDERATED_ORG_ID=<YOUR_FEDERATED_ORG_ID>
+$ export MONGODB_ATLAS_FEDERATED_PROJECT_ID=<YOUR_VPC_FEDERATED_PROJECT_ID>
+$ export MONGODB_ATLAS_FEDERATED_GROUP_ID=<YOUR_FEDERATED_GROUP_ID>
+$ export MONGODB_ATLAS_FEDERATED_ROLE_MAPPING_ID=<YOUR_FEDERATED_ROLE_MAPPING_ID>
+$ export MONGODB_ATLAS_FEDERATED_OKTA_IDP_ID=<YOUR_FEDERATED_OKTA_IDP_ID>
+$ export MONGODB_ATLAS_FEDERATED_SSO_URL=<YOUR_FEDERATED_SSO_URL>
+$ export MONGODB_ATLAS_FEDERATED_ISSUER_URI=<YOUR_FEDERATED_ISSUER_URI>
+```
+~> **Notice:** For more information about the Federation configuration resource, see: https://www.mongodb.com/docs/atlas/reference/api/federation-configuration/
+
 ##### AWS env variables
 
 - For `Network Peering` resource configuration:

examples/Federated-Settings/Readme.md

@@ -0,0 +1,59 @@
+# Example - Okta and MongoDB Atlas Federated Settings Configuration
+
+This project aims to provide an example of using Okta and MongoDB Atlas together.
+
+
+## Dependencies
+
+* Terraform v0.13
+* Okta account 
+* A MongoDB Atlas account 
+
+```
+Terraform v0.13.0
++ provider registry.terraform.io/terraform-providers/mongodbatlas v1.4.0
+```
+
+## Usage
+
+**1\. Ensure your Okta/Mongodb Atlas Federal settings configuration is set up to have a working set of organizations, verified domains, and identity providers.**
+
+**2\. TFVARS**
+
+Now create **terraform.tfvars** file with all the variable values and make sure **not to commit it**.
+
+**3\. Review the Terraform plan. **
+
+Execute the below command and ensure you are happy with the plan.
+
+``` bash
+$ terraform plan
+```
+This project currently does the below deployments:
+
+- MongoDB Atlas Federated Settings Organizational Role Mapping
+- MongoDB Atlas Federated Settings Organizational Identity Provider
+- MongoDB Atlas Federated Settings Organizational configuration
+
+**4\. Execute the Terraform import for 2 resources that do not support create.**
+``` bash
+$ terraform import mongodbatlas_federated_settings_identity_provider.identity_provider  6287a67f7f7f7f7f441c6c-0oad7f7f7f7fk1297
+  terraform import mongodbatlas_federated_settings_org_config.org_connections_import  6287a67f7f7f7f7f441c6c-627a96837f7f7f7f7e306f14
+
+```
+
+**5\. Execute the Terraform apply.**
+
+Now execute the plan to provision the Federated settings resources.
+
+``` bash
+$ terraform apply
+```
+
+**6\. Destroy the resources.**
+
+Once you are finished your testing, ensure you destroy the resources to avoid unnecessary Atlas charges.
+
+``` bash
+$ terraform destroy
+```

examples/Federated-Settings/main.tf

@@ -0,0 +1,50 @@
+data "mongodbatlas_federated_settings" "federated_settings" {
+  org_id = var.org_id
+}
+data "mongodbatlas_federated_settings_identity_providers" "identity_provider" {
+  federation_settings_id = data.mongodbatlas_federated_settings.federated_settings.id
+}
+
+data "mongodbatlas_federated_settings_org_configs" "org_configs_ds" {
+  federation_settings_id = data.mongodbatlas_federated_settings.federated_settings.id
+}
+
+data "mongodbatlas_federated_settings_org_role_mappings" "org_role_mapping" {
+  federation_settings_id = data.mongodbatlas_federated_settings.federated_settings.id
+  org_id                 = var.org_id
+}
+resource "mongodbatlas_federated_settings_org_role_mapping" "org_role_mapping" {
+  federation_settings_id = data.mongodbatlas_federated_settings.federated_settings.id
+  org_id                 = var.org_id
+  external_group_name    = "newgroup"
+
+  role_assignments {
+    group_id = var.group_id
+    roles    = ["GROUP_OWNER", "GROUP_DATA_ACCESS_ADMIN", "GROUP_SEARCH_INDEX_EDITOR", "GROUP_DATA_ACCESS_READ_ONLY"]
+  }
+
+  role_assignments {
+    org_id = var.org_id
+    roles  = ["ORG_OWNER", "ORG_MEMBER"]
+  }
+
+}
+resource "mongodbatlas_federated_settings_org_config" "org_connections_import" {
+  federation_settings_id     = data.mongodbatlas_federated_settings.federated_settings.id
+  org_id                     = var.org_id
+  identity_provider_id       = var.identity_provider_id
+  domain_restriction_enabled = false
+  domain_allow_list          = ["yourdomain.com"]
+}
+
+resource "mongodbatlas_federated_settings_identity_provider" "identity_provider" {
+  federation_settings_id       = data.mongodbatlas_federated_settings.federated_settings.id
+  name                         = var.name
+  associated_domains           = ["yourdomain.com"]
+  sso_debug_enabled            = true
+  status                       = "ACTIVE"
+  sso_url                      = "https://mysso.oktapreview.com/app/mysso_terrafssotesdev_1/exk1f7f7f7fk5wp50h8/sso/saml"
+  issuer_uri                   = "http://www.okta.com/exk1f716hf7f750h8"
+  request_binding              = "HTTP-POST"
+  response_signature_algorithm = "SHA-256"
+}

examples/Federated-Settings/output.tf

@@ -0,0 +1,15 @@
+output "federated_settings_ds" {
+  value = data.mongodbatlas_federated_settings.federated_settings.id
+}
+
+output "identity_provider" {
+  value = data.mongodbatlas_federated_settings_identity_providers.identity_provider.id
+}
+
+output "org_configs_ds" {
+  value = data.mongodbatlas_federated_settings_org_configs.org_configs_ds.id
+}
+
+output "org_role_mapping" {
+  value = data.mongodbatlas_federated_settings_org_role_mappings.org_role_mapping.id
+}

examples/Federated-Settings/provider.tf

@@ -0,0 +1,4 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}

examples/Federated-Settings/variables.tf

@@ -0,0 +1,28 @@
+variable "public_key" {
+  type        = string
+  description = "Public Programmatic API key to authenticate to Atlas"
+}
+variable "private_key" {
+  type        = string
+  description = "Private Programmatic API key to authenticate to Atlas"
+}
+variable "org_id" {
+  type        = string
+  description = "MongoDB Organization ID"
+}
+variable "group_id" {
+  type        = string
+  description = "MongoDB Group ID"
+}
+
+variable "name" {
+  type        = string
+  description = "MongoDB Identity Provider Name"
+  default     = "mongodb_federation_test"
+}
+
+variable "identity_provider_id" {
+  type        = string
+  description = "MongoDB Identity Provider ID"
+  default     = "5754gdhgd758"
+}

examples/Federated-Settings/versions.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source = "hashicorp/azurerm"
+    }
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+    }
+  }
+  required_version = ">= 0.13"
+}

go.sum

@@ -1230,10 +1230,6 @@ go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQc
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
 go.mongodb.org/atlas v0.12.0/go.mod h1:wVCnHcm/7/IfTjEB6K8K35PLG70yGz8BdkRwX0oK9/M=
-go.mongodb.org/atlas v0.15.1-0.20220215171307-4b760c3c624f h1:IvKkFdSSBLC5kqB1X87vn8CRAI7eXoMSK7u2lG+WUg8=
-go.mongodb.org/atlas v0.15.1-0.20220215171307-4b760c3c624f/go.mod h1:lQhRHIxc6jQHEK3/q9WLu/SdBkPj2fQYhjLGUF6Z3U8=
-go.mongodb.org/atlas v0.16.1-0.20220527133640-ba676d378a30 h1:UVbPMJSXVDyvIA/JEHI2HAwc+B4R6xpnmSya/pbANpY=
-go.mongodb.org/atlas v0.16.1-0.20220527133640-ba676d378a30/go.mod h1:lQhRHIxc6jQHEK3/q9WLu/SdBkPj2fQYhjLGUF6Z3U8=
 go.mongodb.org/atlas v0.16.1-0.20220531163122-551edbfb2f27 h1:rGTb8CaE9ZKNjmdUJ58jFcHopLg6o6Kzfm9AIayq1Hw=
 go.mongodb.org/atlas v0.16.1-0.20220531163122-551edbfb2f27/go.mod h1:lQhRHIxc6jQHEK3/q9WLu/SdBkPj2fQYhjLGUF6Z3U8=
 go.mongodb.org/realm v0.1.0 h1:zJiXyLaZrznQ+Pz947ziSrDKUep39DO4SfA0Fzx8M4M=

mongodbatlas/data_source_mongodbatlas_federated_settings.go

@@ -0,0 +1,99 @@
+package mongodbatlas
+
+import (
+	"context"
+	"errors"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	matlas "go.mongodb.org/atlas/mongodbatlas"
+)
+
+func dataSourceMongoDBAtlasFederatedSettings() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceMongoDBAtlasFederatedSettingsRead,
+		Schema: map[string]*schema.Schema{
+			"org_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"federated_domains": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"has_role_mappings": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"identity_provider_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"identity_provider_status": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceMongoDBAtlasFederatedSettingsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	// Get client connection.
+	conn := meta.(*MongoDBClient).Atlas
+
+	orgID, orgIDOk := d.GetOk("org_id")
+
+	if !orgIDOk {
+		return diag.FromErr(errors.New("org_id must be configured"))
+	}
+
+	var (
+		err error
+		org *matlas.Organization
+	)
+
+	if orgIDOk {
+		org, _, err = conn.Organizations.Get(ctx, orgID.(string))
+	}
+
+	if err != nil {
+		return diag.Errorf("Error reading Organization %s %s", orgID, err)
+	}
+
+	federationSettings, _, err := conn.FederatedSettings.Get(ctx, org.ID)
+	if err != nil {
+		return diag.Errorf("error getting Federated settings (%s): %s", orgID, err)
+	}
+
+	if err := d.Set("org_id", org.ID); err != nil {
+		return diag.Errorf("error getting Federated settings (%s): %s %s", `org_id`, org.ID, err)
+	}
+
+	if err := d.Set("federated_domains", federationSettings.FederatedDomains); err != nil {
+		return diag.Errorf("error getting Federated settings (%s): %s %s", `federated_domains`, federationSettings.FederatedDomains, err)
+	}
+
+	if err := d.Set("identity_provider_status", federationSettings.IdentityProviderStatus); err != nil {
+		return diag.Errorf("error getting Federated settings (%s): %s %s", `identityProviderStatus`, federationSettings.IdentityProviderStatus, err)
+	}
+
+	if err := d.Set("identity_provider_id", federationSettings.IdentityProviderID); err != nil {
+		return diag.Errorf("error getting Federated settings (%s): %s %s", `IdentityProviderID`, federationSettings.IdentityProviderID, err)
+	}
+
+	if err := d.Set("has_role_mappings", federationSettings.HasRoleMappings); err != nil {
+		return diag.Errorf("error getting Federated settings (%s): flag  %s ", `HasRoleMappings`, err)
+	}
+
+	d.SetId(federationSettings.ID)
+
+	return nil
+}