Working example for Atlas-encryptionAtRest-roles with a single tf app…

…ly (#415)

* Update aws-roles.tf

* Update aws-roles.tf

* Update aws-roles.tf

* Update aws-roles.tf

* two options for aws encryption at rest with iam roles

* removed extra spaces and notes

Co-authored-by: Zohar Meir <[email protected]>

examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf

@@ -0,0 +1,75 @@
+resource "mongodbatlas_cloud_provider_access" "test" {
+  project_id           = var.project_id
+  provider_name        = "AWS"
+
+  #(Optional) Since we update the `iam_assumed_role_arn` resource using an HTTP call and not by the `mongodbatlas_cloud_provider_access` resource argument, 
+  #the lifecycle argument was added so that terraform would ignore changes of the `iam_assumed_role_arn` argument in future terraform applies.
+  lifecycle {
+    ignore_changes = [
+      iam_assumed_role_arn
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "test_policy" {
+  name = "test_policy"
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+		"Action": "*",
+		"Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "test_role" {
+  name = "test_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${mongodbatlas_cloud_provider_access.test.atlas_aws_account_arn}"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${mongodbatlas_cloud_provider_access.test.atlas_assumed_role_external_id}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+# The null resource updates the `mongodbatlas_cloud_provider_access` resource with the correct IAM role ARN using an API HTTP PATCH request.
+# sleep 10 - Waits ten seconds to make sure that all AWS servers are updated with the new IAM Role.
+resource "null_resource" "link_role_arn_to_cloud_provider_access" {
+  provisioner "local-exec" {
+      command = <<EOT
+      sleep 10;
+      curl --user "${var.public_key}:${var.private_key}" -X PATCH --digest \
+            --header "Accept: application/json" \
+            --header "Content-Type: application/json" \
+            "https://cloud.mongodb.com/api/atlas/v1.0/groups/${var.project_id}/cloudProviderAccess/${mongodbatlas_cloud_provider_access.test.role_id}?pretty=true" \
+            --data '{ "providerName": "AWS", "iamAssumedRoleArn" : "${aws_iam_role.test_role.arn}" }'
+
+EOT
+  }
+}
+
+
+output "cpa_role_id" {
+  value = mongodbatlas_cloud_provider_access.test.role_id
+}

examples/atlas-encryptionAtRest-roles/versions.tf → examples/atlas-encryptionAtRest-roles-one-step-workaround/versions.tf

@@ -5,7 +5,6 @@ terraform {
     }
     mongodbatlas = {
       source = "mongodb/mongodbatlas"
-      //version = "0.7-dev"
     }
   }
   required_version = ">= 0.13"

examples/atlas-encryptionAtRest-roles/aws-roles.tf → examples/atlas-encryptionAtRest-roles-two-step/aws-roles.tf

@@ -1,9 +1,9 @@
-
 resource "mongodbatlas_cloud_provider_access" "test" {
-  project_id           = var.project_id
-  provider_name        = "AWS"
-  iam_assumed_role_arn = var.aws_iam_role_arn
-}
+        project_id = mongodbatlas_project.my_project.id
+        provider_name = "AWS"
+        #after first apply, add the following line:
+        #iam_assumed_role_arn = aws_iam_role.test_role.arn
+    }
 
 resource "aws_iam_role_policy" "test_policy" {
   name = "test_policy"
@@ -45,13 +45,9 @@ resource "aws_iam_role" "test_role" {
   ]
 }
 EOF
-
-
 }
 
-output "aws_iam_role_arn" {
-  value = aws_iam_role.test_role.arn
-}
+
 output "cpa_role_id" {
   value = mongodbatlas_cloud_provider_access.test.role_id
 }

examples/atlas-encryptionAtRest-roles-two-step/provider.tf

@@ -0,0 +1,9 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.aws_region
+}

examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf

@@ -0,0 +1,13 @@
+resource "mongodbatlas_encryption_at_rest" "test" {
+  project_id = var.project_id
+
+  aws_kms = {
+    access_key_id          = var.access_key
+    secret_access_key      = var.secret_key
+    enabled                = true
+    customer_master_key_id = var.customer_master_key
+    region                 = var.atlas_region
+    role_id                = var.cpa_role_id
+  }
+}
+

examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf

@@ -0,0 +1,4 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}

examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf

@@ -0,0 +1,33 @@
+variable "public_key" {
+  description = "The public API key for MongoDB Atlas"
+  default     = ""
+}
+variable "private_key" {
+  description = "The private API key for MongoDB Atlas"
+  default     = ""
+}
+variable "project_id" {
+  description = "Atlas project ID"
+  default     = ""
+}
+variable "customer_master_key" {
+  description = "The customer master secret key for AWS Account"
+  default     = ""
+}
+variable "atlas_region" {
+  default     = "US_EAST_1"
+  description = "Atlas Region"
+}
+
+variable "cpa_role_id" {
+  description = "AWS IAM ROLE ARN"
+  default     = ""
+}
+variable "access_key" {
+  description = "The access key for AWS Account"
+  default     = ""
+}
+variable "secret_key" {
+  description = "The secret key for AWS Account"
+  default     = ""
+}

examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+      //version = "0.7-dev"
+    }
+  }
+  required_version = ">= 0.13"
+}

examples/atlas-encryptionAtRest-roles-two-step/variables.tf

@@ -0,0 +1,36 @@
+variable "public_key" {
+  description = "The public API key for MongoDB Atlas"
+  default     = ""
+}
+variable "private_key" {
+  description = "The private API key for MongoDB Atlas"
+  default     = ""
+}
+variable "project_id" {
+  description = "Atlas project ID"
+  default     = ""
+}
+variable "access_key" {
+  description = "The access key for AWS Account"
+  default     = ""
+}
+variable "secret_key" {
+  description = "The secret key for AWS Account"
+  default     = ""
+}
+variable "customer_master_key" {
+  description = "The customer master secret key for AWS Account"
+  default     = ""
+}
+variable "atlas_region" {
+  default     = "US_EAST_1"
+  description = "Atlas Region"
+}
+variable "aws_region" {
+  default     = "us-east-1"
+  description = "AWS Region"
+}
+variable "aws_iam_role_arn" {
+  description = "AWS IAM ROLE ARN"
+  default     = ""
+}

examples/atlas-encryptionAtRest-roles-two-step/versions.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+    }
+  }
+  required_version = ">= 0.13"
+}