diff --git a/examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf
new file mode 100644
index 0000000000..9363d31ca8
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf
@@ -0,0 +1,75 @@
+resource "mongodbatlas_cloud_provider_access" "test" {
+ project_id = var.project_id
+ provider_name = "AWS"
+
+ #(Optional) Since we update the `iam_assumed_role_arn` resource using an HTTP call and not by the `mongodbatlas_cloud_provider_access` resource argument,
+ #the lifecycle argument was added so that terraform would ignore changes of the `iam_assumed_role_arn` argument in future terraform applies.
+ lifecycle {
+ ignore_changes = [
+ iam_assumed_role_arn
+ ]
+ }
+}
+
+resource "aws_iam_role_policy" "test_policy" {
+ name = "test_policy"
+ role = aws_iam_role.test_role.id
+
+ policy = <<-EOF
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"
+ }
+ ]
+ }
+ EOF
+}
+
+resource "aws_iam_role" "test_role" {
+ name = "test_role"
+
+ assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "${mongodbatlas_cloud_provider_access.test.atlas_aws_account_arn}"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {
+ "StringEquals": {
+ "sts:ExternalId": "${mongodbatlas_cloud_provider_access.test.atlas_assumed_role_external_id}"
+ }
+ }
+ }
+ ]
+}
+EOF
+}
+
+# The null resource updates the `mongodbatlas_cloud_provider_access` resource with the correct IAM role ARN using an API HTTP PATCH request.
+# sleep 10 - Waits ten seconds to make sure that all AWS servers are updated with the new IAM Role.
+resource "null_resource" "link_role_arn_to_cloud_provider_access" {
+ provisioner "local-exec" {
+ command = <<EOT
+ sleep 10;
+ curl --user "${var.public_key}:${var.private_key}" -X PATCH --digest \
+ --header "Accept: application/json" \
+ --header "Content-Type: application/json" \
+ "https://cloud.mongodb.com/api/atlas/v1.0/groups/${var.project_id}/cloudProviderAccess/${mongodbatlas_cloud_provider_access.test.role_id}?pretty=true" \
+ --data '{ "providerName": "AWS", "iamAssumedRoleArn" : "${aws_iam_role.test_role.arn}" }'
+
+EOT
+ }
+}
+
+
+output "cpa_role_id" {
+ value = mongodbatlas_cloud_provider_access.test.role_id
+}
diff --git a/examples/atlas-encryptionAtRest-roles/provider.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/provider.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/provider.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/provider.tf
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/atlas-encryption.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/atlas-encryption.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/provider.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/provider.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/provider.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/provider.tf
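Review bot: The inline policy on `aws_iam_role.test_role` grants `"Action": "*"` on `"Resource": "*"`, so the role that Atlas assumes through `sts:AssumeRole` holds full administrative rights in the account, while encryption at rest only needs a handful of KMS operations on the one customer master key; it should be cut down to `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` on that key's ARN (confirm the exact set against the current Atlas documentation). Separately, the `local-exec` command in `null_resource.link_role_arn_to_cloud_provider_access` interpolates `var.private_key` into the command string, which Terraform echoes in the apply output, and a non-2xx response to the PATCH still exits 0 so the role ARN can silently stay unlinked; adding `--fail --silent --show-error` and supplying the credentials through a `.netrc` file or the environment instead of the command line addresses both. The `null_resource` also declares no `triggers`, so the PATCH is not re-run if `aws_iam_role.test_role.arn` changes on a later apply.
```hcl
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  # Least privilege: only the KMS operations Atlas needs, scoped to the one CMK.
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
        "Resource": "<CMK_ARN_PLACEHOLDER: ARN of the customer master key>"
      }
    ]
  }
  EOF
}
# … unchanged: mongodbatlas_cloud_provider_access, aws_iam_role, null_resource, output …
```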
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/variables.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/variables.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/versions.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/versions.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/versions.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/versions.tf
diff --git a/examples/atlas-encryptionAtRest-roles/variables.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/variables.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/variables.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/variables.tf
diff --git a/examples/atlas-encryptionAtRest-roles/versions.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/versions.tf
similarity index 86%
rename from examples/atlas-encryptionAtRest-roles/versions.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/versions.tf
index 4cf64c885d..5584f665d2 100644
--- a/examples/atlas-encryptionAtRest-roles/versions.tf
+++ b/examples/atlas-encryptionAtRest-roles-one-step-workaround/versions.tf
@@ -5,7 +5,6 @@ terraform {
 }
 mongodbatlas = {
 source = "mongodb/mongodbatlas"
- //version = "0.7-dev"
 }
 }
 required_version = ">= 0.13"
diff --git a/examples/atlas-encryptionAtRest-roles/aws-roles.tf b/examples/atlas-encryptionAtRest-roles-two-step/aws-roles.tf
similarity index 81%
rename from examples/atlas-encryptionAtRest-roles/aws-roles.tf
rename to examples/atlas-encryptionAtRest-roles-two-step/aws-roles.tf
index b8832a3672..a3267cac89 100644
--- a/examples/atlas-encryptionAtRest-roles/aws-roles.tf
+++ b/examples/atlas-encryptionAtRest-roles-two-step/aws-roles.tf
@@ -1,9 +1,9 @@
-
 resource "mongodbatlas_cloud_provider_access" "test" {
- project_id = var.project_id
- provider_name = "AWS"
- iam_assumed_role_arn = var.aws_iam_role_arn
-}
+ project_id = mongodbatlas_project.my_project.id
+ provider_name = "AWS"
+ #after first apply, add the following line:
+ #iam_assumed_role_arn = aws_iam_role.test_role.arn
+ }
 resource "aws_iam_role_policy" "test_policy" {
 name = "test_policy"
@@ -45,13 +45,9 @@ resource "aws_iam_role" "test_role" { ] } EOF - - } -output "aws_iam_role_arn" { - value = aws_iam_role.test_role.arn -} + output "cpa_role_id" { value = mongodbatlas_cloud_provider_access.test.role_id }
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/provider.tf b/examples/atlas-encryptionAtRest-roles-two-step/provider.tf
new file mode 100644
index 0000000000..e075e34d7e
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/provider.tf
@@ -0,0 +1,9 @@
+provider "mongodbatlas" {
+ public_key = var.public_key
+ private_key = var.private_key
+}
+provider "aws" {
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.aws_region
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
new file mode 100644
index 0000000000..84f55679c6
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
@@ -0,0 +1,13 @@
+resource "mongodbatlas_encryption_at_rest" "test" {
+ project_id = var.project_id
+
+ aws_kms = {
+ access_key_id = var.access_key
+ secret_access_key = var.secret_key
+ enabled = true
+ customer_master_key_id = var.customer_master_key
+ region = var.atlas_region
+ role_id = var.cpa_role_id
+ }
+}
+
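Review bot: `project_id = mongodbatlas_project.my_project.id` in the first hunk references a `mongodbatlas_project` resource that no file in this example defines (the new `variables.tf` still declares `project_id` for this purpose), so `terraform plan` would stop on an undeclared resource unless it is defined in a file outside this diff; the sibling one-step example keeps `project_id = var.project_id`, and this one should match it. The comment `#after first apply, add the following line:` records a manual edit but not the reason; a comment along the lines of `# The role's trust policy needs the Atlas account ARN and external id that only exist once this resource is created, so the ARN is linked on a second apply` (presumably the motivation, given the one-step variant's trust policy) would let a reader follow the two-step flow. The closing `+ }` is also indented one level deeper than the `resource` block it closes.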
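Review bot: The `aws_kms` block in `mongodbatlas_encryption_at_rest.test` passes static `access_key_id`/`secret_access_key` alongside `role_id`, so the AWS secret key is sent to Atlas and recorded in Terraform state even though this example exists to demonstrate role-based access. If the provider version in use accepts `role_id`, the two static-credential arguments should be dropped so that only the assumed role is used; `second_step/variables.tf` already defaults `secret_key` to `""`, which suggests it is not meant to be required here.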
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf
new file mode 100644
index 0000000000..18c430e061
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf
@@ -0,0 +1,4 @@
+provider "mongodbatlas" {
+ public_key = var.public_key
+ private_key = var.private_key
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
new file mode 100644
index 0000000000..9451c23ef4
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
@@ -0,0 +1,33 @@
+variable "public_key" {
+ description = "The public API key for MongoDB Atlas"
+ default = ""
+}
+variable "private_key" {
+ description = "The private API key for MongoDB Atlas"
+ default = ""
+}
+variable "project_id" {
+ description = "Atlas project ID"
+ default = ""
+}
+variable "customer_master_key" {
+ description = "The customer master secret key for AWS Account"
+ default = ""
+}
+variable "atlas_region" {
+ default = "US_EAST_1"
+ description = "Atlas Region"
+}
+
+variable "cpa_role_id" {
+ description = "AWS IAM ROLE ARN"
+ default = ""
+}
+variable "access_key" {
+ description = "The access key for AWS Account"
+ default = ""
+}
+variable "secret_key" {
+ description = "The secret key for AWS Account"
+ default = ""
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf
new file mode 100644
index 0000000000..67968fe1ae
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ mongodbatlas = {
+ source = "mongodb/mongodbatlas"
+ //version = "0.7-dev"
+ }
+ }
+ required_version = ">= 0.13"
+}
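Review bot: `variable "cpa_role_id"` in `second_step/variables.tf` is described as `"AWS IAM ROLE ARN"`, but the value it is meant to receive is the Atlas cloud-provider-access role id that the first step exposes as `output "cpa_role_id"` (`mongodbatlas_cloud_provider_access.test.role_id`), not an IAM ARN; suggest `description = "Atlas cloud provider access role_id from the first step (output cpa_role_id)"`. `private_key`, `secret_key` and `customer_master_key` all default to `""`, so an omitted value surfaces only as an authentication or KMS error at apply time instead of a missing-variable prompt; removing those defaults, and marking the variables `sensitive = true` where the Terraform version in use supports it, fails faster and keeps the values out of plan output.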
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/variables.tf b/examples/atlas-encryptionAtRest-roles-two-step/variables.tf
new file mode 100644
index 0000000000..1a088c79a6
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/variables.tf
@@ -0,0 +1,36 @@
+variable "public_key" {
+ description = "The public API key for MongoDB Atlas"
+ default = ""
+}
+variable "private_key" {
+ description = "The private API key for MongoDB Atlas"
+ default = ""
+}
+variable "project_id" {
+ description = "Atlas project ID"
+ default = ""
+}
+variable "access_key" {
+ description = "The access key for AWS Account"
+ default = ""
+}
+variable "secret_key" {
+ description = "The secret key for AWS Account"
+ default = ""
+}
+variable "customer_master_key" {
+ description = "The customer master secret key for AWS Account"
+ default = ""
+}
+variable "atlas_region" {
+ default = "US_EAST_1"
+ description = "Atlas Region"
+}
+variable "aws_region" {
+ default = "us-east-1"
+ description = "AWS Region"
+}
+variable "aws_iam_role_arn" {
+ description = "AWS IAM ROLE ARN"
+ default = ""
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/versions.tf b/examples/atlas-encryptionAtRest-roles-two-step/versions.tf
new file mode 100644
index 0000000000..5584f665d2
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ mongodbatlas = {
+ source = "mongodb/mongodbatlas"
+ }
+ }
+ required_version = ">= 0.13"
+}
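Review bot: `variable "aws_iam_role_arn"` is declared in the new `variables.tf`, but its only consumer, `iam_assumed_role_arn = var.aws_iam_role_arn` in `aws-roles.tf`, is removed by this same commit in favour of `aws_iam_role.test_role.arn`, so the variable is dead and invites a user to supply a value that is never read. Either drop it or change its description to say it is unused in the two-step flow. As in `second_step/variables.tf`, the secret-bearing variables `private_key`, `secret_key` and `customer_master_key` default to `""`, so a missing value is only reported as an authentication failure at apply time; dropping those defaults makes the omission visible before any API call is made.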