From bc3c9ce30e5a13794ebb122dfcc4c17f7df0a052 Mon Sep 17 00:00:00 2001
From: zohar-mongo <72696720+zohar-mongo@users.noreply.github.com>
Date: Wed, 3 Mar 2021 19:17:41 +0200
Subject: [PATCH] Working example for Atlas-encryptionAtRest-roles with a
 single tf apply (#415)

* Update aws-roles.tf

* Update aws-roles.tf

* Update aws-roles.tf

* Update aws-roles.tf

* two options for aws encryption at rest with iam roles

* removed extra spaces and notes

Co-authored-by: Zohar Meir <zoharmeir@Zohars-MacBook-Pro.local>
---
 .../aws-roles.tf                              | 75 +++++++++++++++++++
 .../provider.tf                               |  0
 .../second_step/atlas-encryption.tf           |  0
 .../second_step/provider.tf                   |  0
 .../second_step/variables.tf                  |  0
 .../second_step/versions.tf                   |  0
 .../variables.tf                              |  0
 .../versions.tf                               |  1 -
 .../aws-roles.tf                              | 16 ++--
 .../provider.tf                               |  9 +++
 .../second_step/atlas-encryption.tf           | 13 ++++
 .../second_step/provider.tf                   |  4 +
 .../second_step/variables.tf                  | 33 ++++++++
 .../second_step/versions.tf                   |  9 +++
 .../variables.tf                              | 36 +++++++++
 .../versions.tf                               | 11 +++
 16 files changed, 196 insertions(+), 11 deletions(-)
 create mode 100644 examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-one-step-workaround}/provider.tf (100%)
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-one-step-workaround}/second_step/atlas-encryption.tf (100%)
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-one-step-workaround}/second_step/provider.tf (100%)
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-one-step-workaround}/second_step/variables.tf (100%)
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-one-step-workaround}/second_step/versions.tf (100%)
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-one-step-workaround}/variables.tf (100%)
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-one-step-workaround}/versions.tf (86%)
 rename examples/{atlas-encryptionAtRest-roles => atlas-encryptionAtRest-roles-two-step}/aws-roles.tf (81%)
 create mode 100644 examples/atlas-encryptionAtRest-roles-two-step/provider.tf
 create mode 100644 examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
 create mode 100644 examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf
 create mode 100644 examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
 create mode 100644 examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf
 create mode 100644 examples/atlas-encryptionAtRest-roles-two-step/variables.tf
 create mode 100644 examples/atlas-encryptionAtRest-roles-two-step/versions.tf

diff --git a/examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf
new file mode 100644
index 0000000000..9363d31ca8
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf
@@ -0,0 +1,75 @@
+resource "mongodbatlas_cloud_provider_access" "test" {
+  project_id           = var.project_id
+  provider_name        = "AWS"
+  
+  #(Optional) Since we update the `iam_assumed_role_arn` resource using an HTTP call and not by the `mongodbatlas_cloud_provider_access` resource argument, 
+  #the lifecycle argument was added so that terraform would ignore changes of the `iam_assumed_role_arn` argument in future terraform applies.
+  lifecycle {
+    ignore_changes = [
+      iam_assumed_role_arn
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "test_policy" {
+  name = "test_policy"
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+		"Action": "*",
+		"Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "test_role" {
+  name = "test_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${mongodbatlas_cloud_provider_access.test.atlas_aws_account_arn}"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${mongodbatlas_cloud_provider_access.test.atlas_assumed_role_external_id}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+# The null resource updates the `mongodbatlas_cloud_provider_access` resource with the correct IAM role ARN using an API HTTP PATCH request.
+# sleep 10 - Waits ten seconds to make sure that all AWS servers are updated with the new IAM Role.
+resource "null_resource" "link_role_arn_to_cloud_provider_access" {
+  provisioner "local-exec" {
+      command = <<EOT
+      sleep 10;
+      curl --user "${var.public_key}:${var.private_key}" -X PATCH --digest \
+            --header "Accept: application/json" \
+            --header "Content-Type: application/json" \
+            "https://cloud.mongodb.com/api/atlas/v1.0/groups/${var.project_id}/cloudProviderAccess/${mongodbatlas_cloud_provider_access.test.role_id}?pretty=true" \
+            --data '{ "providerName": "AWS", "iamAssumedRoleArn" : "${aws_iam_role.test_role.arn}" }'
+
+EOT
+  }
+}
+
+
+output "cpa_role_id" {
+  value = mongodbatlas_cloud_provider_access.test.role_id
+}
diff --git a/examples/atlas-encryptionAtRest-roles/provider.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/provider.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/provider.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/provider.tf
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/atlas-encryption.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/atlas-encryption.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/atlas-encryption.tf
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/provider.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/provider.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/provider.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/provider.tf
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/variables.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/variables.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/variables.tf
diff --git a/examples/atlas-encryptionAtRest-roles/second_step/versions.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/versions.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/second_step/versions.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/second_step/versions.tf
diff --git a/examples/atlas-encryptionAtRest-roles/variables.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/variables.tf
similarity index 100%
rename from examples/atlas-encryptionAtRest-roles/variables.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/variables.tf
diff --git a/examples/atlas-encryptionAtRest-roles/versions.tf b/examples/atlas-encryptionAtRest-roles-one-step-workaround/versions.tf
similarity index 86%
rename from examples/atlas-encryptionAtRest-roles/versions.tf
rename to examples/atlas-encryptionAtRest-roles-one-step-workaround/versions.tf
index 4cf64c885d..5584f665d2 100644
--- a/examples/atlas-encryptionAtRest-roles/versions.tf
+++ b/examples/atlas-encryptionAtRest-roles-one-step-workaround/versions.tf
@@ -5,7 +5,6 @@ terraform {
     }
     mongodbatlas = {
       source = "mongodb/mongodbatlas"
-      //version = "0.7-dev"
     }
   }
   required_version = ">= 0.13"
diff --git a/examples/atlas-encryptionAtRest-roles/aws-roles.tf b/examples/atlas-encryptionAtRest-roles-two-step/aws-roles.tf
similarity index 81%
rename from examples/atlas-encryptionAtRest-roles/aws-roles.tf
rename to examples/atlas-encryptionAtRest-roles-two-step/aws-roles.tf
index b8832a3672..a3267cac89 100644
--- a/examples/atlas-encryptionAtRest-roles/aws-roles.tf
+++ b/examples/atlas-encryptionAtRest-roles-two-step/aws-roles.tf
@@ -1,9 +1,9 @@
-
 resource "mongodbatlas_cloud_provider_access" "test" {
-  project_id           = var.project_id
-  provider_name        = "AWS"
-  iam_assumed_role_arn = var.aws_iam_role_arn
-}
+        project_id = mongodbatlas_project.my_project.id
+        provider_name = "AWS"
+        #after first apply, add the following line:
+        #iam_assumed_role_arn = aws_iam_role.test_role.arn
+    }
 
 resource "aws_iam_role_policy" "test_policy" {
   name = "test_policy"
@@ -45,13 +45,9 @@ resource "aws_iam_role" "test_role" {
   ]
 }
 EOF
-
-
 }
 
-output "aws_iam_role_arn" {
-  value = aws_iam_role.test_role.arn
-}
+
 output "cpa_role_id" {
   value = mongodbatlas_cloud_provider_access.test.role_id
 }
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/provider.tf b/examples/atlas-encryptionAtRest-roles-two-step/provider.tf
new file mode 100644
index 0000000000..e075e34d7e
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/provider.tf
@@ -0,0 +1,9 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.aws_region
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
new file mode 100644
index 0000000000..84f55679c6
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf
@@ -0,0 +1,13 @@
+resource "mongodbatlas_encryption_at_rest" "test" {
+  project_id = var.project_id
+
+  aws_kms = {
+    access_key_id          = var.access_key
+    secret_access_key      = var.secret_key
+    enabled                = true
+    customer_master_key_id = var.customer_master_key
+    region                 = var.atlas_region
+    role_id                = var.cpa_role_id
+  }
+}
+
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf
new file mode 100644
index 0000000000..18c430e061
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf
@@ -0,0 +1,4 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
new file mode 100644
index 0000000000..9451c23ef4
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf
@@ -0,0 +1,33 @@
+variable "public_key" {
+  description = "The public API key for MongoDB Atlas"
+  default     = ""
+}
+variable "private_key" {
+  description = "The private API key for MongoDB Atlas"
+  default     = ""
+}
+variable "project_id" {
+  description = "Atlas project ID"
+  default     = ""
+}
+variable "customer_master_key" {
+  description = "The customer master secret key for AWS Account"
+  default     = ""
+}
+variable "atlas_region" {
+  default     = "US_EAST_1"
+  description = "Atlas Region"
+}
+
+variable "cpa_role_id" {
+  description = "AWS IAM ROLE ARN"
+  default     = ""
+}
+variable "access_key" {
+  description = "The access key for AWS Account"
+  default     = ""
+}
+variable "secret_key" {
+  description = "The secret key for AWS Account"
+  default     = ""
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf b/examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf
new file mode 100644
index 0000000000..67968fe1ae
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+      //version = "0.7-dev"
+    }
+  }
+  required_version = ">= 0.13"
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/variables.tf b/examples/atlas-encryptionAtRest-roles-two-step/variables.tf
new file mode 100644
index 0000000000..1a088c79a6
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/variables.tf
@@ -0,0 +1,36 @@
+variable "public_key" {
+  description = "The public API key for MongoDB Atlas"
+  default     = ""
+}
+variable "private_key" {
+  description = "The private API key for MongoDB Atlas"
+  default     = ""
+}
+variable "project_id" {
+  description = "Atlas project ID"
+  default     = ""
+}
+variable "access_key" {
+  description = "The access key for AWS Account"
+  default     = ""
+}
+variable "secret_key" {
+  description = "The secret key for AWS Account"
+  default     = ""
+}
+variable "customer_master_key" {
+  description = "The customer master secret key for AWS Account"
+  default     = ""
+}
+variable "atlas_region" {
+  default     = "US_EAST_1"
+  description = "Atlas Region"
+}
+variable "aws_region" {
+  default     = "us-east-1"
+  description = "AWS Region"
+}
+variable "aws_iam_role_arn" {
+  description = "AWS IAM ROLE ARN"
+  default     = ""
+}
diff --git a/examples/atlas-encryptionAtRest-roles-two-step/versions.tf b/examples/atlas-encryptionAtRest-roles-two-step/versions.tf
new file mode 100644
index 0000000000..5584f665d2
--- /dev/null
+++ b/examples/atlas-encryptionAtRest-roles-two-step/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+    }
+  }
+  required_version = ">= 0.13"
+}