From a42e131eac7236c82f34c5683f2bbdfd2a3e38da Mon Sep 17 00:00:00 2001
From: Agustin Bettati
Date: Fri, 30 Aug 2024 12:00:05 +0200
Subject: [PATCH 1/7] Include example for ear with private endpoint
---
 .../azure/README.md | 63 +++++++++++++++++++
 .../azure/main.tf | 46 ++++++++++++++
 .../azure/providers.tf | 11 ++++
 .../azure/variables.tf | 54 ++++++++++++++++
 .../azure/versions.tf | 14 +++++
 5 files changed, 188 insertions(+)
 create mode 100644 examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
 create mode 100644 examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
 create mode 100644 examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/providers.tf
 create mode 100644 examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/variables.tf
 create mode 100644 examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/versions.tf
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
new file mode 100644
index 0000000000..0f261179a2
--- /dev/null
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
@@ -0,0 +1,63 @@
+# MongoDB Atlas Provider -- Encryption At Rest using Customer Key Management via Private Network Interfaces (Azure)
+This example shows how to configure encryption at rest using an Azure ensuring all API calls to their KMS instances travel exclusively over their KMS cloud provider’s private network infrastructure.
+
+## Dependencies
+
+* Terraform MongoDB Atlas Provider v1.19.0 minimum
+* A MongoDB Atlas account
+* * Terraform Azure `azapi` provider
+* A Microsoft Azure account
+
+## Usage
+
+**1\. Provide the appropriate values for the input variables.**
+
+- `atlas_public_key`: The public API key for MongoDB Atlas
+- `atlas_private_key`: The private API key for MongoDB Atlas
+- `atlas_project_id`: Atlas Project ID
+- `azure_subscription_id`: Azure ID that identifies your Azure subscription
+- `azure_client_id`: Azure ID identifies an Azure application associated with your Azure Active Directory tenant
+- `azure_client_secret`: Secret associated to the Azure application
+- `azure_tenant_id`: Azure ID that identifies the Azure Active Directory tenant within your Azure subscription
+- `azure_resource_group_name`: Name of the Azure resource group that contains your Azure Key Vault
+- `azure_key_vault_name`: Unique string that identifies the Azure Key Vault that contains your key
+- `azure_key_identifier`: Web address with a unique key that identifies for your Azure Key Vault
+- `azure_region_name`: Region in which the Encryption At Rest private endpoint is located
+
+
+NOTE: The Azure application (associated to `azure_client_id`) must have at least a Key Vault Contributor role assigned in the corresponding Key Vault.
+
+**2\. Review the Terraform plan.**
+
+Execute the following command and ensure you are happy with the plan.
+
+``` bash
+$ terraform plan
+```
+This project currently supports the following deployments:
+
+TODO: adjust this
+- An AWS IAM Policy
+- An AWS IAM Role
+- An AWS S3 bucket
+- An IAM role policy for the S3 bucket
+- Configure Atlas to use your AWS Role
+- An Atlas project in the configured Atlas organization
+- Configure push-based log export to the S3 bucket for Atlas project
+
+**3\. Execute the Terraform apply.**
+
+Now execute the plan to provision the resources.
+
+``` bash
+$ terraform apply
+```
+
+**4\. Destroy the resources.**
+
+When you have finished your testing, ensure you destroy the resources to avoid unnecessary Atlas charges.
+
+``` bash
+$ terraform destroy
+```
+
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
new file mode 100644
index 0000000000..cfa2c1ac29
--- /dev/null
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
@@ -0,0 +1,46 @@
+resource "mongodbatlas_encryption_at_rest" "ear" {
+ project_id = var.atlas_project_id
+
+ azure_key_vault_config {
+ require_private_networking = true
+
+ enabled = true
+ azure_environment = "AZURE"
+
+ tenant_id = var.azure_tenant_id
+ subscription_id = var.azure_subscription_id
+ client_id = var.azure_client_id
+ secret = var.azure_client_secret
+
+ resource_group_name = var.azure_resource_group_name
+ key_vault_name = var.azure_key_vault_name
+ key_identifier = var.azure_key_identifier
+ }
+}
+
+# Creates private endpoint
+resource "mongodbatlas_encryption_at_rest_private_endpoint" "test" {
+ project_id = mongodbatlas_encryption_at_rest.ear.project_id
+ cloud_provider = "AZURE"
+ region_name = var.azure_region_name
+}
+
+locals {
+ key_vault_resource_id = "/subscriptions/${var.azure_subscription_id}/resourceGroups/${mongodbatlas_encryption_at_rest.test.azure_key_vault_config[0].resource_group_name}/providers/Microsoft.KeyVault/vaults/${mongodbatlas_encryption_at_rest.test.azure_key_vault_config[0].key_vault_name}"
+}
+
+# Approves private endpoint connection from Azure Key Vault
+resource "azapi_update_resource" "approval" {
+ type = "Microsoft.KeyVault/Vaults/PrivateEndpointConnections@2023-07-01"
+ name = mongodbatlas_encryption_at_rest_private_endpoint.test.private_endpoint_connection_name
+ parent_id = local.key_vault_resource_id
+
+ body = jsonencode({
+ properties = {
+ privateLinkServiceConnectionState = {
+ description = "Approved via Terraform"
+ status = "Approved"
+ }
+ }
+ })
+}
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/providers.tf b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/providers.tf
new file mode 100644
index 0000000000..432a001a39
--- /dev/null
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/providers.tf
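Review bot: `secret = var.azure_client_secret` inside `azure_key_vault_config` of `mongodbatlas_encryption_at_rest.ear` means the service principal secret is persisted in Terraform state along with the rest of the EAR configuration, and nothing in the example says so; a comment above the resource, `# NOTE: the client secret below is stored in Terraform state; keep state in an encrypted backend with restricted access`, would make that trust boundary explicit. The `locals` block references `mongodbatlas_encryption_at_rest.test`, which is not declared in this file (the EAR resource is `ear`, `test` is the private endpoint resource), so this revision does not validate on its own; the "fix example" patch later in the series corrects it. The `# Creates private endpoint` comment could also state that the resulting Key Vault connection appears to remain pending until `azapi_update_resource.approval` sets `status = "Approved"`, which is presumably why that resource follows — confirm against the provider documentation.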
@@ -0,0 +1,11 @@
+provider "mongodbatlas" {
+ public_key = var.atlas_public_key
+ private_key = var.atlas_private_key
+}
+
+provider "azapi" {
+ tenant_id = var.azure_tenant_id
+ subscription_id = var.azure_subscription_id
+ client_id = var.azure_client_id
+ client_secret = var.azure_client_secret
+}
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/variables.tf b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/variables.tf
new file mode 100644
index 0000000000..50a8762fc3
--- /dev/null
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/variables.tf
@@ -0,0 +1,54 @@
+variable "atlas_public_key" {
+ description = "The public API key for MongoDB Atlas"
+ type = string
+}
+variable "atlas_private_key" {
+ description = "The private API key for MongoDB Atlas"
+ type = string
+ sensitive = true
+}
+variable "atlas_project_id" {
+ description = "Atlas Project ID"
+ type = string
+}
+variable "azure_subscription_id" {
+ type = string
+ description = "Azure ID that identifies your Azure subscription"
+}
+
+variable "azure_client_id" {
+ type = string
+ description = "Azure ID identifies an Azure application associated with your Azure Active Directory tenant"
+}
+
+variable "azure_client_secret" {
+ type = string
+ sensitive = true
+ description = "Secret associated to the Azure application"
+}
+
+variable "azure_tenant_id" {
+ type = string
+ description = "Azure ID that identifies the Azure Active Directory tenant within your Azure subscription"
+}
+
+variable "azure_resource_group_name" {
+ type = string
+ description = "Name of the Azure resource group that contains your Azure Key Vault"
+}
+
+variable "azure_key_vault_name" {
+ type = string
+ description = "Unique string that identifies the Azure Key Vault that contains your key"
+}
+
+variable "azure_key_identifier" {
+ type = string
+ description = "Web address with a unique key that identifies for your Azure Key Vault"
+}
+
+variable "azure_region_name" {
+ type = string
+ description = "Region in which the Encryption At Rest private endpoint is located."
+}
+
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/versions.tf b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/versions.tf
new file mode 100644
index 0000000000..c955a31212
--- /dev/null
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/versions.tf
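Review bot: Attribute order and spacing are inconsistent across the variable blocks: `atlas_public_key`, `atlas_private_key` and `atlas_project_id` place `description` before `type` and run together with no blank line, while every block from `azure_subscription_id` on places `type` first and is separated by a blank line. Settling on one order (`type`, then `sensitive`, then `description`) and one blank line between blocks would make the file read uniformly. The description of `azure_key_identifier`, `Web address with a unique key that identifies for your Azure Key Vault`, is not grammatical; `URL of the key identifier in your Azure Key Vault` reads better, and the README's variable list in this patch repeats the same wording and should be aligned.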
@@ -0,0 +1,14 @@
+terraform {
+ required_providers {
+ mongodbatlas = {
+ source = "mongodb/mongodbatlas"
+ version = "~> 1.18"
+ }
+
+ azapi = {
+ source = "Azure/azapi"
+ version = "~> 1.15"
+ }
+ }
+ required_version = ">= 1.0"
+}
From 83c47ca300e8963167c1932a125f205df7b6c739 Mon Sep 17 00:00:00 2001
From: Agustin Bettati
Date: Fri, 30 Aug 2024 12:15:03 +0200
Subject: [PATCH 2/7] fix example
---
 .../azure/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
index cfa2c1ac29..574bb3a5af 100644
--- a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
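Review bot: `version = "~> 1.18"` for `mongodb/mongodbatlas` contradicts the README added in this same patch, which lists Terraform MongoDB Atlas Provider v1.19.0 as the minimum; `~> 1.18` still admits any 1.18.x release, on which the resources this example depends are presumably not available. Change the constraint to `version = "~> 1.19"` (or `">= 1.19.0"`) so that `terraform init` enforces what the README states.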
@@ -19,20 +19,20 @@ resource "mongodbatlas_encryption_at_rest" "ear" {
 }
 
 # Creates private endpoint
-resource "mongodbatlas_encryption_at_rest_private_endpoint" "test" {
+resource "mongodbatlas_encryption_at_rest_private_endpoint" "endpoint" {
 project_id = mongodbatlas_encryption_at_rest.ear.project_id
 cloud_provider = "AZURE"
 region_name = var.azure_region_name
 }
 
 locals {
- key_vault_resource_id = "/subscriptions/${var.azure_subscription_id}/resourceGroups/${mongodbatlas_encryption_at_rest.test.azure_key_vault_config[0].resource_group_name}/providers/Microsoft.KeyVault/vaults/${mongodbatlas_encryption_at_rest.test.azure_key_vault_config[0].key_vault_name}"
+ key_vault_resource_id = "/subscriptions/${var.azure_subscription_id}/resourceGroups/${mongodbatlas_encryption_at_rest.ear.azure_key_vault_config[0].resource_group_name}/providers/Microsoft.KeyVault/vaults/${mongodbatlas_encryption_at_rest.ear.azure_key_vault_config[0].key_vault_name}"
 }
 
 # Approves private endpoint connection from Azure Key Vault
 resource "azapi_update_resource" "approval" {
 type = "Microsoft.KeyVault/Vaults/PrivateEndpointConnections@2023-07-01"
- name = mongodbatlas_encryption_at_rest_private_endpoint.test.private_endpoint_connection_name
+ name = mongodbatlas_encryption_at_rest_private_endpoint.endpoint.private_endpoint_connection_name
 parent_id = local.key_vault_resource_id
 
 body = jsonencode({
From 5763bf6efed4ce14d2a487c4c6e81a56b1500c09 Mon Sep 17 00:00:00 2001
From: Agustin Bettati
Date: Fri, 30 Aug 2024 12:30:22 +0200
Subject: [PATCH 3/7] adjust readme
---
 .../azure/README.md | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
index 0f261179a2..935d359d38 100644
--- a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
@@ -36,14 +36,9 @@ $ terraform plan
 ```
 This project currently supports the following deployments:
 
-TODO: adjust this
-- An AWS IAM Policy
-- An AWS IAM Role
-- An AWS S3 bucket
-- An IAM role policy for the S3 bucket
-- Configure Atlas to use your AWS Role
-- An Atlas project in the configured Atlas organization
-- Configure push-based log export to the S3 bucket for Atlas project
+- Configure encryption at rest in an existing project using a custom Azure Key. Specifies that private networking is required.
+- Create a private endpoint for the existing project under a certain Azure region.
+- Approve the connection from the Azure Key Vault. This is being done through terraform, but alternatively the private connection can be approved through the Azure UI or CLI.
 
 **3\. Execute the Terraform apply.**
 
From 63539e2f3e152356cd707a26804b502a4c9abc5a Mon Sep 17 00:00:00 2001
From: Agustin Bettati
Date: Fri, 30 Aug 2024 16:41:02 +0200
Subject: [PATCH 4/7] Update examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
Co-authored-by: maastha <122359335+maastha@users.noreply.github.com>
---
 .../azure/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
index 935d359d38..3c29d7d759 100644
--- a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
@@ -5,7 +5,7 @@ This example shows how to configure encryption at rest using an Azure ensuring a
 
 * Terraform MongoDB Atlas Provider v1.19.0 minimum
 * A MongoDB Atlas account
-* * Terraform Azure `azapi` provider
+* Terraform Azure `azapi` provider
 * A Microsoft Azure account
 
 ## Usage
From 89a684e3363fe8cc594cafbf5fad55b648e5362d Mon Sep 17 00:00:00 2001
From: Agustin Bettati
Date: Fri, 30 Aug 2024 16:48:35 +0200
Subject: [PATCH 5/7] Update examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
Co-authored-by: maastha <122359335+maastha@users.noreply.github.com>
---
 .../azure/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
index 3c29d7d759..fb6fa7f035 100644
--- a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
@@ -1,5 +1,5 @@
 # MongoDB Atlas Provider -- Encryption At Rest using Customer Key Management via Private Network Interfaces (Azure)
-This example shows how to configure encryption at rest using an Azure ensuring all API calls to their KMS instances travel exclusively over their KMS cloud provider’s private network infrastructure.
+This example shows how to configure encryption at rest using Azure with customer managed keys ensuring all communication with Azure Key Vault happens exclusively over Azure Private Link.
 
 ## Dependencies
 
From 4ab28f11efb03624e6f76a75549cf5522f44be2b Mon Sep 17 00:00:00 2001
From: Agustin Bettati
Date: Fri, 30 Aug 2024 16:45:04 +0200
Subject: [PATCH 6/7] add example cli command
---
 .../azure/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
index fb6fa7f035..20f1400ef4 100644
--- a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/README.md
@@ -39,6 +39,7 @@ This project currently supports the following deployments:
 - Configure encryption at rest in an existing project using a custom Azure Key. Specifies that private networking is required.
 - Create a private endpoint for the existing project under a certain Azure region.
 - Approve the connection from the Azure Key Vault. This is being done through terraform, but alternatively the private connection can be approved through the Azure UI or CLI.
+ - CLI example command: `az keyvault private-endpoint-connection approve --approval-description {"OPTIONAL DESCRIPTION"} --resource-group {RG} --vault-name {KEY VAULT NAME} –name {PRIVATE LINK CONNECTION NAME}`
 
 **3\. Execute the Terraform apply.**
 
From 0f7ade45052aaf725ea6613e773041f6ab8bc160 Mon Sep 17 00:00:00 2001
From: Agustin Bettati
Date: Fri, 30 Aug 2024 16:46:58 +0200
Subject: [PATCH 7/7] make use of variables to make value of resource id more compact
---
 .../azure/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
index 574bb3a5af..636a423013 100644
--- a/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
+++ b/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/main.tf
@@ -26,7 +26,7 @@ resource "mongodbatlas_encryption_at_rest_private_endpoint" "endpoint" {
 }
 
 locals {
- key_vault_resource_id = "/subscriptions/${var.azure_subscription_id}/resourceGroups/${mongodbatlas_encryption_at_rest.ear.azure_key_vault_config[0].resource_group_name}/providers/Microsoft.KeyVault/vaults/${mongodbatlas_encryption_at_rest.ear.azure_key_vault_config[0].key_vault_name}"
+ key_vault_resource_id = "/subscriptions/${var.azure_subscription_id}/resourceGroups/${var.azure_resource_group_name}/providers/Microsoft.KeyVault/vaults/${var.azure_key_vault_name}"
 }
 
 # Approves private endpoint connection from Azure Key Vault
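Review bot: Building `key_vault_resource_id` from `var.azure_resource_group_name` and `var.azure_key_vault_name` drops the implicit dependency the local previously carried on `mongodbatlas_encryption_at_rest.ear`; `azapi_update_resource.approval` still orders after it through `name`, which reads `mongodbatlas_encryption_at_rest_private_endpoint.endpoint`, whose `project_id` comes from `ear`, so apply order looks unchanged. Because the approval must target the same vault that `azure_key_vault_config` points Atlas at, a comment on the local such as `# Must address the same vault passed to azure_key_vault_config above` would keep a later edit from introducing a second, independently configured vault reference. Both `mongodbatlas_encryption_at_rest_private_endpoint.endpoint` and the approval resource start or continue outside this hunk.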