mongodb · AgustinBettati · Aug 30, 2024 · Aug 30, 2024 · Aug 30, 2024 · Aug 30, 2024
@@ -0,0 +1,58 @@
+# MongoDB Atlas Provider -- Encryption At Rest using Customer Key Management via Private Network Interfaces (Azure)
+This example shows how to configure encryption at rest using an Azure ensuring all API calls to their KMS instances travel exclusively over their KMS cloud provider’s private network infrastructure.
+
+## Dependencies
+
+* Terraform MongoDB Atlas Provider v1.19.0 minimum
+* A MongoDB Atlas account 
+* * Terraform Azure `azapi` provider
+* A Microsoft Azure account
+
+## Usage
+
+**1\. Provide the appropriate values for the input variables.**
+
+- `atlas_public_key`: The public API key for MongoDB Atlas
+- `atlas_private_key`: The private API key for MongoDB Atlas
+- `atlas_project_id`: Atlas Project ID
+- `azure_subscription_id`: Azure ID that identifies your Azure subscription
+- `azure_client_id`: Azure ID identifies an Azure application associated with your Azure Active Directory tenant
+- `azure_client_secret`: Secret associated to the Azure application
+- `azure_tenant_id`: Azure ID  that identifies the Azure Active Directory tenant within your Azure subscription
+- `azure_resource_group_name`: Name of the Azure resource group that contains your Azure Key Vault
+- `azure_key_vault_name`: Unique string that identifies the Azure Key Vault that contains your key
+- `azure_key_identifier`: Web address with a unique key that identifies for your Azure Key Vault
+- `azure_region_name`: Region in which the Encryption At Rest private endpoint is located
+
+
+NOTE: The Azure application (associated to `azure_client_id`) must have at least a Key Vault Contributor role assigned in the corresponding Key Vault.
+
+**2\. Review the Terraform plan.**
+
+Execute the following command and ensure you are happy with the plan.
+
+``` bash
+$ terraform plan
+```
+This project currently supports the following deployments:
+
+- Configure encryption at rest in an existing project using a custom Azure Key. Specifies that private networking is required.
+- Create a private endpoint for the existing project under a certain Azure region. 
+- Approve the connection from the Azure Key Vault. This is being done through terraform, but alternatively the private connection can be approved through the Azure UI or CLI.
+
+**3\. Execute the Terraform apply.**
+
+Now execute the plan to provision the resources.
+
+``` bash
+$ terraform apply
+```
+
+**4\. Destroy the resources.**
+
+When you have finished your testing, ensure you destroy the resources to avoid unnecessary Atlas charges.
+
+``` bash
+$ terraform destroy
+```
+
@@ -0,0 +1,46 @@
+resource "mongodbatlas_encryption_at_rest" "ear" {
+  project_id = var.atlas_project_id
+
+  azure_key_vault_config {
+    require_private_networking = true
+
+    enabled           = true
+    azure_environment = "AZURE"
+
+    tenant_id       = var.azure_tenant_id
+    subscription_id = var.azure_subscription_id
+    client_id       = var.azure_client_id
+    secret          = var.azure_client_secret
+
+    resource_group_name = var.azure_resource_group_name
+    key_vault_name      = var.azure_key_vault_name
+    key_identifier      = var.azure_key_identifier
+  }
+}
+
+# Creates private endpoint
+resource "mongodbatlas_encryption_at_rest_private_endpoint" "endpoint" {
+  project_id     = mongodbatlas_encryption_at_rest.ear.project_id
+  cloud_provider = "AZURE"
+  region_name    = var.azure_region_name
+}
+
+locals {
+  key_vault_resource_id = "/subscriptions/${var.azure_subscription_id}/resourceGroups/${mongodbatlas_encryption_at_rest.ear.azure_key_vault_config[0].resource_group_name}/providers/Microsoft.KeyVault/vaults/${mongodbatlas_encryption_at_rest.ear.azure_key_vault_config[0].key_vault_name}"
+}
+
+# Approves private endpoint connection from Azure Key Vault
+resource "azapi_update_resource" "approval" {
+  type      = "Microsoft.KeyVault/Vaults/PrivateEndpointConnections@2023-07-01"
+  name      = mongodbatlas_encryption_at_rest_private_endpoint.endpoint.private_endpoint_connection_name
+  parent_id = local.key_vault_resource_id
+
+  body = jsonencode({
+    properties = {
+      privateLinkServiceConnectionState = {
+        description = "Approved via Terraform"
+        status      = "Approved"
+      }
+    }
+  })
+}
@@ -0,0 +1,11 @@
+provider "mongodbatlas" {
+  public_key  = var.atlas_public_key
+  private_key = var.atlas_private_key
+}
+
+provider "azapi" {
+  tenant_id       = var.azure_tenant_id
+  subscription_id = var.azure_subscription_id
+  client_id       = var.azure_client_id
+  client_secret   = var.azure_client_secret
+}
@@ -0,0 +1,54 @@
+variable "atlas_public_key" {
+  description = "The public API key for MongoDB Atlas"
+  type        = string
+}
+variable "atlas_private_key" {
+  description = "The private API key for MongoDB Atlas"
+  type        = string
+  sensitive   = true
+}
+variable "atlas_project_id" {
+  description = "Atlas Project ID"
+  type        = string
+}
+variable "azure_subscription_id" {
+  type        = string
+  description = "Azure ID that identifies your Azure subscription"
+}
+
+variable "azure_client_id" {
+  type        = string
+  description = "Azure ID identifies an Azure application associated with your Azure Active Directory tenant"
+}
+
+variable "azure_client_secret" {
+  type        = string
+  sensitive   = true
+  description = "Secret associated to the Azure application"
+}
+
+variable "azure_tenant_id" {
+  type        = string
+  description = "Azure ID  that identifies the Azure Active Directory tenant within your Azure subscription"
+}
+
+variable "azure_resource_group_name" {
+  type        = string
+  description = "Name of the Azure resource group that contains your Azure Key Vault"
+}
+
+variable "azure_key_vault_name" {
+  type        = string
+  description = "Unique string that identifies the Azure Key Vault that contains your key"
+}
+
+variable "azure_key_identifier" {
+  type        = string
+  description = "Web address with a unique key that identifies for your Azure Key Vault"
+}
+
+variable "azure_region_name" {
+  type        = string
+  description = "Region in which the Encryption At Rest private endpoint is located."
+}
+
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source  = "mongodb/mongodbatlas"
+      version = "~> 1.18"
+    }
+
+    azapi = {
+      source  = "Azure/azapi"
+      version = "~> 1.15"
+    }
+  }
+  required_version = ">= 1.0"
+}