Working example for Atlas-encryptionAtRest-roles with a single tf apply #415
Merged
69a2fdc
Update aws-roles.tf
zohar-mongo e76093c
Update aws-roles.tf
zohar-mongo 42d98d7
Update aws-roles.tf
zohar-mongo f2fefe6
Update aws-roles.tf
zohar-mongo 2d34fd5
two options for aws encryption at rest with iam roles
ba3199c
removed extra spaces and notes
examples/atlas-encryptionAtRest-roles-one-step-workaround/aws-roles.tf (75 changes: 75 additions & 0 deletions)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -0,0 +1,75 @@ | ||
resource "mongodbatlas_cloud_provider_access" "test" { | ||
project_id = var.project_id | ||
provider_name = "AWS" | ||
|
||
#(Optional) Since we update the `iam_assumed_role_arn` resource using an HTTP call and not by the `mongodbatlas_cloud_provider_access` resource argument, | ||
#the lifecycle argument was added so that terraform would ignore changes of the `iam_assumed_role_arn` argument in future terraform applies. | ||
lifecycle { | ||
ignore_changes = [ | ||
iam_assumed_role_arn | ||
] | ||
} | ||
} | ||
|
||
resource "aws_iam_role_policy" "test_policy" { | ||
name = "test_policy" | ||
role = aws_iam_role.test_role.id | ||
|
||
policy = <<-EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": "*", | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_role" "test_role" { | ||
name = "test_role" | ||
|
||
assume_role_policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"AWS": "${mongodbatlas_cloud_provider_access.test.atlas_aws_account_arn}" | ||
}, | ||
"Action": "sts:AssumeRole", | ||
"Condition": { | ||
"StringEquals": { | ||
"sts:ExternalId": "${mongodbatlas_cloud_provider_access.test.atlas_assumed_role_external_id}" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
# The null resource updates the `mongodbatlas_cloud_provider_access` resource with the correct IAM role ARN using an API HTTP PATCH request. | ||
# sleep 10 - Waits ten seconds to make sure that all AWS servers are updated with the new IAM Role. | ||
resource "null_resource" "link_role_arn_to_cloud_provider_access" { | ||
provisioner "local-exec" { | ||
command = <<EOT | ||
sleep 10; | ||
curl --user "${var.public_key}:${var.private_key}" -X PATCH --digest \ | ||
--header "Accept: application/json" \ | ||
--header "Content-Type: application/json" \ | ||
"https://cloud.mongodb.com/api/atlas/v1.0/groups/${var.project_id}/cloudProviderAccess/${mongodbatlas_cloud_provider_access.test.role_id}?pretty=true" \ | ||
--data '{ "providerName": "AWS", "iamAssumedRoleArn" : "${aws_iam_role.test_role.arn}" }' | ||
|
||
EOT | ||
} | ||
} | ||
|
||
|
||
output "cpa_role_id" { | ||
value = mongodbatlas_cloud_provider_access.test.role_id | ||
} |
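Review bot: the inline policy on `test_role` grants `"Action": "*"` on `"Resource": "*"`, which turns the role that Atlas assumes into a full administrator of the AWS account; scope it to the KMS operations the integration actually performs on the customer master key (typically encrypt, decrypt and describe-key on that key's ARN) instead of wildcards. Two smaller points in the same file: the `local-exec` provisioner places `${var.public_key}:${var.private_key}` on the curl command line, where they show up in process listings and in Terraform's provisioner output, so prefer passing them through the environment or a netrc file; and the `null_resource` has no `triggers`, so the PATCH will not re-run if `aws_iam_role.test_role.arn` ever changes, while `sleep 10` is a guess at IAM propagation rather than a check that the role is assumable.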
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -0,0 +1,9 @@ | ||
provider "mongodbatlas" { | ||
public_key = var.public_key | ||
private_key = var.private_key | ||
} | ||
provider "aws" { | ||
access_key = var.access_key | ||
secret_key = var.secret_key | ||
region = var.aws_region | ||
} |
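Review bot: `access_key`/`secret_key` on the `aws` provider and `public_key`/`private_key` on `mongodbatlas` route long-lived credentials through Terraform variables, which end up in tfvars files and plan output; both providers read credentials from the environment (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and `MONGODB_ATLAS_PUBLIC_KEY`/`MONGODB_ATLAS_PRIVATE_KEY`), so these arguments can be dropped from the example and users told to export them.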
examples/atlas-encryptionAtRest-roles-two-step/second_step/atlas-encryption.tf (13 changes: 13 additions & 0 deletions)
@@ -0,0 +1,13 @@ | ||
resource "mongodbatlas_encryption_at_rest" "test" { | ||
project_id = var.project_id | ||
|
||
aws_kms = { | ||
access_key_id = var.access_key | ||
secret_access_key = var.secret_key | ||
enabled = true | ||
customer_master_key_id = var.customer_master_key | ||
region = var.atlas_region | ||
role_id = var.cpa_role_id | ||
} | ||
} | ||
|
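Review bot: the `aws_kms` block sends `access_key_id`/`secret_access_key` together with `role_id`; the point of the role-based flow is that Atlas assumes the IAM role instead of holding static keys, so the static keys should not be needed here and sending them alongside the role defeats the example's purpose. Note also that `role_id` is the Atlas cloud-provider-access ID exported as `cpa_role_id` by the first step, not an IAM role ARN.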
examples/atlas-encryptionAtRest-roles-two-step/second_step/provider.tf (4 changes: 4 additions & 0 deletions)
@@ -0,0 +1,4 @@ | ||
provider "mongodbatlas" { | ||
public_key = var.public_key | ||
private_key = var.private_key | ||
} |
examples/atlas-encryptionAtRest-roles-two-step/second_step/variables.tf (33 changes: 33 additions & 0 deletions)
@@ -0,0 +1,33 @@ | ||
variable "public_key" { | ||
description = "The public API key for MongoDB Atlas" | ||
default = "" | ||
} | ||
variable "private_key" { | ||
description = "The private API key for MongoDB Atlas" | ||
default = "" | ||
} | ||
variable "project_id" { | ||
description = "Atlas project ID" | ||
default = "" | ||
} | ||
variable "customer_master_key" { | ||
description = "The customer master secret key for AWS Account" | ||
default = "" | ||
} | ||
variable "atlas_region" { | ||
default = "US_EAST_1" | ||
description = "Atlas Region" | ||
} | ||
|
||
variable "cpa_role_id" { | ||
description = "AWS IAM ROLE ARN" | ||
default = "" | ||
} | ||
variable "access_key" { | ||
description = "The access key for AWS Account" | ||
default = "" | ||
} | ||
variable "secret_key" { | ||
description = "The secret key for AWS Account" | ||
default = "" | ||
} |
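Review bot: the description of `cpa_role_id` reads "AWS IAM ROLE ARN", but the value it receives is `mongodbatlas_cloud_provider_access.test.role_id` (the `cpa_role_id` output of the first step), an Atlas-side identifier; fix the description so users do not paste the IAM ARN there. `customer_master_key` is likewise a KMS key ID, not a "master secret key". `private_key` and `secret_key` should be declared `sensitive = true` so Terraform redacts them from plan output; that attribute needs Terraform 0.14, so `required_version` in `versions.tf` would move up from `>= 0.13`.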
examples/atlas-encryptionAtRest-roles-two-step/second_step/versions.tf (9 changes: 9 additions & 0 deletions)
@@ -0,0 +1,9 @@ | ||
terraform { | ||
required_providers { | ||
mongodbatlas = { | ||
source = "mongodb/mongodbatlas" | ||
//version = "0.7-dev" | ||
} | ||
} | ||
required_version = ">= 0.13" | ||
} |
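Review bot: the commented-out `//version = "0.7-dev"` is a leftover; either remove it or replace it with a real constraint, since without one the example has no provider pin and a future provider release can change the behaviour of `aws_kms`. HCL accepts `//` comments, but `#` is the convention used elsewhere in this PR.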
examples/atlas-encryptionAtRest-roles-two-step/variables.tf (36 changes: 36 additions & 0 deletions)
@@ -0,0 +1,36 @@ | ||
variable "public_key" { | ||
description = "The public API key for MongoDB Atlas" | ||
default = "" | ||
Review comment on this line: The default values passed as an empty string just add more lines and are of no use. @themantissa if you think we can keep it, it's ok. Else please remove these as well.
||
} | ||
variable "private_key" { | ||
description = "The private API key for MongoDB Atlas" | ||
default = "" | ||
} | ||
variable "project_id" { | ||
description = "Atlas project ID" | ||
default = "" | ||
} | ||
variable "access_key" { | ||
description = "The access key for AWS Account" | ||
default = "" | ||
} | ||
variable "secret_key" { | ||
description = "The secret key for AWS Account" | ||
default = "" | ||
} | ||
variable "customer_master_key" { | ||
description = "The customer master secret key for AWS Account" | ||
default = "" | ||
} | ||
variable "atlas_region" { | ||
default = "US_EAST_1" | ||
description = "Atlas Region" | ||
} | ||
variable "aws_region" { | ||
default = "us-east-1" | ||
description = "AWS Region" | ||
} | ||
variable "aws_iam_role_arn" { | ||
description = "AWS IAM ROLE ARN" | ||
default = "" | ||
} |
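Review bot: agree with the review comment on `default = ""`: an empty-string default lets `terraform apply` proceed with blank credentials and fail at the API rather than prompting for the value, so removing the defaults is the better option. `private_key` and `secret_key` should also carry `sensitive = true` (Terraform 0.14+), and `aws_iam_role_arn` is not referenced by any file in this diff, so check whether the renamed first-step files still use it before keeping it.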
examples/atlas-encryptionAtRest-roles-two-step/versions.tf (11 changes: 11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
} | ||
mongodbatlas = { | ||
source = "mongodb/mongodbatlas" | ||
} | ||
} | ||
required_version = ">= 0.13" | ||
} |
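Review bot: neither `aws` nor `mongodbatlas` has a `version` constraint, so `terraform init` pulls whatever is latest and the example may stop working after a provider release; pin both to the versions the example was tested against, and consider committing the `.terraform.lock.hcl` that Terraform 0.14+ generates so users get the same provider builds.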