INTMDB 186 - Added authorization resource to split the cloud access provider config

README.md

@@ -205,3 +205,12 @@ $ make testacc
 Thanks
 ---------------------------
 We'd like to thank [Akshay Karle](https://github.com/akshaykarle) for writing the first version of a Terraform Provider for MongoDB Atlas and paving the way for the creation of this one.
+
+# Running the integration tests
+
+The integration tests helps the validation for resources interacting with third party providers (aws, azure or gcp) using terratest [environment setup details](integration-testing/README.md)
+
+```
+  cd integration-testing
+  go test -tags=integration
+```

examples/atlas-cloud-provider-access/aws/aws-roles.tf

@@ -0,0 +1,41 @@
+resource "aws_iam_role_policy" "test_policy" {
+  name = "mongo_setup_policy"
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+		"Action": "*",
+		"Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "test_role" {
+  name = "mongo_setup_test_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws.atlas_aws_account_arn}"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws.atlas_assumed_role_external_id}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}

examples/atlas-cloud-provider-access/aws/main.tf

@@ -0,0 +1,13 @@
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+   project_id = var.project_id
+   provider_name = var.cloud_provider_access_name
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+   project_id = var.project_id
+   role_id =  mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+   aws = {
+      iam_assumed_role_arn = aws_iam_role.test_role.arn
+   }
+}

examples/atlas-cloud-provider-access/aws/providers.tf

@@ -0,0 +1,9 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.aws_region
+}

examples/atlas-cloud-provider-access/aws/variables.tf

@@ -0,0 +1,25 @@
+// mongo 
+variable project_id {
+    type = string
+}
+variable cloud_provider_access_name {
+    type = string
+    default = "AWS"
+}
+variable public_key {
+    type = string
+}
+variable private_key {
+    type = string
+}
+
+// aws
+variable access_key {
+    type = string
+}
+variable secret_key {
+    type = string
+}
+variable aws_region {
+    type = string
+}

examples/atlas-cloud-provider-access/aws/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+    }
+  }
+  required_version = ">= 0.13"
+}

integration-testing/README.md

@@ -0,0 +1,21 @@
+### Integration tests
+
+Integration tests required extra credentials, such as for aws and azure,
+in order to execute the complete terraform cycle (init, apply, destroy)
+
+For all the testing it needs the common environment variables 
+```
+    MONGODB_ATLAS_PROJECT_ID
+    MONGODB_ATLAS_PUBLIC_KEY
+    MONGODB_ATLAS_PRIVATE_KEY
+```
+
+For specific aws related interactions 
+```
+    AWS_ACCESS_KEY_ID
+    AWS_SECRET_ACCESS_KEY
+    AWS_REGION
+
+    AWS_CUSTOMER_MASTER_KEY_ID (only required for encryption at rest with customer managed key)
+
+```

integration-testing/common.go

@@ -0,0 +1,33 @@
+package integration_testing
+
+import "os"
+
+type MongoDBCredentials struct {
+	ProjectID  string
+	PublicKey  string
+	PrivateKey string
+}
+
+type AWSCredentials struct {
+	AccessKey         string
+	SecretKey         string
+	CustomerMasterKey string
+	AwsRegion         string
+}
+
+func GetCredentialsFromEnv() MongoDBCredentials {
+	return MongoDBCredentials{
+		ProjectID:  os.Getenv("MONGODB_ATLAS_PROJECT_ID"),
+		PublicKey:  os.Getenv("MONGODB_ATLAS_PUBLIC_KEY"),
+		PrivateKey: os.Getenv("MONGODB_ATLAS_PRIVATE_KEY"),
+	}
+}
+
+func GetAWSCredentialsFromEnv() AWSCredentials {
+	return AWSCredentials{
+		AccessKey:         os.Getenv("AWS_ACCESS_KEY_ID"),
+		SecretKey:         os.Getenv("AWS_SECRET_ACCESS_KEY"),
+		CustomerMasterKey: os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID"),
+		AwsRegion:         os.Getenv("AWS_REGION"),
+	}
+}

integration-testing/resource_mongodbatlas_cloud_provider_access_test.go

@@ -0,0 +1,44 @@
+// +build integration
+
+package integration_testing
+
+import (
+	"os"
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+)
+
+const (
+	defaultTerratestFilesCPA = "../examples/atlas-cloud-provider-access/aws/"
+)
+
+func TestTerraformResourceMongoDBAtlasCloudProviderAccess_basicAWS(t *testing.T) {
+	t.Parallel()
+
+	mongoSecrets := GetCredentialsFromEnv()
+	awsSecrets := GetAWSCredentialsFromEnv()
+
+	testFiles := os.Getenv("TERRATEST_CLOUD_PROVIDER_ACCESS_AWS")
+	if testFiles == "" {
+		testFiles = defaultTerratestFilesCPA
+	}
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: testFiles,
+		Vars: map[string]interface{}{
+			"project_id":                 mongoSecrets.ProjectID,
+			"cloud_provider_access_name": "AWS",
+			"public_key":                 mongoSecrets.PublicKey,
+			"private_key":                mongoSecrets.PrivateKey,
+			"access_key":                 awsSecrets.AccessKey,
+			"secret_key":                 awsSecrets.SecretKey,
+			"aws_region":                 awsSecrets.AwsRegion,
+		},
+	}
+
+	terraformTest := terraform.WithDefaultRetryableErrors(t, terraformOptions)
+
+	defer terraform.Destroy(t, terraformTest)
+	terraform.InitAndApply(t, terraformTest)
+}

integration-testing/resource_mongodbatlas_encryption_at_rest_test.go

@@ -1,45 +1,33 @@
+// +build integration
+
 package integration_testing
 
 import (
 	"fmt"
-	"os"
-	"strings"
 	"testing"
 
 	"github.com/gruntwork-io/terratest/modules/terraform"
 )
 
-func SkipTestExtCred(t *testing.T) {
-	if strings.EqualFold(os.Getenv("SKIP_TEST_EXTERNAL_CREDENTIALS"), "true") {
-		t.SkipNow()
-	}
-}
 func TestTerraformResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testing.T) {
-	SkipTestExtCred(t)
 	t.Parallel()
 
-	var (
-		projectID   = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
-		accessKey   = os.Getenv("AWS_ACCESS_KEY_ID")
-		secretKey   = os.Getenv("AWS_SECRET_ACCESS_KEY")
-		customerKey = os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID")
-		awsRegion   = os.Getenv("AWS_REGION")
-		publicKey   = os.Getenv("MONGODB_ATLAS_PUBLIC_KEY")
-		privateKey  = os.Getenv("MONGODB_ATLAS_PRIVATE_KEY")
-	)
+	mongoSecrets := GetCredentialsFromEnv()
+	awsSecrets := GetAWSCredentialsFromEnv()
+
 	// Construct the terraform options with default retryable errors to handle the most common
 	// retryable errors in terraform testing.
 	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
 		// The path to where our Terraform code is located
 		TerraformDir: "../examples/atlas-encryptionAtRest-roles",
 		Vars: map[string]interface{}{
-			"access_key":          accessKey,
-			"secret_key":          secretKey,
-			"customer_master_key": customerKey,
-			"atlas_region":        awsRegion,
-			"project_id":          projectID,
-			"public_key":          publicKey,
-			"private_key":         privateKey,
+			"access_key":          awsSecrets.AccessKey,
+			"secret_key":          awsSecrets.SecretKey,
+			"customer_master_key": awsSecrets.CustomerMasterKey,
+			"atlas_region":        awsSecrets.AwsRegion,
+			"project_id":          mongoSecrets.ProjectID,
+			"public_key":          mongoSecrets.PublicKey,
+			"private_key":         mongoSecrets.PrivateKey,
 		},
 	})
 
@@ -53,20 +41,20 @@ func TestTerraformResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testi
 	awsRoleARN := terraform.Output(t, terraformOptions, "aws_iam_role_arn")
 	cpaRoleID := terraform.Output(t, terraformOptions, "cpa_role_id")
 
-	fmt.Println(fmt.Sprintf("awsRoleARN : %s", awsRoleARN))
-	fmt.Println(fmt.Sprintf("cpaRoleID : %s", cpaRoleID))
+	fmt.Printf("awsRoleARN : %s", awsRoleARN)
+	fmt.Printf("cpaRoleID : %s", cpaRoleID)
 
 	terraformOptionsUpdated := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
 		// The path to where our Terraform code is located
 		TerraformDir: "../examples/atlas-encryptionAtRest-roles",
 		Vars: map[string]interface{}{
-			"access_key":          accessKey,
-			"secret_key":          secretKey,
-			"customer_master_key": customerKey,
-			"atlas_region":        awsRegion,
-			"project_id":          projectID,
-			"public_key":          publicKey,
-			"private_key":         privateKey,
+			"access_key":          awsSecrets.AccessKey,
+			"secret_key":          awsSecrets.SecretKey,
+			"customer_master_key": awsSecrets.CustomerMasterKey,
+			"atlas_region":        awsSecrets.AwsRegion,
+			"project_id":          mongoSecrets.ProjectID,
+			"public_key":          mongoSecrets.PublicKey,
+			"private_key":         mongoSecrets.PrivateKey,
 			"aws_iam_role_arn":    awsRoleARN,
 		},
 	})
@@ -77,11 +65,11 @@ func TestTerraformResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testi
 		// The path to where our Terraform code is located
 		TerraformDir: "../examples/atlas-encryptionAtRest-roles/second_step",
 		Vars: map[string]interface{}{
-			"customer_master_key": customerKey,
-			"atlas_region":        awsRegion,
-			"project_id":          projectID,
-			"public_key":          publicKey,
-			"private_key":         privateKey,
+			"customer_master_key": awsSecrets.CustomerMasterKey,
+			"atlas_region":        awsSecrets.AwsRegion,
+			"project_id":          mongoSecrets.ProjectID,
+			"public_key":          mongoSecrets.PublicKey,
+			"private_key":         mongoSecrets.PrivateKey,
 			"cpa_role_id":         cpaRoleID,
 		},
 	})