feat: Integrate MongoDB Atlas Serverless in example module (#1)

- [x] Create user - [x] Restrict access from europe-west1 IP addresses. - [x] Create Secrets Manager secret containing connection URL.
relaycorp · Jul 20, 2023 · 848d1d2 · 848d1d2
1 parent 6600bf1
commit 848d1d2
Show file tree

Hide file tree

Showing 9 changed files with 137 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,7 @@
 .terraform
 
-examples/basic/.terraform
-examples/basic/terraform.tfstate*
-examples/basic/credentials.tf
+examples/*/.terraform
+examples/*/terraform.tfstate*
+examples/*/.terraform.tfstate.lock.info
+examples/*/terraform.tfvars
+examples/*/credentials.tf
diff --git a/examples/basic/.terraform.lock.hcl b/examples/basic/.terraform.lock.hcl
diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -1 +1,5 @@
 # Example module
+
+## Limitations
+
+- This module does NOT restrict access to MongoDB from any particular IP address.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -1,12 +1,18 @@
 locals {
   project_id = "tmp-tf-awala-endpoint"
+  gcp_region = "europe-west1"
 }
 
 module "self" {
   source = "../.."
 
   project_id = local.project_id
-  region     = "europe-west1"
+  region     = local.gcp_region
+
+  mongodb_uri = mongodbatlas_serverless_instance.main.connection_strings_standard_srv
+
+  mongodb_user                    = mongodbatlas_database_user.main.username
+  mongodb_password_secret_version = google_secret_manager_secret_version.mongodb_password.id
 
   depends_on = [google_project_service.services]
 }
diff --git a/examples/basic/mongodb.tf b/examples/basic/mongodb.tf
@@ -0,0 +1,59 @@
+locals {
+  mongodb_db_name = "main"
+}
+
+resource "mongodbatlas_serverless_instance" "main" {
+  project_id = var.mongodbatlas_project_id
+  name       = "awala-endpoint"
+
+  provider_settings_backing_provider_name = "GCP"
+  provider_settings_provider_name         = "SERVERLESS"
+  provider_settings_region_name           = "WESTERN_EUROPE"
+}
+
+resource "mongodbatlas_database_user" "main" {
+  project_id = var.mongodbatlas_project_id
+
+  username           = "awala-endpoint"
+  password           = random_password.mongodb_user_password.result
+  auth_database_name = "admin"
+
+  roles {
+    role_name     = "readWrite"
+    database_name = mongodbatlas_serverless_instance.main.name
+  }
+}
+
+resource "random_password" "mongodb_user_password" {
+  length = 32
+}
+
+resource "google_secret_manager_secret" "mongodb_password" {
+  project = local.project_id
+
+  secret_id = "awala_endpoint-mongodb_password"
+
+  replication {
+    user_managed {
+      replicas {
+        location = local.gcp_region
+      }
+    }
+  }
+}
+
+resource "google_secret_manager_secret_version" "mongodb_password" {
+  secret      = google_secret_manager_secret.mongodb_password.id
+  secret_data = random_password.mongodb_user_password.result
+}
+
+resource "mongodbatlas_project_ip_access_list" "test" {
+  project_id = var.mongodbatlas_project_id
+  cidr_block = "0.0.0.0/0"
+}
+
+resource "google_secret_manager_secret_iam_binding" "mongodb_password_reader" {
+  secret_id = google_secret_manager_secret.mongodb_password.secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  members   = ["serviceAccount:${module.self.service_account_email}"]
+}
diff --git a/examples/basic/providers.tf b/examples/basic/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source  = "mongodb/mongodbatlas"
+      version = "~> 1.10.2"
+    }
+  }
+}
+
+provider "mongodbatlas" {
+  public_key  = var.mongodbatlas_public_key
+  private_key = var.mongodbatlas_private_key
+}
diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf
@@ -0,0 +1,9 @@
+variable "mongodbatlas_public_key" {
+  description = "MongoDB Atlas public key"
+}
+
+variable "mongodbatlas_private_key" {
+  description = "MongoDB Atlas private key"
+}
+
+variable "mongodbatlas_project_id" {}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,3 @@
+output "service_account_email" {
+  value = google_service_account.endpoint.email
+}
diff --git a/variables.tf b/variables.tf
@@ -18,3 +18,18 @@ variable "kms_protection_level" {
     error_message = "KMS protection level must be either SOFTWARE or HSM"
   }
 }
+
+variable "mongodb_uri" {
+  description = "The MongoDB URI"
+  type        = string
+}
+
+variable "mongodb_user" {
+  description = "The MongoDB username"
+  type        = string
+}
+
+variable "mongodb_password_secret_version" {
+  description = "The id of the Secrets Manager secret version containing the MongoDB password"
+  type        = string
+}