add example and documentation

mongodb · Apr 22, 2024 · 1229973 · 1229973
1 parent ebeaa1e
commit 1229973
Show file tree

Hide file tree

Showing 10 changed files with 460 additions and 0 deletions.
diff --git a/examples/mongodbatlas_push_based_log_export/README.md b/examples/mongodbatlas_push_based_log_export/README.md
@@ -0,0 +1,81 @@
+# MongoDB Atlas Provider -- Cloud Provider Access Role with AWS
+This example shows how to configure push-based log export for an Atlas project.
+
+## Dependencies
+
+* Terraform MongoDB Atlas Provider v1.16.0 minimum
+* Terraform AWS provider
+* A MongoDB Atlas account 
+* An AWS account
+
+
+```
+Terraform v1.5.2
++ provider registry.terraform.io/terraform-providers/mongodbatlas v1.16.0
+```
+
+## Usage
+
+**1\. Ensure your AWS and MongoDB Atlas credentials are set up.**
+
+This can be done using environment variables:
+
+```bash
+export MONGODB_ATLAS_PUBLIC_KEY="xxxx"
+export MONGODB_ATLAS_PRIVATE_KEY="xxxx"
+```
+
+``` bash
+$ export AWS_SECRET_ACCESS_KEY='your secret key'
+$ export AWS_ACCESS_KEY_ID='your key id'
+```
+
+... or the `~/.aws/credentials` file.
+
+```
+$ cat ~/.aws/credentials
+[default]
+aws_access_key_id = your key id
+aws_secret_access_key = your secret key
+```
+... or follow as in the `variables.tf` file and create **terraform.tfvars** file with all the variable values, ex:
+```
+access_key           = "<AWS_ACCESS_KEY_ID>"
+secret_key           = "<AWS_SECRET_ACCESS_KEY>"
+public_key           = "<MONGODB_ATLAS_PUBLIC_KEY>"
+private_key          = "<MONGODB_ATLAS_PRIVATE_KEY>"
+```
+
+**2\. Review the Terraform plan.**
+
+Execute the below command and ensure you are happy with the plan.
+
+``` bash
+$ terraform plan
+```
+This project currently supports the below deployments:
+
+- An AWS IAM Policy
+- An AWS IAM Role
+- An AWS S3 bucket
+- An IAM role policy for the S3 bucket
+- Configure Atlas to use your AWS Role
+- An Atlas project in the configured Atlas organization
+- Configure push-based log export to the S3 bucket for Atlas project
+
+**3\. Execute the Terraform apply.**
+
+Now execute the plan to provision the resources.
+
+``` bash
+$ terraform apply
+```
+
+**4\. Destroy the resources.**
+
+Once you are finished your testing, ensure you destroy the resources to avoid unnecessary Atlas charges.
+
+``` bash
+$ terraform destroy
+```
+
diff --git a/examples/mongodbatlas_push_based_log_export/aws.tf b/examples/mongodbatlas_push_based_log_export/aws.tf
@@ -0,0 +1,77 @@
+// Create IAM role & policy to authorize with Atlas
+resource "aws_iam_role_policy" "test_policy" {
+  name = var.aws_iam_role_policy_name
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+		"Action": "*",
+		"Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+
+resource "aws_iam_role" "test_role" {
+  name                 = var.aws_iam_role_name
+  max_session_duration = 43200
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config[0].atlas_aws_account_arn}"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config[0].atlas_assumed_role_external_id}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+// Create S3 buckets
+resource "aws_s3_bucket" "log_bucket" {
+  bucket        = var.s3_bucket_name
+  force_destroy = true // required for destroying as Atlas may create a test folder in the bucket when push-based log export is set up 
+}
+
+// Add authorization policy to existing IAM role
+resource "aws_iam_role_policy" "s3_bucket_policy" {
+  name = var.s3_bucket_policy_name
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:ListBucket",
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:GetBucketLocation"
+        ],
+        "Resource": [
+          "${aws_s3_bucket.log_bucket.arn}",
+          "${aws_s3_bucket.log_bucket.arn}/*"
+        ]
+      }
+    ]
+  }
+  EOF
+}
diff --git a/examples/mongodbatlas_push_based_log_export/main.tf b/examples/mongodbatlas_push_based_log_export/main.tf
@@ -0,0 +1,31 @@
+resource "mongodbatlas_project" "project-tf" {
+  name   = var.atlas_project_name
+  org_id = var.atlas_org_id
+}
+
+// Set up cloud provider access in Atlas using the created IAM role
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+  project_id    = mongodbatlas_project.project-tf.id
+  provider_name = "AWS"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+  project_id = mongodbatlas_project.project-tf.id
+  role_id    = mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+  aws {
+    iam_assumed_role_arn = aws_iam_role.test_role.arn
+  }
+}
+
+// Set up push-based log export with authorized IAM role
+resource "mongodbatlas_push_based_log_export" "test" {
+  project_id  = mongodbatlas_project.project-tf.id
+  bucket_name = aws_s3_bucket.log_bucket.bucket
+  iam_role_id = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
+  prefix_path = "push-based-log-test"
+}
+
+data "mongodbatlas_push_based_log_export" "test" {
+  project_id = mongodbatlas_push_based_log_export.test.project_id
+}
diff --git a/examples/mongodbatlas_push_based_log_export/providers.tf b/examples/mongodbatlas_push_based_log_export/providers.tf
@@ -0,0 +1,9 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.aws_region
+}
diff --git a/examples/mongodbatlas_push_based_log_export/variables.tf b/examples/mongodbatlas_push_based_log_export/variables.tf
@@ -0,0 +1,51 @@
+variable "public_key" {
+  description = "The public API key for MongoDB Atlas"
+  type        = string
+}
+variable "private_key" {
+  description = "The private API key for MongoDB Atlas"
+  type        = string
+}
+variable "access_key" {
+  description = "The access key for AWS Account"
+  type        = string
+}
+variable "secret_key" {
+  description = "The secret key for AWS Account"
+  type        = string
+}
+variable "aws_region" {
+  description = "AWS Region"
+  default     = "us-east-1"
+  type        = string
+}
+variable "atlas_org_id" {
+  description = "Atlas Organization ID"
+  type        = string
+}
+variable "atlas_project_name" {
+  description = "Unique 24-hexadecimal digit string that identifies your project"
+  default     = "tf-push-based-log"
+  type        = string
+}
+variable "s3_bucket_name" {
+  description = "The name of the bucket to which Atlas will send the logs to"
+  default     = "atlas-log-export"
+  type        = string
+}
+variable "s3_bucket_policy_name" {
+  description = "The name of the IAM role policy to configure for the S3 bucket"
+  default     = "atlas-log-export-s3-policy"
+  type        = string
+}
+variable "aws_iam_role_name" {
+  description = "The name of the IAM role to use to set up cloud provider access in Atlas"
+  default     = "atlas-log-export-role"
+  type        = string
+}
+variable "aws_iam_role_policy_name" {
+  description = "The name of the IAM role policy for the configured aws_iam_role_name"
+  default     = "atlas-log-export-role-policy"
+  type        = string
+}
+
diff --git a/examples/mongodbatlas_push_based_log_export/versions.tf b/examples/mongodbatlas_push_based_log_export/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source  = "mongodb/mongodbatlas"
+      version = "~> 1.16.0"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+  required_version = ">= 1.0"
+}
diff --git a/templates/data-sources/push_based_log_export.md.tmpl b/templates/data-sources/push_based_log_export.md.tmpl
@@ -0,0 +1,19 @@
+---
+layout: "mongodbatlas"
+page_title: "MongoDB Atlas: {{.Name}}"
+sidebar_current: "docs-{{ .ProviderShortName }}-{{ $arr := split .Type " "}}{{ range $element := $arr }}{{ $element | lower}}{{ end }}{{ $name := slice (split .Name "_") 1 }}{{ range $element := $name }}-{{ $element | lower}}{{end}}"
+description: |-
+    "Provides a data source for push-based log export feature."
+---
+
+# {{.Type}}: {{.Name}}
+
+{{ .Description | trimspace }}
+`mongodbatlas_push_based_log_export` describes the configured project level settings for the push-based log export feature.
+
+## Example Usages
+{{ tffile (printf "examples/%s/main.tf" .Name )}}
+
+{{ .SchemaMarkdown | trimspace }}
+
+For more information see: [MongoDB Atlas API - Push-Based Log Export](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Push-Based-Log-Export) Documentation.
diff --git a/templates/resources/push_based_log_export.md.tmpl b/templates/resources/push_based_log_export.md.tmpl
@@ -0,0 +1,29 @@
+---
+layout: "mongodbatlas"
+page_title: "MongoDB Atlas: {{.Name}}"
+sidebar_current: "docs-{{ .ProviderShortName }}-{{ $arr := split .Type " "}}{{ range $element := $arr }}{{ $element | lower}}{{ end }}{{ $name := slice (split .Name "_") 1 }}{{ range $element := $name }}-{{ $element | lower}}{{end}}"
+description: |-
+    "Provides resource for push-based log export feature."
+---
+
+# {{.Type}}: {{.Name}}
+
+{{ .Description | trimspace }}
+`mongodbatlas_push_based_log_export` provides a resource for push-based log export feature. The resource lets you configure, enable & disable the project level settings for the push-based log export feature. Using this resource you 
+can continually push logs from mongod, mongos, and audit logs to an AWS S3 bucket. Atlas exports logs every 5 minutes.
+
+
+## Example Usages
+
+{{ tffile (printf "examples/%s/main.tf" .Name )}}
+
+{{ .SchemaMarkdown | trimspace }}
+
+# Import 
+Push-based log export resource can be imported using the project ID, e.g.
+
+```
+$ terraform import mongodbatlas_push_based_log_export.test 650972848269185c55f40ca1
+```
+
+For more information see: [MongoDB Atlas API - Push-Based Log Export](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Push-Based-Log-Export) Documentation.
diff --git a/website/docs/d/push_based_log_export.html.markdown b/website/docs/d/push_based_log_export.html.markdown
@@ -0,0 +1,66 @@
+---
+layout: "mongodbatlas"
+page_title: "MongoDB Atlas: mongodbatlas_push_based_log_export"
+sidebar_current: "docs-mongodbatlas-datasource-push-based-log-export"
+description: |-
+    "Provides a data source for push-based log export feature."
+---
+
+# Data Source: mongodbatlas_push_based_log_export
+
+
+`mongodbatlas_push_based_log_export` describes the configured project level settings for the push-based log export feature.
+
+## Example Usages
+```terraform
+resource "mongodbatlas_project" "project-tf" {
+  name   = var.atlas_project_name
+  org_id = var.atlas_org_id
+}
+
+// Set up cloud provider access in Atlas using the created IAM role
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+  project_id    = mongodbatlas_project.project-tf.id
+  provider_name = "AWS"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+  project_id = mongodbatlas_project.project-tf.id
+  role_id    = mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+  aws {
+    iam_assumed_role_arn = aws_iam_role.test_role.arn
+  }
+}
+
+// Set up push-based log export with authorized IAM role
+resource "mongodbatlas_push_based_log_export" "test" {
+  project_id  = mongodbatlas_project.project-tf.id
+  bucket_name = aws_s3_bucket.log_bucket.bucket
+  iam_role_id = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
+  prefix_path = "push-based-log-test"
+}
+
+data "mongodbatlas_push_based_log_export" "test" {
+  project_id = mongodbatlas_push_based_log_export.test.project_id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.
+
+**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.
+
+### Read-Only
+
+- `bucket_name` (String) The name of the bucket to which the agent will send the logs to.
+- `create_date` (String) Date and time that this feature was enabled on.
+- `iam_role_id` (String) ID of the AWS IAM role that will be used to write to the S3 bucket.
+- `prefix_path` (String) S3 directory in which vector will write to in order to store the logs. An empty string denotes the root directory.
+- `state` (String) Describes whether or not the feature is enabled and what status it is in.
+
+For more information see: [MongoDB Atlas API - Push-Based Log Export](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Push-Based-Log-Export) Documentation.