diff --git a/examples/mongodbatlas_push_based_log_export/README.md b/examples/mongodbatlas_push_based_log_export/README.md new file mode 100644 index 0000000000..2af478b597 --- /dev/null +++ b/examples/mongodbatlas_push_based_log_export/README.md 
@@ -0,0 +1,81 @@ +# MongoDB Atlas Provider -- Cloud Provider Access Role with AWS +This example shows how to configure push-based log export for an Atlas project. + +## Dependencies + +* Terraform MongoDB Atlas Provider v1.16.0 minimum +* Terraform AWS provider +* A MongoDB Atlas account +* An AWS account + + +``` +Terraform v1.5.2 ++ provider registry.terraform.io/terraform-providers/mongodbatlas v1.16.0 +``` + +## Usage + +**1\. Ensure your AWS and MongoDB Atlas credentials are set up.** + +This can be done using environment variables: + +```bash +export MONGODB_ATLAS_PUBLIC_KEY="xxxx" +export MONGODB_ATLAS_PRIVATE_KEY="xxxx" +``` + +``` bash +$ export AWS_SECRET_ACCESS_KEY='your secret key' +$ export AWS_ACCESS_KEY_ID='your key id' +``` + +... or the `~/.aws/credentials` file. + +``` +$ cat ~/.aws/credentials +[default] +aws_access_key_id = your key id +aws_secret_access_key = your secret key +``` +... or follow as in the `variables.tf` file and create **terraform.tfvars** file with all the variable values, ex: +``` +access_key = "" +secret_key = "" +public_key = "" +private_key = "" +``` + +**2\. Review the Terraform plan.** + +Execute the below command and ensure you are happy with the plan. + +``` bash +$ terraform plan +``` +This project currently supports the below deployments: + +- An AWS IAM Policy +- An AWS IAM Role +- An AWS S3 bucket +- An IAM role policy for the S3 bucket +- Configure Atlas to use your AWS Role +- An Atlas project in the configured Atlas organization +- Configure push-based log export to the S3 bucket for Atlas project + +**3\. Execute the Terraform apply.** + +Now execute the plan to provision the resources. + +``` bash +$ terraform apply +``` + +**4\. Destroy the resources.** + +Once you are finished your testing, ensure you destroy the resources to avoid unnecessary Atlas charges. + +``` bash +$ terraform destroy +``` + 
diff --git a/examples/mongodbatlas_push_based_log_export/aws.tf b/examples/mongodbatlas_push_based_log_export/aws.tf new file mode 100644 index 0000000000..a8caae4f35 --- /dev/null +++ b/examples/mongodbatlas_push_based_log_export/aws.tf @@ -0,0 +1,77 @@ +// Create IAM role & policy to authorize with Atlas +resource "aws_iam_role_policy" "test_policy" { + name = var.aws_iam_role_policy_name + role = aws_iam_role.test_role.id + + policy = <<-EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + } + EOF +} + + +resource "aws_iam_role" "test_role" { + name = var.aws_iam_role_name + max_session_duration = 43200 + + assume_role_policy = < +## Schema + +### Required + +- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access. + +**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups. + +### Read-Only + +- `bucket_name` (String) The name of the bucket to which the agent will send the logs to. +- `create_date` (String) Date and time that this feature was enabled on. +- `iam_role_id` (String) ID of the AWS IAM role that will be used to write to the S3 bucket. +- `prefix_path` (String) S3 directory in which vector will write to in order to store the logs. An empty string denotes the root directory. +- `state` (String) Describes whether or not the feature is enabled and what status it is in. + +For more information see: [MongoDB Atlas API - Push-Based Log Export](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Push-Based-Log-Export) Documentation. 
diff --git a/website/docs/r/push_based_log_export.html.markdown b/website/docs/r/push_based_log_export.html.markdown new file mode 100644 index 0000000000..787c9a331b --- /dev/null +++ b/website/docs/r/push_based_log_export.html.markdown 
@@ -0,0 +1,84 @@ +--- +layout: "mongodbatlas" +page_title: "MongoDB Atlas: mongodbatlas_push_based_log_export" +sidebar_current: "docs-mongodbatlas-resource-push-based-log-export" +description: |- + "Provides resource for push-based log export feature." +--- + +# Resource: mongodbatlas_push_based_log_export + + +`mongodbatlas_push_based_log_export` provides a resource for push-based log export feature. The resource lets you configure, enable & disable the project level settings for the push-based log export feature. Using this resource you +can continually push logs from mongod, mongos, and audit logs to an AWS S3 bucket. Atlas exports logs every 5 minutes. + + +## Example Usages + +```terraform +resource "mongodbatlas_project" "project-tf" { + name = var.atlas_project_name + org_id = var.atlas_org_id +} + +// Set up cloud provider access in Atlas using the created IAM role +resource "mongodbatlas_cloud_provider_access_setup" "setup_only" { + project_id = mongodbatlas_project.project-tf.id + provider_name = "AWS" +} + +resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" { + project_id = mongodbatlas_project.project-tf.id + role_id = mongodbatlas_cloud_provider_access_setup.setup_only.role_id + + aws { + iam_assumed_role_arn = aws_iam_role.test_role.arn + } +} + +// Set up push-based log export with authorized IAM role +resource "mongodbatlas_push_based_log_export" "test" { + project_id = mongodbatlas_project.project-tf.id + bucket_name = aws_s3_bucket.log_bucket.bucket + iam_role_id = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id + prefix_path = "push-based-log-test" +} +``` + + +## Schema + +### Required + +- `bucket_name` (String) The name of the bucket to which the agent will send the logs to. +- `iam_role_id` (String) ID of the AWS IAM role that will be used to write to the S3 bucket. +- `prefix_path` (String) S3 directory in which vector will write to in order to store the logs. 
An empty string denotes the root directory. +- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access. + +**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups. + +### Optional +- `timeouts` (Attributes) (see [below for nested schema](#nestedatt--timeouts)) + +### Read-Only + +- `create_date` (String) Date and time that this feature was enabled on. +- `state` (String) Describes whether or not the feature is enabled and what status it is in. + + +### Nested Schema for `timeouts` + +Optional: + +- `create` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). +- `delete` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. +- `update` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + +# Import +Push-based log export resource can be imported using the project ID, e.g. 
+ +``` +$ terraform import mongodbatlas_push_based_log_export.test 650972848269185c55f40ca1 +``` + +For more information see: [MongoDB Atlas API - Push-Based Log Export](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Push-Based-Log-Export) Documentation.
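Review bot: The README title `# MongoDB Atlas Provider -- Cloud Provider Access Role with AWS` is left over from a different example; this directory configures push-based log export, so the heading should say so (for instance `# MongoDB Atlas Provider -- Push-Based Log Export with AWS`). Step 1 also suggests writing `access_key`, `secret_key`, `public_key` and `private_key` into `terraform.tfvars`; add a sentence that this file must not be committed (or steer readers to the environment-variable option already shown), since it would hold both the AWS and the Atlas API secrets.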
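Review bot: In aws.tf, `aws_iam_role_policy.test_policy` grants `"Action": "*"` on `"Resource": "*"`, which is full administrative access to the AWS account for a role Atlas only needs in order to write log objects into the export bucket. Scope it to the S3 actions the export needs on that single bucket (the docs example references it as `aws_s3_bucket.log_bucket`) and its objects, i.e. a `Resource` list of the bucket ARN and `"<bucket_arn>/*"`; examples like this get copied into production as-is. `max_session_duration = 43200` (12 hours) is also well above the default and should be justified or dropped. The hunk as shown breaks off after `assume_role_policy = <`, so the trust policy cannot be reviewed here; please confirm it restricts `sts:AssumeRole` to the Atlas AWS principal and the external ID provided by the cloud provider access setup, not a wildcard principal.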
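Review bot: In the data-source page, `project_id` links to `[/groups](#tag/Projects/operation/listProjects)`, a fragment anchor copied from the OpenAPI spec that resolves to nothing on the provider documentation site; point it at the full Atlas API URL (the page already links `https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Push-Based-Log-Export` at the bottom) or drop the link. The attribute descriptions also leak internal wording: `prefix_path` reads "S3 directory in which vector will write to", where "vector" is an agent name a user cannot act on, and `bucket_name` reads "to which the agent will send the logs to" (doubled "to"). Suggest "S3 prefix under which Atlas writes the exported logs; an empty string denotes the bucket root" and "Name of the S3 bucket to which Atlas sends the logs". As rendered here the page starts at `## Schema`; if the file really has no front matter or example usage, add them to match the resource page.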
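Review bot: The example under `## Example Usages` references `aws_iam_role.test_role.arn` and `aws_s3_bucket.log_bucket.bucket` but defines neither resource, so it cannot be applied as written; either add minimal `aws_iam_role` and `aws_s3_bucket` blocks or state that they come from `examples/mongodbatlas_push_based_log_export`. In the schema, `prefix_path` is listed under `### Required` while its description says "An empty string denotes the root directory", which describes an optional attribute with a default; make the schema and the description agree, and if it really is required say explicitly that `""` must be passed. `project_id` carries the same dangling `[/groups](#tag/Projects/operation/listProjects)` anchor as the data-source page. Minor: `# Import` should be `## Import` to match the other section headings on the page.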