diff --git a/.github_changelog_generator b/.github_changelog_generator index 0492113c4c..29056cc9e7 100644 --- a/.github_changelog_generator +++ b/.github_changelog_generator @@ -1,4 +1,4 @@ -future-release=v1.6.1 -since-tag=v1.6.0 +future-release=v1.7.0 +since-tag=v1.6.1 date-format=%B %d, %Y base=CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b96b10a4a..bedb1c465c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,34 @@ # Changelog +## [v1.7.0](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v1.7.0) (2022-12-23) + +[Full Changelog](https://github.com/mongodb/terraform-provider-mongodbatlas/compare/v1.6.1...v1.7.0) + +**Enhancements:** + +- AWS Secrets Manager (AWS SM) Authetication for Terraform Atlas Provider [\#975](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/975) - INTMDB-521 + +**Bug Fixes:** + +- Resource cloud_backup_snapshot_export_job variable name change [#976](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/976) - INTMDB-523 +- Deprecate legacy mongodbatlas.erb given Terraform Registry autogeneration [#962](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/962) - INTMDB-477 + +**Closed Issues:** + +- Terraform plan fail: Asymmetric hardware is not supported by the v1.0 API [\#958](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/958) +- Error importing ressource mongodbatlas\_network\_peering.mongo\_peer [\#906](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/906) +- \[Bug\] `container_id` is unconfigurable attribute at `mongodbatlas_advanced_cluster` resource [\#890](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/890) +- mongodbatlas\_alert\_configuration - api\_token keeps wanting to change [\#863](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/863) +- Docs - Example - Return a Connection String - Azure Private Endpoint [\#713](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/713) + +**Merged Pull Requests:** + +- Chore\(deps\): Bump github.com/gruntwork-io/terratest from 0.41.6 to 0.41.7 [\#978](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/978) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Chore\(deps\): Bump actions/stale from 6 to 7 [\#977](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/977) ([dependabot[bot]](https://github.com/apps/dependabot)) 
+- Chore\(deps\): Bump github.com/gruntwork-io/terratest from 0.41.4 to 0.41.6 [\#967](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/967) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Chore\(deps\): Bump github.com/go-test/deep from 1.0.8 to 1.1.0 [\#966](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/966) ([dependabot[bot]](https://github.com/apps/dependabot)) +- Chore\(deps\): Bump goreleaser/goreleaser-action from 3 to 4 [\#965](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/965) ([dependabot[bot]](https://github.com/apps/dependabot)) + ## [v1.6.1](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v1.6.1) (2022-12-6) [Full Changelog](https://github.com/mongodb/terraform-provider-mongodbatlas/compare/v1.6.0...v1.6.1) @@ -24,7 +53,7 @@ - Shorten test names that are too long to allow for targeting specific tests [\#932](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/932) - INTMDB-368 - Remove container_id from configurable attribute in advanced_cluster [\#931](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/931) - INTMDB-463 -**Closed issues:** +**Closed Issues:** - No documented way to get config out of third party integration [\#939](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/939) - Double checking Terraform Plan before I destroy Production [\#938](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/938) 
@@ -121,11 +150,11 @@ - INTMDB-358 - Upgrade to go1.18 [\#835](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/835) - INTMDB-391 - Doc Fix for teams.html.markdown [\#838](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/838) -**Closed issues:** +**Closed Issues:** - importing existing cluster does not populate backup status #768 [\#768](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/768) -**Merged pull requests:** +**Merged Pull Requests:** - Chore(deps): Bump github.com/gruntwork-io/terratest from 0.40.21 to 0.40.22 [\#842](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/842) ([dependabot[bot]](https://github.com/apps/dependabot)) - Rename team.html.markdown into teams.html.markdown [\#838](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/838) ([leo-ferlin-sutton](https://github.com/leo-ferlin-sutton)) 
@@ -160,13 +189,13 @@ [Full Changelog](https://github.com/mongodb/terraform-provider-mongodbatlas/compare/v1.4.3...v1.4.4-pre.1) -**Closed issues:** +**Closed Issues:** - Unable to update members in an existing "mongodbatlas\_teams" as the provider attempts to remove all users first [\#790](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/790) - Please elaborate how to acquire PROJECTID and PEERINGID and PROVIDERNAME for import of network peering [\#789](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/789) - error: error reading cloud provider access cloud provider access role not found in mongodbatlas, please create it first [\#781](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/781) -**Merged pull requests:** +**Merged Pull Requests:** - Update CONTRIBUTING.md [\#798](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/798) ([themantissa](https://github.com/themantissa)) - Fix federated\_settings\_identity\_provider attribute name [\#791](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/791) ([florenp](https://github.com/florenp)) @@ -207,7 +236,7 @@ [Full Changelog](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v1.3.1...v1.4.0) -**Closed issues:** +**Closed Issues:** Note: the binary executable for windows/arm64 is not available for this release. Next release will include. - Fix for Add support for cloud export backup to mongodbatlas_cloud_backup_schedule [\#740](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/740) 
@@ -220,7 +249,7 @@ Note: the binary executable for windows/arm64 is not available for this release. - Fix for Cannot import export bucket - bad state id encoding [\#708](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/708) - Error missing expected { when updating the provider [\#697](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/697) -**Merged pull requests:** +**Merged Pull Requests:** - INTMDB-321: Add support for cloud export backup to mongodbatlas_cloud_backup_schedule [\#740](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/740) ([martinstibbe](https://github.com/martinstibbe)) - INTMDB-313: Update the project resource with new settings [\#741](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/741) ([martinstibbe](https://github.com/martinstibbe)) @@ -235,7 +264,7 @@ Note: the binary executable for windows/arm64 is not available for this release. [Full Changelog](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v1.3.1...v1.4.0-pre.1) -**Closed issues:** +**Closed Issues:** Note: the binary executable for windows/arm64 is not available for this release. Next release will include. - Fix for Add support for cloud export backup to mongodbatlas_cloud_backup_schedule [\#740](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/740) 
@@ -248,7 +277,7 @@ Note: the binary executable for windows/arm64 is not available for this release. - Fix for Cannot import export bucket - bad state id encoding [\#708](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/708) - Error missing expected { when updating the provider [\#697](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/697) -**Merged pull requests:** +**Merged Pull Requests:** - INTMDB-321: Add support for cloud export backup to mongodbatlas_cloud_backup_schedule [\#740](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/740) ([martinstibbe](https://github.com/martinstibbe)) - INTMDB-313: Update the project resource with new settings [\#741](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/741) ([martinstibbe](https://github.com/martinstibbe)) ([martinstibbe](https://github.com/martinstibbe)) diff --git a/go.mod b/go.mod index eb6e51b327..554e240f7e 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/mwielbut/pointy v1.1.0 github.com/spf13/cast v1.5.0 github.com/terraform-providers/terraform-provider-aws v1.60.1-0.20210625132053-af2d5c0ad54f - go.mongodb.org/atlas v0.18.1-0.20221109142841-f9f8ebe7b9b9 + go.mongodb.org/atlas v0.19.0 go.mongodb.org/realm v0.1.0 ) diff --git a/go.sum b/go.sum index 234ae42a33..103fa1981f 100644 --- a/go.sum +++ b/go.sum 
@@ -921,6 +921,8 @@ go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6y go.mongodb.org/atlas v0.12.0/go.mod h1:wVCnHcm/7/IfTjEB6K8K35PLG70yGz8BdkRwX0oK9/M= go.mongodb.org/atlas v0.18.1-0.20221109142841-f9f8ebe7b9b9 h1:9m35o4kyRYjwbsIb/lPrjxJ6afPpn9zwOF5i3SIY5Lg= go.mongodb.org/atlas v0.18.1-0.20221109142841-f9f8ebe7b9b9/go.mod h1:PFk1IGhiGjFXHGVspOK7i1U2nnPjK8wAjYwQf6FoVf4= +go.mongodb.org/atlas v0.19.0 h1:gvezG9d0KsSDaExEdTtcGqZHRvvVazzuEcBUpBXxmlg= +go.mongodb.org/atlas v0.19.0/go.mod h1:PFk1IGhiGjFXHGVspOK7i1U2nnPjK8wAjYwQf6FoVf4= go.mongodb.org/realm v0.1.0 h1:zJiXyLaZrznQ+Pz947ziSrDKUep39DO4SfA0Fzx8M4M= go.mongodb.org/realm v0.1.0/go.mod h1:4Vj6iy+Puo1TDERcoh4XZ+pjtwbOzPpzqy3Cwe8ZmDM= go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= diff --git a/mongodbatlas/config.go b/mongodbatlas/config.go index dcf7ad0900..97327963bb 100644 --- a/mongodbatlas/config.go +++ b/mongodbatlas/config.go @@ -20,6 +20,7 @@ type Config struct { PrivateKey string BaseURL string RealmBaseURL string + AssumeRole *AssumeRole } // MongoDBClient client diff --git a/mongodbatlas/data_source_mongodbatlas_cloud_backup_snapshot_export_job.go b/mongodbatlas/data_source_mongodbatlas_cloud_backup_snapshot_export_job.go index ea91930962..65f6473eae 100644 --- a/mongodbatlas/data_source_mongodbatlas_cloud_backup_snapshot_export_job.go +++ b/mongodbatlas/data_source_mongodbatlas_cloud_backup_snapshot_export_job.go 
@@ -104,9 +104,9 @@ func dataSourceMongoDBAtlasCloudBackupSnapshotsExportJobRead(ctx context.Context ids := decodeStateID(d.Id()) projectID := ids["project_id"] clusterName := ids["cluster_name"] - exportJobID := ids["export_job_id"] + exportID := ids["export_job_id"] - exportJob, _, err := conn.CloudProviderSnapshotExportJobs.Get(ctx, projectID, clusterName, exportJobID) + exportJob, _, err := conn.CloudProviderSnapshotExportJobs.Get(ctx, projectID, clusterName, exportID) if err != nil { return diag.Errorf("error getting snapshot export job information: %s", err) } diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go index 2d144e20f7..0ea70465c3 100644 --- a/mongodbatlas/provider.go +++ b/mongodbatlas/provider.go @@ -3,17 +3,28 @@ package mongodbatlas import ( "context" "encoding/base64" + "encoding/json" "fmt" "hash/crc32" "log" "os" "reflect" + "regexp" "sort" "strconv" "strings" - + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/endpoints" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/secretsmanager" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/mwielbut/pointy" "github.com/spf13/cast" matlas "go.mongodb.org/atlas/mongodbatlas" @@ -24,6 +35,11 @@ var ( baseURL = "" ) +type SecretData struct { + PublicKey string `json:"public_key"` + PrivateKey string `json:"private_key"` +} + // Provider returns the provider to be use by the code. func Provider() *schema.Provider { provider := &schema.Provider{ 
@@ -67,6 +83,51 @@ func Provider() *schema.Provider { Optional: true, Description: "MongoDB Atlas Base URL default to gov", }, + "assume_role": assumeRoleSchema(), + "secret_name": { + Type: schema.TypeString, + Optional: true, + }, + "region": { + Type: schema.TypeString, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{ + "AWS_REGION", + "TF_VAR_AWS_REGION", + }, ""), + Optional: true, + }, + "sts_endpoint": { + Type: schema.TypeString, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{ + "STS_ENDPOINT", + "TF_VAR_STS_ENDPOINT", + }, ""), + Optional: true, + }, + "aws_access_key_id": { + Type: schema.TypeString, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{ + "AWS_ACCESS_KEY_ID", + "TF_VAR_AWS_ACCESS_KEY_ID", + }, ""), + Optional: true, + }, + "aws_secret_access_key": { + Type: schema.TypeString, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{ + "AWS_SECRET_ACCESS_KEY", + "TF_VAR_AWS_SECRET_ACCESS_KEY", + }, ""), + Optional: true, + }, + "aws_session_token": { + Type: schema.TypeString, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{ + "AWS_SESSION_TOKEN", + "TF_VAR_AWS_SESSION_TOKEN", + }, ""), + Optional: true, + }, }, DataSourcesMap: getDataSourcesMap(), ResourcesMap: getResourcesMap(), 
@@ -226,9 +287,79 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{} RealmBaseURL: d.Get("realm_base_url").(string), } + if v, ok := d.GetOk("assume_role"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil { + config.AssumeRole = expandAssumeRole(v.([]interface{})[0].(map[string]interface{})) + secret := d.Get("secret_name").(string) + region := d.Get("region").(string) + awsAccessKeyID := d.Get("aws_access_key_id").(string) + awsSecretAccessKey := d.Get("aws_secret_access_key").(string) + awsSessionToken := d.Get("aws_session_token").(string) + endpoint := d.Get("sts_endpoint").(string) + config, _ = configureCredentialsSTS(&config, secret, region, awsAccessKeyID, awsSecretAccessKey, awsSessionToken, endpoint) + } + return config.NewClient(ctx) } +func configureCredentialsSTS(config *Config, secret, region, awsAccessKeyID, awsSecretAccessKey, awsSessionToken, endpoint string) (Config, error) { + ep, _ := endpoints.GetSTSRegionalEndpoint("regional") + sess := session.Must(session.NewSession(&aws.Config{ + Region: aws.String(region), + Credentials: credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, awsSessionToken), + STSRegionalEndpoint: ep, + Endpoint: &endpoint, + })) + + creds := stscreds.NewCredentials(sess, config.AssumeRole.RoleARN) + + _, _ = sess.Config.Credentials.Get() + _, _ = creds.Get() + secretString := secretsManagerGetSecretValue(sess, &aws.Config{Credentials: creds, Region: aws.String(region)}, secret) + + var secretData SecretData + err := json.Unmarshal([]byte(secretString), &secretData) + if err != nil { + return *config, nil + } + config.PublicKey = secretData.PublicKey + config.PrivateKey = secretData.PrivateKey + return *config, nil +} + +func secretsManagerGetSecretValue(sess *session.Session, creds *aws.Config, secret string) string { + svc := secretsmanager.New(sess, creds) + input := &secretsmanager.GetSecretValueInput{ + SecretId: aws.String(secret), + VersionStage: 
aws.String("AWSCURRENT"), + } + + result, err := svc.GetSecretValue(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case secretsmanager.ErrCodeResourceNotFoundException: + fmt.Println(secretsmanager.ErrCodeResourceNotFoundException, aerr.Error()) + case secretsmanager.ErrCodeInvalidParameterException: + fmt.Println(secretsmanager.ErrCodeInvalidParameterException, aerr.Error()) + case secretsmanager.ErrCodeInvalidRequestException: + fmt.Println(secretsmanager.ErrCodeInvalidRequestException, aerr.Error()) + case secretsmanager.ErrCodeDecryptionFailure: + fmt.Println(secretsmanager.ErrCodeDecryptionFailure, aerr.Error()) + case secretsmanager.ErrCodeInternalServiceError: + fmt.Println(secretsmanager.ErrCodeInternalServiceError, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + fmt.Println(err.Error()) + } + return "" + } + + fmt.Println(result) + return *result.SecretString +} + func encodeStateID(values map[string]string) string { encode := func(e string) string { return base64.StdEncoding.EncodeToString([]byte(e)) } encodedValues := make([]string, 0) 
@@ -391,3 +522,167 @@ func HashCodeString(s string) int { // v == MinInt return 0 } + +// assumeRoleSchema From aws provider.go +func assumeRoleSchema() *schema.Schema { + return &schema.Schema{ + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "duration": { + Type: schema.TypeString, + Optional: true, + Description: "The duration, between 15 minutes and 12 hours, of the role session. Valid time units are ns, us (or µs), ms, s, h, or m.", + ValidateFunc: validAssumeRoleDuration, + ConflictsWith: []string{"assume_role.0.duration_seconds"}, + }, + "duration_seconds": { + Type: schema.TypeInt, + Optional: true, + Deprecated: "Use assume_role.duration instead", + Description: "The duration, in seconds, of the role session.", + ValidateFunc: validation.IntBetween(900, 43200), + ConflictsWith: []string{"assume_role.0.duration"}, + }, + "external_id": { + Type: schema.TypeString, + Optional: true, + Description: "A unique identifier that might be required when you assume a role in another account.", + ValidateFunc: validation.All( + validation.StringLenBetween(2, 1224), + validation.StringMatch(regexp.MustCompile(`[\w+=,.@:/\-]*`), ""), + ), + }, + "policy": { + Type: schema.TypeString, + Optional: true, + Description: "IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.", + ValidateFunc: validation.StringIsJSON, + }, + "policy_arns": { + Type: schema.TypeSet, + Optional: true, + Description: "Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "role_arn": { + Type: schema.TypeString, + Optional: true, + Description: "Amazon Resource Name (ARN) of an IAM Role to assume prior to making API calls.", + }, + "session_name": { + Type: schema.TypeString, + Optional: true, + Description: "An identifier for the assumed role session.", + 
ValidateFunc: validAssumeRoleSessionName, + }, + "source_identity": { + Type: schema.TypeString, + Optional: true, + Description: "Source identity specified by the principal assuming the role.", + ValidateFunc: validAssumeRoleSourceIdentity, + }, + "tags": { + Type: schema.TypeMap, + Optional: true, + Description: "Assume role session tags.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "transitive_tag_keys": { + Type: schema.TypeSet, + Optional: true, + Description: "Assume role session tag keys to pass to any subsequent sessions.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + }, + }, + } +} + +var validAssumeRoleSessionName = validation.All( + validation.StringLenBetween(2, 64), + validation.StringMatch(regexp.MustCompile(`[\w+=,.@\-]*`), ""), +) + +var validAssumeRoleSourceIdentity = validation.All( + validation.StringLenBetween(2, 64), + validation.StringMatch(regexp.MustCompile(`[\w+=,.@\-]*`), ""), +) + +// validAssumeRoleDuration validates a string can be parsed as a valid time.Duration +// and is within a minimum of 15 minutes and maximum of 12 hours +func validAssumeRoleDuration(v interface{}, k string) (ws []string, errors []error) { + duration, err := time.ParseDuration(v.(string)) + + if err != nil { + errors = append(errors, fmt.Errorf("%q cannot be parsed as a duration: %w", k, err)) + return + } + + if duration.Minutes() < 15 || duration.Hours() > 12 { + errors = append(errors, fmt.Errorf("duration %q must be between 15 minutes (15m) and 12 hours (12h), inclusive", k)) + } + + return +} + +type AssumeRole struct { + RoleARN string + Duration time.Duration + ExternalID string + Policy string + PolicyARNs []string + SessionName string + SourceIdentity string + Tags map[string]string + TransitiveTagKeys []string +} + +func expandAssumeRole(tfMap map[string]interface{}) *AssumeRole { + if tfMap == nil { + return nil + } + + assumeRole := AssumeRole{} + + if v, ok := tfMap["duration"].(string); ok && v != "" { + duration, _ := 
time.ParseDuration(v) + assumeRole.Duration = duration + } else if v, ok := tfMap["duration_seconds"].(int); ok && v != 0 { + assumeRole.Duration = time.Duration(v) * time.Second + } + + if v, ok := tfMap["external_id"].(string); ok && v != "" { + assumeRole.ExternalID = v + } + + if v, ok := tfMap["policy"].(string); ok && v != "" { + assumeRole.Policy = v + } + + if v, ok := tfMap["policy_arns"].(*schema.Set); ok && v.Len() > 0 { + assumeRole.PolicyARNs = expandStringList(v.List()) + } + + if v, ok := tfMap["role_arn"].(string); ok && v != "" { + assumeRole.RoleARN = v + } + + if v, ok := tfMap["session_name"].(string); ok && v != "" { + assumeRole.SessionName = v + } + + if v, ok := tfMap["source_identity"].(string); ok && v != "" { + assumeRole.SourceIdentity = v + } + + if v, ok := tfMap["transitive_tag_keys"].(*schema.Set); ok && v.Len() > 0 { + assumeRole.TransitiveTagKeys = expandStringList(v.List()) + } + + return &assumeRole +} diff --git a/mongodbatlas/resource_mongodbatlas_cloud_backup_snapshot_export_job.go b/mongodbatlas/resource_mongodbatlas_cloud_backup_snapshot_export_job.go index e0652ac408..1d3f3bda8e 100644 --- a/mongodbatlas/resource_mongodbatlas_cloud_backup_snapshot_export_job.go +++ b/mongodbatlas/resource_mongodbatlas_cloud_backup_snapshot_export_job.go @@ -124,9 +124,9 @@ func resourceMongoDBAtlasCloudBackupSnapshotExportJobRead(ctx context.Context, d ids := decodeStateID(d.Id()) projectID := ids["project_id"] clusterName := ids["cluster_name"] - exportJobID := ids["export_job_id"] + exportID := ids["export_job_id"] - exportJob, _, err := conn.CloudProviderSnapshotExportJobs.Get(ctx, projectID, clusterName, exportJobID) + exportJob, _, err := conn.CloudProviderSnapshotExportJobs.Get(ctx, projectID, clusterName, exportID) if err != nil { // case 404 // deleted in the backend case 
@@ -278,17 +278,17 @@ func resourceMongoDBAtlasCloudBackupSnapshotExportJobImportState(ctx context.Con projectID := parts[0] clusterName := parts[1] - exportJobID := parts[2] + exportID := parts[2] - _, _, err := conn.CloudProviderSnapshotExportJobs.Get(ctx, projectID, clusterName, exportJobID) + _, _, err := conn.CloudProviderSnapshotExportJobs.Get(ctx, projectID, clusterName, exportID) if err != nil { - return nil, fmt.Errorf("couldn't import snapshot export job %s in project %s and cluster %s, error: %s", exportJobID, projectID, clusterName, err) + return nil, fmt.Errorf("couldn't import snapshot export job %s in project %s and cluster %s, error: %s", exportID, projectID, clusterName, err) } d.SetId(encodeStateID(map[string]string{ "project_id": projectID, "cluster_name": clusterName, - "export_job_id": exportJobID, + "export_job_id": exportID, })) return []*schema.ResourceData{d}, nil diff --git a/website/docs/guides/1.7.0-upgrade-guide.html.markdown b/website/docs/guides/1.7.0-upgrade-guide.html.markdown new file mode 100644 index 0000000000..1526910f07 --- /dev/null +++ b/website/docs/guides/1.7.0-upgrade-guide.html.markdown 
@@ -0,0 +1,26 @@ +--- +layout: "mongodbatlas" +page_title: "MongoDB Atlas Provider 1.7.0: Upgrade and Information Guide" +sidebar_current: "docs-mongodbatlas-guides-170-upgrade-guide" +description: |- +MongoDB Atlas Provider 1.7.0: Upgrade and Information Guide +--- + +# MongoDB Atlas Provider 1.7.0: Upgrade and Information Guide + +The Terraform MongoDB Atlas Provider version 1.7.0 has one main new and exciting feature. + +New Features: +* You can now [`authenticate with AWS Secrets Manager (AWS SM)`](https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/website/docs/index.html.markdown#aws-secrets-manager) + + +See the [CHANGELOG](https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/CHANGELOG.md) for more details. + + +### Helpful Links + +* [Report bugs](https://github.com/mongodb/terraform-provider-mongodbatlas/issues) + +* [Request Features](https://feedback.mongodb.com/forums/924145-atlas?category_id=370723) + +* [Contact Support](https://docs.atlas.mongodb.com/support/) covered by MongoDB Atlas support plans, Developer and above. diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index 64ad25efe3..e27c6a0e7f 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown 
@@ -33,6 +33,8 @@ The [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/tutorial/manage **Role**: If unsure of which role level to grant your key, we suggest creating an organization API Key with an Organization Owner role. This ensures that you have sufficient access for all actions. +**API Key Access List**: Some Atlas API resources such as Cloud Backup Restores, Cloud Backup Snapshots, and Cloud Backup Schedules **require** an Atlas API Key Access List to utilize these feature. Hence, if using Terraform, or any other programmatic control, to manage these resources you must have the IP address or CIDR block that the connection is coming from added to the Atlas API Key Access List of the Atlas API key you are using. See [Resources that require API Key List](https://www.mongodb.com/docs/atlas/configure-api-access/#use-api-resources-that-require-an-access-list) + ## Configure MongoDB Atlas for Government In order to enable the Terraform MongoDB Atlas Provider for use with MongoDB Atlas for Government add is_mongodbgov_cloud = true to your provider configuration: @@ -47,7 +49,6 @@ provider "mongodbatlas" { ``` Also see [`Atlas for Government Considerations`](https://www.mongodb.com/docs/atlas/government/api/#atlas-for-government-considerations). -**API Key Access List**: Some Atlas API resources such as Cloud Backup Restores, Cloud Backup Snapshots, and Cloud Backup Schedules **require** an Atlas API Key Access List to utilize these feature. Hence, if using Terraform, or any other programmatic control, to manage these resources you must have the IP address or CIDR block that the connection is coming from added to the Atlas API Key Access List of the Atlas API key you are using. See [Resources that require API Key List](https://www.mongodb.com/docs/atlas/configure-api-access/#use-api-resources-that-require-an-access-list) ## Authenticate the Provider The MongoDB Atlas provider offers a flexible means of providing credentials for authentication. 
@@ -75,6 +76,34 @@ As an alternative to `MONGODB_ATLAS_PUBLIC_KEY` and `MONGODB_ATLAS_PRIVATE_KEY` if you are using [MongoDB CLI](https://docs.mongodb.com/mongocli/stable/) then `MCLI_PUBLIC_API_KEY` and `MCLI_PRIVATE_API_KEY` are also supported. +### AWS Secrets Manager +AWS Secrets Manager (AWS SM) helps to manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycles. See [product page](https://aws.amazon.com/secrets-manager/) and [documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) for more details. + +In order to enable the Terraform MongoDB Atlas Provider to use AWS SM, first create Atlas API Keys and add them as a secret to AWS SM with a basic key with a raw value. See below example: +``` + { + "public_key": "iepubky", + "private_key":"prvkey" + } +``` + +Next, add assume_role block with `role_arn`, `secret_name`, and AWS `region` to match the AWS region where secret is stored with AWS SM. See below example: +```terraform +# Configure the MongoDB Atlas Provider to Authenticate with AWS Secrets Manager +provider "mongodbatlas" { + assume_role { + role_arn = "arn:aws:iam::476xxx451:role/mdbsts" + } + secret_name = "mongodbsecret" + aws_access_key_id = "ASIXXBNEK" + aws_secret_access_key = "ZUZgVb8XYZWEXXEDURGFHFc5Au" + aws_session_token = "IQoXX3+Q=" + region = "us-east-2" + sts_endpoint = "https://sts.us-east-2.amazonaws.com/" +} +``` +Note: `aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `region` can also be passed in using environment variables i.e. aws_access_key_id will accept AWS_ACCESS_KEY_ID and TF_VAR_AWS_ACCESS_KEY_ID as a default value in place of value in a terraform file variable. + ### Static Credentials Static credentials can be provided by adding the following attributes in-line in the MongoDB Atlas provider block, 
diff --git a/website/mongodbatlas.erb b/website/mongodbatlas.erb deleted file mode 100644 index 2ca0c028e3..0000000000 --- a/website/mongodbatlas.erb +++ /dev/null @@ -1,243 +0,0 @@ -<% wrap_layout :inner do %> - <% content_for :sidebar do %> -
- <% end %> - - <%= yield %> -<% end %>
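Review bot: in the CHANGELOG hunk (`@@ -1,5 +1,34 @@`) the v1.7.0 Enhancements entry misspells "Authetication"; it should read "AWS Secrets Manager (AWS SM) Authentication for Terraform Atlas Provider". The two Bug Fixes entries also write `[#976]` and `[#962]` without the backslash escape the rest of the file uses (`[\#975]`); harmless when rendered, but worth matching since the file is generated and the next run will re-escape them.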
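Review bot: the go.sum hunk (`@@ -921,6 +921,8 @@`) adds the v0.19.0 lines next to the `v0.18.1-0.20221109142841-f9f8ebe7b9b9` entries that go.mod no longer references after the bump in the preceding go.mod hunk; running `go mod tidy` would drop the superseded pseudo-version lines so go.sum does not keep accumulating stale hashes.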
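Review bot: in the provider schema hunk (`@@ -67,6 +83,51 @@`) the new `aws_secret_access_key` and `aws_session_token` attributes (and arguably `aws_access_key_id`) are declared without `Sensitive: true`, so nothing flags them for redaction in diagnostics and provider logging; add `Sensitive: true` to both. `secret_name`, `region` and `sts_endpoint` also have no `Description`, unlike the surrounding attributes (`realm_base_url` just above has one), and neither the schema nor the later `providerConfigure` change says that `secret_name` is only read when an `assume_role` block is present, so a user who sets `secret_name` on its own falls through silently to the static-key path. The `TF_VAR_*` names in each `MultiEnvDefaultFunc` deserve a comment as well: `TF_VAR_` is Terraform's prefix for input variables, not for provider-attribute defaults, so readers will wonder why they are honoured here.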
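Review bot: `fmt.Println(result)` at the end of `secretsManagerGetSecretValue` (hunk `@@ -226,9 +287,79 @@`) prints the whole `GetSecretValueOutput`, whose `SecretString` is the Atlas public/private key pair, to the provider's stdout on every provider initialisation, so the credential this feature exists to keep out of config files lands in terminal scrollback and CI logs; remove that line, and replace the `fmt.Println` branches of the error switch with a returned error (the function currently returns `""` on failure and the caller cannot distinguish that from an empty secret). `*result.SecretString` is also dereferenced without a nil check: a secret stored as binary has `SecretBinary` set and `SecretString == nil`, which panics here. The callers have the same shape of problem: `configureCredentialsSTS` returns `*config, nil` even when `json.Unmarshal` fails, `_, _ = sess.Config.Credentials.Get()` and `_, _ = creds.Get()` discard the STS result, and `providerConfigure` does `config, _ = configureCredentialsSTS(...)`, so a failed AssumeRole, a missing secret, or a malformed secret value all fall through to `config.NewClient(ctx)` with empty keys and surface later as an opaque Atlas authentication failure; return a `diag.Errorf` at each step instead. Two further logic gaps in the same hunk: `stscreds.NewCredentials(sess, config.AssumeRole.RoleARN)` passes only the ARN, so the `external_id`, `duration`, `session_name`, `policy`, `policy_arns`, `source_identity` and `transitive_tag_keys` values that `expandAssumeRole` populates are never sent to STS (the `external_id` case matters most, since it is the cross-account confused-deputy control the schema description promises); pass them through the options callback, e.g. `stscreds.NewCredentials(sess, arn, func(p *stscreds.AssumeRoleProvider) { if id != "" { p.ExternalID = aws.String(id) }; p.Duration = d; p.RoleSessionName = name })`. And `Endpoint: &endpoint` is set on the shared session, which the `secretsmanager.New(sess, creds)` client inherits, so when `sts_endpoint` is configured (the docs example sets it to the STS host) the `GetSecretValue` call is sent to that endpoint too; scope the override to the STS client (for example `stscreds.NewCredentialsWithClient(sts.New(sess, &aws.Config{Endpoint: aws.String(endpoint)}), arn)` on a session without a global `Endpoint`) and only set it when the string is non-empty.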
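Review bot: the `StringMatch` validators in the `@@ -391,3 +522,167 @@` hunk are unanchored and use `*`, so `[\w+=,.@:/\-]*` (external_id) and `[\w+=,.@\-]*` (session_name, source_identity) match the empty substring of any input and reject nothing; anchor them (`^[\w+=,.@\-]*$`) so the allowed-character rule actually applies. In the same hunk, `tags` is declared in the schema but `expandAssumeRole` never reads `tfMap["tags"]`, so `AssumeRole.Tags` is always nil; `validAssumeRoleDuration` formats the key `k` into the `duration %q must be between ...` message, so the user is shown the attribute path rather than the rejected value (include `v` as well); and `duration, _ := time.ParseDuration(v)` drops a parse error, which is only safe because `validAssumeRoleDuration` has already run, so a comment saying so would help. The `// assumeRoleSchema From aws provider.go` comment should name the upstream file and commit it was copied from, so the two can be diffed when the AWS provider changes its validation rules.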
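Review bot: in the docs hunk `@@ -75,6 +76,34 @@`, the link labelled "documentation" points at the Systems Manager user guide (`.../systems-manager/latest/userguide/what-is-systems-manager.html`), not at AWS Secrets Manager; it should point at the Secrets Manager user guide. The provider example hardcodes `aws_access_key_id`, `aws_secret_access_key` and `aws_session_token` as literals in the `.tf` file, which puts AWS credentials into version control, the very thing fetching the Atlas keys from Secrets Manager is meant to avoid; lead with the environment-variable form that the note at the end of the section describes, mark the literal values as placeholders, and state explicitly that `secret_name` only takes effect alongside an `assume_role` block. The raw-secret example uses an untagged fence; tag it as json and add the space after `"private_key":` so it matches the first key. Finally, the `aws_session_token` line implies temporary credentials are expected: if long-lived keys without a session token are supported, say so; if not, say it is required.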