From 5e306337b4b473bebfa85aac4a33b8e52ab8fb5b Mon Sep 17 00:00:00 2001
From: Garland Kan
Date: Thu, 20 Jan 2022 13:42:53 -0800
Subject: [PATCH] Mongo Atlas - IAM Policy (#241)
---
 .../aws/mongodb-atlas-users/main.tf | 29 ++++++++++++++++++-
 .../aws/mongodb-atlas-users/variables.tf | 6 ----
 2 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/terraform-modules/aws/mongodb-atlas-users/main.tf b/terraform-modules/aws/mongodb-atlas-users/main.tf
index 00872d4af..fecf2e600 100644
--- a/terraform-modules/aws/mongodb-atlas-users/main.tf
+++ b/terraform-modules/aws/mongodb-atlas-users/main.tf
@@ -21,7 +21,7 @@ resource "mongodbatlas_database_user" "admin" {
 }
 resource "mongodbatlas_database_user" "test" {
- username = var.iam_role_name
+ username = aws_iam_role.this.arn
 project_id = var.mongodbatlas_projectid
 auth_database_name = "$external"
 aws_iam_type = "ROLE"
@@ -72,3 +72,30 @@ resource "aws_secretsmanager_secret_version" "this" {
 secret_id = aws_secretsmanager_secret.this[0].id
 secret_string = random_password.password[0].result
 }
+
+################################################
+# AWS role
+#
+# Using Mongo Atlas IAM authentication. This would be the role that is given access to the databases.
+################################################
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_role" "this" {
+ name = "mongo-atlas-${var.cluster_name}"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": data.aws_caller_identity.current.account_id
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ })
+
+ tags = var.tags
+}
diff --git a/terraform-modules/aws/mongodb-atlas-users/variables.tf b/terraform-modules/aws/mongodb-atlas-users/variables.tf
index c4b5ece67..e52d68915 100644
--- a/terraform-modules/aws/mongodb-atlas-users/variables.tf
+++ b/terraform-modules/aws/mongodb-atlas-users/variables.tf
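Review bot: Replacing `var.iam_role_name` with `aws_iam_role.this.arn` removes the only way to bind this Atlas user to a role managed outside the module, and since the variable itself is deleted in variables.tf, any caller still passing `iam_role_name` fails at plan time with an unsupported-argument error rather than a deprecation warning. If external roles should stay supported, keep the variable and select with `username = coalesce(var.iam_role_name, aws_iam_role.this.arn)`, noting that with `aws_iam_type = "ROLE"` the value must be a full role ARN as the new line supplies, not the bare name the old variable description suggested. The resource label `test` is also misleading for what the new header comment calls "the role that is given access to the databases"; a rename to something like `iam_role` would read better, though it forces a state move. The database roles this user is granted are outside the hunk, so the actual privilege the role confers cannot be reviewed here.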
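Review bot: The trust policy's `Principal` is the bare account ID with an empty `Condition`, which lets any IAM user or role in the account that holds `sts:AssumeRole` on this role's ARN (or on `*`) assume it, and because the Atlas user in the previous hunk authenticates purely by that role ARN, this trust policy is the effective access boundary for the database. Narrow it to the identities that should reach the database, for example a `variable "trusted_principal_arns" { type = list(string) }` in variables.tf and `"AWS": var.trusted_principal_arns` in the Principal, and drop the no-op `"Condition": {}`. The `jsonencode` object mixes HCL `Version = ...` keys with JSON-style `"Effect": ...` keys; both parse, but one style throughout would be cleaner. IAM role names are capped at 64 characters, so `"mongo-atlas-${var.cluster_name}"` will fail at apply time for a long `cluster_name`, which a `validation` block on that variable would catch at plan time.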
@@ -32,12 +32,6 @@ variable "recovery_window_in_days" {
 default = 0
 }
-variable "iam_role_name" {
- type = string
- description = "The IAM Role name to assign an auth user to the DB"
- default = null
-}
-
 variable "user_password" {
 type = string
 description = "The password for the user"