From ed828493b3bfa8f7eca6b5ffed9d173e5c07d968 Mon Sep 17 00:00:00 2001
From: mybarretto
Date: Thu, 10 Feb 2022 10:23:14 -0800
Subject: [PATCH] Adding an optional custom user for Mongo Atlas (#249)
---
 .../aws/mongodb-atlas-users/main.tf | 41 ++++++++++++++++-
 .../aws/mongodb-atlas-users/variables.tf | 45 +++++++++++++++++++
 2 files changed, 85 insertions(+), 1 deletion(-)
diff --git a/terraform-modules/aws/mongodb-atlas-users/main.tf b/terraform-modules/aws/mongodb-atlas-users/main.tf
index fecf2e600..ed30f772a 100644
--- a/terraform-modules/aws/mongodb-atlas-users/main.tf
+++ b/terraform-modules/aws/mongodb-atlas-users/main.tf
@@ -20,7 +20,12 @@ resource "mongodbatlas_database_user" "admin" {
 }
 }
-resource "mongodbatlas_database_user" "test" {
+# This user is created from an AWS IAM Role, which is also provisioned by this module
+# (see the "AWS Role" section at the end of this file)
+# Due to limitations of current MongoDB drivers (see https://jira.mongodb.org/browse/DRIVERS-2011)
+# this setup doesn't work as intended as of 2022-02-09, but it is expected to work once
+# the MongoDB drivers are updated.
+resource "mongodbatlas_database_user" "app_user" {
 username = aws_iam_role.this.arn
 project_id = var.mongodbatlas_projectid
 auth_database_name = "$external"
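Review bot: Renaming the resource from `test` to `app_user` changes its state address, so an existing deployment will plan a destroy of `mongodbatlas_database_user.test` and a create of `mongodbatlas_database_user.app_user`, i.e. the IAM-role-backed database user is dropped and recreated rather than kept. If the module targets Terraform 1.1 or later, a `moved` block with `from = mongodbatlas_database_user.test` and `to = mongodbatlas_database_user.app_user` keeps the existing user in state; otherwise the upgrade step (`terraform state mv`) belongs in the module's changelog or in the new header comment. The header comment could also state what "doesn't work as intended" means for operators, so they know whether anything may rely on this user today. The resource body continues past the end of the hunk.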
@@ -42,6 +47,40 @@ resource "mongodbatlas_database_user" "test" {
 }
 }
+# This additional user can be customized with any given AWS IAM Role
+# This can be useful when there is the need to use a Role that was created elsewhere
+resource "mongodbatlas_database_user" "custom_user" {
+ count = var.create_custom_user ? 1 : 0
+ username = var.custom_user_iam_role
+ project_id = var.mongodbatlas_projectid
+ auth_database_name = "$external"
+ aws_iam_type = "ROLE"
+
+ dynamic "roles" {
+ for_each = var.custom_user_roles
+ content {
+ role_name = roles.value["role_name"]
+ database_name = roles.value["database_name"]
+ }
+ }
+
+ dynamic "labels" {
+ for_each = var.custom_user_labels
+ content {
+ key = labels.value["key"]
+ value = labels.value["value"]
+ }
+ }
+
+ dynamic "scopes" {
+ for_each = var.custom_user_scopes
+ content {
+ name = scopes.value["name"]
+ type = scopes.value["type"]
+ }
+ }
+}
+
 ################################################
 # AWS Secret #
diff --git a/terraform-modules/aws/mongodb-atlas-users/variables.tf b/terraform-modules/aws/mongodb-atlas-users/variables.tf
index e52d68915..d25e12be6 100644
--- a/terraform-modules/aws/mongodb-atlas-users/variables.tf
+++ b/terraform-modules/aws/mongodb-atlas-users/variables.tf
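Review bot: `custom_user` is created whenever `var.create_custom_user` is true, but `var.custom_user_iam_role` defaults to `null`, so `create_custom_user = true` without a role reaches the provider as `username = null` and presumably fails with a generic required-attribute error rather than a message naming the missing input. Variable `validation` blocks cannot reference another variable, so one option is to tie the count to the role itself, `count = var.create_custom_user && var.custom_user_iam_role != null ? 1 : 0`, accepting that this silently skips creation; if the module's Terraform version supports a lifecycle `precondition`, failing loudly there is preferable. The leading comment should also say that, because the role is provisioned elsewhere, its trust policy rather than this module decides which principals can assume it and thereby reach the database, e.g. `# Access is granted to whatever can assume this role; review its trust policy together with this user.` The `}` lines at the top of the hunk close a resource whose body starts outside it.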
@@ -48,3 +48,48 @@ variable "database_username" {
 type = string
 default = "admin"
 }
+
+variable "create_custom_user" {
+ type = bool
+ description = "To create a custom user or not"
+ default = false
+}
+
+variable "custom_user_iam_role" {
+ type = string
+ description = "The AWS IAM Role of the custom user"
+ default = null
+}
+
+variable "custom_user_roles" {
+ type = list(any)
+ description = "A list mapping roles to databases for the custom user"
+ default = [
+ {
+ role_name = "readWriteAnyDatabase"
+ database_name = "admin"
+ }
+ ]
+}
+
+variable "custom_user_labels" {
+ type = list(any)
+ description = "A list of key-value pairs for tagging the custom user"
+ default = [
+ {
+ key = "%s"
+ value = "%s"
+ }
+ ]
+}
+
+variable "custom_user_scopes" {
+ type = list(any)
+ description = "A list of clusters and data lakes the custom user"
+ default = [
+ {
+ name = "my_cluster"
+ type = "CLUSTER"
+ }
+ ]
+}
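Review bot: The defaults for `custom_user_labels` and `custom_user_scopes` are placeholders that are applied literally: a caller who sets only `create_custom_user` and `custom_user_iam_role` gets a user labelled `%s = %s` and scoped to a cluster named `my_cluster`, which presumably does not exist in the project. Both defaults should be `[]` so callers opt in explicitly, with the `custom_user_scopes` description noting what an empty list means for cluster access. The `custom_user_roles` default of `readWriteAnyDatabase` on `admin` grants read/write to every database to a role created outside this module; a narrower default, or no default so the caller must state the grant, is the safer baseline, and `type = list(any)` could become `list(object({ role_name = string, database_name = string }))` so a mistyped key fails at plan time instead of inside the `dynamic` blocks. The `custom_user_scopes` description is missing a word: `"A list of clusters and data lakes for the custom user"`.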