AWS IAM Role Access
In MongoDB Atlas you may at some stage wish to use a cloud provider, for example to store files in S3 or to encrypt data at rest.
MongoDB Atlas allows you to configure a Cloud Provider Access role and authorize that role so Atlas can use it later as a service.
In this article we use Terraform to:
1) Create the Cloud Service in MongoDB Atlas
2) Get the external ID from Atlas and use it, together with the Atlas account, as the trusted principal in the trust policy of a role in your own AWS account.
3) Authorize the role with Atlas as the role it will assume.
https://github.com/nareshmaharaj-consultant/atlas_cloud_provider_terraform
Use the following files:
variables.tf
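variable "mongodb_atlas_api_pub_key" {
  type        = string
  description = "MongoDB Atlas programmatic API public key"
  # No default on purpose: the key pair is account-specific, so supply it per
  # environment (TF_VAR_mongodb_atlas_api_pub_key or a *.tfvars file kept out
  # of version control) instead of committing a hard-coded key to variables.tf.
}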
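variable "mongodb_atlas_api_pri_key" {
  type        = string
  description = "MongoDB Atlas programmatic API private key"
  # Marked sensitive so the value is redacted from plan/apply output
  # (requires Terraform >= 0.14). It is still written to state, so protect
  # the state backend accordingly.
  sensitive = true
  # No default: the previous placeholder string would have been sent to Atlas
  # as a credential and failed with a confusing auth error. Without a default
  # Terraform prompts for it, or reads TF_VAR_mongodb_atlas_api_pri_key / a
  # *.tfvars file that is kept out of version control.
}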
variable "mongodb_atlas_project_id" {
  # Atlas project in which the cloud provider access role is created.
  description = "ID of the MongoDB Atlas project"
  type        = string
  default     = "60ab6ed5fb4a1f43c4950e71"
}
variable "atlas_project_name" {
  # Human-readable project name; only used to build the IAM role name.
  default     = "my-atlas"
  description = "Name of the Atlas project the role is associated with"
  type        = string
}
variable "account_name" {
  # Prefix for the IAM role name and its Name tag.
  default     = "naresh.maharaj"
  description = "Name of the AWS account. Used as a name prefix"
  type        = string
}
variable "tags" {
  # Merged into the IAM role's tags; the Name tag is always set by the role itself.
  default     = {}
  description = "Key/value pairs of additional information attached to resources"
  type        = map(string)
}
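variable "atlas_aws_root_account_id" {
  # Kept as a string: AWS account ids are 12-digit identifiers, and a `number`
  # type would silently drop leading zeros when interpolated into an ARN.
  type        = string
  description = "AWS account id of the Atlas root account that assumes the role (12 digits)"
  default     = "536727724300"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.atlas_aws_root_account_id))
    error_message = "The atlas_aws_root_account_id must be a 12-digit AWS account id."
  }
}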
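variable "aws_root_account_id" {
  # Kept as a string: AWS account ids are 12-digit identifiers, and a `number`
  # type would silently drop leading zeros when interpolated into an ARN.
  type = string
  # Description corrected: this is your own account (where the IAM role lives),
  # not the Atlas account.
  description = "AWS account id of your own account, in which the IAM role is created (12 digits)"
  default     = "521195893806"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_root_account_id))
    error_message = "The aws_root_account_id must be a 12-digit AWS account id."
  }
}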
variable "atlas_external_ids" {
  # Not referenced by main.tf in this article; kept for callers that pass it.
  default     = []
  description = "List of unique external IDs (per-Atlas project)"
  type        = list(any)
}
main.tf
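terraform {
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "0.9.1"
    }
    # main.tf also uses aws_iam_role and aws_iam_policy_document, so declare the
    # AWS provider explicitly rather than relying on implicit resolution. The AWS
    # provider itself is configured from the usual environment (credentials,
    # region) since this file declares no `provider "aws"` block.
    aws = {
      source = "hashicorp/aws"
    }
  }
}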
# Atlas API credentials come from the two api key variables; they are never
# written into this file directly.
provider "mongodbatlas" {
  private_key = var.mongodb_atlas_api_pri_key
  public_key  = var.mongodb_atlas_api_pub_key
}
# Step 1: ask Atlas for a cloud provider access role. Atlas responds with the
# external ID and role id that the trust policy and authorization below use.
resource "mongodbatlas_cloud_provider_access" "test_role" {
  provider_name = "AWS"
  project_id    = var.mongodb_atlas_project_id
}
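# Trust policy for the role Atlas assumes. Only the Atlas AWS root account may
# assume it, and only when it presents the external ID Atlas generated for this
# project (confused-deputy protection).
data "aws_iam_policy_document" "atlas-assume-role-policy" {
  statement {
    sid     = "rolepolicy"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type = "AWS"
      # Taken from the Atlas resource rather than a hand-copied account id, so
      # the trusted principal cannot drift from what Atlas actually uses; the
      # atlas_aws_root_account_id variable is no longer needed by this block.
      identifiers = [mongodbatlas_cloud_provider_access.test_role.atlas_aws_account_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [mongodbatlas_cloud_provider_access.test_role.atlas_assumed_role_external_id]
    }

    # The earlier "Service" principal (ec2.amazonaws.com) was removed: Atlas does
    # not require it, so it only widened the trust policy, and an EC2
    # instance-profile assumption does not present sts:ExternalId anyway.
  }
}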
# Step 2: the role in your own account that Atlas will assume. It carries the
# trust policy above; permissions (e.g. KMS access) are attached separately.
resource "aws_iam_role" "atlas-cmk-access-role" {
  assume_role_policy = data.aws_iam_policy_document.atlas-assume-role-policy.json
  name               = "${var.account_name}-atlas-cmk-${var.atlas_project_name}-role"

  # Caller-supplied tags are merged on top of the fixed Name tag.
  tags = merge(
    { "Name" = "${var.account_name}-atlas-cmk-role" },
    var.tags,
  )
}
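# Step 3: tell Atlas which IAM role it may assume for this project.
resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
  project_id = mongodbatlas_cloud_provider_access.test_role.project_id
  role_id    = mongodbatlas_cloud_provider_access.test_role.role_id

  aws = {
    # Reference the role that was actually created instead of rebuilding its ARN
    # from variables: the ARN then always matches the role's real name and
    # account, and Terraform gets an explicit dependency so the authorization
    # is attempted only after the role (and its trust policy) exists.
    iam_assumed_role_arn = aws_iam_role.atlas-cmk-access-role.arn
  }
}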
# Exposes the external ID Atlas generated, e.g. for verifying the trust policy.
output "atlas_assumed_role_external_id" {
  description = "External ID Atlas presents when assuming the role"
  value       = mongodbatlas_cloud_provider_access.test_role.atlas_assumed_role_external_id
}
Run:
terraform init
terraform plan (check that everything meets your expectations)
terraform apply