atlas-init 0.1.0__py3-none-any.whl → 0.1.4__py3-none-any.whl

atlas_init/settings/path.py

@@ -1,4 +1,5 @@
 import os
+from collections.abc import Callable
 from pathlib import Path
 
 import dotenv
@@ -21,15 +22,18 @@ DEFAULT_PROFILES_PATH.mkdir(exist_ok=True, parents=True)
 DEFAULT_TF_PATH = ROOT_PATH / "tf"
 DEFAULT_CONFIG_PATH = ROOT_PATH / "atlas_init.yaml"
 DEFAULT_SCHEMA_CONFIG_PATH = ROOT_PATH / "terraform.yaml"
+DEFAULT_GITHUB_CI_RUN_LOGS = ROOT_PATH / "github_ci_run_logs"
+DEFAULT_GITHUB_SUMMARY_DIR = ROOT_PATH / "github_ci_summary"
 
 
 def load_dotenv(env_path: Path) -> dict[str, str]:
     return {k: v for k, v in dotenv.dotenv_values(env_path).items() if v}
 
 
-def dump_vscode_dotenv(generated_path: Path, vscode_env_path: Path) -> None:
+def dump_vscode_dotenv(generated_path: Path, vscode_env_path: Path, **extras: str) -> None:
     vscode_env_vars = load_dotenv(generated_path)
     vscode_env_vars.pop("TF_CLI_CONFIG_FILE", None)  # migration tests will use local provider instead of online
+    vscode_env_vars.update(extras)
     dump_dotenv(vscode_env_path, vscode_env_vars)
 
 
@@ -43,6 +47,13 @@ def current_dir():
     return Path(os.path.curdir).absolute()
 
 
+def default_factory_cwd(rel_path: str) -> Callable[[], Path]:
+    def default_factory():
+        return current_dir() / rel_path
+
+    return default_factory
+
+
 def repo_path_rel_path() -> tuple[Path, str]:
     cwd = current_dir()
     rel_path = []

atlas_init/settings/rich_utils.py

@@ -9,11 +9,48 @@ class _LogLevel(BaseModel):
     log_level: Literal["INFO", "WARNING", "ERROR", "CRITICAL"]
 
 
-def configure_logging(log_level: str = "INFO"):
+def remove_secrets(message: str, secrets: list[str]) -> str:
+    for secret in secrets:
+        message = message.replace(secret, "***")
+    return message
+
+
+class SecretsHider(logging.Filter):
+    def __init__(self, secrets: list[str], name: str = "") -> None:
+        self.secrets = secrets
+        super().__init__(name)
+
+    def filter(self, record: logging.LogRecord) -> bool:
+        record.msg = remove_secrets(record.msg, self.secrets)
+        return True
+
+
+dangerous_keys = ["key", "id", "secret"]
+safe_keys: list[str] = ["/"]
+
+
+def hide_secrets(handler: logging.Handler, secrets_dict: dict[str, str]) -> None:
+    secrets_to_hide = set()
+    for key, value in secrets_dict.items():
+        if not isinstance(value, str):
+            continue
+        key_lower = key.lower()
+        if key_lower in {"true", "false"}:
+            continue
+        if any(safe in key_lower for safe in safe_keys):
+            continue
+        if any(danger in key_lower for danger in dangerous_keys):
+            secrets_to_hide.add(value)
+    handler.addFilter(SecretsHider(list(secrets_to_hide), name="secrets-hider"))
+
+
+def configure_logging(log_level: str = "INFO") -> logging.Handler:
     _LogLevel(log_level=log_level)  # type: ignore
+    handler = RichHandler(rich_tracebacks=True)
     logging.basicConfig(
         level=logging.getLevelName(log_level),
         format="%(message)s",
         datefmt="[%X]",
-        handlers=[RichHandler(rich_tracebacks=True)],
+        handlers=[handler],
     )
+    return handler

atlas_init/terraform.yaml

@@ -15,7 +15,7 @@ resources:
       - tags
     attributes:
       aliases:
-        groupId: id
+        groupId: project_id
   create:
     path: /api/atlas/v2/groups
     method: POST
@@ -28,3 +28,79 @@ resources:
   delete:
     path: /api/atlas/v2/groups/{groupId}
     method: DELETE
+- name: streamprocessor
+  extensions:
+  - type: rename_attribute
+    from_name: _id
+    to_name: id
+  - type: ignore_nested
+    path: "*.links"
+  - type: change_attribute_type
+    path: processor_name
+    new_value: required
+  - type: change_attribute_type
+    path: project_id
+    new_value: required
+  - type: skip_validators
+  provider_spec_attributes: []
+  schema:
+    ignores:
+      - name
+      - pretty
+      - envelope
+      - links
+    attributes: # (only works on path attributes)
+      aliases:
+        # _id: id
+        # name: processor_name
+        groupId: project_id
+        tenantName: instance_name
+  create:
+    path: /api/atlas/v2/groups/{groupId}/streams/{tenantName}/processor
+    method: POST
+  read:
+    path: /api/atlas/v2/groups/{groupId}/streams/{tenantName}/processor/{processorName}
+    method: GET
+  delete:
+    path: /api/atlas/v2/groups/{groupId}/streams/{tenantName}/processor/{processorName}
+    method: DELETE
+  # update: not implemented yet
+  #   path: api/atlas/v2/groups/{groupId}/streams/{tenantName}/processor
+  #   method: PATCH
+data_sources:
+- name: stream_processor
+  extensions:
+  - type: rename_attribute
+    from_name: _id
+    to_name: id
+  - type: rename_attribute
+    from_name: tenant_name
+    to_name: instance_name
+  - type: ignore_nested
+    path: "*.links"
+  - type: change_attribute_type
+    path: processor_name
+    new_value: required
+  - type: change_attribute_type
+    path: project_id
+    new_value: required
+  - type: skip_validators
+  # pagination attributes
+  # generating test files
+  read:
+    path: /api/atlas/v2/groups/{groupId}/streams/{tenantName}/processor/{processorName}
+    method: GET
+  schema:
+    ignores:
+      - name
+      - pretty
+      - envelope
+      - links
+    attributes: # (only works on path attributes)
+      aliases:
+        groupId: project_id
+- name: stream_processors
+  read:
+    # unable to extract the description here
+    path: /api/atlas/v2/groups/{groupId}/streams/{tenantName}/processors
+    method: GET

atlas_init/tf/.terraform.lock.hcl

@@ -0,0 +1,125 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "5.67.0"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:8wkuQvQiqjjm2+gQepy6xFBfimGoesKz1BPcVKWvED8=",
+    "zh:1259c8106c0a3fc0ed3b3eb814ab88d6a672e678b533f47d1bbbe3107949f43e",
+    "zh:226414049afd6d334cc16ff5d6cef23683620a9b56da67a21422a113d9cce4ab",
+    "zh:3c89b103aea20ef82a84e889abaeb971cb168de8292b61b34b83e807c40085a9",
+    "zh:3dd88e994fb7d7a6c6eafd3c01393274e4f776021176acea2e980f73fbd4acbc",
+    "zh:487e0dda221c84a20a143904c1cee4e63fce6c5c57c21368ea79beee87b108da",
+    "zh:7693bdcec8181aafcbda2c41c35b1386997e2c92b6f011df058009e4c8b300e1",
+    "zh:82679536250420f9e8e6edfd0fa9a1bab99a7f31fe5f049ac7a2e0d8c287b56f",
+    "zh:8685218dae921740083820c52afa66cdf14cf130539da1efd7d9a78bfb6ade64",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9e553a3ec05eedea779d393447fc316689ba6c4d4d8d569b986898e6dbe58fee",
+    "zh:a36c24acd3c75bac8211fefde58c459778021eb871ff8339be1c26ad8fd67ee1",
+    "zh:ce48bd1e35d6f996f1a09d8f99e8084469b7fec5611e67a50a63e96375b87ebe",
+    "zh:d6c76a24205513725269e4783da14be9648e9086fb621496052f4b37d52d785e",
+    "zh:d95a31745affb178ea48fa8e0be94691a8f7507ea55c0d0a4b6e0a8ef6fcb929",
+    "zh:f061ce59fac1bc425c1092e6647ed4bb1b61824416041b46dbf336e01a63ad89",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/http" {
+  version     = "3.4.2"
+  constraints = "3.4.2"
+  hashes = [
+    "h1:vaoPfsLm6mOk6avKTrWi35o+9p4fEeZAY3hzYoXVTfo=",
+    "zh:0ba051c9c8659ce0fec94a3d50926745f11759509c4d6de0ad5f5eb289f0edd9",
+    "zh:23e6760e8406fef645913bf47bfab1ca984c1c5805d2bb0ef8310b16913d29cd",
+    "zh:3c69fde4548bfe65b968534c4df8d699648c921d6a065b97fec5faece73a442b",
+    "zh:41c7f9a8c117704b7a8fa96a57ebfb92b72129d9625128eeb0dee7d5a09d1110",
+    "zh:59d09d2e00727df10565cc82a33250b44201fcd353eb2b1579507a5a0adcce18",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:c95b2f63d4357b3068531b90d9dca62a32551d7693defb7ab14b650b5d139c57",
+    "zh:cc0a3bbd3026191b35f417d3a8f26bdfad376d15be9e8d99a8803487ca5b0105",
+    "zh:d1185c6abb3ba25123fb7df1ad7dbe2b9cd8f43962628da551040fbe1934656f",
+    "zh:dfb26fccab7ecdc150f67415e6cfe19d699dc43e8bf5722f36032b17b46a0fbe",
+    "zh:eb1fcc00073bc0463f64e49600a73d925b1a0c0ae5b94dd7b67d3ebac248a113",
+    "zh:ec9b9ad69cf790cb0603a1036d758063bbbc35c0c75f72dd04a1eddaf46ad010",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:gpp25uNkYJYzJVnkyRr7RIBVfwLs9GSq2HNnFpTRBg0=",
+    "zh:244b445bf34ddbd167731cc6c6b95bbed231dc4493f8cc34bd6850cfe1f78528",
+    "zh:3c330bdb626123228a0d1b1daa6c741b4d5d484ab1c7ae5d2f48d4c9885cc5e9",
+    "zh:5ff5f9b791ddd7557e815449173f2db38d338e674d2d91800ac6e6d808de1d1d",
+    "zh:70206147104f4bf26ae67d730c995772f85bf23e28c2c2e7612c74f4dae3c46f",
+    "zh:75029676993accd6bef933c196b2fad51a9ec8a69a847dbbe96ec8ebf7926cdc",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7d48d5999fe1fcdae9295a7c3448ac1541f5a24c474bd82df6d4fa3732483f2b",
+    "zh:b766b38b027f0f84028244d1c2f990431a37d4fc3ac645962924554016507e77",
+    "zh:bfc7ad301dada204cf51c59d8bd6a9a87de5fddb42190b4d6ba157d6e08a1f10",
+    "zh:c902b527702a8c5e2c25a6637d07bbb1690cb6c1e63917a5f6dc460efd18d43f",
+    "zh:d68ae0e1070cf429c46586bc87580c3ed113f76241da2b6e4f1a8348126b3c46",
+    "zh:f4903fd89f7c92a346ae9e666c2d0b6884c4474ae109e9b4bd15e7efaa4bfc29",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.2.3"
+  hashes = [
+    "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=",
+    "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2",
+    "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d",
+    "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3",
+    "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f",
+    "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301",
+    "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670",
+    "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
+    "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
+    "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
+    "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.6.3"
+  hashes = [
+    "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=",
+    "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451",
+    "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8",
+    "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe",
+    "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1",
+    "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36",
+    "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30",
+    "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615",
+    "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad",
+    "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556",
+    "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0",
+  ]
+}
+
+provider "registry.terraform.io/mongodb/mongodbatlas" {
+  version     = "1.19.0"
+  constraints = "1.19.0"
+  hashes = [
+    "h1:zzKWs4GzWXo+ImMQud/b0ECObJmbtB2wCrK3b98z1ms=",
+    "zh:3a8198e83b9b2dd1c461049f19464e82ce3f24d9fa7508e0e6dd642e2be70f73",
+    "zh:3a89a8395624a8e8516c6147b1612798f05e59ed3f13c1f6d8878099c9ca5f6e",
+    "zh:41ff89b10d5f1069d4bfa093e2d9297f1670863716f60d7b874f076bc37bc2ac",
+    "zh:5baf75906ccfc658be79b4c02c86032943af18c159f9c80a067ed696f23db527",
+    "zh:697aa8aebc5f4f8b6c42ba33bd1fec5ab8244555905bf6c6482ebf4733fe7976",
+    "zh:6d7fe4c2bca1e34e0c881266a463bbe16dd9a2934b7fa6d116c711a56b895f6f",
+    "zh:6dca00e357d04fbaeab6d2fa336c6704e289c076beef250a3cfe948a901bc4d4",
+    "zh:877a40cabcc49ee9fb40143dcbd6253d0c08ac1603a71e2cf2dde2d1fbfde574",
+    "zh:8a43a657196f4917f32f07ea91f056a2be6e7adb8a1fb7df4517ad9b71362c30",
+    "zh:91ef30b6020da3d5c5781ea6718b5f785c1eb3c7f4677343b31af2297d9f3558",
+    "zh:9bbc42509526c942db3979eaacd15b96ad454777993a0b002f908f9e9fcef51c",
+    "zh:b11fd160fcdd9cf7423283af7e0c3f0970b391b5a62ec30fe699ffdd54351896",
+    "zh:c297a0a188141741f14578cd8db41c309361e37b1b0904e635a7ebd0993e86f7",
+    "zh:c8af40986dbc42e77d0e34af7ea2d730cb87aa0471236392dbea0926ab95159a",
+  ]
+}

atlas_init/tf/always.tf

@@ -9,6 +9,7 @@ resource "random_password" "username" {
 }
 
 data "http" "myip" {
+  count = var.use_project_myip ? 1 : 0
   url = "https://ipv4.icanhazip.com"
 }
 
@@ -35,9 +36,17 @@ resource "mongodbatlas_project" "project" {
   org_id = var.org_id
 
   tags = local.tags
+  region_usage_restrictions = var.is_mongodbgov_cloud ? "GOV_REGIONS_ONLY" : null
+  project_owner_id = length(var.user_id) > 0 ? var.user_id : null
 }
 
 resource "mongodbatlas_project_ip_access_list" "mongo-access" {
+  count = var.use_project_myip ? 1 : 0
   project_id = mongodbatlas_project.project.id
-  cidr_block = "${chomp(data.http.myip.response_body)}/32"
-}
+  cidr_block = "${chomp(data.http.myip[0].response_body)}/32"
+}
+
+data "mongodbatlas_atlas_user" "this" {
+  count = length(var.user_id) > 0 ? 1 : 0
+  user_id = var.user_id
+}

atlas_init/tf/main.tf

@@ -24,6 +24,9 @@ module "cfn" {
   atlas_private_key = var.atlas_private_key
   cfn_profile       = local.cfn_profile
   tags              = local.tags
+  aws_account_id    = local.aws_account_id
+  use_kms_key       = var.cfn_config.use_kms_key
+  aws_region        = var.cfn_config.region
 }
 
 module "cluster" {

atlas_init/tf/modules/aws_s3/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     mongodbatlas = {
       source  = "mongodb/mongodbatlas"
-      version = ">=1.4.3"
+      version = "1.19.0"
     }
   }
   required_version = ">= 1.0"

atlas_init/tf/modules/aws_vars/aws_vars.tf

@@ -14,5 +14,7 @@ output "env_vars" {
     AWS_ACCESS_KEY_ID          = var.aws_access_key_id
     AWS_SECRET_ACCESS_KEY      = var.aws_secret_access_key
     AWS_REGION                 = var.aws_region
+    AWS_REGION_LOWERCASE       = var.aws_region
+    AWS_REGION_UPPERCASE       = replace(upper(var.aws_region), "-", "_")
   }
 }

atlas_init/tf/modules/aws_vpc/provider.tf

@@ -2,7 +2,10 @@ terraform {
   required_providers {
     mongodbatlas = {
       source  = "mongodb/mongodbatlas"
-      version = ">=1.4.3"
+      version = "1.19.0"
+    }
+    aws = {
+      source = "hashicorp/aws"
     }
   }
   required_version = ">= 1.0"

atlas_init/tf/modules/cfn/cfn.tf

@@ -1,22 +1,3 @@
-variable "cfn_profile" {
-  type = string
-}
-variable "atlas_public_key" {
-  type = string
-}
-
-variable "atlas_private_key" {
-  type = string
-}
-
-variable "atlas_base_url" {
-  type = string
-}
-
-variable "tags" {
-  type = map(string)
-}
-
 terraform {
   required_providers {
     aws = {
@@ -30,22 +11,52 @@ locals {
   resource_actions_yaml = file("${path.module}/resource_actions.yaml")
   services              = yamldecode(local.services_yaml)
   resource_actions      = yamldecode(local.resource_actions_yaml)
+  role_name             = "cfn-execution-role-${var.cfn_profile}"
+  iam_policy_statement = {
+    Sid      = "Original"
+    Action   = local.resource_actions
+    Effect   = "Allow"
+    Resource = "*"
+  }
+  iam_policy_statement_kms = {
+    Sid      = "Extra"
+    Action   = ["kms:Decrypt"]
+    Effect   = "Allow"
+    Resource = try(aws_kms_key.this[0].arn, "invalid-arn-not-used")
+  }
+  iam_policy_statement_cloudwatch = {
+    Sid      = "CloudwatchLogs"
+    Action   = ["logs:*"]
+    Effect   = "Allow"
+    Resource = "*"
+  }
+  iam_policy_statements = var.use_kms_key ? [local.iam_policy_statement, local.iam_policy_statement_kms, local.iam_policy_statement_cloudwatch] : [local.iam_policy_statement, local.iam_policy_statement_cloudwatch]
+  iam_role_policy_json = jsonencode({
+    Version   = "2012-10-17"
+    Statement = local.iam_policy_statements
+  })
 }
 
 resource "aws_secretsmanager_secret" "cfn" {
   name                    = "cfn/atlas/profile/${var.cfn_profile}"
+  description             = "Secrets for the cfn ${var.cfn_profile} profile"
   recovery_window_in_days = 0 # allow force deletion
   tags                    = var.tags
+  kms_key_id              = var.use_kms_key ? aws_kms_key.this[0].arn : null
 }
+
 resource "aws_secretsmanager_secret_version" "cfn" {
   secret_id = aws_secretsmanager_secret.cfn.id
   secret_string = jsonencode({
-    BaseUrl    = var.atlas_base_url
-    PublicKey  = var.atlas_public_key
-    PrivateKey = var.atlas_private_key
+    BaseUrl     = var.atlas_base_url
+    PublicKey   = var.atlas_public_key
+    PrivateKey  = var.atlas_private_key
+    DebugClient = true
   })
 }
 
+data "aws_caller_identity" "this" {}
+
 data "aws_iam_policy_document" "assume_role" {
   statement {
     actions = ["sts:AssumeRole"]
@@ -54,27 +65,22 @@ data "aws_iam_policy_document" "assume_role" {
       type        = "Service"
       identifiers = local.services
     }
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_caller_identity.this.arn] # Allow the terraform creator account to assume the role
+    }
   }
 }
 
 resource "aws_iam_role" "execution_role" {
-  name                 = "cfn-execution-role-${var.cfn_profile}"
+  name                 = local.role_name
   assume_role_policy   = data.aws_iam_policy_document.assume_role.json
   max_session_duration = 8400
 
   inline_policy {
     name = "ResourceTypePolicy"
 
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Action   = local.resource_actions
-          Effect   = "Allow"
-          Resource = "*"
-        },
-      ]
-    })
+    policy = local.iam_role_policy_json
 
   }
 }
@@ -89,3 +95,11 @@ output "env_vars" {
     CFN_EXAMPLE_EXECUTION_ROLE   = aws_iam_role.execution_role.arn
   }
 }
+
+
+output "info" {
+  value = {
+    kms_key_policy_json  = local.kms_key_policy_json
+    iam_role_policy_json = local.iam_role_policy_json
+  }
+}

atlas_init/tf/modules/cfn/kms.tf

@@ -0,0 +1,54 @@
+locals {
+  account_principal = {
+    AWS = var.aws_account_id
+  }
+  kms_secretsmanager_condition = {
+    StringEquals = {
+      "kms:CallerAccount" = var.aws_account_id
+      "kms:ViaService"    = "secretsmanager.${var.aws_region}.amazonaws.com"
+    }
+  }
+  kms_key_policy_json = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid       = "Enable IAM User Permissions",
+        Effect    = "Allow",
+        Principal = local.account_principal,
+        Action    = "kms:*",
+        Resource  = "*"
+      },
+      {
+        Sid       = "Enable IAM User Permissions for Role",
+        Effect    = "Allow",
+        Principal = {
+          AWS = "*"
+        }
+        Action    = "kms:Decrypt",
+        Resource  = "*"
+        Condition = {
+          StringEquals = {
+            "aws:PrincipalArn" = "arn:aws:iam::${var.aws_account_id}:role/${local.role_name}"
+          }
+        }
+      },
+      # { useful to check our example guide
+      #   "Sid" : "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager",
+      #   "Effect" : "Allow",
+      #   # "Principal" : { "AWS" : [aws_iam_role.execution_role.arn] },
+      #   "Principal" : { "AWS" : "*" },
+      #   "Action" : [
+      #     "kms:Decrypt",
+      #   ],
+      #   "Resource" : "*",
+      #   "Condition" : local.kms_secretsmanager_condition
+      # },
+    ]
+  })
+}
+resource "aws_kms_key" "this" {
+  count                   = var.use_kms_key ? 1 : 0
+  description             = "KMS key for ${var.cfn_profile}"
+  deletion_window_in_days = 7
+  policy = local.kms_key_policy_json
+}

atlas_init/tf/modules/cfn/resource_actions.yaml

@@ -2,6 +2,7 @@
 - "secretsmanager:PutSecretValue"
 - "ec2:CreateVpcEndpoint"
 - "ec2:DeleteVpcEndpoints"
+- "ec2:DescribeVpcEndpoints"
 - "cloudformation:CreateResource"
 - "cloudformation:DeleteResource"
 - "cloudformation:GetResource"

atlas_init/tf/modules/cfn/variables.tf

@@ -0,0 +1,31 @@
+variable "cfn_profile" {
+  type = string
+}
+variable "atlas_public_key" {
+  type = string
+}
+
+variable "atlas_private_key" {
+  type = string
+}
+
+variable "atlas_base_url" {
+  type = string
+}
+
+variable "tags" {
+  type = map(string)
+}
+
+variable "use_kms_key" {
+  type = bool
+  default = false
+}
+
+variable "aws_account_id" {
+  type = string
+}
+
+variable "aws_region" {
+  type = string
+}

atlas_init/tf/modules/cloud_provider/cloud_provider.tf

@@ -49,6 +49,7 @@ EOF
 output "env_vars" {
   value = {
     IAM_ROLE_ID = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
+    AWS_IAM_ROLE_ARN = aws_iam_role.aws_role.arn
   }
 }
 

atlas_init/tf/modules/cloud_provider/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     mongodbatlas = {
       source  = "mongodb/mongodbatlas"
-      version = ">=1.4.3"
+      version = "1.19.0"
     }
     aws = {
       source  = "hashicorp/aws"