atlas-init 0.4.1__py3-none-any.whl → 0.4.2__py3-none-any.whl

atlas_init/cli_tf/hcl/modifier.py

@@ -0,0 +1,144 @@
+import logging
+from collections import defaultdict
+from copy import deepcopy
+from pathlib import Path
+
+import hcl2
+from lark import Token, Tree, UnexpectedToken
+
+logger = logging.getLogger(__name__)
+
+BLOCK_TYPE_VARIABLE = "variable"
+BLOCK_TYPE_OUTPUT = "output"
+
+
+def process_token(node: Token, indent=0):
+    logger.debug(f"[{indent}] (token)\t|", " " * indent, node.type, node.value)
+    return deepcopy(node)
+
+
+def is_identifier_block_type(tree: Tree | Token, block_type: str) -> bool:
+    if not isinstance(tree, Tree):
+        return False
+    try:
+        return tree.children[0].value == block_type  # type: ignore
+    except (IndexError, AttributeError):
+        return False
+
+
+def is_block_type(tree: Tree, block_type: str) -> bool:
+    try:
+        return tree.data == "block" and is_identifier_block_type(tree.children[0], block_type)
+    except (IndexError, AttributeError):
+        return False
+
+
+def update_description(tree: Tree, new_descriptions: dict[str, str], existing_names: dict[str, list[str]]) -> Tree:
+    new_children = tree.children.copy()
+    variable_body = new_children[2]
+    assert variable_body.data == "body"
+    name = token_name(new_children[1])
+    old_description = read_description_attribute(variable_body)
+    existing_names[name].append(old_description)
+    new_description = new_descriptions.get(name, "")
+    if not new_description:
+        logger.debug(f"no description found for variable {name}")
+        return tree
+    new_children[2] = update_body_with_description(variable_body, new_description)
+    return Tree(tree.data, new_children)
+
+
+def token_name(token: Token | Tree) -> str:
+    if isinstance(token, Token):
+        return token.value.strip('"')
+    err_msg = f"unexpected token type {type(token)} for token name"
+    raise ValueError(err_msg)
+
+
+def has_attribute_description(maybe_attribute: Token | Tree) -> bool:
+    if not isinstance(maybe_attribute, Tree):
+        return False
+    return maybe_attribute.data == "attribute" and maybe_attribute.children[0].children[0].value == "description"  # type: ignore
+
+
+def update_body_with_description(tree: Tree, new_description: str) -> Tree:
+    new_description = new_description.replace('"', '\\"')
+    new_children = tree.children.copy()
+    found_description = False
+    for i, maybe_attribute in enumerate(new_children):
+        if has_attribute_description(maybe_attribute):
+            found_description = True
+            new_children[i] = create_description_attribute(new_description)
+    if not found_description:
+        new_children.insert(0, new_line())
+        new_children.insert(1, create_description_attribute(new_description))
+    return Tree(tree.data, new_children)
+
+
+def new_line() -> Tree:
+    return Tree(
+        Token("RULE", "new_line_or_comment"),
+        [Token("NL_OR_COMMENT", "\n  ")],
+    )
+
+
+def read_description_attribute(tree: Tree) -> str:
+    return next(
+        (
+            token_name(maybe_attribute.children[-1].children[0])
+            for maybe_attribute in tree.children
+            if has_attribute_description(maybe_attribute)
+        ),
+        "",
+    )
+
+
+def create_description_attribute(description_value: str) -> Tree:
+    children = [
+        Tree(Token("RULE", "identifier"), [Token("NAME", "description")]),
+        Token("EQ", " ="),
+        Tree(Token("RULE", "expr_term"), [Token("STRING_LIT", f'"{description_value}"')]),
+    ]
+    return Tree(Token("RULE", "attribute"), children)
+
+
+def process_descriptions(
+    node: Tree,
+    name_updates: dict[str, str],
+    existing_names: dict[str, list[str]],
+    depth=0,
+    *,
+    block_type: str,
+) -> Tree:
+    new_children = []
+    logger.debug(f"[{depth}] (tree)\t|", " " * depth, node.data)
+    for child in node.children:
+        if isinstance(child, Tree):
+            if is_block_type(child, block_type):
+                child = update_description(  # noqa: PLW2901
+                    child, name_updates, existing_names
+                )
+            new_children.append(
+                process_descriptions(child, name_updates, existing_names, depth + 1, block_type=block_type)
+            )
+        else:
+            new_children.append(process_token(child, depth + 1))
+
+    return Tree(node.data, new_children)
+
+
+def update_descriptions(tf_path: Path, new_names: dict[str, str], block_type: str) -> tuple[str, dict[str, list[str]]]:
+    try:
+        tree = hcl2.parses(tf_path.read_text())  # type: ignore
+    except UnexpectedToken as e:
+        logger.warning(f"failed to parse {tf_path}: {e}")
+        return "", {}
+    existing_descriptions = defaultdict(list)
+    new_tree = process_descriptions(
+        tree,
+        new_names,
+        existing_descriptions,
+        block_type=block_type,
+    )
+    new_tf = hcl2.writes(new_tree)  # type: ignore
+    return new_tf, existing_descriptions

atlas_init/cli_tf/hcl/modifier_test/test_process_variables_output_.tf

@@ -0,0 +1,25 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+
+module "cluster" {
+  source = "../../module_maintainer/v3"
+
+  cluster_name           = var.cluster_name
+  cluster_type           = var.cluster_type
+  mongo_db_major_version = var.mongo_db_major_version
+  project_id             = var.project_id
+  replication_specs_new  = var.replication_specs_new
+  tags                   = var.tags
+}
+
+output "mongodb_connection_strings" {
+  description = "new connection strings desc"
+  value = module.cluster.mongodb_connection_strings
+}
+
+output "with_desc" {
+  value = "with_desc"
+  description = "description new"
+}

atlas_init/cli_tf/hcl/modifier_test/test_process_variables_variable_.tf

@@ -0,0 +1,24 @@
+variable "cluster_name" {
+  description = "description of \"cluster\" name"
+  type = string
+}
+variable "replication_specs" {
+  description = "List of replication specifications in legacy mongodbatlas_cluster format"
+  default     = []
+  type = list(object({
+    num_shards = number
+    zone_name  = string
+    regions_config = set(object({
+      region_name     = string
+      electable_nodes = number
+      priority        = number
+      read_only_nodes = optional(number, 0)
+    }))
+  }))
+}
+
+variable "provider_name" {
+  description = "azure/aws/gcp"
+  type    = string
+  default = ""# optional in v3
+}

atlas_init/cli_tf/hcl/modifier_test.py

@@ -0,0 +1,95 @@
+import pytest
+
+from atlas_init.cli_tf.hcl.modifier import BLOCK_TYPE_OUTPUT, BLOCK_TYPE_VARIABLE, update_descriptions
+
+example_variables_tf = """variable "cluster_name" {
+  type = string
+}
+variable "replication_specs" {
+  description = "List of replication specifications in legacy mongodbatlas_cluster format"
+  default     = []
+  type = list(object({
+    num_shards = number
+    zone_name  = string
+    regions_config = set(object({
+      region_name     = string
+      electable_nodes = number
+      priority        = number
+      read_only_nodes = optional(number, 0)
+    }))
+  }))
+}
+
+variable "provider_name" {
+  type    = string
+  default = "" # optional in v3
+}
+"""
+
+_existing_descriptions_variables = {
+    "cluster_name": [""],
+    "provider_name": [""],
+    "replication_specs": ["List of replication specifications in legacy "],
+}
+
+example_outputs_tf = """provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+
+module "cluster" {
+  source = "../../module_maintainer/v3"
+
+  cluster_name           = var.cluster_name
+  cluster_type           = var.cluster_type
+  mongo_db_major_version = var.mongo_db_major_version
+  project_id             = var.project_id
+  replication_specs_new  = var.replication_specs_new
+  tags                   = var.tags
+}
+
+output "mongodb_connection_strings" {
+  value = module.cluster.mongodb_connection_strings
+}
+
+output "with_desc" {
+  value = "with_desc"
+  description = "description old"
+}
+"""
+_existing_descriptions_outputs = {
+    "mongodb_connection_strings": [""],
+    "with_desc": ["description old"],
+}
+
+
+@pytest.mark.parametrize(
+    ("block_type", "new_names", "existing_descriptions", "tf_config"),
+    [
+        (
+            BLOCK_TYPE_VARIABLE,
+            {
+                "cluster_name": 'description of "cluster" name',
+                "provider_name": "azure/aws/gcp",
+            },
+            _existing_descriptions_variables,
+            example_variables_tf,
+        ),
+        (
+            BLOCK_TYPE_OUTPUT,
+            {
+                "with_desc": "description new",
+                "mongodb_connection_strings": "new connection strings desc",
+            },
+            _existing_descriptions_outputs,
+            example_outputs_tf,
+        ),
+    ],
+    ids=[BLOCK_TYPE_VARIABLE, BLOCK_TYPE_OUTPUT],
+)
+def test_process_variables(tmp_path, file_regression, block_type, new_names, existing_descriptions, tf_config):
+    example_tf_path = tmp_path / "example.tf"
+    example_tf_path.write_text(tf_config)
+    new_tf, existing_descriptions = update_descriptions(example_tf_path, new_names, block_type=block_type)
+    file_regression.check(new_tf, extension=".tf")
+    assert dict(existing_descriptions.items()) == existing_descriptions

atlas_init/cli_tf/log_clean.py

@@ -0,0 +1,29 @@
+import logging
+from pathlib import Path
+
+import typer
+
+logger = logging.getLogger(__name__)
+SPLIT_STR = "mongodbatlas: "
+
+
+def remove_prefix(line: str) -> str:
+    """
+    >>> remove_prefix(
+    ...     "2025-02-14T15:47:14.157Z [DEBUG] provider.terraform-provider-mongodbatlas: {"
+    ... )
+    '{'
+    >>> remove_prefix(
+    ...     '2025-02-14T15:47:14.158Z [DEBUG] provider.terraform-provider-mongodbatlas:  "biConnector": {'
+    ... )
+    ' "biConnector": {'
+    """
+    return line if SPLIT_STR not in line else line.split(SPLIT_STR, 1)[1]
+
+
+def log_clean(log_path: str = typer.Argument(..., help="Path to the log file")):
+    log_path_parsed = Path(log_path)
+    assert log_path_parsed.exists(), f"file not found: {log_path}"
+    new_lines = [remove_prefix(line) for line in log_path_parsed.read_text().splitlines()]
+    log_path_parsed.write_text("\n".join(new_lines))
+    logger.info(f"cleaned log file: {log_path}")

atlas_init/repos/path.py

@@ -16,6 +16,15 @@ _KNOWN_OWNER_PROJECTS = {
 }
 
 
+def package_glob(package_path: str) -> str:
+    return f"{package_path}/*.go"
+
+
+def go_package_prefix(repo_path: Path) -> str:
+    owner_project = owner_project_name(repo_path)
+    return f"github.com/{owner_project}"
+
+
 def _owner_project_name(repo_path: Path) -> str:
     owner_project = owner_project_name(repo_path)
     if owner_project not in _KNOWN_OWNER_PROJECTS:
@@ -61,6 +70,11 @@ class Repo(StrEnum):
     TF = "tf"
 
 
+def as_repo_alias(path: Path) -> Repo:
+    owner = owner_project_name(path)
+    return _owner_lookup(owner)
+
+
 _owner_repos = {
     GH_OWNER_TERRAFORM_PROVIDER_MONGODBATLAS: Repo.TF,
     GH_OWNER_MONGODBATLAS_CLOUDFORMATION_RESOURCES: Repo.CFN,

atlas_init/settings/config.py

@@ -2,22 +2,22 @@ from __future__ import annotations
 
 import fnmatch
 import logging
+from collections import defaultdict
 from collections.abc import Iterable
 from functools import total_ordering
 from os import getenv
 from pathlib import Path
 from typing import Any
 
-from model_lib import Entity, dump_ignore_falsy
+from model_lib import Entity, IgnoreFalsy
 from pydantic import Field, model_validator
 
-from atlas_init.repos.path import owner_project_name
+from atlas_init.repos.path import as_repo_alias, go_package_prefix, owner_project_name, package_glob
 
 logger = logging.getLogger(__name__)
 
 
-@dump_ignore_falsy
-class TerraformVars(Entity):
+class TerraformVars(IgnoreFalsy):
     cluster_info: bool = False
     cluster_info_m10: bool = False
     stream_instance: bool = False
@@ -28,6 +28,7 @@ class TerraformVars(Entity):
     use_aws_vpc: bool = False
     use_aws_s3: bool = False
     use_federated_vars: bool = False
+    use_encryption_at_rest: bool = False
 
     def __add__(self, other: TerraformVars):  # type: ignore
         assert isinstance(other, TerraformVars)  # type: ignore
@@ -59,6 +60,8 @@ class TerraformVars(Entity):
             config["use_project_extra"] = True
         if self.use_federated_vars:
             config["use_federated_vars"] = True
+        if self.use_encryption_at_rest:
+            config["use_encryption_at_rest"] = True
         if self.stream_instance:
             # hack until backend bug with stream instance is fixed
             config["stream_instance_config"] = {"name": getenv("ATLAS_STREAM_INSTANCE_NAME", "atlas-init")}
@@ -70,15 +73,13 @@ class PyHook(Entity):
     locate: str
 
 
-@dump_ignore_falsy
 @total_ordering
-class TestSuite(Entity):
+class TestSuite(IgnoreFalsy):
     __test__ = False
 
     name: str
     sequential_tests: bool = False
     repo_go_packages: dict[str, list[str]] = Field(default_factory=dict)
-    repo_globs: dict[str, list[str]] = Field(default_factory=dict)
     vars: TerraformVars = Field(default_factory=TerraformVars)  # type: ignore
     post_apply_hooks: list[PyHook] = Field(default_factory=list)
 
@@ -87,13 +88,23 @@ class TestSuite(Entity):
             raise TypeError
         return self.name < other.name
 
-    def all_globs(self, repo_alias: str) -> list[str]:
-        go_packages = self.repo_go_packages.get(repo_alias, [])
-        return self.repo_globs.get(repo_alias, []) + [f"{pkg}/*.go" for pkg in go_packages] + go_packages
+    def package_url_tests(self, repo_path: Path, prefix: str = "") -> dict[str, dict[str, Path]]:
+        alias = as_repo_alias(repo_path)
+        packages = self.repo_go_packages.get(alias, [])
+        names = defaultdict(dict)
+        for package in packages:
+            pkg_name = f"{go_package_prefix(repo_path)}/{package}"
+            for go_file in repo_path.glob(f"{package}/*.go"):
+                with go_file.open() as f:
+                    for line in f:
+                        if line.startswith(f"func {prefix}"):
+                            test_name = line.split("(")[0].strip().removeprefix("func ")
+                            names[pkg_name][test_name] = go_file.parent
+        return names
 
     def is_active(self, repo_alias: str, change_paths: Iterable[str]) -> bool:
         """changes paths should be relative to the repo"""
-        globs = self.all_globs(repo_alias)
+        globs = [package_glob(pkg) for pkg in self.repo_go_packages.get(repo_alias, [])]
         return any(any(fnmatch.fnmatch(path, glob) for glob in globs) for path in change_paths)
 
     def cwd_is_repo_go_pkg(self, cwd: Path, repo_alias: str) -> bool:
@@ -145,9 +156,9 @@ class AtlasInitConfig(Entity):
     @model_validator(mode="after")
     def ensure_all_repo_aliases_are_found(self):
         missing_aliases = set()
-        aliases = set(self.repo_aliases.keys())
+        aliases = set(self.repo_aliases.values())
         for group in self.test_suites:
-            if more_missing := group.repo_globs.keys() - aliases:
+            if more_missing := (group.repo_go_packages.keys() - aliases):
                 logger.warning(f"repo aliases not found for group={group.name}: {more_missing}")
                 missing_aliases |= more_missing
         if missing_aliases:

atlas_init/settings/rich_utils.py

@@ -36,7 +36,7 @@ def hide_secrets(handler: logging.Handler, secrets_dict: dict[str, str]) -> None
         if not isinstance(value, str):
             continue
         key_lower = key.lower()
-        if key_lower in {"true", "false"} or value.lower() in {"true", "false"}:
+        if key_lower in {"true", "false"} or value.lower() in {"true", "false"} or value.isdigit():
             continue
         if any(safe in key_lower for safe in safe_keys):
             continue

atlas_init/tf/.terraform.lock.hcl

@@ -2,25 +2,25 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "5.67.0"
+  version     = "5.87.0"
   constraints = "~> 5.0"
   hashes = [
-    "h1:8wkuQvQiqjjm2+gQepy6xFBfimGoesKz1BPcVKWvED8=",
-    "zh:1259c8106c0a3fc0ed3b3eb814ab88d6a672e678b533f47d1bbbe3107949f43e",
-    "zh:226414049afd6d334cc16ff5d6cef23683620a9b56da67a21422a113d9cce4ab",
-    "zh:3c89b103aea20ef82a84e889abaeb971cb168de8292b61b34b83e807c40085a9",
-    "zh:3dd88e994fb7d7a6c6eafd3c01393274e4f776021176acea2e980f73fbd4acbc",
-    "zh:487e0dda221c84a20a143904c1cee4e63fce6c5c57c21368ea79beee87b108da",
-    "zh:7693bdcec8181aafcbda2c41c35b1386997e2c92b6f011df058009e4c8b300e1",
-    "zh:82679536250420f9e8e6edfd0fa9a1bab99a7f31fe5f049ac7a2e0d8c287b56f",
-    "zh:8685218dae921740083820c52afa66cdf14cf130539da1efd7d9a78bfb6ade64",
+    "h1:IYq3by7O/eJuXzJwOF920z2nZEkw08PkDFdw2xkyhrs=",
+    "zh:017f237466875c919330b9e214fb33af14fffbff830d3755e8976d8fa3c963c2",
+    "zh:0776d1e60aa93c85ecbb01144aed2789c8e180bb0f1c811a0aba17ca7247b26c",
+    "zh:0dfa5c6cfb3724494fdc73f7d042515e88a20da8968959f48b3ec0b937bd8c8f",
+    "zh:1707a5ead36a7980cb3f83e8b69a67a14ae725bfc990ddfcc209b59400b57b04",
+    "zh:1c71f54fdd6adcbe547d6577dbb843d72a30fef0ab882d0afbeb8a7b348bc442",
+    "zh:3563c850a29790957ec3f4d3ba203bfa2e084ac7319035b3f43b91f818a2c9b4",
+    "zh:520bf6cef53785a92226651d5bebacbbf9314bdbc3211d0bf0903bce4e45149d",
+    "zh:56f9778575830f6e5c23462c2eccbf2c9afaddb00a69275fcfb33cd1a6d17f4d",
+    "zh:73e381cb0b1e76d471d7b0952f3d2a80350b507d15bda9b7041ea69077e3b5b5",
+    "zh:7da74b48f8fa088be758a92407980400cb4b039a8d9ba3c108907e4055e9ad6f",
+    "zh:8dacfa9623ba2e0197fe7db6faaaa0820a3b91fe00ba9e5d8a646340522bc8dd",
     "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:9e553a3ec05eedea779d393447fc316689ba6c4d4d8d569b986898e6dbe58fee",
-    "zh:a36c24acd3c75bac8211fefde58c459778021eb871ff8339be1c26ad8fd67ee1",
-    "zh:ce48bd1e35d6f996f1a09d8f99e8084469b7fec5611e67a50a63e96375b87ebe",
-    "zh:d6c76a24205513725269e4783da14be9648e9086fb621496052f4b37d52d785e",
-    "zh:d95a31745affb178ea48fa8e0be94691a8f7507ea55c0d0a4b6e0a8ef6fcb929",
-    "zh:f061ce59fac1bc425c1092e6647ed4bb1b61824416041b46dbf336e01a63ad89",
+    "zh:9c2ebd21d697e1a611fe201788dc9e1678949a088afc85d4589563bca484d835",
+    "zh:ac5d0bbf36f9a6cedbfb63993f6baf0aabdaf21c8d7fc3b1e69ba8cbf344b5f3",
+    "zh:c2329644179f78a0458b6cf2dd5eaadca4c610fc3577a1b50620544d92df13e8",
   ]
 }
 

atlas_init/tf/main.tf

@@ -5,7 +5,8 @@ locals {
     Owner = "terraform-atlas-init"
   }
   use_aws_vpc        = var.use_private_link || var.use_vpc_peering || var.use_aws_vpc
-  use_cloud_provider = var.use_aws_s3
+  use_aws_kms        = var.use_encryption_at_rest
+  use_cloud_provider = var.use_aws_s3 || var.use_encryption_at_rest
   # https://www.mongodb.com/docs/atlas/reference/amazon-aws/
   atlas_region = replace(upper(var.aws_region), "-", "_")
   use_cluster  = var.cluster_config.name != ""
@@ -133,6 +134,18 @@ module "aws_s3" {
   iam_role_name = module.cloud_provider[0].iam_role_name
 }
 
+module "aws_kms" {
+  source = "./modules/aws_kms"
+  count  = local.use_aws_kms ? 1 : 0
+
+  access_iam_role_arns = {
+    atlas = module.cloud_provider[0].iam_role_arn
+  }
+  aws_account_id       = local.aws_account_id
+  aws_region           = var.aws_region
+  key_suffix           = var.project_name
+}
+
 module "federated_vars" {
   source = "./modules/federated_vars"
   count  = var.use_federated_vars ? 1 : 0
@@ -142,3 +155,14 @@ module "federated_vars" {
   project_id            = local.project_id
   base_url              = var.atlas_base_url
 }
+
+module "encryption_at_rest" {
+  source = "./modules/encryption_at_rest"
+  count  = var.use_encryption_at_rest ? 1 : 0
+
+  project_id    = local.project_id
+  atlas_role_id = module.cloud_provider[0].atlas_role_id
+  kms_key_id    = module.aws_kms[0].kms_key_id
+  atlas_regions = [local.atlas_region]
+
+}

atlas_init/tf/modules/aws_kms/aws_kms.tf

@@ -0,0 +1,100 @@
+variable "aws_account_id" {
+  type = string
+}
+variable "aws_region" {
+  type = string
+}
+variable "access_iam_role_arns" {
+  type = map(string)
+  description = "static name to arn"
+}
+
+variable "key_suffix" {
+  type = string
+}
+
+locals {
+  kms_secretsmanager_condition = {
+    StringEquals = {
+      "kms:CallerAccount" = var.aws_account_id
+      "kms:ViaService"    = "secretsmanager.${var.aws_region}.amazonaws.com"
+    }
+  }
+  role_names = { for static_name, role_arn in var.access_iam_role_arns : split("/", role_arn)[length(split("/", role_arn)) - 1] => role_arn }
+  kms_key_policy_statements = [
+    {
+      Sid    = "Enable IAM User Permissions Current AWS Account",
+      Effect = "Allow",
+      Principal = {
+        AWS = var.aws_account_id
+      },
+      Action   = "kms:*",
+      Resource = "*"
+    },
+    # { useful to check our example guide
+    #   "Sid" : "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager",
+    #   "Effect" : "Allow",
+    #   # "Principal" : { "AWS" : [aws_iam_role.execution_role.arn] },
+    #   "Principal" : { "AWS" : "*" },
+    #   "Action" : [
+    #     "kms:Decrypt",
+    #   ],
+    #   "Resource" : "*",
+    #   "Condition" : local.kms_secretsmanager_condition
+    # },
+  ]
+
+  access_roles = [for role_name, role_arn in local.role_names :
+    {
+      Sid    = "Enable IAM Permissions for Role ${role_name}",
+      Effect = "Allow",
+      Principal = {
+        AWS = "*"
+      }
+      Action   = "kms:*",
+      Resource = "*"
+      Condition = {
+        StringEquals = {
+          "aws:PrincipalArn" = role_arn
+        }
+      }
+    }
+  ]
+  kms_key_policy_json = jsonencode({
+    Version   = "2012-10-17",
+    Statement = concat(local.kms_key_policy_statements, local.access_roles)
+  })
+}
+resource "aws_kms_key" "this" {
+  description             = "KMS key for atlas-init ${var.key_suffix}"
+  deletion_window_in_days = 7
+  multi_region            = true
+  policy                  = local.kms_key_policy_json
+}
+
+resource "aws_iam_role_policy" "kms_access" {
+  for_each = var.access_iam_role_arns
+  name     = "atlas-init-${each.key}-kms-access"
+  role     = split("/", each.value)[length(split("/", each.value)) - 1]
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "kms:*"
+        ],
+        "Resource": [
+          "${aws_kms_key.this.arn}"
+        ]
+      }
+    ]
+  }
+  EOF
+}
+
+output "kms_key_id" {
+  value = aws_kms_key.this.id
+}

atlas_init/tf/modules/aws_kms/provider.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

atlas_init/tf/modules/cloud_provider/cloud_provider.tf

@@ -53,7 +53,14 @@ output "env_vars" {
   }
 }
 
-
 output "iam_role_name" {
   value = aws_iam_role.aws_role.name
+}
+
+output "atlas_role_id" {
+  value = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
+}
+
+output "iam_role_arn" {
+  value = aws_iam_role.aws_role.arn
 }