From 4b483a5105daecb4dc7dfdd854205897496c6b84 Mon Sep 17 00:00:00 2001
From: Scott Sickles
Date: Fri, 3 Nov 2023 16:13:39 -0400
Subject: [PATCH] moved the project and collection of public/private key to the mongo-project block; added connection for mongo-project block; remove creation of private-link endpoint
---
 README.md | 5 +++++
 atlas.tf | 42 ++----------------------------------------
 outputs.tf | 8 ++++----
 private-link.tf | 12 ++++++------
 project.tf | 18 ++++++++++++++++++
 variables.tf | 17 -----------------
 6 files changed, 35 insertions(+), 67 deletions(-)
 create mode 100644 project.tf
diff --git a/README.md b/README.md
index 6b1722b..ebfd509 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,11 @@ It does so with a Private Link Endpoint. See the Mongo Atlas guide on [Private L
 In order to establish this secure connection, an AWS VPC Endpoint from your AWS account is connected to a Mongo Atlas Private Link Endpoint. This is the recommended and most secure way to connect to your Mongo Atlas cluster. It does make this module AWS specific.
+## Connections
+
+This module requires two connections: one to your AWS network and one to your Atlas project.
+It will create a secure and performant connection between your AWS network and the Private Link endpoint from your Atlas project.
+
 ## Logs
 Logs for this infrastructure can be access through Atlas.
diff --git a/atlas.tf b/atlas.tf
index be27060..838dbea 100644
--- a/atlas.tf
+++ b/atlas.tf
@@ -1,42 +1,4 @@
 provider "mongodbatlas" {
- public_key = var.atlas_public_key
- private_key = var.atlas_private_key
-}
-
-resource "aws_secretsmanager_secret" "atlas_public_key" {
- name_prefix = "${local.block_name}/atlas_public_key/"
- tags = local.tags
- kms_key_id = aws_kms_key.this.arn
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_secretsmanager_secret_version" "atlas_public_key" {
- secret_id = aws_secretsmanager_secret.atlas_public_key.id
- secret_string = var.atlas_public_key
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_secretsmanager_secret" "atlas_private_key" {
- name_prefix = "${local.block_name}/atlas_private_key/"
- tags = local.tags
- kms_key_id = aws_kms_key.this.arn
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_secretsmanager_secret_version" "atlas_private_key" {
- secret_id = aws_secretsmanager_secret.atlas_private_key.id
- secret_string = var.atlas_private_key
-
- lifecycle {
- create_before_destroy = true
- }
+ public_key = data.aws_secretsmanager_secret_version.atlas_public_key.secret_string
+ private_key = data.aws_secretsmanager_secret_version.atlas_private_key.secret_string
 }
diff --git a/outputs.tf b/outputs.tf
index 283d479..d314c72 100644
--- a/outputs.tf
+++ b/outputs.tf
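Review bot: The rewritten provider block takes its API keys from `data.aws_secretsmanager_secret_version.*.secret_string`, i.e. from secrets this module no longer creates or encrypts, and nothing in the hunk says where that ownership now lives. A comment above `provider "mongodbatlas"` would make the trust boundary explicit, e.g. `# Atlas API keys are owned by the connected mongo-project block; this module only reads the current version of the secrets whose ids the connection exports.` Reading `secret_string` through a data source still persists the key material in Terraform state in plaintext, exactly as the removed `aws_secretsmanager_secret_version` resources did, so access control on the state backend remains the effective guard for these credentials. Whether the connected block applies a KMS key to those secrets, as the removed `kms_key_id = aws_kms_key.this.arn` did here, is not visible in this patch.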
@@ -29,21 +29,21 @@ output "db_admin_secret_id" {
 }
 output "atlas_public_key_secret_id" {
- value = aws_secretsmanager_secret.atlas_public_key.name
+ value = local.atlas_public_key_secret_id
 description = "The public key used to authenticate to your MongoDB Atlas account"
 }
 output "atlas_private_key_secret_id" {
- value = aws_secretsmanager_secret.atlas_private_key.name
+ value = local.atlas_private_key_secret_id
 description = "The private key used to authenticate to your MongoDB Atlas account"
 }
 output "atlas_project_id" {
- value = var.atlas_project_id
+ value = local.atlas_project_id
 description = "string ||| The ID of the Atlas project"
 }
 output "atlas_private_link_id" {
- value = mongodbatlas_privatelink_endpoint.this.id
+ value = local.private_link_id
 description = "string ||| The ID of the Atlas private link"
 }
diff --git a/private-link.tf b/private-link.tf
index a672b52..f93a45f 100644
--- a/private-link.tf
+++ b/private-link.tf
@@ -1,12 +1,12 @@
-resource "mongodbatlas_privatelink_endpoint" "this" {
- project_id = var.atlas_project_id
+data "mongodbatlas_privatelink_endpoint" "this" {
 provider_name = "AWS"
- region = data.aws_region.this.name
+ project_id = local.atlas_project_id
+ private_link_id = local.private_link_id
 }
 resource "aws_vpc_endpoint" "this" {
 vpc_id = local.vpc_id
- service_name = mongodbatlas_privatelink_endpoint.this.endpoint_service_name
+ service_name = data.mongodbatlas_privatelink_endpoint.this.endpoint_service_name
 vpc_endpoint_type = "Interface"
 subnet_ids = local.private_subnet_ids
 security_group_ids = [aws_security_group.this.id]
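Review bot: The descriptions of `atlas_public_key_secret_id` and `atlas_private_key_secret_id` still read "The public key used to authenticate to your MongoDB Atlas account", while the value on the changed lines is a Secrets Manager secret id forwarded from the connection, so a consumer reading the description would expect key material rather than an identifier that it must still resolve. Suggest `description = "string ||| The ID of the Secrets Manager secret holding the Atlas public key"` and the private-key counterpart, which also matches the `string |||` prefix the other two outputs in this hunk carry. Whether that prefix is parsed by consumer tooling or is only a convention is not visible in this patch.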
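Review bot: Turning `mongodbatlas_privatelink_endpoint` into a data source drops the `region = data.aws_region.this.name` binding, so nothing in this file now ties the connected Atlas endpoint's region to the region in which `aws_vpc_endpoint.this` is created, and a mismatch would only surface when AWS rejects the `service_name`. If the data source exposes the endpoint's region, a `postcondition` on the data block comparing it with `data.aws_region.this.name` would turn that into a plan-time error with a clear message; confirm the attribute name against the provider documentation before adding it. The second hunk of this file passes `data.mongodbatlas_privatelink_endpoint.this.private_link_id` to `mongodbatlas_privatelink_endpoint_service`, while this hunk feeds the same value in as `local.private_link_id`; using `private_link_id = local.private_link_id` in both places keeps the connection output as the single source of truth. Whether `data.aws_region.this` is still referenced elsewhere after this change cannot be told from the patch.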
@@ -14,8 +14,8 @@ resource "aws_vpc_endpoint" "this" {
 }
 resource "mongodbatlas_privatelink_endpoint_service" "this" {
- project_id = var.atlas_project_id
- private_link_id = mongodbatlas_privatelink_endpoint.this.private_link_id
+ project_id = local.atlas_project_id
+ private_link_id = data.mongodbatlas_privatelink_endpoint.this.private_link_id
 endpoint_service_id = aws_vpc_endpoint.this.id
 provider_name = "AWS"
 }
diff --git a/project.tf b/project.tf
new file mode 100644
index 0000000..621284c
--- /dev/null
+++ b/project.tf
@@ -0,0 +1,18 @@
+data "ns_connection" "atlas-project" {
+ name = "atlas-project"
+ contract = "network/aws/mongo:atlas"
+}
+
+locals {
+ atlas_project_id = data.ns_connection.atlas-project.outputs.project_id
+ private_link_id = data.ns_connection.atlas-project.outputs.private_link_id
+ atlas_public_key_secret_id = data.ns_connection.atlas-project.outputs.atlas_public_key_secret_id
+ atlas_private_key_secret_id = data.ns_connection.atlas-project.outputs.atlas_private_key_secret_id
+}
+
+data "aws_secretsmanager_secret_version" "atlas_public_key" {
+ secret_id = local.atlas_public_key_secret_id
+}
+data "aws_secretsmanager_secret_version" "atlas_private_key" {
+ secret_id = local.atlas_private_key_secret_id
+}
diff --git a/variables.tf b/variables.tf
index 2446ebe..7b76210 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,20 +1,3 @@
-variable "atlas_public_key" {
- type = string
- sensitive = true
- description = "The public key used to authenticate to your MongoDB Atlas account"
-}
-
-variable "atlas_private_key" {
- type = string
- sensitive = true
- description = "The private key used to authenticate to your MongoDB Atlas account"
-}
-
-variable "atlas_project_id" {
- type = string
- description = "The ID of the Atlas project to create the cluster in"
-}
-
 variable "mongodb_major_version" {
 type = string
 default = "6"
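Review bot: The new project.tf is the module's only dependency on the connected block's outputs (`project_id`, `private_link_id`, `atlas_public_key_secret_id`, `atlas_private_key_secret_id`) yet says nothing about what the `network/aws/mongo:atlas` contract guarantees for them; a header comment listing these four expected outputs and noting that the two secret ids must point at Secrets Manager secrets readable by this module's AWS credentials would tell a maintainer which side to change when the connection drifts. The data source name `atlas-project` uses a hyphen while every other address in this patch uses underscores (`atlas_public_key`, `atlas_project_id`, and so on); `data "ns_connection" "atlas_project"` with matching references in the `locals` block keeps addressing consistent. Whether the connection exports secret ARNs or secret names cannot be told from the patch; `aws_secretsmanager_secret_version` accepts either as `secret_id`, so recording which one is expected belongs in that header comment rather than in code.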