nullstone-modules · ssickles · Nov 3, 2023
diff --git a/README.md b/README.md
@@ -33,6 +33,11 @@ It does so with a Private Link Endpoint. See the Mongo Atlas guide on [Private L
 In order to establish this secure connection, an AWS VPC Endpoint from your AWS account is connected to a Mongo Atlas Private Link Endpoint.
 This is the recommended and most secure way to connect to your Mongo Atlas cluster. It does make this module AWS specific.
 
+## Connections
+
+This module requires two connections: one to your AWS network and one to your Atlas project.
+It will create a secure and performant connection between your AWS network and the Private Link endpoint from your Atlas project.
+
 ## Logs
 
 Logs for this infrastructure can be access through Atlas.
diff --git a/atlas.tf b/atlas.tf
@@ -1,42 +1,4 @@
 provider "mongodbatlas" {
-  public_key  = var.atlas_public_key
-  private_key = var.atlas_private_key
-}
-
-resource "aws_secretsmanager_secret" "atlas_public_key" {
-  name_prefix = "${local.block_name}/atlas_public_key/"
-  tags        = local.tags
-  kms_key_id  = aws_kms_key.this.arn
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_secretsmanager_secret_version" "atlas_public_key" {
-  secret_id     = aws_secretsmanager_secret.atlas_public_key.id
-  secret_string = var.atlas_public_key
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_secretsmanager_secret" "atlas_private_key" {
-  name_prefix = "${local.block_name}/atlas_private_key/"
-  tags        = local.tags
-  kms_key_id  = aws_kms_key.this.arn
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_secretsmanager_secret_version" "atlas_private_key" {
-  secret_id     = aws_secretsmanager_secret.atlas_private_key.id
-  secret_string = var.atlas_private_key
-
-  lifecycle {
-    create_before_destroy = true
-  }
+  public_key  = data.aws_secretsmanager_secret_version.atlas_public_key.secret_string
+  private_key = data.aws_secretsmanager_secret_version.atlas_private_key.secret_string
 }
diff --git a/outputs.tf b/outputs.tf
@@ -29,21 +29,21 @@ output "db_admin_secret_id" {
 }
 
 output "atlas_public_key_secret_id" {
-  value       = aws_secretsmanager_secret.atlas_public_key.name
+  value       = local.atlas_public_key_secret_id
   description = "The public key used to authenticate to your MongoDB Atlas account"
 }
 
 output "atlas_private_key_secret_id" {
-  value       = aws_secretsmanager_secret.atlas_private_key.name
+  value       = local.atlas_private_key_secret_id
   description = "The private key used to authenticate to your MongoDB Atlas account"
 }
 
 output "atlas_project_id" {
-  value       = var.atlas_project_id
+  value       = local.atlas_project_id
   description = "string ||| The ID of the Atlas project"
 }
 
 output "atlas_private_link_id" {
-  value       = mongodbatlas_privatelink_endpoint.this.id
+  value       = local.private_link_id
   description = "string ||| The ID of the Atlas private link"
 }
diff --git a/private-link.tf b/private-link.tf
@@ -1,21 +1,21 @@
-resource "mongodbatlas_privatelink_endpoint" "this" {
-  project_id    = var.atlas_project_id
+data "mongodbatlas_privatelink_endpoint" "this" {
   provider_name = "AWS"
-  region        = data.aws_region.this.name
+  project_id = local.atlas_project_id
+  private_link_id = local.private_link_id
 }
 
 resource "aws_vpc_endpoint" "this" {
   vpc_id             = local.vpc_id
-  service_name       = mongodbatlas_privatelink_endpoint.this.endpoint_service_name
+  service_name       = data.mongodbatlas_privatelink_endpoint.this.endpoint_service_name
   vpc_endpoint_type  = "Interface"
   subnet_ids         = local.private_subnet_ids
   security_group_ids = [aws_security_group.this.id]
   tags               = merge(local.tags, { Name = local.resource_name })
 }
 
 resource "mongodbatlas_privatelink_endpoint_service" "this" {
-  project_id          = var.atlas_project_id
-  private_link_id     = mongodbatlas_privatelink_endpoint.this.private_link_id
+  project_id          = local.atlas_project_id
+  private_link_id     = data.mongodbatlas_privatelink_endpoint.this.private_link_id
   endpoint_service_id = aws_vpc_endpoint.this.id
   provider_name       = "AWS"
 }
diff --git a/project.tf b/project.tf
@@ -0,0 +1,18 @@
+data "ns_connection" "atlas-project" {
+  name     = "atlas-project"
+  contract = "network/aws/mongo:atlas"
+}
+
+locals {
+  atlas_project_id = data.ns_connection.atlas-project.outputs.project_id
+  private_link_id = data.ns_connection.atlas-project.outputs.private_link_id
+  atlas_public_key_secret_id = data.ns_connection.atlas-project.outputs.atlas_public_key_secret_id
+  atlas_private_key_secret_id = data.ns_connection.atlas-project.outputs.atlas_private_key_secret_id
+}
+
+data "aws_secretsmanager_secret_version" "atlas_public_key" {
+  secret_id = local.atlas_public_key_secret_id
+}
+data "aws_secretsmanager_secret_version" "atlas_private_key" {
+  secret_id = local.atlas_private_key_secret_id
+}
diff --git a/variables.tf b/variables.tf
@@ -1,20 +1,3 @@
-variable "atlas_public_key" {
-  type        = string
-  sensitive   = true
-  description = "The public key used to authenticate to your MongoDB Atlas account"
-}
-
-variable "atlas_private_key" {
-  type        = string
-  sensitive   = true
-  description = "The private key used to authenticate to your MongoDB Atlas account"
-}
-
-variable "atlas_project_id" {
-  type        = string
-  description = "The ID of the Atlas project to create the cluster in"
-}
-
 variable "mongodb_major_version" {
   type        = string
   default     = "6"