feat: CLOUDP-380111 Add project-service-account-secret resource (#1578)

Co-authored-by: Rakhul S Prakash <rakhul.s.prakash@peerislands.io>
Co-authored-by: ParthasarathyV <114770988+ParthasarathyV@users.noreply.github.com>

Author: 3 people

.github/workflows/contract-testing.yaml

@@ -32,6 +32,7 @@ jobs:
      private-endpoint-service: ${{ steps.filter.outputs.private-endpoint-service }}
      privatelink-endpoint-service-data-federation-online-archive: ${{ steps.filter.outputs.privatelink-endpoint-service-data-federation-online-archive }}
      project: ${{ steps.filter.outputs.project }}
+     project-service-account-secret: ${{ steps.filter.outputs.project-service-account-secret }}
      resource-policy: ${{ steps.filter.outputs.resource-policy }}
      search-deployment: ${{ steps.filter.outputs.search-deployment }}
      search-index: ${{ steps.filter.outputs.search-index }}
@@ -90,6 +91,8 @@ jobs:
           - 'cfn-resources/privatelink-endpoint-service-data-federation-online-archive/**'
         project:
           - 'cfn-resources/project/**'
+        project-service-account-secret:
+          - 'cfn-resources/project-service-account-secret/**'
         resource-policy:
           - 'cfn-resources/resource-policy/**'
         search-deployment:
@@ -970,6 +973,46 @@ jobs:
        
        make run-contract-testing
        make delete-test-resources
+  project-service-account-secret:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.project-service-account-secret == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@d78e1a4a9656d3b223e59b80676a797f20093133
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+        run: |
+          cd cfn-resources/project-service-account-secret
+          make create-test-resources
+
+          cat inputs/*
+
+          make run-contract-testing
+          make delete-test-resources
   resource-policy:
     needs: change-detection
     if: ${{ needs.change-detection.outputs.resource-policy == 'true' }}

cfn-resources/project-service-account-secret/.rpdk-config

@@ -0,0 +1,12 @@
+{
+  "typeName": "MongoDB::Atlas::ProjectServiceAccountSecret",
+  "language": "go",
+  "runtime": "provided.al2",
+  "entrypoint": "bootstrap",
+  "testEntrypoint": "bootstrap",
+  "settings": {
+    "import_path": "github.com/mongodb/mongodbatlas-cloudformation-resources/project-service-account-secret",
+    "protocolVersion": "2.0.0",
+    "pluginVersion": "2.0.4"
+  }
+}

cfn-resources/project-service-account-secret/Makefile

@@ -0,0 +1,37 @@
+.PHONY: build test clean
+tags=logging callback metrics scheduler
+cgo=0
+goos=linux
+goarch=amd64
+CFNREP_GIT_SHA?=$(shell git rev-parse HEAD)
+ldXflags=-s -w -X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=info -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+ldXflagsD=-X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=debug -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+
+build:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflags)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+debug:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/debug cmd/main.go
+
+clean:
+	rm -rf bin
+
+submit: clean build # submit to private registry must use release build not debug build
+	@echo "==> Submitting to private registry for testing"
+	 cfn submit --set-default --region us-east-1
+
+create-test-resources:
+	@echo "==> Creating test files and resources for contract testing"
+	./test/contract-testing/cfn-test-create.sh
+
+delete-test-resources:
+	@echo "==> Delete test resources used for contract testing"
+	./test/contract-testing/cfn-test-delete.sh
+
+run-contract-testing:
+	@echo "==> Run contract testing"
+	make build
+	sam local start-lambda &
+	cfn test --function-name TestEntrypoint --verbose

cfn-resources/project-service-account-secret/README.md

@@ -0,0 +1,29 @@
+# MongoDB::Atlas::ProjectServiceAccountSecret
+
+## Description
+
+The Project Service Account Secret resource provides a secret for a Service Account at the project level. This resource lets you create and delete secrets for Project Service Accounts. For more information, see [Create One Project Service Account Secret](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Service-Accounts/operation/createGroupServiceAccountSecret) in the MongoDB Atlas API documentation.
+
+~> **IMPORTANT WARNING:** Managing Service Account Secrets with CloudFormation **exposes sensitive organizational secrets** in CloudFormation's outputs and logs. We suggest following [AWS Secrets Manager best practices](https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html) for handling sensitive data.
+
+-> **NOTE:** This resource does not support updates. Any property change will trigger a replacement (delete + create). To rotate secrets, simply replace the resource.
+
+## Requirements
+
+To securely give CloudFormation access to your Atlas credentials, you must
+set up an [AWS Profile](/README.md#mongodb-atlas-api-keys-credential-management).
+
+## Attributes and Parameters
+
+See the [resource docs](docs/README.md).
+
+## Cloudformation Examples
+
+See the examples [CFN Template](/examples/project-service-account-secret/README.md) for example resource.
+
+## Important Notes
+
+- The `Secret` property contains the actual secret value and is only returned once during creation
+- This resource does not support updates - any change will trigger a replacement
+- Secrets have an expiration time controlled by `SecretExpiresAfterHours`
+- The minimum and maximum expiration times are controlled by your organization's settings