feat: Update Database User

add oidcAuthType

Author: outcomes-winter-rakhulsprakash

cfn-resources/database-user/cmd/resource/model.go

@@ -110,6 +110,7 @@ func Read(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 	currentModel.LdapAuthType = databaseUser.LdapAuthType
 	currentModel.AWSIAMType = databaseUser.AwsIAMType
 	currentModel.X509Type = databaseUser.X509Type
+	currentModel.OIDCAuthType = databaseUser.OidcAuthType
 	currentModel.Username = &databaseUser.Username
 	var roles []RoleDefinition
 
@@ -252,7 +253,9 @@ func List(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 			DatabaseName: &databaseUser.DatabaseName,
 			Description:  databaseUser.Description,
 			LdapAuthType: databaseUser.LdapAuthType,
+			AWSIAMType:   databaseUser.AwsIAMType,
 			X509Type:     databaseUser.X509Type,
+			OIDCAuthType: databaseUser.OidcAuthType,
 			Username:     &databaseUser.Username,
 			ProjectId:    currentModel.ProjectId,
 		}
@@ -341,10 +344,13 @@ func setModel(currentModel *Model) (*admin.CloudDatabaseUser, error) {
 	if currentModel.X509Type == nil {
 		currentModel.X509Type = &none
 	}
+	if currentModel.OIDCAuthType == nil {
+		currentModel.OIDCAuthType = &none
+	}
 
 	if currentModel.Password == nil {
-		if (*currentModel.LdapAuthType == none) && (*currentModel.AWSIAMType == none) && (*currentModel.X509Type == none) {
-			err := fmt.Errorf("password cannot be empty if not LDAP or IAM or X509 is not provided")
+		if (*currentModel.LdapAuthType == none) && (*currentModel.AWSIAMType == none) && (*currentModel.X509Type == none) && (*currentModel.OIDCAuthType == none) {
+			err := fmt.Errorf("password cannot be empty if not LDAP or IAM or X509 or OIDC is not provided")
 			return nil, err
 		}
 		currentModel.Password = aws.String("")
@@ -364,6 +370,7 @@ func setModel(currentModel *Model) (*admin.CloudDatabaseUser, error) {
 		LdapAuthType:    currentModel.LdapAuthType,
 		AwsIAMType:      currentModel.AWSIAMType,
 		X509Type:        currentModel.X509Type,
+		OidcAuthType:    currentModel.OIDCAuthType,
 		DeleteAfterDate: util.StringPtrToTimePtr(currentModel.DeleteAfterDate),
 		Description:     currentModel.Description,
 	}

cfn-resources/database-user/cmd/resource/resource.go

@@ -19,6 +19,7 @@ To declare this entity in your AWS CloudFormation template, use the following sy
         "<a href="#labels" title="Labels">Labels</a>" : <i>[ <a href="labeldefinition.md">labelDefinition</a>, ... ]</i>,
         "<a href="#ldapauthtype" title="LdapAuthType">LdapAuthType</a>" : <i>String</i>,
         "<a href="#x509type" title="X509Type">X509Type</a>" : <i>String</i>,
+        "<a href="#oidcauthtype" title="OIDCAuthType">OIDCAuthType</a>" : <i>String</i>,
         "<a href="#password" title="Password">Password</a>" : <i>String</i>,
         "<a href="#projectid" title="ProjectId">ProjectId</a>" : <i>String</i>,
         "<a href="#roles" title="Roles">Roles</a>" : <i>[ <a href="roledefinition.md">roleDefinition</a>, ... ]</i>,
@@ -42,6 +43,7 @@ Properties:
       - <a href="labeldefinition.md">labelDefinition</a></i>
     <a href="#ldapauthtype" title="LdapAuthType">LdapAuthType</a>: <i>String</i>
     <a href="#x509type" title="X509Type">X509Type</a>: <i>String</i>
+    <a href="#oidcauthtype" title="OIDCAuthType">OIDCAuthType</a>: <i>String</i>
     <a href="#password" title="Password">Password</a>: <i>String</i>
     <a href="#projectid" title="ProjectId">ProjectId</a>: <i>String</i>
     <a href="#roles" title="Roles">Roles</a>: <i>
@@ -130,6 +132,18 @@ _Allowed Values_: <code>NONE</code> | <code>MANAGED</code> | <code>CUSTOMER</cod
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### OIDCAuthType
+
+Human-readable label that indicates whether the new database user or group authenticates with OIDC federated authentication. To create a federated authentication user, specify the value of USER in this field. To create a federated authentication group, specify the value of IDP_GROUP in this field. Default value is `NONE`.
+
+_Required_: No
+
+_Type_: String
+
+_Allowed Values_: <code>NONE</code> | <code>USER</code> | <code>IDP_GROUP</code>
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
 #### Password
 
 The user’s password. This field is not included in the entity returned from the server.

cfn-resources/database-user/docs/README.md

@@ -120,6 +120,11 @@
       ],
       "type": "string"
     },
+    "OIDCAuthType": {
+      "description": "Human-readable label that indicates whether the new database user or group authenticates with OIDC federated authentication. To create a federated authentication user, specify the value of USER in this field. To create a federated authentication group, specify the value of IDP_GROUP in this field. Default value is `NONE`.",
+      "enum": ["NONE", "USER", "IDP_GROUP"],
+      "type": "string"
+    },
     "Password": {
       "description": "The user’s password. This field is not included in the entity returned from the server.",
       "type": "string"

cfn-resources/database-user/mongodb-atlas-databaseuser.json

@@ -0,0 +1,28 @@
+{
+  "Username": "DataUser3",
+  "Password": "MongoDB12345%",
+  "ProjectId": "${MONGODB_ATLAS_PROJECT_ID}",
+  "Profile": "${MONGODB_ATLAS_PROFILE}",
+  "DatabaseName": "admin",
+  "Description": "User with Labels to test OIDCAuthType field",
+  "OIDCAuthType": "NONE",
+  "Roles": [
+    {
+      "RoleName": "readWrite",
+      "DatabaseName": "testdb",
+      "CollectionName": "col1"
+    }
+  ],
+  "Scopes": [
+    {
+      "Type": "CLUSTER",
+      "Name": "testdb"
+    }
+  ],
+  "Labels": [
+    {
+      "Key": "testType",
+      "Value": "oidc-field-validation"
+    }
+  ]
+}

cfn-resources/database-user/test/inputs_3_create.template.json

@@ -0,0 +1,31 @@
+{
+  "Username": "DataUser3",
+  "Password": "MongoDB12345%",
+  "ProjectId": "${MONGODB_ATLAS_PROJECT_ID}",
+  "Profile": "${MONGODB_ATLAS_PROFILE}",
+  "DatabaseName": "admin",
+  "Description": "Updated user with modified Labels",
+  "OIDCAuthType": "NONE",
+  "Roles": [
+    {
+      "RoleName": "readWriteAnyDatabase",
+      "DatabaseName": "admin"
+    }
+  ],
+  "Scopes": [
+    {
+      "Type": "CLUSTER",
+      "Name": "testdb2"
+    }
+  ],
+  "Labels": [
+    {
+      "Key": "testType",
+      "Value": "oidc-field-validation"
+    },
+    {
+      "Key": "updated",
+      "Value": "true"
+    }
+  ]
+}

cfn-resources/database-user/test/inputs_3_update.template.json

@@ -0,0 +1,87 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "This template creates a database user with OIDC (OpenID Connect) federated authentication. OIDC authentication requires federation settings to be configured in your MongoDB Atlas organization. OIDCAuthType supports USER (individual users) and IDP_GROUP (identity provider groups).",
+  "Parameters": {
+    "ProjectId": {
+      "Type": "String",
+      "Description": "Unique 24-hexadecimal digit string that identifies your project"
+    },
+    "Profile": {
+      "Type": "String",
+      "Description": "Secret Manager Profile that contains the Atlas Programmatic keys",
+      "ConstraintDescription": "",
+      "Default": "default"
+    },
+    "DatabaseName": {
+      "Type": "String",
+      "Description": "Database against which the database user authenticates. For OIDC authentication, this must be $external",
+      "Default": "$external"
+    },
+    "Username": {
+      "Type": "String",
+      "Description": "Username for OIDC authentication. Format: <federation_settings_id>/<username> (e.g., 6489e4f0bebcb4b0dbd8e7b3/john.doe). The federation_settings_id can be found in your Atlas organization's federation settings."
+    },
+    "Description": {
+      "Type": "String",
+      "Description": "Description of this database user.",
+      "Default": "OIDC federated authentication user"
+    }
+  },
+  "Mappings": {},
+  "Resources": {
+    "OidcUser": {
+      "Type": "MongoDB::Atlas::DatabaseUser",
+      "Metadata": {
+        "Comment": "Remember to update the \"Roles\" field with a list of roles that you want to assign to the user. OIDC authentication requires federation settings to be configured in your Atlas organization. The username must follow the format: <federation_settings_id>/<username>. For group-based authentication, use OIDCAuthType: IDP_GROUP and format: <federation_settings_id>/<group_name>"
+      },
+      "Properties": {
+        "Username": {
+          "Ref": "Username"
+        },
+        "OIDCAuthType": "USER",
+        "ProjectId": {
+          "Ref": "ProjectId"
+        },
+        "DatabaseName": {
+          "Ref": "DatabaseName"
+        },
+        "Profile": {
+          "Ref": "Profile"
+        },
+        "Description": {
+          "Ref": "Description"
+        },
+        "Roles": [
+          {
+            "RoleName": "readWriteAnyDatabase",
+            "DatabaseName": "admin"
+          }
+        ],
+        "Labels": [
+          {
+            "Key": "authType",
+            "Value": "oidc"
+          },
+          {
+            "Key": "environment",
+            "Value": "production"
+          }
+        ]
+      }
+    }
+  },
+  "Outputs": {
+    "MongoDBOidcUsername": {
+      "Description": "Unique identifier for the OIDC database user",
+      "Value": {
+        "Fn::GetAtt": ["OidcUser", "UserCFNIdentifier"]
+      }
+    },
+    "Username": {
+      "Description": "Username of the OIDC database user",
+      "Value": {
+        "Ref": "Username"
+      }
+    }
+  }
+}