feat: CLOUDP-369802 Add log-integration resource (#1555)

Co-authored-by: Rakhul S Prakash <rakhul.s.prakash@peerislands.io>
Co-authored-by: sivaram-mongodb <sivaram@mongodb.com>
Co-authored-by: ParthasarathyV <114770988+ParthasarathyV@users.noreply.github.com>

Author: 4 people

.github/workflows/contract-testing.yaml

@@ -25,6 +25,7 @@ jobs:
      federated-settings-identity-provider: ${{ steps.filter.outputs.federated-settings-identity-provider }}
      federated-settings-org-role-mapping: ${{ steps.filter.outputs.federated-settings-org-role-mapping }}
      flex-cluster: ${{ steps.filter.outputs.flex-cluster }}
+     log-integration: ${{ steps.filter.outputs.log-integration }}
      online-archive: ${{ steps.filter.outputs.online-archive }}
      organization: ${{ steps.filter.outputs.organization }}
      service-account: ${{ steps.filter.outputs.service-account }}
@@ -78,6 +79,8 @@ jobs:
           - 'cfn-resources/federated-settings-org-role-mapping/**'
         flex-cluster:
           - 'cfn-resources/flex-cluster/**'
+        log-integration:
+          - 'cfn-resources/log-integration/**'
         online-archive:
           - 'cfn-resources/online-archive/**'
         organization:
@@ -689,6 +692,46 @@ jobs:
         
         make run-contract-testing
         make delete-test-resources
+  log-integration:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.log-integration == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@c2a20b1822cc4a6bc594ff7f1dbb658758e383c3
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+        run: |
+          pushd cfn-resources/log-integration
+          make create-test-resources
+          
+          cat inputs/*
+
+          make run-contract-testing
+          make delete-test-resources
   online-archive:
     needs: change-detection
     if: ${{ needs.change-detection.outputs.online-archive == 'true' }}

.gitignore

@@ -48,3 +48,8 @@ CLAUDE.md
 
 # generated markdown file with resource versions, will not be commited until we have mechanism to keep updated
 cfn-resources/resource-versions.md
+
+# dynamically generated test policy files (not templates)
+**/test/trust-policy.json
+**/test/s3-policy.json
+**/test/add-policy.json

cfn-resources/log-integration/.rpdk-config

@@ -0,0 +1,12 @@
+{
+  "typeName": "MongoDB::Atlas::LogIntegration",
+  "language": "go",
+  "runtime": "provided.al2",
+  "entrypoint": "bootstrap",
+  "testEntrypoint": "bootstrap",
+  "settings": {
+    "import_path": "github.com/mongodb/mongodbatlas-cloudformation-resources/log-integration",
+    "protocolVersion": "2.0.0",
+    "pluginVersion": "2.0.4"
+  }
+}

cfn-resources/log-integration/Makefile

@@ -0,0 +1,37 @@
+.PHONY: build test clean
+tags=logging callback metrics scheduler
+cgo=0
+goos=linux
+goarch=amd64
+CFNREP_GIT_SHA?=$(shell git rev-parse HEAD)
+ldXflags=-s -w -X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=info -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+ldXflagsD=-X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=debug -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+
+build:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflags)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+debug:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/debug cmd/main.go
+
+clean:
+	rm -rf bin
+
+submit: clean build # submit to private registry must use release build not debug build
+	@echo "==> Submitting to private registry for testing"
+	 cfn submit --set-default --region us-east-1
+
+create-test-resources:
+	@echo "==> Creating test files and resources for contract testing"
+	./test/contract-testing/cfn-test-create.sh
+
+delete-test-resources:
+	@echo "==> Delete test resources used for contract testing"
+	./test/contract-testing/cfn-test-delete.sh
+
+run-contract-testing:
+	@echo "==> Run contract testing"
+	make build
+	sam local start-lambda &
+	cfn test --function-name TestEntrypoint --verbose

cfn-resources/log-integration/README.md

@@ -0,0 +1,20 @@
+# MongoDB::Atlas::LogIntegration
+
+## Description
+
+The log integration resource provides access to push-based log export configurations for MongoDB Atlas. The resource allows you to create, edit and delete log export integrations to AWS S3 buckets. Push-based log export enables you to automatically export MongoDB Atlas logs to your AWS S3 bucket with 1-minute frequency.
+
+For more information, see [Push Logs to AWS S3 bucket](https://www.mongodb.com/docs/atlas/push-logs/) and the [Push-Based Log Export API](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/group/endpoint-push-based-log-export).
+
+## Requirements
+
+To securely give CloudFormation access to your Atlas credentials, you must
+set up an [AWS Profile](/README.md#mongodb-atlas-api-keys-credential-management).
+
+## Attributes and Parameters
+
+See the [resource docs](docs/README.md).
+
+## CloudFormation Examples
+
+See the example [CFN Template](/examples/log-integration/README.md) for example resource.

cfn-resources/log-integration/cmd/main.go

@@ -0,0 +1,111 @@
+// Copyright 2026 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package resource
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
+	"github.com/mongodb/mongodbatlas-cloudformation-resources/util"
+	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/constants"
+	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/progressevent"
+)
+
+func HandleCreate(req *handler.Request, client *util.MongoDBClient, model *Model) handler.ProgressEvent {
+	s3LogIntegrationReq := NewLogIntegrationCreateRequest(model)
+	logIntegrationResp, resp, err := client.AtlasSDK.PushBasedLogExportApi.CreateGroupLogIntegration(context.Background(), *model.ProjectId, s3LogIntegrationReq).Execute()
+	if err != nil {
+		return handleError(resp, err, "Error creating log integration")
+	}
+
+	UpdateLogIntegrationModel(model, logIntegrationResp)
+	return handler.ProgressEvent{
+		OperationStatus: handler.Success,
+		Message:         "Create complete",
+		ResourceModel:   model,
+	}
+}
+
+func HandleRead(req *handler.Request, client *util.MongoDBClient, model *Model) handler.ProgressEvent {
+	logIntegrationResp, resp, err := client.AtlasSDK.PushBasedLogExportApi.GetGroupLogIntegration(context.Background(), *model.ProjectId, *model.IntegrationId).Execute()
+	if err != nil {
+		return handleError(resp, err, "Error reading log integration")
+	}
+
+	UpdateLogIntegrationModel(model, logIntegrationResp)
+	return handler.ProgressEvent{
+		OperationStatus: handler.Success,
+		Message:         constants.ReadComplete,
+		ResourceModel:   model,
+	}
+}
+
+func HandleUpdate(req *handler.Request, client *util.MongoDBClient, model *Model) handler.ProgressEvent {
+	logIntegrationReq := NewLogIntegrationUpdateRequest(model)
+	logIntegrationResp, resp, err := client.AtlasSDK.PushBasedLogExportApi.UpdateGroupLogIntegration(context.Background(), *model.ProjectId, *model.IntegrationId, logIntegrationReq).Execute()
+	if err != nil {
+		return handleError(resp, err, "Error updating log integration")
+	}
+
+	UpdateLogIntegrationModel(model, logIntegrationResp)
+	return handler.ProgressEvent{
+		OperationStatus: handler.Success,
+		Message:         "Update complete",
+		ResourceModel:   model,
+	}
+}
+
+func HandleDelete(req *handler.Request, client *util.MongoDBClient, model *Model) handler.ProgressEvent {
+	resp, err := client.AtlasSDK.PushBasedLogExportApi.DeleteGroupLogIntegration(context.Background(), *model.ProjectId, *model.IntegrationId).Execute()
+	if err != nil {
+		return handleError(resp, err, "Error deleting log integration")
+	}
+
+	return handler.ProgressEvent{
+		OperationStatus: handler.Success,
+		Message:         "Delete complete",
+	}
+}
+
+func HandleList(req *handler.Request, client *util.MongoDBClient, model *Model) handler.ProgressEvent {
+	paginatedResp, resp, err := client.AtlasSDK.PushBasedLogExportApi.ListGroupLogIntegrations(context.Background(), *model.ProjectId).Execute()
+	if err != nil {
+		return handleError(resp, err, "Error listing log integrations")
+	}
+
+	var allModels []*Model
+	results := paginatedResp.GetResults()
+	for i := range results {
+		modelItem := &Model{
+			ProjectId: model.ProjectId,
+			Profile:   model.Profile,
+		}
+		UpdateLogIntegrationModel(modelItem, &results[i])
+		allModels = append(allModels, modelItem)
+	}
+
+	return handler.ProgressEvent{
+		OperationStatus: handler.Success,
+		Message:         constants.Complete,
+		ResourceModel:   allModels,
+	}
+}
+
+func handleError(resp *http.Response, err error, message string) handler.ProgressEvent {
+	errMsg := fmt.Sprintf("%s: %v", message, err)
+	return progressevent.GetFailedEventByResponse(errMsg, resp)
+}