feat: CLOUDP-380113 Add service account access list entry resource (#1580)

Co-authored-by: Rakhul S Prakash <rakhul.s.prakash@peerislands.io>

Author: rakhul-mongo

.github/workflows/contract-testing.yaml

@@ -30,6 +30,7 @@ jobs:
      organization: ${{ steps.filter.outputs.organization }}
      service-account: ${{ steps.filter.outputs.service-account }}
      service-account-secret: ${{ steps.filter.outputs.service-account-secret }}
+     service-account-access-list-entry: ${{ steps.filter.outputs.service-account-access-list-entry }}
      private-endpoint-aws: ${{ steps.filter.outputs.private-endpoint-aws }}
      private-endpoint-service: ${{ steps.filter.outputs.private-endpoint-service }}
      privatelink-endpoint-service-data-federation-online-archive: ${{ steps.filter.outputs.privatelink-endpoint-service-data-federation-online-archive }}
@@ -89,6 +90,8 @@ jobs:
           - 'cfn-resources/service-account/**'
         service-account-secret:
           - 'cfn-resources/service-account-secret/**'
+        service-account-access-list-entry:
+          - 'cfn-resources/service-account-access-list-entry/**'
         private-endpoint-aws:
           - 'cfn-resources/private-endpoint-aws/**'
         private-endpoint-service:
@@ -895,6 +898,48 @@ jobs:
 
           make run-contract-testing
           make delete-test-resources
+    
+  service-account-access-list-entry:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.service-account-access-list-entry == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@d78e1a4a9656d3b223e59b80676a797f20093133
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+        run: |
+          cd cfn-resources/service-account-access-list-entry
+          make create-test-resources
+
+          cat inputs/*
+
+          make run-contract-testing
+          make delete-test-resources
+
   private-endpoint-aws:
     needs: change-detection
     if: ${{ needs.change-detection.outputs.private-endpoint-aws == 'true' }}

cfn-resources/service-account-access-list-entry/.rpdk-config

@@ -0,0 +1,12 @@
+{
+  "typeName": "MongoDB::Atlas::ServiceAccountAccessListEntry",
+  "language": "go",
+  "runtime": "provided.al2",
+  "entrypoint": "bootstrap",
+  "testEntrypoint": "bootstrap",
+  "settings": {
+    "import_path": "github.com/mongodb/mongodbatlas-cloudformation-resources/service-account-access-list-entry",
+    "protocolVersion": "2.0.0",
+    "pluginVersion": "2.0.4"
+  }
+}

cfn-resources/service-account-access-list-entry/Makefile

@@ -0,0 +1,37 @@
+.PHONY: build test clean
+tags=logging callback metrics scheduler
+cgo=0
+goos=linux
+goarch=amd64
+CFNREP_GIT_SHA?=$(shell git rev-parse HEAD)
+ldXflags=-s -w -X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=info -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+ldXflagsD=-X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=debug -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+
+build:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflags)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+debug:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/debug cmd/main.go
+
+clean:
+	rm -rf bin
+
+submit: clean build # submit to private registry must use release build not debug build
+	@echo "==> Submitting to private registry for testing"
+	 cfn submit --set-default --region us-east-1
+
+create-test-resources:
+	@echo "==> Creating test files and resources for contract testing"
+	./test/contract-testing/cfn-test-create.sh
+
+delete-test-resources:
+	@echo "==> Delete test resources used for contract testing"
+	./test/contract-testing/cfn-test-delete.sh
+
+run-contract-testing:
+	@echo "==> Run contract testing"
+	make build
+	sam local start-lambda &
+	cfn test --function-name TestEntrypoint --verbose

cfn-resources/service-account-access-list-entry/README.md

@@ -0,0 +1,28 @@
+# MongoDB::Atlas::ServiceAccountAccessListEntry
+
+## Description
+
+The Service Account Access List Entry resource manages IP access list entries for MongoDB Atlas Service Accounts at the organization level. This resource lets you create, read, delete, and list IP access list entries. For more information, see [Create One Service Account Access List Entry](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Service-Accounts/operation/createOrgServiceAccountAccessList) in the MongoDB Atlas API documentation.
+
+-> **NOTE:** This resource does not support updates. Any property change will trigger a replacement (delete + create).
+
+## Requirements
+
+To securely give CloudFormation access to your Atlas credentials, you must
+set up an [AWS Profile](/README.md#mongodb-atlas-api-keys-credential-management).
+
+## Attributes and Parameters
+
+See the [resource docs](docs/README.md).
+
+## Cloudformation Examples
+
+See the example [CFN Template](/examples/service-account-access-list-entry/README.md) for example resource.
+
+## Important Notes
+
+- You must specify either `CIDRBlock` or `IPAddress`, but not both
+- When you specify an IP address, Atlas automatically generates a `/32` CIDR block
+- This resource does not support updates - any change will trigger a replacement
+- Access list entries are identified by the combination of `OrgId`, `ClientId`, and `CIDRBlock`
+- The List operation returns all access list entries for a given service account