feat: CLOUDP-369811 - Federated SettingsOrgRoleMapping Enable contract_testing workflow (#1568)

Co-authored-by: Rakhul S Prakash <rakhul.s.prakash@peerislands.io>

Author: rakhul-mongo

.github/workflows/contract-testing.yaml

@@ -22,6 +22,7 @@ jobs:
      federated-database-instance: ${{ steps.filter.outputs.federated-database-instance }}
      federated-query-limit: ${{ steps.filter.outputs.federated-query-limit }}
      federated-settings-identity-provider: ${{ steps.filter.outputs.federated-settings-identity-provider }}
+     federated-settings-org-role-mapping: ${{ steps.filter.outputs.federated-settings-org-role-mapping }}
      flex-cluster: ${{ steps.filter.outputs.flex-cluster }}
      online-archive: ${{ steps.filter.outputs.online-archive }}
      organization: ${{ steps.filter.outputs.organization }}
@@ -68,6 +69,8 @@ jobs:
           - 'cfn-resources/federated-query-limit/**'
         federated-settings-identity-provider:
           - 'cfn-resources/federated-settings-identity-provider/**'
+        federated-settings-org-role-mapping:
+          - 'cfn-resources/federated-settings-org-role-mapping/**'
         flex-cluster:
           - 'cfn-resources/flex-cluster/**'
         online-archive:
@@ -553,6 +556,48 @@ jobs:
           make run-contract-testing
           make delete-test-resources
 
+  federated-settings-org-role-mapping:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.federated-settings-org-role-mapping == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@d78e1a4a9656d3b223e59b80676a797f20093133
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+          MONGODB_ATLAS_FEDERATION_SETTINGS_ID: ${{ vars.MONGODB_ATLAS_FEDERATION_SETTINGS_ID }}
+        run: |
+          cd cfn-resources/federated-settings-org-role-mapping
+          make create-test-resources
+
+          cat inputs/*
+
+          make run-contract-testing
+          make delete-test-resources
+
   flex-cluster:
     needs: change-detection
     if: ${{ needs.change-detection.outputs.flex-cluster == 'true' }}

cfn-resources/federated-settings-org-role-mapping/Makefile

@@ -13,7 +13,25 @@ build:
 
 debug:
 	cfn generate
-	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/debug cmd/main.go
 
 clean:
 	rm -rf bin
+
+submit: clean build # submit to private registry must use release build not debug build
+	@echo "==> Submitting to private registry for testing"
+	 cfn submit --set-default --region us-east-1
+
+create-test-resources:
+	@echo "==> Creating test files and resources for contract testing"
+	./test/contract-testing/cfn-test-create.sh
+
+delete-test-resources:
+	@echo "==> Delete test resources used for contract testing"
+	./test/contract-testing/cfn-test-delete.sh
+
+run-contract-testing:
+	@echo "==> Run contract testing"
+	make build
+	sam local start-lambda &
+	cfn test --function-name TestEntrypoint --verbose

cfn-resources/federated-settings-org-role-mapping/cmd/resource/config.go

@@ -21,15 +21,14 @@ import (
 	"net/http"
 	"strings"
 
-	admin20231115002 "go.mongodb.org/atlas-sdk/v20231115002/admin"
-
 	"github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
 	"github.com/aws/aws-sdk-go-v2/service/cloudformation/types"
 
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util"
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/constants"
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/progressevent"
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/validator"
+	"go.mongodb.org/atlas-sdk/v20250312013/admin"
 )
 
 var CreateRequiredFields = []string{constants.FederationSettingsID, constants.OrgID, constants.ExternalGroupName, constants.RoleAssignments}
@@ -68,9 +67,9 @@ func Create(req handler.Request, prevModel *Model, currentModel *Model) (handler
 	orgID := currentModel.OrgId
 
 	requestBody, _, _ := modelToRoleMappingRequest(currentModel)
-	federatedSettingsOrganizationRoleMapping, resp, err := client.Atlas20231115002.FederatedAuthenticationApi.CreateRoleMapping(context.Background(), *federationSettingsID, *orgID, requestBody).Execute()
+	federatedSettingsOrganizationRoleMapping, resp, err := client.AtlasSDK.FederatedAuthenticationApi.CreateRoleMapping(context.Background(), *federationSettingsID, *orgID, requestBody).Execute()
 	if err != nil {
-		if resp.StatusCode == http.StatusBadRequest && strings.Contains(err.Error(), "DUPLICATE_ROLE_MAPPING") {
+		if resp != nil && resp.StatusCode == http.StatusBadRequest && strings.Contains(err.Error(), "DUPLICATE_ROLE_MAPPING") {
 			return progressevent.GetFailedEventByCode("Resource already exists",
 				string(types.HandlerErrorCodeAlreadyExists)), nil
 		}
@@ -101,7 +100,7 @@ func Read(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 	orgID := currentModel.OrgId
 	roleMappingID := currentModel.Id
 
-	federatedSettingsOrganizationRoleMapping, resp, err := client.Atlas20231115002.FederatedAuthenticationApi.
+	federatedSettingsOrganizationRoleMapping, resp, err := client.AtlasSDK.FederatedAuthenticationApi.
 		GetRoleMapping(context.Background(), *federationSettingsID, *roleMappingID, *orgID).
 		Execute()
 	if err != nil {
@@ -137,7 +136,7 @@ func Update(req handler.Request, prevModel *Model, currentModel *Model) (handler
 		return progressevent.GetFailedEventByCode("Not Found", string(types.HandlerErrorCodeNotFound)), nil
 	}
 
-	if (currentModel.RoleAssignments) == nil || len(currentModel.RoleAssignments) == 0 {
+	if len(currentModel.RoleAssignments) == 0 {
 		err := errors.New(RoleAssignementShouldBeSet)
 		return handler.ProgressEvent{
 			OperationStatus:  handler.Failed,
@@ -146,7 +145,7 @@ func Update(req handler.Request, prevModel *Model, currentModel *Model) (handler
 	}
 	// preparing model request
 	requestBody, _, _ := modelToRoleMappingRequest(currentModel)
-	federatedSettingsOrganizationRoleMapping, resp, err := client.Atlas20231115002.FederatedAuthenticationApi.
+	federatedSettingsOrganizationRoleMapping, resp, err := client.AtlasSDK.FederatedAuthenticationApi.
 		UpdateRoleMapping(context.Background(), *federationSettingsID, *roleMappingID, *orgID, requestBody).
 		Execute()
 	if err != nil {
@@ -183,7 +182,7 @@ func Delete(req handler.Request, prevModel *Model, currentModel *Model) (handler
 	federationSettingsID := currentModel.FederationSettingsId
 	orgID := currentModel.OrgId
 	roleMappingID := currentModel.Id
-	resp, err := client.Atlas20231115002.FederatedAuthenticationApi.
+	resp, err := client.AtlasSDK.FederatedAuthenticationApi.
 		DeleteRoleMapping(context.Background(), *federationSettingsID, *roleMappingID, *orgID).
 		Execute()
 	if err != nil {
@@ -214,7 +213,7 @@ func List(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 	federationSettingsID := currentModel.FederationSettingsId
 	orgID := currentModel.OrgId
 
-	federatedSettingsOrganizationRoleMappings, resp, err := client.Atlas20231115002.
+	federatedSettingsOrganizationRoleMappings, resp, err := client.AtlasSDK.
 		FederatedAuthenticationApi.
 		ListRoleMappings(context.Background(), *federationSettingsID, *orgID).
 		Execute()
@@ -224,15 +223,18 @@ func List(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 	}
 
 	models := make([]interface{}, 0)
-	for i := range federatedSettingsOrganizationRoleMappings.Results {
-		model := Model{}
-		model.Profile = currentModel.Profile
-		model.OrgId = currentModel.OrgId
-		model.FederationSettingsId = currentModel.FederationSettingsId
-		model.Id = federatedSettingsOrganizationRoleMappings.Results[i].Id
-		model.ExternalGroupName = &federatedSettingsOrganizationRoleMappings.Results[i].ExternalGroupName
-		model.RoleAssignments = flattenRoleAssignments(federatedSettingsOrganizationRoleMappings.Results[i].RoleAssignments)
-		models = append(models, model)
+	if federatedSettingsOrganizationRoleMappings.Results != nil {
+		for i := range *federatedSettingsOrganizationRoleMappings.Results {
+			roleMappings := *federatedSettingsOrganizationRoleMappings.Results
+			model := Model{}
+			model.Profile = currentModel.Profile
+			model.OrgId = currentModel.OrgId
+			model.FederationSettingsId = currentModel.FederationSettingsId
+			model.Id = roleMappings[i].Id
+			model.ExternalGroupName = &roleMappings[i].ExternalGroupName
+			model.RoleAssignments = flattenRoleAssignments(roleMappings[i].RoleAssignments)
+			models = append(models, model)
+		}
 	}
 	return handler.ProgressEvent{
 		OperationStatus: handler.Success,
@@ -241,8 +243,8 @@ func List(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 	}, nil
 }
 
-func modelToRoleMappingRequest(currentModel *Model) (*admin20231115002.AuthFederationRoleMapping, handler.ProgressEvent, error) {
-	roleMappingRequest := &admin20231115002.AuthFederationRoleMapping{}
+func modelToRoleMappingRequest(currentModel *Model) (*admin.AuthFederationRoleMapping, handler.ProgressEvent, error) {
+	roleMappingRequest := &admin.AuthFederationRoleMapping{}
 	if currentModel.Id != nil {
 		roleMappingRequest.Id = currentModel.Id
 	}
@@ -255,10 +257,10 @@ func modelToRoleMappingRequest(currentModel *Model) (*admin20231115002.AuthFeder
 	return roleMappingRequest, handler.ProgressEvent{}, nil
 }
 
-func expandRoleAssignments(assignments []RoleAssignment) []admin20231115002.RoleAssignment {
-	roles := make([]admin20231115002.RoleAssignment, len(assignments))
+func expandRoleAssignments(assignments []RoleAssignment) *[]admin.ConnectedOrgConfigRoleAssignment {
+	roles := make([]admin.ConnectedOrgConfigRoleAssignment, len(assignments))
 	for i := range assignments {
-		role := admin20231115002.RoleAssignment{}
+		role := admin.ConnectedOrgConfigRoleAssignment{}
 		if util.IsStringPresent(assignments[i].Role) {
 			role.Role = assignments[i].Role
 		}
@@ -273,10 +275,10 @@ func expandRoleAssignments(assignments []RoleAssignment) []admin20231115002.Role
 		roles[i] = role
 	}
 
-	return roles
+	return &roles
 }
 
-func roleMappingToModel(currentModel Model, roleMapping *admin20231115002.AuthFederationRoleMapping) *Model {
+func roleMappingToModel(currentModel Model, roleMapping *admin.AuthFederationRoleMapping) *Model {
 	out := &Model{
 		Profile:              currentModel.Profile,
 		FederationSettingsId: currentModel.FederationSettingsId,
@@ -288,9 +290,12 @@ func roleMappingToModel(currentModel Model, roleMapping *admin20231115002.AuthFe
 	return out
 }
 
-func flattenRoleAssignments(assignments []admin20231115002.RoleAssignment) []RoleAssignment {
+func flattenRoleAssignments(assignments *[]admin.ConnectedOrgConfigRoleAssignment) []RoleAssignment {
 	roleAssignments := make([]RoleAssignment, 0)
-	for _, role := range assignments {
+	if assignments == nil {
+		return roleAssignments
+	}
+	for _, role := range *assignments {
 		roleAssignments = append(roleAssignments, RoleAssignment{
 			Role:      role.Role,
 			OrgId:     role.OrgId,
@@ -302,7 +307,7 @@ func flattenRoleAssignments(assignments []admin20231115002.RoleAssignment) []Rol
 
 func isRoleMappingExists(currentModel *Model, client *util.MongoDBClient) bool {
 	var isExists bool
-	fedSettingsConnectedOrg, _, err := client.Atlas20231115002.FederatedAuthenticationApi.
+	fedSettingsConnectedOrg, _, err := client.AtlasSDK.FederatedAuthenticationApi.
 		GetRoleMapping(context.Background(), *currentModel.FederationSettingsId, *currentModel.Id, *currentModel.OrgId).
 		Execute()
 	if err != nil {

cfn-resources/federated-settings-org-role-mapping/cmd/resource/resource.go

@@ -50,13 +50,13 @@ _Update requires_: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/l
 
 Unique human-readable label that identifies the identity provider group to whichthis role mapping applies.
 
-_Required_: No
+_Required_: Yes
 
 _Type_: String
 
-_Minimum_: <code>1</code>
+_Minimum Length_: <code>1</code>
 
-_Maximum_: <code>200</code>
+_Maximum Length_: <code>200</code>
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
@@ -68,9 +68,9 @@ _Required_: Yes
 
 _Type_: String
 
-_Minimum_: <code>24</code>
+_Minimum Length_: <code>24</code>
 
-_Maximum_: <code>24</code>
+_Maximum Length_: <code>24</code>
 
 _Pattern_: <code>^([a-f0-9]{24})$</code>
 
@@ -84,9 +84,9 @@ _Required_: Yes
 
 _Type_: String
 
-_Minimum_: <code>24</code>
+_Minimum Length_: <code>24</code>
 
-_Maximum_: <code>24</code>
+_Maximum Length_: <code>24</code>
 
 _Pattern_: <code>^([a-f0-9]{24})$</code>
 

cfn-resources/federated-settings-org-role-mapping/docs/README.md

@@ -15,7 +15,7 @@ function usage {
 }
 
 #set profile
-profile="federation"
+profile="default"
 if [ ${MONGODB_ATLAS_PROFILE+x} ]; then
 	echo "profile set to ${MONGODB_ATLAS_PROFILE}"
 	profile=${MONGODB_ATLAS_PROFILE}
@@ -41,10 +41,10 @@ cd "$(dirname "$0")" || exit
 for inputFile in inputs_*; do
 	outputFile=${inputFile//$WORDTOREMOVE/}
 	jq --arg org "$MONGODB_ATLAS_ORG_ID" \
-		--arg FederationSettingsId "$ATLAS_FEDERATED_SETTINGS_ID" \
+		--arg FederationSettingsId "$MONGODB_ATLAS_FEDERATION_SETTINGS_ID" \
 		--arg projectId "$projectId" \
 		--arg profile "$profile" \
-		'.Profile?|=$profile | .FederationSettingsId?|=$FederationSettingsId | .OrgId?|=$org | .RoleAssignments[0].ProjectId?|=$projectId' \
+		'.Profile?|=$profile | .FederationSettingsId?|=$FederationSettingsId | .OrgId?|=$org | .RoleAssignments[0].OrgId?|=$org | .RoleAssignments[1].ProjectId?|=$projectId' \
 		"$inputFile" >"../inputs/$outputFile"
 done
 cd ..

cfn-resources/federated-settings-org-role-mapping/test/cfn-test-create-inputs.sh

@@ -1,22 +1,4 @@
 #!/usr/bin/env bash
 # cfn-test-delete-inputs.sh
 #
-# This tool deletes the mongodb resources used for `cfn test` as inputs.
-#
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-function usage {
-	echo "usage:$0 "
-}
-
-projectId=$(jq -r '.ProjectId' ./inputs/inputs_1_create.json)
-
-#delete project
-if atlas projects delete "$projectId" --force; then
-	echo "$projectId project deletion OK"
-else
-	(echo "Failed cleaning project:$projectId" && exit 1)
-fi
+# Needs to exist to be called in Publish, but no cleanup is needed.

cfn-resources/federated-settings-org-role-mapping/test/cfn-test-delete-inputs.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# This tool generates the resources and json files in the inputs/ for `cfn test`.
+set -o errexit
+set -o nounset
+set -o pipefail
+
+projectName="cfn-test-bot-$(date +%s)-$RANDOM"
+
+# create project
+projectId=$(atlas projects create "${projectName}" --output=json | jq -r '.id')
+
+echo "projectId: $projectId"
+echo "projectName: $projectName"
+
+./test/cfn-test-create-inputs.sh "$projectName"

cfn-resources/federated-settings-org-role-mapping/test/contract-testing/cfn-test-create.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# This tool deletes the mongodb resources used for `cfn test` as inputs.
+set -o errexit
+set -o nounset
+set -o pipefail
+
+projectId=$(jq -r '.RoleAssignments[] | select(.ProjectId != null) | .ProjectId' ./inputs/inputs_1_create.json | head -n 1)
+
+if [ -n "$projectId" ] && [ "$projectId" != "null" ]; then
+	if atlas projects delete "$projectId" --force; then
+		echo "$projectId project deletion OK"
+	else
+		(echo "Failed cleaning project: $projectId" && exit 1)
+	fi
+else
+	echo "No project to delete (no ProjectId found in test inputs)"
+fi