feat: CLOUDP-372605 Update encryption-at-rest resource (#1558)

Co-authored-by: sivaram-mongodb <sivaram@mongodb.com>
Co-authored-by: ParthasarathyV <114770988+ParthasarathyV@users.noreply.github.com>
Co-authored-by: ParthasarathyV <parthasarathy.varadhan@mongodb.com>

Author: 3 people

.github/workflows/contract-testing.yaml

@@ -19,6 +19,7 @@ jobs:
      cloud-backup-restore-jobs: ${{ steps.filter.outputs.cloud-backup-restore-jobs }}
      cluster-outage-simulation: ${{ steps.filter.outputs.cluster-outage-simulation }}
      database-user: ${{ steps.filter.outputs.database-user }}
+     encryption-at-rest: ${{ steps.filter.outputs.encryption-at-rest }}
      federated-database-instance: ${{ steps.filter.outputs.federated-database-instance }}
      federated-query-limit: ${{ steps.filter.outputs.federated-query-limit }}
      federated-settings-identity-provider: ${{ steps.filter.outputs.federated-settings-identity-provider }}
@@ -65,6 +66,8 @@ jobs:
           - 'cfn-resources/cluster-outage-simulation/**'
         database-user:
           - 'cfn-resources/database-user/**'
+        encryption-at-rest:
+          - 'cfn-resources/encryption-at-rest/**'
         federated-database-instance:
           - 'cfn-resources/federated-database-instance/**'
         federated-query-limit:
@@ -434,6 +437,47 @@ jobs:
           
           cat inputs/*
           
+          make run-contract-testing
+          make delete-test-resources
+  encryption-at-rest:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.encryption-at-rest == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@d78e1a4a9656d3b223e59b80676a797f20093133
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+        run: |
+          pushd cfn-resources/encryption-at-rest
+          make create-test-resources
+
+          cat inputs/inputs_1_create.json
+          cat inputs/inputs_1_update.json
+
           make run-contract-testing
           make delete-test-resources
   federated-database-instance:

cfn-resources/encryption-at-rest/Makefile

@@ -17,3 +17,21 @@ debug:
 
 clean:
 	rm -rf bin
+
+submit: clean build
+	@echo "==> Submitting to private registry for testing"
+	cfn submit --set-default --region us-east-1
+
+create-test-resources:
+	@echo "==> Creating test files and resources for contract testing"
+	./test/contract-testing/cfn-test-create.sh
+
+delete-test-resources:
+	@echo "==> Delete test resources used for contract testing"
+	./test/contract-testing/cfn-test-delete.sh
+
+run-contract-testing:
+	@echo "==> Run contract testing"
+	make build
+	sam local start-lambda &
+	cfn test --function-name TestEntrypoint --verbose

cfn-resources/encryption-at-rest/cmd/resource/model.go

@@ -22,7 +22,7 @@ import (
 	"math/big"
 	"strconv"
 
-	admin20231115002 "go.mongodb.org/atlas-sdk/v20231115002/admin"
+	"go.mongodb.org/atlas-sdk/v20250312013/admin"
 
 	"github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -57,7 +57,7 @@ func Create(req handler.Request, prevModel *Model, currentModel *Model) (handler
 		return *pe, nil
 	}
 
-	_, resp, err := client.Atlas20231115002.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(context.Background(), *currentModel.ProjectId, currentModel.getParams()).Execute()
+	_, resp, err := client.AtlasSDK.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(context.Background(), *currentModel.ProjectId, currentModel.getParams()).Execute()
 	if err != nil {
 		return progressevent.GetFailedEventByResponse(err.Error(), resp), nil
 	}
@@ -82,7 +82,7 @@ func Read(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 		return *pe, nil
 	}
 
-	info, resp, err := client.Atlas20231115002.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), *currentModel.ProjectId).Execute()
+	info, resp, err := client.AtlasSDK.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), *currentModel.ProjectId).Execute()
 	if err != nil {
 		return progressevent.GetFailedEventByResponse(err.Error(), resp), nil
 	}
@@ -91,10 +91,17 @@ func Read(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 		return *pe, nil
 	}
 
+	if currentModel.AwsKmsConfig == nil {
+		currentModel.AwsKmsConfig = &AwsKmsConfig{}
+	}
 	currentModel.AwsKmsConfig.CustomerMasterKeyID = info.AwsKms.CustomerMasterKeyID
 	currentModel.AwsKmsConfig.Enabled = info.AwsKms.Enabled
 	currentModel.AwsKmsConfig.RoleID = info.AwsKms.RoleId
 	currentModel.AwsKmsConfig.Region = info.AwsKms.Region
+	currentModel.AwsKmsConfig.Valid = info.AwsKms.Valid
+	currentModel.AwsKmsConfig.RequirePrivateNetworking = info.AwsKms.RequirePrivateNetworking
+
+	currentModel.EnabledForSearchNodes = info.EnabledForSearchNodes
 
 	return handler.ProgressEvent{
 		OperationStatus: handler.Success,
@@ -115,7 +122,7 @@ func Update(req handler.Request, prevModel *Model, currentModel *Model) (handler
 		return *pe, nil
 	}
 
-	info, resp, err := client.Atlas20231115002.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), *currentModel.ProjectId).Execute()
+	info, resp, err := client.AtlasSDK.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), *currentModel.ProjectId).Execute()
 	if err != nil {
 		return progressevent.GetFailedEventByResponse(err.Error(), resp), nil
 	}
@@ -124,7 +131,7 @@ func Update(req handler.Request, prevModel *Model, currentModel *Model) (handler
 		return *pe, nil
 	}
 
-	_, resp, err = client.Atlas20231115002.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(context.Background(), *currentModel.ProjectId, currentModel.getParams()).Execute()
+	_, resp, err = client.AtlasSDK.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(context.Background(), *currentModel.ProjectId, currentModel.getParams()).Execute()
 	if err != nil {
 		return progressevent.GetFailedEventByResponse(err.Error(), resp), nil
 	}
@@ -148,7 +155,7 @@ func Delete(req handler.Request, prevModel *Model, currentModel *Model) (handler
 		return *pe, nil
 	}
 
-	info, resp, err := client.Atlas20231115002.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), *currentModel.ProjectId).Execute()
+	info, resp, err := client.AtlasSDK.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), *currentModel.ProjectId).Execute()
 	if err != nil {
 		return progressevent.GetFailedEventByResponse(err.Error(), resp), nil
 	}
@@ -157,10 +164,10 @@ func Delete(req handler.Request, prevModel *Model, currentModel *Model) (handler
 		return *pe, nil
 	}
 
-	params := &admin20231115002.EncryptionAtRest{
-		AwsKms: &admin20231115002.AWSKMSConfiguration{Enabled: aws.Bool(false)},
+	params := &admin.EncryptionAtRest{
+		AwsKms: &admin.AWSKMSConfiguration{Enabled: aws.Bool(false)},
 	}
-	_, resp, err = client.Atlas20231115002.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(context.Background(), *currentModel.ProjectId, params).Execute()
+	_, resp, err = client.AtlasSDK.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(context.Background(), *currentModel.ProjectId, params).Execute()
 	if err != nil {
 		return progressevent.GetFailedEventByResponse(err.Error(), resp), nil
 	}
@@ -175,7 +182,7 @@ func List(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 	return handler.ProgressEvent{}, errors.New("not implemented: List")
 }
 
-func validateExist(info *admin20231115002.EncryptionAtRest) *handler.ProgressEvent {
+func validateExist(info *admin.EncryptionAtRest) *handler.ProgressEvent {
 	if info != nil && info.AwsKms != nil && aws.ToBool(info.AwsKms.Enabled) {
 		return nil
 	}
@@ -193,13 +200,22 @@ func randInt64() int64 {
 	return val.Int64()
 }
 
-func (m *Model) getParams() *admin20231115002.EncryptionAtRest {
-	return &admin20231115002.EncryptionAtRest{
-		AwsKms: &admin20231115002.AWSKMSConfiguration{
-			Enabled:             m.AwsKmsConfig.Enabled,
-			CustomerMasterKeyID: m.AwsKmsConfig.CustomerMasterKeyID,
-			RoleId:              m.AwsKmsConfig.RoleID,
-			Region:              m.AwsKmsConfig.Region,
-		},
+func (m *Model) getParams() *admin.EncryptionAtRest {
+	params := &admin.EncryptionAtRest{}
+
+	if m.EnabledForSearchNodes != nil {
+		params.EnabledForSearchNodes = m.EnabledForSearchNodes
 	}
+
+	if m.AwsKmsConfig != nil {
+		params.AwsKms = &admin.AWSKMSConfiguration{
+			Enabled:                  m.AwsKmsConfig.Enabled,
+			CustomerMasterKeyID:      m.AwsKmsConfig.CustomerMasterKeyID,
+			Region:                   m.AwsKmsConfig.Region,
+			RoleId:                   m.AwsKmsConfig.RoleID,
+			RequirePrivateNetworking: m.AwsKmsConfig.RequirePrivateNetworking,
+		}
+	}
+
+	return params
 }

cfn-resources/encryption-at-rest/cmd/resource/resource.go

@@ -13,6 +13,7 @@ To declare this entity in your AWS CloudFormation template, use the following sy
     "Type" : "MongoDB::Atlas::EncryptionAtRest",
     "Properties" : {
         "<a href="#awskmsconfig" title="AwsKmsConfig">AwsKmsConfig</a>" : <i><a href="awskmsconfig.md">AwsKmsConfig</a></i>,
+        "<a href="#enabledforsearchnodes" title="EnabledForSearchNodes">EnabledForSearchNodes</a>" : <i>Boolean</i>,
         "<a href="#profile" title="Profile">Profile</a>" : <i>String</i>,
         "<a href="#projectid" title="ProjectId">ProjectId</a>" : <i>String</i>,
     }
@@ -25,6 +26,7 @@ To declare this entity in your AWS CloudFormation template, use the following sy
 Type: MongoDB::Atlas::EncryptionAtRest
 Properties:
     <a href="#awskmsconfig" title="AwsKmsConfig">AwsKmsConfig</a>: <i><a href="awskmsconfig.md">AwsKmsConfig</a></i>
+    <a href="#enabledforsearchnodes" title="EnabledForSearchNodes">EnabledForSearchNodes</a>: <i>Boolean</i>
     <a href="#profile" title="Profile">Profile</a>: <i>String</i>
     <a href="#projectid" title="ProjectId">ProjectId</a>: <i>String</i>
 </pre>
@@ -41,6 +43,16 @@ _Type_: <a href="awskmsconfig.md">AwsKmsConfig</a>
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### EnabledForSearchNodes
+
+Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
+
+_Required_: No
+
+_Type_: Boolean
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
 #### Profile
 
 The profile is defined in AWS Secret manager. See [Secret Manager Profile setup](../../../examples/profile-secret.yaml).
@@ -73,3 +85,7 @@ For more information about using the `Fn::GetAtt` intrinsic function, see [Fn::G
 
 Unique identifier.
 
+#### Valid
+
+Returns the <code>Valid</code> value.
+

cfn-resources/encryption-at-rest/docs/README.md

@@ -10,61 +10,73 @@ To declare this entity in your AWS CloudFormation template, use the following sy
 
 <pre>
 {
-    "<a href="#roleid" title="RoleID">RoleID</a>" : <i>String</i>,
-    "<a href="#customermasterkeyid" title="CustomerMasterKeyID">CustomerMasterKeyID</a>" : <i>String</i>,
     "<a href="#enabled" title="Enabled">Enabled</a>" : <i>Boolean</i>,
-    "<a href="#region" title="Region">Region</a>" : <i>String</i>
+    "<a href="#customermasterkeyid" title="CustomerMasterKeyID">CustomerMasterKeyID</a>" : <i>String</i>,
+    "<a href="#region" title="Region">Region</a>" : <i>String</i>,
+    "<a href="#roleid" title="RoleID">RoleID</a>" : <i>String</i>,
+    "<a href="#requireprivatenetworking" title="RequirePrivateNetworking">RequirePrivateNetworking</a>" : <i>Boolean</i>
 }
 </pre>
 
 ### YAML
 
 <pre>
-<a href="#roleid" title="RoleID">RoleID</a>: <i>String</i>
-<a href="#customermasterkeyid" title="CustomerMasterKeyID">CustomerMasterKeyID</a>: <i>String</i>
 <a href="#enabled" title="Enabled">Enabled</a>: <i>Boolean</i>
+<a href="#customermasterkeyid" title="CustomerMasterKeyID">CustomerMasterKeyID</a>: <i>String</i>
 <a href="#region" title="Region">Region</a>: <i>String</i>
+<a href="#roleid" title="RoleID">RoleID</a>: <i>String</i>
+<a href="#requireprivatenetworking" title="RequirePrivateNetworking">RequirePrivateNetworking</a>: <i>Boolean</i>
 </pre>
 
 ## Properties
 
-#### RoleID
+#### Enabled
 
-ID of an AWS IAM role authorized to manage an AWS customer master key.
+Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.
 
 _Required_: No
 
-_Type_: String
+_Type_: Boolean
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
 #### CustomerMasterKeyID
 
-The AWS customer master key used to encrypt and decrypt the MongoDB master keys.
+Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
 
 _Required_: No
 
 _Type_: String
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
-#### Enabled
+#### Region
 
-Specifies whether Encryption at Rest is enabled for an Atlas project. To disable Encryption at Rest, pass only this parameter with a value of false. When you disable Encryption at Rest, Atlas also removes the configuration details.
+Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases.
 
 _Required_: No
 
-_Type_: Boolean
+_Type_: String
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
-#### Region
+#### RoleID
 
-The AWS region in which the AWS customer master key exists.
+Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
 
 _Required_: No
 
 _Type_: String
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### RequirePrivateNetworking
+
+Enable connection to your Amazon Web Services (AWS) Key Management Service (KMS) over private networking.
+
+_Required_: No
+
+_Type_: Boolean
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+