feat: CLOUDP-380114 Add Project Service Account Access List Entry (#1581)

Co-authored-by: Rakhul S Prakash <rakhul.s.prakash@peerislands.io>

Author: rakhul-mongo

.github/workflows/contract-testing.yaml

@@ -38,6 +38,7 @@ jobs:
      project: ${{ steps.filter.outputs.project }}
      project-service-account-secret: ${{ steps.filter.outputs.project-service-account-secret }}
      project-service-account: ${{ steps.filter.outputs.project-service-account }}
+     project-service-account-access-list-entry: ${{ steps.filter.outputs.project-service-account-access-list-entry }}
      resource-policy: ${{ steps.filter.outputs.resource-policy }}
      search-deployment: ${{ steps.filter.outputs.search-deployment }}
      search-index: ${{ steps.filter.outputs.search-index }}
@@ -108,6 +109,8 @@ jobs:
           - 'cfn-resources/project-service-account-secret/**'
         project-service-account:
           - 'cfn-resources/project-service-account/**'
+        project-service-account-access-list-entry:
+          - 'cfn-resources/project-service-account-access-list-entry/**'
         resource-policy:
           - 'cfn-resources/resource-policy/**'
         search-deployment:
@@ -1235,6 +1238,47 @@ jobs:
        make run-contract-testing
        make delete-test-resources
 
+  project-service-account-access-list-entry:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.project-service-account-access-list-entry == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@d78e1a4a9656d3b223e59b80676a797f20093133
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+        run: |
+          cd cfn-resources/project-service-account-access-list-entry
+          make create-test-resources
+
+          cat inputs/*
+
+          make run-contract-testing
+          make delete-test-resources
+
   resource-policy:
     needs: change-detection
     if: ${{ needs.change-detection.outputs.resource-policy == 'true' }}

cfn-resources/project-service-account-access-list-entry/.rpdk-config

@@ -0,0 +1,12 @@
+{
+  "typeName": "MongoDB::Atlas::ProjectServiceAccountAccessListEntry",
+  "language": "go",
+  "runtime": "provided.al2",
+  "entrypoint": "bootstrap",
+  "testEntrypoint": "bootstrap",
+  "settings": {
+    "import_path": "github.com/mongodb/mongodbatlas-cloudformation-resources/project-service-account-access-list-entry",
+    "protocolVersion": "2.0.0",
+    "pluginVersion": "2.0.4"
+  }
+}

cfn-resources/project-service-account-access-list-entry/Makefile

@@ -0,0 +1,37 @@
+.PHONY: build test clean
+tags=logging callback metrics scheduler
+cgo=0
+goos=linux
+goarch=amd64
+CFNREP_GIT_SHA?=$(shell git rev-parse HEAD)
+ldXflags=-s -w -X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=info -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+ldXflagsD=-X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=debug -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+
+build:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflags)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+debug:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/debug cmd/main.go
+
+clean:
+	rm -rf bin
+
+submit: clean build # submit to private registry must use release build not debug build
+	@echo "==> Submitting to private registry for testing"
+	 cfn submit --set-default --region us-east-1
+
+create-test-resources:
+	@echo "==> Creating test files and resources for contract testing"
+	./test/contract-testing/cfn-test-create.sh
+
+delete-test-resources:
+	@echo "==> Delete test resources used for contract testing"
+	./test/contract-testing/cfn-test-delete.sh
+
+run-contract-testing:
+	@echo "==> Run contract testing"
+	make build
+	sam local start-lambda &
+	cfn test --function-name TestEntrypoint --verbose

cfn-resources/project-service-account-access-list-entry/README.md

@@ -0,0 +1,28 @@
+# MongoDB::Atlas::ProjectServiceAccountAccessListEntry
+
+## Description
+
+The Project Service Account Access List Entry resource manages IP access list entries for MongoDB Atlas Project Service Accounts. This resource lets you create, read, delete, and list IP access list entries at the project level. For more information, see [Create One Project Service Account Access List Entry](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Service-Accounts/operation/createAccessList) in the MongoDB Atlas API documentation.
+
+-> **NOTE:** This resource does not support updates. Any property change will trigger a replacement (delete + create).
+
+## Requirements
+
+To securely give CloudFormation access to your Atlas credentials, you must
+set up an [AWS Profile](/README.md#mongodb-atlas-api-keys-credential-management).
+
+## Attributes and Parameters
+
+See the [resource docs](docs/README.md).
+
+## Cloudformation Examples
+
+See the example [CFN Template](/examples/project-service-account-access-list-entry/README.md) for example resource.
+
+## Important Notes
+
+- You must specify either `CIDRBlock` or `IPAddress`, but not both
+- When you specify an IP address, Atlas automatically generates a `/32` CIDR block
+- This resource does not support updates - any change will trigger a replacement
+- Access list entries are identified by the combination of `ProjectId`, `ClientId`, and `CIDRBlock`
+- The List operation returns all access list entries for a given project service account