Merge branch 'master' into CLOUDP-369809-private-endpoint-aws

Author: ParthasarathyV

.github/workflows/contract-testing.yaml

@@ -30,6 +30,7 @@ jobs:
      search-deployment: ${{ steps.filter.outputs.search-deployment }}
      stream-connection: ${{ steps.filter.outputs.stream-connection }}
      stream-instance: ${{ steps.filter.outputs.stream-instance }}
+     stream-processor: ${{ steps.filter.outputs.stream-processor }}
      stream-workspace: ${{ steps.filter.outputs.stream-workspace }}
    steps:
    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
@@ -76,6 +77,8 @@ jobs:
           - 'cfn-resources/stream-connection/**'
         stream-instance:
           - 'cfn-resources/stream-instance/**'
+        stream-processor:
+          - 'cfn-resources/stream-processor/**'
         stream-workspace:
           - 'cfn-resources/stream-workspace/**'
   access-list-api-key:
@@ -855,6 +858,46 @@ jobs:
           pushd cfn-resources/stream-instance
           make create-test-resources
           cat inputs/inputs_1_create.json
+          make run-contract-testing
+          make delete-test-resources
+  stream-processor:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.stream-processor == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@c2a20b1822cc4a6bc594ff7f1dbb658758e383c3
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+        run: |
+          cd cfn-resources/stream-processor
+          make create-test-resources
+
+          cat inputs/*
+
           make run-contract-testing
           make delete-test-resources
   stream-workspace:
@@ -897,4 +940,4 @@ jobs:
           cat inputs/inputs_1_update.json
 
           make run-contract-testing
-          make delete-test-resources
+          make delete-test-resources

cfn-resources/organization/cmd/resource/config.go

@@ -217,10 +217,37 @@ func Delete(req handler.Request, prevModel *Model, currentModel *Model) (handler
 
 	// If exists
 	_, response, err = currentModel.getOrgDetails(ctx, conn, currentModel)
-	if err != nil && response.StatusCode == http.StatusUnauthorized {
+	if err != nil && util.StatusUnauthorized(response) {
 		return handleError(response, constants.DELETE, err)
 	}
 
+	currentModel.IsDeleted = util.Pointer(false)
+
+	responseMsg, progressEvent := runDelete(ctx, conn, currentModel)
+	if responseMsg.Error != nil {
+		// Retry once on transient server error, waiting 20 seconds before retrying request
+		// This covers case of contract tests which create and delete an org within seconds, encountering an error while deleting the org
+		if responseMsg.Response != nil && responseMsg.Response.StatusCode == http.StatusInternalServerError {
+			_, _ = logger.Warnf("Transient server error while deleting organization, retrying in 20 seconds")
+			time.Sleep(20 * time.Second)
+			responseMsg, progressEvent = runDelete(ctx, conn, currentModel)
+		}
+	}
+	if progressEvent != nil {
+		return *progressEvent, nil
+	}
+	if responseMsg.Error != nil {
+		return handleError(responseMsg.Response, constants.DELETE, responseMsg.Error)
+	}
+
+	return handler.ProgressEvent{
+		OperationStatus: handler.Success,
+		Message:         DeleteCompleted,
+		ResourceModel:   nil}, nil
+}
+
+// Encapsulate the delete+wait logic so the same flow can be used on retry.
+func runDelete(ctx context.Context, conn *admin.APIClient, currentModel *Model) (*DeleteResponse, *handler.ProgressEvent) {
 	deleteRequest := conn.OrganizationsApi.DeleteOrg(ctx, *currentModel.OrgId)
 
 	// Since the Delete API is synchronous and takes more than 1 minute most of the time,
@@ -234,38 +261,29 @@ func Delete(req handler.Request, prevModel *Model, currentModel *Model) (handler
 		responseChan <- DeleteResponse{Error: err, Response: response}
 	}()
 
-	currentModel.IsDeleted = util.Pointer(false)
 	select {
 	case responseMsg := <-responseChan:
-		if responseMsg.Error != nil {
-			return handleError(responseMsg.Response, constants.DELETE, responseMsg.Error)
-		}
-
+		return &responseMsg, nil
 	case <-time.After(30 * time.Second):
 		// If the Delete is not completed in the above time,
 		// we return a progress event with inProgress status and callback context
-		return handler.ProgressEvent{
+		return nil, &handler.ProgressEvent{
 			OperationStatus:      handler.InProgress,
 			Message:              DeleteInProgress,
 			ResourceModel:        currentModel,
 			CallbackDelaySeconds: CallBackSeconds,
 			CallbackContext: map[string]interface{}{
 				constants.StateName: DeletingState,
 			},
-		}, nil
+		}
 	}
-
-	return handler.ProgressEvent{
-		OperationStatus: handler.Success,
-		Message:         DeleteCompleted,
-		ResourceModel:   nil}, nil
 }
 
 func deleteCallback(ctx context.Context, conn *admin.APIClient, currentModel *Model) (handler.ProgressEvent, error) {
 	// Read before delete
 	org, response, err := currentModel.getOrgDetails(ctx, conn, currentModel)
 	if err != nil {
-		if response.StatusCode == http.StatusUnauthorized {
+		if util.StatusUnauthorized(response) {
 			return handler.ProgressEvent{
 				OperationStatus: handler.Success,
 				Message:         DeleteCompleted,
@@ -315,28 +333,29 @@ func (model *Model) getOrgDetails(ctx context.Context, conn *admin.APIClient, cu
 	model.MultiFactorAuthRequired = settings.MultiFactorAuthRequired
 	model.RestrictEmployeeAccess = settings.RestrictEmployeeAccess
 	model.GenAIFeaturesEnabled = settings.GenAIFeaturesEnabled
+	model.SecurityContact = settings.SecurityContact
 
 	return model, response, nil
 }
 
 func handleError(response *http.Response, method constants.CfnFunctions, err error) (handler.ProgressEvent, error) {
 	errMsg := fmt.Sprintf("%s error:%s", method, err.Error())
 	_, _ = logger.Warn(errMsg)
-	if response.StatusCode == http.StatusConflict {
+	if util.StatusConflict(response) {
 		return handler.ProgressEvent{
 			OperationStatus:  handler.Failed,
 			Message:          errMsg,
 			HandlerErrorCode: string(types.HandlerErrorCodeAlreadyExists)}, nil
 	}
 
-	if response.StatusCode == http.StatusUnauthorized {
+	if util.StatusUnauthorized(response) {
 		return handler.ProgressEvent{
 			OperationStatus:  handler.Failed,
 			Message:          "Not found",
 			HandlerErrorCode: string(types.HandlerErrorCodeNotFound)}, nil
 	}
 
-	if response.StatusCode == http.StatusBadRequest {
+	if util.StatusBadRequest(response) {
 		return handler.ProgressEvent{
 			OperationStatus:  handler.Failed,
 			Message:          errMsg,
@@ -359,6 +378,7 @@ func newOrganizationSettings(model *Model) *admin.OrganizationSettings {
 		MultiFactorAuthRequired: model.MultiFactorAuthRequired,
 		RestrictEmployeeAccess:  model.RestrictEmployeeAccess,
 		GenAIFeaturesEnabled:    model.GenAIFeaturesEnabled,
+		SecurityContact:         model.SecurityContact,
 	}
 }
 

cfn-resources/organization/cmd/resource/model.go

@@ -23,7 +23,8 @@ To declare this entity in your AWS CloudFormation template, use the following sy
         "<a href="#isdeleted" title="IsDeleted">IsDeleted</a>" : <i>Boolean</i>,
         "<a href="#apiaccesslistrequired" title="ApiAccessListRequired">ApiAccessListRequired</a>" : <i>Boolean</i>,
         "<a href="#multifactorauthrequired" title="MultiFactorAuthRequired">MultiFactorAuthRequired</a>" : <i>Boolean</i>,
-        "<a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>" : <i>Boolean</i>
+        "<a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>" : <i>Boolean</i>,
+        "<a href="#securitycontact" title="SecurityContact">SecurityContact</a>" : <i>String</i>
     }
 }
 </pre>
@@ -45,6 +46,7 @@ Properties:
     <a href="#apiaccesslistrequired" title="ApiAccessListRequired">ApiAccessListRequired</a>: <i>Boolean</i>
     <a href="#multifactorauthrequired" title="MultiFactorAuthRequired">MultiFactorAuthRequired</a>: <i>Boolean</i>
     <a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>: <i>Boolean</i>
+    <a href="#securitycontact" title="SecurityContact">SecurityContact</a>: <i>String</i>
 </pre>
 
 ## Properties
@@ -173,6 +175,16 @@ _Type_: Boolean
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### SecurityContact
+
+Email address of the security contact for the organization.
+
+_Required_: No
+
+_Type_: String
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
 ## Return Values
 
 ### Fn::GetAtt

cfn-resources/organization/cmd/resource/resource.go

@@ -83,6 +83,10 @@
     "RestrictEmployeeAccess": {
       "type": "boolean",
       "description": "Flag that indicates whether to block MongoDB Support from accessing Atlas infrastructure for any deployment in the specified organization without explicit permission. Once this setting is turned on, you can grant MongoDB Support a 24-hour bypass access to the Atlas deployment to resolve support issues. To learn more, see: https://www.mongodb.com/docs/atlas/security-restrict-support-access/."
+    },
+    "SecurityContact": {
+      "type": "string",
+      "description": "Email address of the security contact for the organization."
     }
   },
   "additionalProperties": false,

cfn-resources/organization/docs/README.md

@@ -14,5 +14,6 @@
   "RestrictEmployeeAccess": "false",
   "ApiAccessListRequired": "false",
   "SkipDefaultAlertsSettings": "true",
-  "GenAIFeaturesEnabled": "true"
+  "GenAIFeaturesEnabled": "true",
+  "SecurityContact": "security-test@example.com"
 }

cfn-resources/organization/mongodb-atlas-organization.json

@@ -14,5 +14,6 @@
   "RestrictEmployeeAccess": "true",
   "ApiAccessListRequired": "false",
   "SkipDefaultAlertsSettings": "false",
-  "GenAIFeaturesEnabled": "false"
+  "GenAIFeaturesEnabled": "false",
+  "SecurityContact": "security-updated@example.com"
 }

cfn-resources/organization/test/inputs_1_create.json

@@ -14,9 +14,9 @@
 
 package resource
 
-import admin20231115014 "go.mongodb.org/atlas-sdk/v20231115014/admin"
+import "go.mongodb.org/atlas-sdk/v20250312012/admin"
 
-func NewCFNSearchDeployment(prevModel *Model, apiResp *admin20231115014.ApiSearchDeploymentResponse) Model {
+func NewCFNSearchDeployment(prevModel *Model, apiResp *admin.ApiSearchDeploymentResponse) Model {
 	respSpecs := apiResp.GetSpecs()
 	resultSpecs := make([]ApiSearchDeploymentSpec, len(respSpecs))
 	for i := range respSpecs {
@@ -25,25 +25,27 @@ func NewCFNSearchDeployment(prevModel *Model, apiResp *admin20231115014.ApiSearc
 			NodeCount:    &respSpecs[i].NodeCount,
 		}
 	}
+
 	return Model{
-		Profile:     prevModel.Profile,
-		ClusterName: prevModel.ClusterName,
-		ProjectId:   prevModel.ProjectId,
-		Id:          apiResp.Id,
-		Specs:       resultSpecs,
-		StateName:   apiResp.StateName,
+		Profile:                  prevModel.Profile,
+		ClusterName:              prevModel.ClusterName,
+		ProjectId:                prevModel.ProjectId,
+		Id:                       apiResp.Id,
+		Specs:                    resultSpecs,
+		StateName:                apiResp.StateName,
+		EncryptionAtRestProvider: apiResp.EncryptionAtRestProvider,
 	}
 }
 
-func NewSearchDeploymentReq(model *Model) admin20231115014.ApiSearchDeploymentRequest {
+func NewSearchDeploymentReq(model *Model) admin.ApiSearchDeploymentRequest {
 	modelSpecs := model.Specs
-	requestSpecs := make([]admin20231115014.ApiSearchDeploymentSpec, len(modelSpecs))
+	requestSpecs := make([]admin.ApiSearchDeploymentSpec, len(modelSpecs))
 	for i, spec := range modelSpecs {
 		// Both spec fields are required in CFN model and will be defined
-		requestSpecs[i] = admin20231115014.ApiSearchDeploymentSpec{
+		requestSpecs[i] = admin.ApiSearchDeploymentSpec{
 			InstanceSize: *spec.InstanceSize,
 			NodeCount:    *spec.NodeCount,
 		}
 	}
-	return admin20231115014.ApiSearchDeploymentRequest{Specs: requestSpecs}
+	return admin.ApiSearchDeploymentRequest{Specs: requestSpecs}
 }