mongodb
diff --git a/‎cfn-resources/cfn-testing-helper.sh‎
Lines changed: 7 additions & 2 deletions b/‎cfn-resources/cfn-testing-helper.sh‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎cfn-resources/org-service-account/.rpdk-config‎
Lines changed: 27 additions & 0 deletions b/‎cfn-resources/org-service-account/.rpdk-config‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎cfn-resources/org-service-account/Makefile‎
Lines changed: 23 additions & 0 deletions b/‎cfn-resources/org-service-account/Makefile‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎cfn-resources/org-service-account/README.md‎
Lines changed: 19 additions & 0 deletions b/‎cfn-resources/org-service-account/README.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎cfn-resources/org-service-account/cmd/main.go‎
Lines changed: 85 additions & 0 deletions b/‎cfn-resources/org-service-account/cmd/main.go‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎cfn-resources/org-service-account/cmd/resource/config.go‎
Lines changed: 19 additions & 0 deletions b/‎cfn-resources/org-service-account/cmd/resource/config.go‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎cfn-resources/org-service-account/cmd/resource/mappings.go‎
Lines changed: 101 additions & 0 deletions b/‎cfn-resources/org-service-account/cmd/resource/mappings.go‎
Lines changed: 101 additions & 0 deletions
@@ -157,9 +157,14 @@ done
 echo "Step 4/4: cleaning up 'cfn test' inputs "
 SAM_LOG=$(mktemp)
 for resource in ${resources}; do
-	cd "${res}"
+	cd "${resource}"
+	if [ -f ./test/cfn-test-delete-inputs.sh ]; then
 	chmod +x ./test/cfn-test-delete-inputs.sh
-	./test/cfn-test-delete-inputs.sh "${PROJECT_NAME}-${res}" && echo "resource:${res} inputs delete OK" || echo "resource:${res} input delete FAILED"
+		./test/cfn-test-delete-inputs.sh "${PROJECT_NAME}-${resource}" && echo "resource:${resource} inputs delete OK" || echo "resource:${resource} input delete FAILED"
+	else
+		echo "resource:${resource} - delete script not found, skipping cleanup"
+	fi
+	cd -
 done
 
 echo "Clean up project"
 
@@ -0,0 +1,27 @@
+{
+    "artifact_type": "RESOURCE",
+    "typeName": "MongoDB::Atlas::OrgServiceAccount",
+    "language": "go",
+    "runtime": "provided.al2",
+    "entrypoint": "bootstrap",
+    "testEntrypoint": "bootstrap",
+    "settings": {
+        "version": false,
+        "subparser_name": null,
+        "verbose": 0,
+        "force": false,
+        "type_name": null,
+        "artifact_type": null,
+        "endpoint_url": null,
+        "region": null,
+        "target_schemas": [],
+        "profile": null,
+        "import_path": "github.com/mongodb/mongodbatlas-cloudformation-resources/org-service-account",
+        "protocolVersion": "2.0.0"
+    },
+    "canarySettings": {
+        "contract_test_file_names": [
+            "inputs_1.json"
+        ]
+    }
+}
@@ -0,0 +1,23 @@
+.PHONY: build test clean debug
+tags=logging callback metrics scheduler
+cgo=0
+goos=linux
+goarch=amd64
+CFNREP_GIT_SHA?=$(shell git rev-parse HEAD)
+ldXflags=-s -w -X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=info -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+ldXflagsD=-X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=debug -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+
+build:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflags)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+debug:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+test:
+	cfn generate
+	env GOOS=$(goos) go build -ldflags="-s -w" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+clean:
+	rm -rf bin
@@ -0,0 +1,19 @@
+# MongoDB::Atlas::OrgServiceAccount
+
+## Description
+
+Resource for managing [Service Accounts](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/group/endpoint-service-accounts) for a MongoDB Atlas organization. Service accounts provide programmatic access to MongoDB Atlas resources and are used for automation, CI/CD pipelines, and service-to-service authentication.
+
+## Requirements
+
+To securely give CloudFormation access to your Atlas credentials, you must
+set up an [AWS Profile](/README.md#mongodb-atlas-api-keys-credential-management).
+
+## Attributes and Parameters
+
+See the [resource docs](docs/README.md).
+
+## Cloudformation Examples
+
+See the examples [CFN Template](/examples/org-service-account/README.md) for example resource.
+
@@ -0,0 +1,101 @@
+// Copyright 2026 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package resource
+
+import (
+	"sort"
+
+	"go.mongodb.org/atlas-sdk/v20250312010/admin"
+
+	"github.com/mongodb/mongodbatlas-cloudformation-resources/util"
+)
+
+func GetOrgServiceAccountModel(account *admin.OrgServiceAccount, currentModel *Model) *Model {
+	model := new(Model)
+
+	if currentModel != nil {
+		model = currentModel
+	}
+	if account != nil {
+		if currentModel != nil {
+			model.OrgId = currentModel.OrgId
+			model.Profile = currentModel.Profile
+		}
+		model.Name = account.Name
+		model.Description = account.Description
+		if account.Roles != nil {
+			roles := *account.Roles
+			if currentModel != nil && currentModel.Roles != nil && len(currentModel.Roles) > 0 {
+				model.Roles = currentModel.Roles
+			} else {
+				sort.Strings(roles)
+				model.Roles = roles
+			}
+		}
+		model.ClientId = account.ClientId
+		model.CreatedAt = util.TimePtrToStringPtr(account.CreatedAt)
+
+		if account.Secrets != nil {
+			model.Secrets = make([]Secret, len(*account.Secrets))
+			for i, s := range *account.Secrets {
+				createdAt := s.CreatedAt
+				expiresAt := s.ExpiresAt
+				model.Secrets[i] = Secret{
+					Id:                &s.Id,
+					CreatedAt:         util.TimePtrToStringPtr(&createdAt),
+					ExpiresAt:         util.TimePtrToStringPtr(&expiresAt),
+					LastUsedAt:        util.TimePtrToStringPtr(s.LastUsedAt),
+					MaskedSecretValue: s.MaskedSecretValue,
+					Secret:            s.Secret,
+				}
+			}
+		}
+	}
+	return model
+}
+
+func NewOrgServiceAccountCreateReq(model *Model) *admin.OrgServiceAccountRequest {
+	if model == nil {
+		return nil
+	}
+	secretExpiresAfterHours := *model.SecretExpiresAfterHours
+	roles := make([]string, len(model.Roles))
+	copy(roles, model.Roles)
+	sort.Strings(roles)
+	return &admin.OrgServiceAccountRequest{
+		Name:                    *model.Name,
+		Description:             *model.Description,
+		Roles:                   roles,
+		SecretExpiresAfterHours: secretExpiresAfterHours,
+	}
+}
+
+func NewOrgServiceAccountUpdateReq(model *Model) *admin.OrgServiceAccountUpdateRequest {
+	if model == nil {
+		return nil
+	}
+	var roles *[]string
+	if len(model.Roles) > 0 {
+		sortedRoles := make([]string, len(model.Roles))
+		copy(sortedRoles, model.Roles)
+		sort.Strings(sortedRoles)
+		roles = &sortedRoles
+	}
+	return &admin.OrgServiceAccountUpdateRequest{
+		Name:        model.Name,
+		Description: model.Description,
+		Roles:       roles,
+	}
+}