feat: Service Account CloudFormation Resource

[sivaram-mongodb]

Proposed changes

Added new resource Service Account:

• Manages organization-level service accounts for MongoDB Atlas
• Provides programmatic access to Atlas resources for automation and CI/CD
• Supports configurable secret expiration for enhanced security
• Implements role-based access control with organization-level roles
• Features write-only secret field for secure credential handling
• Enables service-to-service authentication for automated workflows

Resource Configuration:

The Service Account resource enables you to create and manage service accounts at the organization level in MongoDB Atlas. Service accounts provide programmatic access to Atlas resources and are essential for automation, CI/CD pipelines, infrastructure as code, and service-to-service authentication.

Required Properties:

• OrgId: Organization identifier (24-hexadecimal characters)
• Name: Human-readable name for the service account
• Description: Description of the service account's purpose
• Roles: Array of organization-level roles (minimum 1 role required)
• SecretExpiresAfterHours: Expiration time for the secret in hours (minimum: 1)

Optional Properties:

• Profile: AWS Secrets Manager profile for Atlas credentials (default: "default")

Read-Only Properties:

• ClientId: Unique client identifier for the service account (generated on create)
• CreatedAt: Timestamp when the service account was created (ISO 8601 format)
• Secrets: Array of secrets associated with the service account
  • Id: Unique identifier of the secret
  • CreatedAt: When the secret was created
  • ExpiresAt: When the secret expires
  • LastUsedAt: When the secret was last used (if applicable)
  • MaskedSecretValue: Masked representation of the secret (e.g., "****abc123")
  • Secret: Write-only - Only returned on create, never in read/update/list operations

Create-Only Properties:

• OrgId, Profile, SecretExpiresAfterHours: Cannot be changed after creation

Configuration Examples:

Service Account:

{
  "OrgId": "64d2a9b8f1a2c3e4d5e6f7a8",
  "Name": "ci-cd-service-account",
  "Description": "Service account for CI/CD pipeline automation",
  "Roles": ["ORG_MEMBER"],
  "SecretExpiresAfterHours": 720
}

cfn testing:

stack testing:

Atlas - After Creation

Jira ticket: CLOUDP-369799

Please include a summary of the fix/feature/change, including any relevant motivation and context.

Link to any related issue(s):

Type of change:

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as
  expected)
• This change requires a documentation update
• If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Manual QA performed:

• cfn invoke for each of CRUDL/cfn test
• Updated resource in example
• Published to AWS private registry
• Used the template in example to create and update a stack in AWS
• Deleted stack to ensure resources are deleted
• Created multiple resources in same stack
• Validated in Atlas UI
• Included screenshots

Required Checklist:

• I have signed the MongoDB CLA
• I have added tests that prove my fix is effective or that my feature works
• I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
• I have added any necessary documentation (if appropriate)
• I have run make fmt and formatted my code
• For CFN Resources: I have released by changes in the private registry and proved by change
  works in Atlas

Further comments