feat: Backup Compliance Policy CloudFormation Resource #1535

Merged
rakhul-mongo merged 5 commits into master from CLOUDP-369800-backup-compliance-policy
Jan 29, 2026

@sivaram-mongodb sivaram-mongodb commented Jan 16, 2026

Proposed changes

Added new resource Backup Compliance Policy:

  • Manages MongoDB Atlas Backup Compliance Policy at the project level
  • Prevents unauthorized modifications or deletions of cluster settings, backups, and backup configurations
  • Enforces compliance requirements as minimum policy for all clusters and backups in the project
  • Supports scheduled backup policies (hourly, daily, weekly, monthly, yearly) with configurable retention
  • Supports on-demand backup policy items for flexible backup scheduling
  • Implements copy protection to prevent snapshot deletion until retention period expires
  • Enforces encryption at rest using Customer Key Management (CKM) for all clusters
  • Enables point-in-time recovery with Continuous Cloud Backup configuration
  • Features asynchronous state management with callback-based polling for policy activation
  • Full lifecycle management with create, read, update, delete, and list operations

Resource Schema:

Required Properties:

  • ProjectId: Unique identifier of the project
  • AuthorizedEmail: Email address of authorized user
  • AuthorizedUserFirstName: First name of authorized user
  • AuthorizedUserLastName: Last name of authorized user

Optional Properties:

  • CopyProtectionEnabled: Enable additional copy protection (default: false)
  • EncryptionAtRestEnabled: Require Encryption at Rest using CKM (default: false)
  • PitEnabled: Enable Continuous Cloud Backup (default: false)
  • RestoreWindowDays: Number of days for restore window
  • OnDemandPolicyItem: On-demand backup policy configuration
  • PolicyItemHourly: Hourly backup policy item
  • PolicyItemDaily: Daily backup policy item
  • PolicyItemWeekly: Array of weekly backup policy items
  • PolicyItemMonthly: Array of monthly backup policy items
  • PolicyItemYearly: Array of yearly backup policy items

Create-Only Properties:

  • ProjectId: Cannot be changed after creation

Configuration Examples:

Basic Backup Compliance Policy:

{
  "ProjectId": "5e2211c17a3e5a48f5497de3",
  "AuthorizedEmail": "admin@example.com",
  "AuthorizedUserFirstName": "John",
  "AuthorizedUserLastName": "Doe",
  "CopyProtectionEnabled": true,
  "EncryptionAtRestEnabled": true,
  "PitEnabled": true,
  "RestoreWindowDays": 7
}

Screenshots (images not preserved in this copy): cfn-testing; Published to AWS private registry; Stack Testing; Atlas (before, create, update, delete).

Jira ticket: CLOUDP-369800

Please include a summary of the fix/feature/change, including any relevant motivation and context.

Link to any related issue(s):

Type of change:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as
    expected)
  • This change requires a documentation update
  • If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Manual QA performed:

  • cfn invoke for each of CRUDL/cfn test
  • Updated resource in example
  • Published to AWS private registry
  • Used the template in example to create and update a stack in AWS
  • Deleted stack to ensure resources are deleted
  • Created multiple resources in same stack
  • Validated in Atlas UI
  • Included screenshots

Required Checklist:

  • I have signed the MongoDB CLA
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
  • I have added any necessary documentation (if appropriate)
  • I have run make fmt and formatted my code
  • For CFN Resources: I have released my changes in the private registry and proved my change
    works in Atlas.
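
The description above lists three protections that default to false when omitted, so a properties document can be valid and still enforce none of them. The following check is an added example, not code from this PR or the provider: `AuditPolicy` is a hypothetical helper, the sample input is constructed, and only the property names come from the description.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Property names below are the ones listed in the PR description.
var requiredProps = []string{"ProjectId", "AuthorizedEmail", "AuthorizedUserFirstName", "AuthorizedUserLastName"}

// Protections the description documents as "default: false" when omitted.
var protectionFlags = []string{"CopyProtectionEnabled", "EncryptionAtRestEnabled", "PitEnabled"}

// AuditPolicy is a hypothetical helper (not part of the provider). It returns
// one finding per missing required property or protection left disabled.
func AuditPolicy(raw []byte) ([]string, error) {
	var props map[string]json.RawMessage
	if err := json.Unmarshal(raw, &props); err != nil {
		return nil, fmt.Errorf("parse properties: %w", err)
	}
	var findings []string
	for _, name := range requiredProps {
		var s string
		if v, ok := props[name]; !ok || json.Unmarshal(v, &s) != nil || s == "" {
			findings = append(findings, name+": required, missing or empty")
		}
	}
	for _, name := range protectionFlags {
		var enabled bool
		v, ok := props[name]
		switch {
		case !ok:
			findings = append(findings, name+": omitted, defaults to false")
		case json.Unmarshal(v, &enabled) != nil:
			findings = append(findings, name+": not a boolean")
		case !enabled:
			findings = append(findings, name+": set to false")
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample: two required names and one protection are absent.
	sample := []byte(`{"ProjectId":"<project-id>","AuthorizedEmail":"admin@example.com",
	  "CopyProtectionEnabled":true,"PitEnabled":false}`)
	findings, err := AuditPolicy(sample)
	fmt.Println(findings, err)
}
```

Run against the `Properties` object of each policy resource in a template before deployment; an empty result means all four required fields are present and all three protections are explicitly enabled.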

@sivaram-mongodb sivaram-mongodb force-pushed the CLOUDP-369800-backup-compliance-policy branch from daa7387 to 90bbac7 Compare January 16, 2026 11:08
@rakhul-mongo rakhul-mongo force-pushed the CLOUDP-369800-backup-compliance-policy branch from 90bbac7 to 2207423 Compare January 20, 2026 05:20
@ParthasarathyV ParthasarathyV marked this pull request as ready for review January 22, 2026 14:06
@ParthasarathyV ParthasarathyV requested a review from a team as a code owner January 22, 2026 14:06
}

if policy.ProjectId != nil {
currentModel.ProjectId = policy.ProjectId

Collaborator

why not currentModel.ProjectId = policy.GetProjectId()?

Contributor

Valid point, updated as suggested.

Comment on lines +214 to +232
frequencyInterval := 0
if item.FrequencyInterval != nil {
frequencyInterval = *item.FrequencyInterval
}
retentionValue := 0
if item.RetentionValue != nil {
retentionValue = *item.RetentionValue
}
retentionUnit := ""
if item.RetentionUnit != nil {
retentionUnit = *item.RetentionUnit
}
return &admin.BackupComplianceOnDemandPolicyItem{
Id: item.Id,
FrequencyInterval: frequencyInterval,
FrequencyType: "ondemand",
RetentionUnit: retentionUnit,
RetentionValue: retentionValue,
}
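
Review bot: in the nil branches for RetentionValue and RetentionUnit, the function falls back to 0 and "" and still returns an item, so a caller that omits them gets a policy item carrying a zero retention and an empty unit rather than an error. For a compliance policy it would be safer to reject the item when either field is nil (return an error here, or validate before calling this function), or to add a comment explaining why the zero values are acceptable. The same applies to FrequencyInterval if 0 is not a meaningful value for it.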

Collaborator

@oarbusi oarbusi Jan 28, 2026

nit, but this way you don't have to declare the variables with the zero values

Suggested change
frequencyInterval := 0
if item.FrequencyInterval != nil {
frequencyInterval = *item.FrequencyInterval
}
retentionValue := 0
if item.RetentionValue != nil {
retentionValue = *item.RetentionValue
}
retentionUnit := ""
if item.RetentionUnit != nil {
retentionUnit = *item.RetentionUnit
}
return &admin.BackupComplianceOnDemandPolicyItem{
Id: item.Id,
FrequencyInterval: frequencyInterval,
FrequencyType: "ondemand",
RetentionUnit: retentionUnit,
RetentionValue: retentionValue,
}
onDemandPolicy := &admin.BackupComplianceOnDemandPolicyItem{
Id: item.Id,
FrequencyType: "ondemand",
}
if item.FrequencyInterval != nil {
onDemandPolicy.FrequencyInterval = *item.FrequencyInterval
}
if item.RetentionValue != nil {
onDemandPolicy.RetentionValue = *item.RetentionValue
}
if item.RetentionUnit != nil {
onDemandPolicy.RetentionUnit = *item.RetentionUnit
}
return onDemandPolicy

Contributor

This is better, thanks

}
}

func ExpandScheduledPolicyItem(item *ScheduledPolicyItem, frequencyType string) admin.BackupComplianceScheduledPolicyItem {

Collaborator

same suggestion from ExpandOnDemandPolicyItem could be applied here

Contributor

Done

Collaborator

@oarbusi oarbusi left a comment

LGTM, just some suggestions

@rakhul-mongo rakhul-mongo force-pushed the CLOUDP-369800-backup-compliance-policy branch from e68facc to 518aa9e Compare January 29, 2026 05:32
@rakhul-mongo rakhul-mongo force-pushed the CLOUDP-369800-backup-compliance-policy branch from 518aa9e to 3d94e0e Compare January 29, 2026 05:41
@rakhul-mongo rakhul-mongo added this pull request to the merge queue Jan 29, 2026
Merged via the queue into master with commit 18f8556 Jan 29, 2026
43 checks passed
@rakhul-mongo rakhul-mongo deleted the CLOUDP-369800-backup-compliance-policy branch January 29, 2026 08:28