├── .github
    └── workflows
    │   └── tfsec.yml
├── .gitignore
├── LICENSE
├── README.md
├── aws-resources.tf
├── backup.tf
├── cluster.tf
├── connections.tf
├── database_users.tf
├── encryption.tf
├── example-tfvars
├── locals.tf
├── outputs.tf
├── projects.tf
├── provider.tf
├── teams.tf
└── variables.tf


/.github/workflows/tfsec.yml:
--------------------------------------------------------------------------------
 1 | # This workflow uses actions that are not certified by GitHub.
 2 | # They are provided by a third-party and are governed by
 3 | # separate terms of service, privacy policy, and support
 4 | # documentation.
 5 | 
 6 | name: tfsec
 7 | 
 8 | on:
 9 |   push:
10 |     branches: [ main ]
11 |   pull_request:
12 |     branches: [ main ]  
13 |   schedule:
14 |     - cron: '22 0 * * 6'
15 | 
16 | jobs:
17 |   tfsec:
18 |     name: Run tfsec sarif report
19 |     runs-on: ubuntu-latest
20 |     permissions:
21 |       actions: read
22 |       contents: read
23 |       security-events: write
24 | 
25 |     steps:
26 |       - name: Clone repo
27 |         uses: actions/checkout@v2
28 | 
29 |       - name: Run tfsec
30 |         uses: tfsec/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
31 |         with:
32 |           sarif_file: tfsec.sarif         
33 | 
34 |       - name: Upload SARIF file
35 |         uses: github/codeql-action/upload-sarif@v1
36 |         with:
37 |           # Path to SARIF file relative to the root of the repository
38 |           sarif_file: tfsec.sarif  
39 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Local .terraform directories
 2 | **/.terraform/*
 3 | **.terraform**
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # Crash log files
 9 | crash.log
10 | 
11 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
12 | # .tfvars files are managed as part of configuration and so should be included in
13 | # version control.
14 | #
15 | # example.tfvars
16 | 
17 | # Ignore override files as they are usually used to override resources locally and so
18 | # are not checked in
19 | override.tf
20 | override.tf.json
21 | *_override.tf
22 | *_override.tf.json
23 | 
24 | # Include override files you do wish to add to version control using negated pattern
25 | #
26 | # !example_override.tf
27 | 
28 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
29 | # example: *tfplan*
30 | 
31 | .**_**
32 | 
33 | terraform.tfvars
34 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # terraform-mongodbatlas-resources-aws
 2 | This is a terraform module to create resources in mongodb atlas.
 3 | 
 4 | NOTE: The current provider used for this project is AWS only
 5 | 
 6 | 
 7 | ### Before Deploying
 8 | 
 9 | Export your mongodb public and private key
10 | ```
11 | export MONGODB_ATLAS_PUBLIC_KEY=""
12 | export MONGODB_ATLAS_PRIVATE_KEY=""
13 | ```
14 | 
15 | 


--------------------------------------------------------------------------------
/aws-resources.tf:
--------------------------------------------------------------------------------
  1 | #######################################
  2 | ### AWS KMS Key
  3 | #######################################
  4 | resource "aws_kms_key" "default" {
  5 |   count                    = var.create && var.encryption_enabled ? 1 : 0
  6 |   deletion_window_in_days  = var.deletion_window_in_days
  7 |   enable_key_rotation      = var.enable_key_rotation
  8 |   policy                   = var.policy
  9 |   description              = var.description
 10 |   key_usage                = var.key_usage
 11 |   customer_master_key_spec = var.customer_master_key_spec
 12 |   multi_region             = var.multi_region
 13 |   tags                     = var.tags
 14 | }
 15 | 
 16 | resource "aws_kms_alias" "default" {
 17 |   count = var.create && var.encryption_enabled ? 1 : 0
 18 |   name  = var.alias
 19 |   #name          = coalesce(var.alias, format("alias/%v", module.this.id))
 20 |   target_key_id = join("", aws_kms_key.default.*.id)
 21 | }
 22 | ########################################
 23 | ### AWS Roles
 24 | ########################################
 25 | resource "aws_iam_role_policy" "policy" {
 26 |   count  = var.create && var.encryption_enabled ? 1 : 0
 27 |   name   = "mongodb_atlas_setup_policy"
 28 |   role   = aws_iam_role.role[0].id
 29 |   policy = <<-EOF
 30 |   {
 31 |     "Version": "2012-10-17",
 32 |     "Statement": [
 33 |       {
 34 |         "Effect": "Allow",
 35 | 		"Action": "*",
 36 | 		"Resource": "*"
 37 |       }
 38 |     ]
 39 |   }
 40 |   EOF
 41 |   depends_on = [
 42 |     aws_iam_role.role
 43 |   ]
 44 | }
 45 | 
 46 | resource "aws_iam_role" "role" {
 47 |   count = var.create && var.encryption_enabled ? 1 : 0
 48 |   name  = "mongodb_setup_role"
 49 | 
 50 |   assume_role_policy = <<EOF
 51 | {
 52 |   "Version": "2012-10-17",
 53 |   "Statement": [
 54 |     {
 55 |       "Effect": "Allow",
 56 |       "Principal": {
 57 |         "AWS": "${mongodbatlas_cloud_provider_access_setup.setup_only[0].aws_config[0].atlas_aws_account_arn}"
 58 |       },
 59 |       "Action": "sts:AssumeRole",
 60 |       "Condition": {
 61 |         "StringEquals": {
 62 |           "sts:ExternalId": "${mongodbatlas_cloud_provider_access_setup.setup_only[0].aws_config[0].atlas_assumed_role_external_id}"
 63 |         }
 64 |       }
 65 |     }
 66 |   ]
 67 | }
 68 | EOF
 69 | }
 70 | ########################################################
 71 | ### Mongdb atlas and AWS VPC Private Link
 72 | ########################################################
 73 | resource "mongodbatlas_privatelink_endpoint" "default" {
 74 |   count         = local.free_tier == false && var.create && var.create_privatelink_endpoint == true ? 1 : 0
 75 |   project_id    = mongodbatlas_project.project[0].id
 76 |   provider_name = local.cloud_provider
 77 |   region        = var.aws_region
 78 | }
 79 | 
 80 | resource "aws_vpc_endpoint" "ptfe_service" {
 81 |   count              = local.free_tier == false && var.create && var.create_privatelink_endpoint == true ? 1 : 0
 82 |   vpc_id             = var.vpc_id
 83 |   service_name       = mongodbatlas_privatelink_endpoint.default[0].endpoint_service_name
 84 |   vpc_endpoint_type  = var.vpc_endpoint_type
 85 |   subnet_ids         = var.subnet_ids
 86 |   security_group_ids = var.security_group_ids
 87 | 
 88 |   depends_on = [
 89 |     mongodbatlas_privatelink_endpoint.default
 90 |   ]
 91 | }
 92 | 
 93 | resource "mongodbatlas_privatelink_endpoint_service" "test" {
 94 |   count               = local.free_tier == false && var.create && var.create_privatelink_endpoint == true ? 1 : 0
 95 |   project_id          = mongodbatlas_project.project[0].id
 96 |   private_link_id     = mongodbatlas_privatelink_endpoint.default[0].private_link_id
 97 |   endpoint_service_id = aws_vpc_endpoint.ptfe_service[0].id
 98 |   provider_name       = "AWS"
 99 | 
100 |   depends_on = [
101 |     mongodbatlas_privatelink_endpoint.default,
102 |     aws_vpc_endpoint.ptfe_service
103 |   ]
104 | 
105 | }
106 | 


--------------------------------------------------------------------------------
/backup.tf:
--------------------------------------------------------------------------------
 1 | resource "mongodbatlas_cloud_backup_schedule" "hourly" {
 2 |   count = var.create && local.free_tier == false && var.hourly_backup_enabled ? 1 : 0
 3 | 
 4 |   project_id   = mongodbatlas_project.project[0].id
 5 |   cluster_name = var.cluster_type == "REPLICASET" || local.free_tier || local.sharding ? mongodbatlas_cluster.replicaset[0].name : mongodbatlas_cluster.sharded[0].name
 6 | 
 7 |   reference_hour_of_day    = var.hourly_reference_hour_of_day != null ? var.hourly_reference_hour_of_day : var.reference_hour_of_day
 8 |   reference_minute_of_hour = var.hourly_reference_minute_of_hour != null ? var.hourly_reference_minute_of_hour : var.reference_minute_of_hour
 9 |   restore_window_days      = var.hourly_restore_window_days != null ? var.hourly_restore_window_days : var.restore_window_days
10 | 
11 |   // This will now add the desired policy items to the existing mongodbatlas_cloud_backup_schedule resource
12 | 
13 |   policy_item_hourly {
14 |     frequency_interval = var.hourly_frequency_interval
15 |     retention_unit     = var.hourly_retention_unit
16 |     retention_value    = var.hourly_retention_value
17 |   }
18 | }
19 | 
20 | resource "mongodbatlas_cloud_backup_schedule" "daily" {
21 |   count        = var.create && local.free_tier == false && var.daily_backup_enabled ? 1 : 0
22 |   project_id   = mongodbatlas_project.project[0].id
23 |   cluster_name = var.cluster_type == "REPLICASET" || local.free_tier || local.sharding ? mongodbatlas_cluster.replicaset[0].name : mongodbatlas_cluster.sharded[0].name
24 | 
25 |   reference_hour_of_day    = var.daily_reference_hour_of_day != null ? var.daily_reference_hour_of_day : var.reference_hour_of_day
26 |   reference_minute_of_hour = var.daily_reference_minute_of_hour != null ? var.daily_reference_minute_of_hour : var.reference_minute_of_hour
27 |   restore_window_days      = var.daily_restore_window_days != null ? var.daily_restore_window_days : var.restore_window_days
28 | 
29 |   // This will now add the desired policy items to the existing mongodbatlas_cloud_backup_schedule resource
30 | 
31 |   policy_item_daily {
32 |     frequency_interval = var.daily_frequency_interval
33 |     retention_unit     = var.daily_retention_unit
34 |     retention_value    = var.daily_retention_value
35 |   }
36 | }
37 | resource "mongodbatlas_cloud_backup_schedule" "weekly" {
38 |   count        = var.create && local.free_tier == false && var.weekly_backup_enabled ? 1 : 0
39 |   project_id   = mongodbatlas_project.project[0].id
40 |   cluster_name = var.cluster_type == "REPLICASET" || local.free_tier || local.sharding ? mongodbatlas_cluster.replicaset[0].name : mongodbatlas_cluster.sharded[0].name
41 | 
42 |   reference_hour_of_day    = var.weekly_reference_hour_of_day != null ? var.weekly_reference_hour_of_day : var.reference_hour_of_day
43 |   reference_minute_of_hour = var.weekly_reference_minute_of_hour != null ? var.weekly_reference_minute_of_hour : var.reference_minute_of_hour
44 |   restore_window_days      = var.weekly_restore_window_days != null ? var.weekly_restore_window_days : var.restore_window_days
45 | 
46 |   // This will now add the desired policy items to the existing mongodbatlas_cloud_backup_schedule resource
47 | 
48 |   policy_item_weekly {
49 |     frequency_interval = var.weekly_frequency_interval
50 |     retention_unit     = var.weekly_retention_unit
51 |     retention_value    = var.weekly_retention_value
52 |   }
53 | }
54 | resource "mongodbatlas_cloud_backup_schedule" "monthly" {
55 |   count        = var.create && local.free_tier == false && var.monthly_backup_enabled ? 1 : 0
56 |   project_id   = mongodbatlas_project.project[0].id
57 |   cluster_name = var.cluster_type == "REPLICASET" || local.free_tier || local.sharding ? mongodbatlas_cluster.replicaset[0].name : mongodbatlas_cluster.sharded[0].name
58 | 
59 |   reference_hour_of_day    = var.monthly_reference_hour_of_day != null ? var.monthly_reference_hour_of_day : var.reference_hour_of_day
60 |   reference_minute_of_hour = var.monthly_reference_minute_of_hour != null ? var.monthly_reference_minute_of_hour : var.reference_minute_of_hour
61 |   restore_window_days      = var.monthly_restore_window_days != null ? var.monthly_restore_window_days : var.restore_window_days
62 | 
63 |   // This will now add the desired policy items to the existing mongodbatlas_cloud_backup_schedule resource
64 |   policy_item_monthly {
65 |     frequency_interval = var.monthly_frequency_interval
66 |     retention_unit     = var.monthly_retention_unit
67 |     retention_value    = var.monthly_retention_value
68 |   }
69 | }
70 | 


--------------------------------------------------------------------------------
/cluster.tf:
--------------------------------------------------------------------------------
  1 | ####################3###################################
  2 | ### MONGODB ATLAS CLUSTER IN THE PROJECT : SHARDED CLUSTER
  3 | ####################3###################################
  4 | resource "mongodbatlas_cluster" "sharded" {
  5 |   count                       = local.sharding == false && local.free_tier == false && var.create && var.cluster_type != "REPLICASET" ? 1 : 0
  6 |   project_id                  = mongodbatlas_project.project[0].id
  7 |   name                        = var.cluster_name
  8 |   provider_name               = local.provider_name
  9 |   backing_provider_name       = local.backing_provider_name
 10 |   provider_region_name        = var.atlas_region
 11 |   provider_instance_size_name = var.instance_type
 12 |   mongo_db_major_version      = var.mongodb_major_ver
 13 |   cluster_type                = local.free_tier ? "REPLICASET" : local.cluster_type
 14 |   cloud_backup                = local.free_tier ? false : var.cloud_backup
 15 |   pit_enabled                 = local.free_tier ? false : var.cloud_backup
 16 |   disk_size_gb                = local.free_tier ? null : var.disk_size_gb
 17 |   provider_volume_type        = local.free_tier ? "" : var.volume_type
 18 |   provider_disk_iops          = local.sharding && var.volume_type == "STANDARD" ? null : var.provider_disk_iops
 19 |   num_shards                  = local.sharding ? 1 : var.num_shards
 20 |   #for auto_scaling
 21 |   #storage scaling
 22 |   auto_scaling_disk_gb_enabled = local.free_tier ? false : var.auto_scaling_disk_gb_enabled
 23 |   #cluster tier scaling
 24 |   auto_scaling_compute_enabled                    = local.free_tier ? false : var.auto_scaling_compute_enabled
 25 |   auto_scaling_compute_scale_down_enabled         = local.free_tier || var.auto_scaling_compute_enabled == false ? false : var.auto_scaling_compute_scale_down_enabled
 26 |   provider_auto_scaling_compute_min_instance_size = local.free_tier ? "" : var.provider_auto_scaling_compute_min_instance_size
 27 |   provider_auto_scaling_compute_max_instance_size = local.free_tier ? "" : var.provider_auto_scaling_compute_max_instance_size
 28 |   #encryption
 29 |   encryption_at_rest_provider = local.free_tier ? "NONE" : var.encryption_at_rest_provider
 30 | 
 31 |   dynamic "replication_specs" {
 32 |     for_each = var.cluster_type != "REPLICASET" && var.replication_specs_sharded != null ? var.replication_specs_sharded : []
 33 |     content {
 34 |       num_shards = replication_specs.value.num_shards
 35 |       zone_name  = replication_specs.value.zone_name
 36 |       regions_config {
 37 |         region_name     = replication_specs.value.region_name
 38 |         electable_nodes = replication_specs.value.electable_nodes
 39 |         priority        = replication_specs.value.priority
 40 |         read_only_nodes = replication_specs.value.read_only_nodes
 41 |       }
 42 |     }
 43 |   }
 44 | 
 45 |   dynamic "labels" {
 46 |     for_each = var.labels
 47 |     content {
 48 |       key   = labels.key
 49 |       value = labels.value
 50 |     }
 51 |   }
 52 | 
 53 |   depends_on = [
 54 |     mongodbatlas_project.project,
 55 |     mongodbatlas_encryption_at_rest.encryption,
 56 |     mongodbatlas_cloud_provider_access_setup.setup_only,
 57 |     mongodbatlas_cloud_provider_access_authorization.auth_role
 58 |   ]
 59 | }
 60 | 
 61 | 
 62 | ####################3###################################
 63 | ### MONGODB ATLAS CLUSTER IN THE PROJECT : REPLICASET ? FREE TIER
 64 | ####################3###################################
 65 | resource "mongodbatlas_cluster" "replicaset" {
 66 |   count                       = local.sharding || (var.create && var.cluster_type == "REPLICASET") || local.free_tier ? 1 : 0
 67 |   project_id                  = mongodbatlas_project.project[0].id
 68 |   name                        = var.cluster_name
 69 |   provider_name               = local.provider_name
 70 |   backing_provider_name       = local.backing_provider_name
 71 |   provider_region_name        = var.atlas_region
 72 |   provider_instance_size_name = var.instance_type
 73 |   mongo_db_major_version      = var.mongodb_major_ver
 74 |   cluster_type                = local.free_tier ? "REPLICASET" : local.cluster_type
 75 |   cloud_backup                = local.free_tier ? false : var.cloud_backup
 76 |   pit_enabled                 = local.free_tier ? false : var.cloud_backup
 77 |   disk_size_gb                = local.free_tier ? null : var.disk_size_gb
 78 |   provider_volume_type        = local.free_tier ? "" : var.volume_type
 79 |   provider_disk_iops          = local.sharding && var.volume_type == "STANDARD" ? null : var.provider_disk_iops
 80 |   num_shards                  = local.sharding ? 1 : var.num_shards
 81 |   #for auto_scaling
 82 |   #storage scaling
 83 |   auto_scaling_disk_gb_enabled = local.free_tier ? false : var.auto_scaling_disk_gb_enabled
 84 |   #cluster tier scaling
 85 |   auto_scaling_compute_enabled                    = local.free_tier ? false : var.auto_scaling_compute_enabled
 86 |   auto_scaling_compute_scale_down_enabled         = local.free_tier || var.auto_scaling_compute_enabled == false ? false : var.auto_scaling_compute_scale_down_enabled
 87 |   provider_auto_scaling_compute_min_instance_size = local.free_tier ? "" : var.provider_auto_scaling_compute_min_instance_size
 88 |   provider_auto_scaling_compute_max_instance_size = local.free_tier ? "" : var.provider_auto_scaling_compute_max_instance_size
 89 |   #encryption
 90 |   encryption_at_rest_provider = local.free_tier ? "NONE" : var.encryption_at_rest_provider
 91 | 
 92 |   replication_specs {
 93 |     num_shards = var.replication_specs != null ? var.num_shards_replicaset : var.num_shards
 94 |     dynamic "regions_config" {
 95 |       for_each = var.replication_specs != null ? var.replication_specs : local.replication_specs
 96 |       content {
 97 |         region_name     = regions_config.value.region_name
 98 |         electable_nodes = regions_config.value.electable_nodes
 99 |         priority        = regions_config.value.priority
100 |         read_only_nodes = regions_config.value.read_only_nodes
101 |       }
102 |     }
103 |   }
104 | 
105 |   dynamic "labels" {
106 |     for_each = var.labels
107 |     content {
108 |       key   = labels.key
109 |       value = labels.value
110 |     }
111 |   }
112 | 
113 |   depends_on = [
114 |     mongodbatlas_project.project,
115 |     mongodbatlas_encryption_at_rest.encryption,
116 |     mongodbatlas_cloud_provider_access_setup.setup_only,
117 |     mongodbatlas_cloud_provider_access_authorization.auth_role
118 |   ]
119 | }
120 | 


--------------------------------------------------------------------------------
/connections.tf:
--------------------------------------------------------------------------------
 1 | #Optional, if no variable is passed, the loop will run on an empty object.
 2 | resource "mongodbatlas_project_ip_access_list" "whitelists" {
 3 |   for_each = var.create ? var.whitelists : {}
 4 | 
 5 |   project_id = mongodbatlas_project.project[0].id
 6 |   comment    = each.key
 7 |   cidr_block = each.value
 8 | 
 9 |   depends_on = [
10 |     mongodbatlas_project.project
11 |   ]
12 | }
13 | 
14 | #####################3###################################
15 | ## CREATE AWS PEER REQUESTS TO AWS VPC
16 | #####################3###################################
17 | #
18 | #resource "mongodbatlas_network_peering" "mongo_peer" {
19 | #  for_each = var.vpc_peer
20 | #
21 | #  accepter_region_name   = each.value.region
22 | #  project_id             = mongodbatlas_project.project.id
23 | #  container_id           = mongodbatlas_cluster.cluster.container_id
24 | #  provider_name          = local.cloud_provider
25 | #  route_table_cidr_block = each.value.route_table_cidr_block
26 | #  vpc_id                 = each.value.vpc_id
27 | #  aws_account_id         = each.value.aws_account_id
28 | #}
29 | #
30 | #####################3###################################
31 | ## ACCEPT THE PEER REQUESTS ON THE AWS SIDE
32 | #####################3###################################
33 | #
34 | #resource "aws_vpc_peering_connection_accepter" "peer" {
35 | #  for_each = var.vpc_peer
36 | #
37 | #  vpc_peering_connection_id = mongodbatlas_network_peering.mongo_peer[each.key].connection_id
38 | #  auto_accept               = true
39 | #}
40 | 
41 | 
42 | 
43 | 


--------------------------------------------------------------------------------
/database_users.tf:
--------------------------------------------------------------------------------
 1 | ########################################
 2 | ### RANDOM PASSWORD FOR DATABASE USERS
 3 | ######################### ##############
 4 | resource "random_password" "password" {
 5 |   for_each         = var.create ? local.db_users_flat : {}
 6 |   length           = 16
 7 |   special          = true
 8 |   override_special = "_%!+"
 9 | }
10 | 
11 | resource "mongodbatlas_database_user" "user" {
12 |   for_each           = var.create ? local.db_users_flat : {}
13 |   username           = each.value.username
14 |   password           = random_password.password[each.key].result
15 |   project_id         = mongodbatlas_project.project[0].id
16 |   auth_database_name = "admin"
17 |   dynamic "roles" {
18 |     for_each = range(length(each.value.cluster.db_name))
19 |     content {
20 |       database_name = each.value.cluster.db_name[roles.key]
21 |       role_name     = each.value.cluster.db_role[roles.key]
22 |     }
23 |   }
24 |   dynamic "scopes" {
25 |     for_each = range(length(each.value.cluster.clustername))
26 |     content {
27 |       name = each.value.cluster.clustername[scopes.key]
28 |       type = each.value.cluster.db_type[scopes.key]
29 |     }
30 |   }
31 | 
32 |   depends_on = [
33 |     mongodbatlas_project.project,
34 |     #mongodbatlas_cluster.cluster,
35 |     random_password.password
36 |   ]
37 | }
38 | 


--------------------------------------------------------------------------------
/encryption.tf:
--------------------------------------------------------------------------------
 1 | ########################################
 2 | ## MongoDB Atlas
 3 | ########################################
 4 | 
 5 | resource "mongodbatlas_encryption_at_rest" "encryption" {
 6 |   count      = var.create && var.encryption_enabled ? 1 : 0
 7 |   project_id = mongodbatlas_project.project[0].id
 8 | 
 9 |   aws_kms_config {
10 |     enabled                = var.encryption_enabled
11 |     customer_master_key_id = var.customer_master_key_id == "" ? aws_kms_key.default[0].key_id : var.customer_master_key_id
12 |     region                 = var.atlas_region #atlas region (this region should have your kms key in AWS)
13 |     role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role[0].role_id
14 |   }
15 | 
16 |   depends_on = [
17 |     mongodbatlas_project.project,
18 |     mongodbatlas_cloud_provider_access_authorization.auth_role
19 |   ]
20 | }
21 | 
22 | resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
23 |   count         = var.create && var.encryption_enabled ? 1 : 0
24 |   project_id    = mongodbatlas_project.project[0].id
25 |   provider_name = var.cloud_provider
26 | 
27 |   depends_on = [
28 |     mongodbatlas_project.project
29 |   ]
30 | }
31 | 
32 | resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
33 |   count      = var.create && var.encryption_enabled ? 1 : 0
34 |   project_id = mongodbatlas_project.project[0].id
35 |   role_id    = mongodbatlas_cloud_provider_access_setup.setup_only[0].role_id
36 | 
37 |   aws {
38 |     iam_assumed_role_arn = aws_iam_role.role[0].arn
39 |   }
40 | 
41 |   depends_on = [
42 |     aws_iam_role.role,
43 |     mongodbatlas_cloud_provider_access_setup.setup_only,
44 |     mongodbatlas_project.project
45 |   ]
46 | }
47 | 


--------------------------------------------------------------------------------
/example-tfvars:
--------------------------------------------------------------------------------
  1 | cloud_provider               = "AWS"
  2 | cluster_type                 = "REPLICASET"
  3 | volume_type                  = "STANDARD"
  4 | region                       = "EU_WEST_1"
  5 | cluster_name                 = "test"
  6 | instance_type                = "M10"
  7 | mongodb_major_ver            = 5.0
  8 | num_shards                   = 3
  9 | backup_enabled               = false
 10 | pit_enabled                  = false
 11 | auto_scaling_disk_gb_enabled = false
 12 | org_id                       = ""
 13 | project_name                 = "test"
 14 | white_lists = {
 15 |   "example comment" : "0.0.0.0/0"
 16 | }
 17 | aws_rgion = "eu-west-1"
 18 | replication_factor = 3
 19 | #NOTE: Set this to true for M0 cluster if you have credit card associated to MongoDB else set it to false as it cannot be enabled unless credit card is associated
 20 | cloud_backup = false
 21 | #NOTE: Set this to true for M0 cluster if you have credit card associated to MongoDB else set it to false as it cannot be enabled unless credit card is associated
 22 | #pit_enabled  = false
 23 | disk_size_gb = 10
 24 | #auto_scaling_disk_gb_enabled = true
 25 | #volume_type = "STANDARD"
 26 | #provider_disk_iops =
 27 | #vpc_peer =
 28 | #create_privatelink_endpoint =
 29 | #vpc_id =
 30 | #vpc_endpoint_type =
 31 | #subnet_ids =
 32 | #security_group_ids =
 33 | #NOTE: Required if autoScaling.compute.enabled is true.
 34 | provider_auto_scaling_compute_max_instance_size = "M40"
 35 | provider_auto_scaling_compute_min_instance_size = "M10"
 36 | #NOTE: If auto_scaling_compute_enabled is true, then Atlas will automatically scale up to the maximum provided and down to the minimum, if provided. This will cause the value of provider_instance_size_name returned to potential be different than what is specified in the Terraform config and if one then applies a plan, not noting this, Terraform will scale the cluster back down to the original instanceSizeName value. To prevent this a lifecycle customization should be used, i.e.:
 37 | # lifecycle { ignore_changes = [provider_instance_size_name] }
 38 | # But in order to explicitly change provider_instance_size_name comment the lifecycle block and run terraform apply. Please ensure to uncomment it to prevent any accidental changes.
 39 | auto_scaling_compute_enabled = true
 40 | #This option is only available if autoScaling.compute.enabled is true.
 41 | auto_scaling_compute_scale_down_enabled = true
 42 | encryption_at_rest_provider             = "AWS"
 43 | ############################
 44 | ## Encryption at rest
 45 | ############################
 46 | enabled                = true
 47 | customer_master_key_id = ""
 48 | #######################################
 49 | ### Cloud Backup Schedule
 50 | #######################################
 51 | reference_hour_of_day    = 3
 52 | reference_minute_of_hour = 45
 53 | restore_window_days      = 4
 54 | #policy_item_hourly
 55 | hourly_backup_enabled     = true
 56 | hourly_frequency_interval = 1
 57 | hourly_retention_unit     = "days"
 58 | hourly_retention_value    = 1
 59 | #policy_item_daily
 60 | daily_backup_enabled = false
 61 | #daily_frequency_interval =
 62 | #daily_retention_unit =
 63 | #daily_retention_value =
 64 | #policy_item_weekly
 65 | weekly_backup_enabled = false
 66 | #weekly_frequency_interval =
 67 | #weekly_retention_unit =
 68 | #weekly_retention_value =
 69 | #policy_item_monthly
 70 | monthly_backup_enabled = false
 71 | #monthly_frequency_interval = 5
 72 | #monthly_retention_unit = "months"
 73 | #monthly_retention_value = 4
 74 | #
 75 | #teams = {
 76 | #  Devops = {
 77 | #    users        = ["user1@email.com"]
 78 | #    org_role     = ["ORG_OWNER"]
 79 | #    project_role = ["GROUP_OWNER"]
 80 | #  },
 81 | #  DevTeam = {
 82 | #    users        = ["user3@email.com", "user4@email.com"]
 83 | #    org_role     = ["ORG_MEMBER", "ORG_OWNER"]
 84 | #    project_role = ["GROUP_DATA_ACCESS_READ_ONLY", "GROUP_READ_ONLY"]
 85 | #  }
 86 | #}
 87 | #db_users = {
 88 | #  user_list = {    #some_list
 89 | #    test-user1 = { #user
 90 | #      db_name     = ["db_a", "db_b"]
 91 | #      db_role     = ["readWrite", "read"]
 92 | #      db_type     = ["CLUSTER"]
 93 | #      clustername = ["test"]
 94 | #    },
 95 | #    test-user2 = { #user
 96 | #      db_name     = ["db_d", "db_e"]
 97 | #      db_role     = ["readWrite", "readWrite"]
 98 | #      db_type     = ["CLUSTER", "CLUSTER", "CLUSTER"]
 99 | #      clustername = ["test", "test-1", "test-2"]
100 | #    },
101 | #    test-user3 = { #user
102 | #      db_name     = ["db_c", "db_g", "db_a"]
103 | #      db_role     = ["readWrite", "read", "dbAdmin"]
104 | #      db_type     = ["CLUSTER", "CLUSTER", "CLUSTER"]
105 | #      clustername = ["test-2", "test-5", "test-7"]
106 | #    }
107 | #  }
108 | #}
109 | 


--------------------------------------------------------------------------------
/locals.tf:
--------------------------------------------------------------------------------
 1 | #The module from mongodb itself is limited to AWS only for now.
 2 | locals {
 3 |   cloud_provider = "AWS"
 4 |   db_users_flat = merge([
 5 |     for lists, users in var.db_users :
 6 |     {
 7 |       for user, data in users :
 8 |       "${lists}-${user}" => {
 9 |         username = user
10 |         cluster  = data
11 |       }
12 |     }
13 |   ]...) # please do NOT remove the dots
14 | 
15 |   free_tier             = substr(var.instance_type, 1, length(var.instance_type)) < substr("M10", 1, length("M10")) || var.cloud_provider == "TENANT"
16 |   provider_name         = local.free_tier ? "TENANT" : var.cloud_provider
17 |   backing_provider_name = local.free_tier || local.provider_name == "TENANT" ? var.backing_provider_name : ""
18 |   cluster_type          = var.cluster_type == "REPLICASET" || (substr(var.instance_type, 1, length(var.instance_type)) < substr("M30", 1, length("M30"))) ? "REPLICASET" : var.cluster_type
19 |   sharding              = substr(var.instance_type, 1, length(var.instance_type)) < substr("M30", 1, length("M30"))
20 | 
21 |   replication_specs = [
22 |     {
23 |       electable_nodes = var.electable_nodes
24 |       priority        = var.priority
25 |       read_only_nodes = var.read_only_nodes
26 |       region_name     = var.atlas_region
27 |     }
28 |   ]
29 | 
30 | }
31 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "key_arn" {
 2 |   value       = join("", aws_kms_key.default.*.arn)
 3 |   description = "Key ARN"
 4 | }
 5 | 
 6 | output "key_id" {
 7 |   value       = join("", aws_kms_key.default.*.key_id)
 8 |   description = "Key ID"
 9 | }
10 | 
11 | output "alias_arn" {
12 |   value       = join("", aws_kms_alias.default.*.arn)
13 |   description = "Alias ARN"
14 | }
15 | 
16 | output "alias_name" {
17 |   value       = join("", aws_kms_alias.default.*.name)
18 |   description = "Alias name"
19 | }
20 | 


--------------------------------------------------------------------------------
/projects.tf:
--------------------------------------------------------------------------------
 1 | ################################
 2 | ### PROJECT
 3 | ################################
 4 | 
 5 | resource "mongodbatlas_project" "project" {
 6 |   count  = var.create ? 1 : 0
 7 |   name   = var.project_name
 8 |   org_id = var.org_id
 9 | 
10 |   #Associate teams and privileges if passed, if not - run with an empty object
11 |   dynamic "teams" {
12 |     for_each = var.teams
13 |     content {
14 |       team_id    = mongodbatlas_teams.team[teams.key].team_id
15 |       role_names = teams.value.project_role
16 |     }
17 |   }
18 | 
19 |   depends_on = [
20 |     mongodbatlas_teams.team
21 |   ]
22 | 
23 | }
24 | 


--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     mongodbatlas = {
 4 |       source = "mongodb/mongodbatlas"
 5 |       version = ">=1.5.0"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "mongodbatlas" {
11 | }
12 | 
13 | 


--------------------------------------------------------------------------------
/teams.tf:
--------------------------------------------------------------------------------
 1 | ###########################################
 2 | ### TEAMS FROM **EXISTING USERS**
 3 | ###########################################
 4 | 
 5 | resource "mongodbatlas_teams" "team" {
 6 |   for_each  = var.create ? var.teams : {}
 7 |   org_id    = var.org_id
 8 |   name      = each.key
 9 |   usernames = each.value.users
10 | }
11 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | #can be exported as 'export MONGODB_ATLAS_PRIVATE_KEY="xxxx"'
  2 | variable "create" {
  3 |   description = "Flag to ensuer either to create or not  create the resource"
  4 |   type        = bool
  5 |   default     = true
  6 | }
  7 | 
  8 | variable "mongodbatlas_public_key" {
  9 |   description = "This is the public key of your MongoDB Atlas '' API key pair"
 10 |   type        = string
 11 |   default     = ""
 12 | }
 13 | 
 14 | #can be exported as 'export MONGODB_ATLAS_PRIVATE_KEY="xxxx"'
 15 | variable "mongodbatlas_private_key" {
 16 |   description = "This is the private key of your MongoDB Atlas API key pair"
 17 |   type        = string
 18 |   default     = ""
 19 | }
 20 | 
 21 | variable "cloud_provider" {
 22 |   description = "Cloud service provider on which the servers are provisioned. The possible values are: AWS, GCP, AZURE, and (... TENANT - A multi-tenant deployment on one of the supported cloud service providers. Only valid when providerSettings.instanceSizeName is either M2 or M5. ...)"
 23 |   type        = string
 24 |   default     = "AWS"
 25 | }
 26 | 
 27 | variable "backing_provider_name" {
 28 |   description = "Cloud service provider on which the server for a multi-tenant cluster is provisioned. This setting is only valid when providerSetting.providerName is TENANT and providerSetting.instanceSizeName is M2 or M5. The possible values are: AWS, GCP, AZURE"
 29 |   type        = string
 30 |   default     = "AWS"
 31 | }
 32 | 
 33 | variable "project_name" {
 34 |   description = "The name of the project you want to create"
 35 |   type        = string
 36 |   default     = ""
 37 | }
 38 | 
 39 | variable "org_id" {
 40 |   description = "The ID of the Atlas organization you want to create the project within"
 41 |   type        = string
 42 |   default     = ""
 43 | }
 44 | 
 45 | variable "teams" {
 46 |   description = "An object that contains all the groups that should be created in the project"
 47 |   type        = any
 48 |   default     = {}
 49 | }
 50 | 
 51 | variable "db_users" {
 52 |   description = "An object that contains all the groups that should be created in the project"
 53 |   type        = map(any)
 54 |   default     = {}
 55 | }
 56 | 
 57 | variable "whitelists" {
 58 |   description = "An object that contains all the network white-lists that should be created in the project"
 59 |   type        = map(any)
 60 |   #default     = {}
 61 |   default = { "example" : "202.51.88.91/32" }
 62 | }
 63 | 
 64 | variable "atlas_region" {
 65 |   description = "The AWS region-name that the cluster will be deployed on"
 66 |   type        = string
 67 |   default     = "US_EAST_1"
 68 | }
 69 | 
 70 | variable "aws_region" {
 71 |   description = "The AWS region-name that the AWS KMS KEY, Private Link, and other resides on"
 72 |   type        = string
 73 |   default     = "us-east-1"
 74 | }
 75 | 
 76 | variable "cluster_name" {
 77 |   description = "The cluster name"
 78 |   type        = string
 79 |   default     = "ClusterMongo"
 80 | }
 81 | 
 82 | variable "instance_type" {
 83 |   description = "The Atlas instance-type name"
 84 |   type        = string
 85 |   default     = "M10"
 86 | }
 87 | 
 88 | variable "mongodb_major_ver" {
 89 |   description = "The MongoDB cluster major version"
 90 |   type        = number
 91 |   default     = 5.0
 92 | }
 93 | 
 94 | variable "cluster_type" {
 95 |   description = "The MongoDB Atlas cluster type - SHARDED/REPLICASET/GEOSHARDED"
 96 |   type        = string
 97 |   default     = "REPLICASET"
 98 | }
 99 | 
100 | variable "num_shards" {
101 |   description = " Number of shards to deploy in the specified zone, minimum 1."
102 |   type        = number
103 |   default     = 1
104 | }
105 | 
106 | variable "num_shards_replicaset" {
107 |   description = " Number of shards to deploy in the specified zone, minimum 1."
108 |   type        = number
109 |   default     = 2
110 | }
111 | 
112 | variable "replication_factor" {
113 |   description = " Number of replica set members. Each member keeps a copy of your databases, providing high availability and data redundancy. The possible values are 3, 5, or 7. The default value is 3."
114 |   type        = number
115 |   default     = null
116 | }
117 | 
118 | #variable "replication_specs_replicaset" {
119 | variable "replication_specs" {
120 |   description = "An object that contains all the groups that should be created in the project"
121 |   type        = list(map(any))
122 |   default     = null
123 | }
124 | variable "replication_specs_sharded" {
125 |   description = "An object that contains all the groups that should be created in the project"
126 |   type        = list(map(any))
127 |   default     = null
128 | }
129 | 
130 | variable "electable_nodes" {
131 |   description = "Number of electable nodes for Atlas to deploy to the region. Electable nodes can become the primary and can facilitate local reads. The total number of electableNodes across all replication spec regions must total 3, 5, or 7. Specify 0 if you do not want any electable nodes in the region.You cannot create electable nodes in a region if priority is 0."
132 |   type        = number
133 |   default     = 3
134 | }
135 | 
136 | variable "priority" {
137 |   description = "Election priority of the region. For regions with only read-only nodes, set this value to 0. For regions where electable_nodes is at least 1, each region must have a priority of exactly one (1) less than the previous region. The first region must have a priority of 7. The lowest possible priority is 1. The priority 7 region identifies the Preferred Region of the cluster. Atlas places the primary node in the Preferred Region. Priorities 1 through 7 are exclusive - no more than one region per cluster can be assigned a given priority. Example: If you have three regions, their priorities would be 7, 6, and 5 respectively. If you added two more regions for supporting electable nodes, the priorities of those regions would be 4 and 3 respectively."
138 |   type        = number
139 |   default     = 7
140 | }
141 | 
142 | variable "read_only_nodes" {
143 |   description = "Number of read-only nodes for Atlas to deploy to the region. Read-only nodes can never become the primary, but can facilitate local-reads. Specify 0 if you do not want any read-only nodes in the region."
144 |   type        = number
145 |   default     = 0
146 | }
147 | 
148 | variable "analytics_nodes" {
149 |   description = "The number of analytics nodes for Atlas to deploy to the region. Analytics nodes are useful for handling analytic data such as reporting queries from BI Connector for Atlas. Analytics nodes are read-only, and can never become the primary. If you do not specify this option, no analytics nodes are deployed to the region."
150 |   type        = number
151 |   default     = 0
152 | }
153 | #NOTE: Set this to true for M0 cluster if you have credit card associated to MongoDB else set it to false as it cannot be enabled unless credit card is associated
154 | variable "cloud_backup" {
155 |   description = "Flag indicating if the cluster uses Cloud Backup for backups. Deprecated use cloud_backup instead."
156 |   type        = bool
157 |   default     = true
158 | }
159 | 
160 | #NOTE: Set this to true for M0 cluster if you have credit card associated to MongoDB else set it to false as it cannot be enabled unless credit card is associated
161 | variable "pit_enabled" {
162 |   description = "Indicating if the cluster uses Continuous Cloud Backup, if set to true - provider_backup must also be set to true"
163 |   type        = bool
164 |   default     = true
165 | }
166 | 
167 | variable "backup_enabled" {
168 |   description = "Legacy Backup - Set to true to enable Atlas legacy backups for the cluster. Important - MongoDB deprecated the Legacy Backup feature. Clusters that use Legacy Backup can continue to use it"
169 |   type        = bool
170 |   default     = false
171 | }
172 | 
173 | variable "disk_size_gb" {
174 |   description = "Capacity,in gigabytes,of the host’s root volume"
175 |   type        = number
176 |   default     = 50
177 | }
178 | 
179 | variable "auto_scaling_disk_gb_enabled" {
180 |   description = "Indicating if disk auto-scaling is enabled"
181 |   type        = bool
182 |   default     = true
183 | }
184 | 
185 | variable "volume_type" {
186 |   description = "The type of the volume. The possible values are: STANDARD and PROVISIONED. PROVISIONED is ONLY required if setting IOPS higher than the default instance IOPS. This value is for AWS only"
187 |   type        = string
188 |   default     = "STANDARD"
189 | }
190 | 
191 | variable "provider_disk_iops" {
192 |   description = "The maximum input/output operations per second (IOPS) the system can perform. The possible values depend on the selected provider_instance_size_name and disk_size_gb. This setting requires that provider_instance_size_name to be M30 or greater and cannot be used with clusters with local NVMe SSDs. The default value for provider_disk_iops is the same as the cluster tier's Standard IOPS value, as viewable in the Atlas console. It is used in cases where a higher number of IOPS is needed and possible. If a value is submitted that is lower or equal to the default IOPS value for the cluster tier Atlas ignores the requested value and uses the default. More details available under the providerSettings.diskIOPS parameter"
193 |   type        = number
194 |   default     = null
195 | }
196 | 
197 | 
198 | #NOTE: Required if autoScaling.compute.enabled is true.
199 | variable "provider_auto_scaling_compute_max_instance_size" {
200 |   description = "Maximum instance size to which your cluster can automatically scale (e.g., M40)."
201 |   type        = string
202 |   default     = ""
203 | }
204 | 
205 | variable "provider_auto_scaling_compute_min_instance_size" {
206 |   description = "Minimum instance size to which your cluster can automatically scale (e.g., M10)."
207 |   type        = string
208 |   default     = ""
209 | }
210 | 
211 | #NOTE: If auto_scaling_compute_enabled is true, then Atlas will automatically scale up to the maximum provided and down to the minimum, if provided. This will cause the value of provider_instance_size_name returned to potential be different than what is specified in the Terraform config and if one then applies a plan, not noting this, Terraform will scale the cluster back down to the original instanceSizeName value. To prevent this a lifecycle customization should be used, i.e.:
212 | # lifecycle { ignore_changes = [provider_instance_size_name] }
213 | # But in order to explicitly change provider_instance_size_name comment the lifecycle block and run terraform apply. Please ensure to uncomment it to prevent any accidental changes.
214 | variable "auto_scaling_compute_enabled" {
215 |   description = "Specifies whether cluster tier auto-scaling is enabled. The default is false. Set to true to enable cluster tier auto-scaling. Set to false to disable cluster tier auto-scaling. "
216 |   type        = bool
217 |   default     = false
218 | }
219 | 
220 | #This option is only available if autoScaling.compute.enabled is true.
221 | variable "auto_scaling_compute_scale_down_enabled" {
222 |   description = "Specifies whether cluster tier auto-scaling is enabled. The default is false. Set to true to enable cluster tier to scale down."
223 |   type        = bool
224 |   default     = false
225 | }
226 | 
227 | variable "encryption_at_rest_provider" {
228 |   description = "Possible values are AWS, GCP, AZURE or NONE. Only needed if you desire to manage the keys, see Encryption at Rest using Customer Key Management for complete documentation. You must configure encryption at rest for the Atlas project before enabling it on any cluster in the project. For complete documentation on configuring Encryption at Rest, see Encryption at Rest using Customer Key Management. Requires M10 or greater. and for legacy backups, backup_enabled, to be false or omitted. Note: Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest, by default."
229 |   type        = string
230 |   default     = "NONE"
231 | }
232 | 
233 | ############################
234 | ## Encryption at rest
235 | ############################
236 | variable "encryption_enabled" {
237 |   description = "Specifies whether Encryption at Rest is enabled for an Atlas project, To disable Encryption at Rest, pass only this parameter with a value of false, When you disable Encryption at Rest, Atlas also removes the configuration details."
238 |   default     = false
239 |   type        = bool
240 | }
241 | 
242 | variable "customer_master_key_id" {
243 |   description = "The AWS customer master key used to encrypt and decrypt the MongoDB master keys."
244 |   type        = string
245 |   default     = ""
246 | }
247 | 
248 | variable "role_id" {
249 |   description = "ID of an AWS IAM role authorized to manage an AWS customer master key. To find the ID for an existing IAM role check the role_id attribute of the mongodbatlas_cloud_provider_access resource"
250 |   type        = string
251 |   default     = ""
252 | }
253 | 
254 | variable "iam_assumed_role_arn" {
255 |   description = "ARN of the IAM Role that Atlas assumes when accessing resources in your AWS account. This value is required after the creation (register of the role) as part of Set Up Unified AWS Access."
256 |   type        = string
257 |   default     = ""
258 | }
259 | #######################################
260 | ### Cloud Backup Schedule
261 | #######################################
262 | variable "reference_hour_of_day" {
263 |   description = "UTC Hour of day between 0 and 23, inclusive, representing which hour of the day that Atlas takes snapshots for backup policy items."
264 |   type        = number
265 |   default     = 3
266 | }
267 | variable "reference_minute_of_hour" {
268 |   description = ") UTC Minutes after reference_hour_of_day that Atlas takes snapshots for backup policy items. Must be between 0 and 59, inclusive."
269 |   type        = number
270 |   default     = 45
271 | }
272 | variable "restore_window_days" {
273 |   description = "Number of days back in time you can restore to with point-in-time accuracy. Must be a positive, non-zero integer."
274 |   type        = number
275 |   default     = 4
276 | }
277 | variable "hourly_reference_hour_of_day" {
278 |   description = "UTC Hour of day between 0 and 23, inclusive, representing which hour of the day that Atlas takes snapshots for backup policy items."
279 |   type        = number
280 |   default     = null
281 | }
282 | variable "hourly_reference_minute_of_hour" {
283 |   description = ") UTC Minutes after reference_hour_of_day that Atlas takes snapshots for backup policy items. Must be between 0 and 59, inclusive."
284 |   type        = number
285 |   default     = null
286 | }
287 | variable "hourly_restore_window_days" {
288 |   description = "Number of days back in time you can restore to with point-in-time accuracy. Must be a positive, non-zero integer."
289 |   type        = number
290 |   default     = null
291 | }
292 | variable "daily_reference_minute_of_hour" {
293 |   description = ") UTC Minutes after reference_hour_of_day that Atlas takes snapshots for backup policy items. Must be between 0 and 59, inclusive."
294 |   type        = number
295 |   default     = null
296 | }
297 | variable "daily_restore_window_days" {
298 |   description = "Number of days back in time you can restore to with point-in-time accuracy. Must be a positive, non-zero integer."
299 |   type        = number
300 |   default     = null
301 | }
302 | variable "daily_reference_hour_of_day" {
303 |   description = "UTC Hour of day between 0 and 23, inclusive, representing which hour of the day that Atlas takes snapshots for backup policy items."
304 |   type        = number
305 |   default     = null
306 | }
307 | variable "weekly_reference_minute_of_hour" {
308 |   description = ") UTC Minutes after reference_hour_of_day that Atlas takes snapshots for backup policy items. Must be between 0 and 59, inclusive."
309 |   type        = number
310 |   default     = null
311 | }
312 | variable "weekly_restore_window_days" {
313 |   description = "Number of days back in time you can restore to with point-in-time accuracy. Must be a positive, non-zero integer."
314 |   type        = number
315 |   default     = null
316 | }
317 | variable "weekly_reference_hour_of_day" {
318 |   description = "UTC Hour of day between 0 and 23, inclusive, representing which hour of the day that Atlas takes snapshots for backup policy items."
319 |   type        = number
320 |   default     = null
321 | }
322 | variable "monthly_reference_hour_of_day" {
323 |   description = "UTC Hour of day between 0 and 23, inclusive, representing which hour of the day that Atlas takes snapshots for backup policy items."
324 |   type        = number
325 |   default     = null
326 | }
327 | variable "monthly_reference_minute_of_hour" {
328 |   description = ") UTC Minutes after reference_hour_of_day that Atlas takes snapshots for backup policy items. Must be between 0 and 59, inclusive."
329 |   type        = number
330 |   default     = null
331 | }
332 | variable "monthly_restore_window_days" {
333 |   description = "Number of days back in time you can restore to with point-in-time accuracy. Must be a positive, non-zero integer."
334 |   type        = number
335 |   default     = null
336 | }
337 | 
338 | #policy_item_hourly
339 | variable "hourly_backup_enabled" {
340 |   description = "Enable hourly backup for your cluster."
341 |   type        = bool
342 |   default     = true
343 | }
344 | 
345 | variable "hourly_frequency_interval" {
346 |   description = "Desired frequency of the new backup policy item specified by frequency_type"
347 |   type        = number
348 |   default     = 1
349 | }
350 | 
351 | variable "hourly_retention_unit" {
352 |   description = "Scope of the backup policy item: days, weeks, or months."
353 |   type        = string
354 |   default     = "days"
355 | }
356 | 
357 | variable "hourly_retention_value" {
358 |   description = "Value to associate with retention_unit"
359 |   type        = number
360 |   default     = 1
361 | }
362 | 
363 | #policy_item_daily
364 | variable "daily_backup_enabled" {
365 |   description = "Enable hourly backup for your cluster."
366 |   type        = bool
367 |   default     = true
368 | }
369 | 
370 | variable "daily_frequency_interval" {
371 |   description = "Desired frequency of the new backup policy item specified by frequency_type"
372 |   type        = number
373 |   default     = 1
374 | }
375 | 
376 | variable "daily_retention_unit" {
377 |   description = "Scope of the backup policy item: days, weeks, or months."
378 |   type        = string
379 |   default     = "days"
380 | }
381 | 
382 | variable "daily_retention_value" {
383 |   description = "Value to associate with retention_unit"
384 |   type        = number
385 |   default     = 2
386 | }
387 | 
388 | #policy_item_weekly
389 | variable "weekly_backup_enabled" {
390 |   description = "Enable hourly backup for your cluster."
391 |   type        = bool
392 |   default     = false
393 | }
394 | 
395 | variable "weekly_frequency_interval" {
396 |   description = "Desired frequency of the new backup policy item specified by frequency_type"
397 |   type        = number
398 |   default     = 4
399 | }
400 | 
401 | variable "weekly_retention_unit" {
402 |   description = "Scope of the backup policy item: days, weeks, or months."
403 |   type        = string
404 |   default     = "weeks"
405 | }
406 | 
407 | variable "weekly_retention_value" {
408 |   description = "Value to associate with retention_unit"
409 |   type        = number
410 |   default     = 3
411 | }
412 | 
413 | #policy_item_monthly
414 | variable "monthly_backup_enabled" {
415 |   description = "Enable hourly backup for your cluster."
416 |   type        = bool
417 |   default     = false
418 | }
419 | variable "monthly_frequency_interval" {
420 |   description = "Desired frequency of the new backup policy item specified by frequency_type"
421 |   type        = number
422 |   default     = 5
423 | }
424 | 
425 | variable "monthly_retention_unit" {
426 |   description = "Scope of the backup policy item: days, weeks, or months."
427 |   type        = string
428 |   default     = "months"
429 | }
430 | 
431 | variable "monthly_retention_value" {
432 |   description = "Value to associate with retention_unit"
433 |   type        = number
434 |   default     = 4
435 | }
436 | 
437 | variable "labels" {
438 |   description = "Key-value pairs that tag and categorize the cluster. Each key and value has a maximum length of 255 characters. You cannot set the key Infrastructure Tool, it is used for internal purposes to track aggregate usage."
439 |   type        = map(any) #list(map(string))
440 |   default     = {}       #[{}]
441 | }
442 | 
443 | 
444 | ##########################################
445 | ### AWS Resources
446 | ##########################################
447 | variable "deletion_window_in_days" {
448 |   type        = number
449 |   default     = 30
450 |   description = "Duration in days after which the key is deleted after destruction of the resource"
451 | }
452 | 
453 | variable "enable_key_rotation" {
454 |   type        = bool
455 |   default     = true
456 |   description = "Specifies whether key rotation is enabled"
457 | }
458 | 
459 | variable "description" {
460 |   type        = string
461 |   default     = "Parameter Store KMS master key"
462 |   description = "The description of the key as viewed in AWS console"
463 | }
464 | 
465 | variable "alias" {
466 |   type        = string
467 |   default     = ""
468 |   description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash. If not specified, the alias name will be auto-generated."
469 | }
470 | 
471 | variable "policy" {
472 |   type        = string
473 |   default     = ""
474 |   description = "A valid KMS policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy."
475 | }
476 | 
477 | variable "key_usage" {
478 |   type        = string
479 |   default     = "ENCRYPT_DECRYPT"
480 |   description = "Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`."
481 | }
482 | 
483 | variable "customer_master_key_spec" {
484 |   type        = string
485 |   default     = "SYMMETRIC_DEFAULT"
486 |   description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`."
487 | }
488 | 
489 | variable "multi_region" {
490 |   type        = bool
491 |   default     = false
492 |   description = "Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
493 | }
494 | 
495 | variable "vpc_peer" {
496 |   description = "An object that contains all VPC peering requests from the cluster to AWS VPC's"
497 |   type        = map(any)
498 |   default     = {}
499 | }
500 | 
501 | variable "create_privatelink_endpoint" {
502 |   description = "Either to create privatelink endpoint or not"
503 |   type        = bool
504 |   default     = false
505 | }
506 | 
507 | variable "vpc_id" {
508 |   description = "The ID of the VPC in which the endpoint will be used."
509 |   type        = string
510 |   default     = ""
511 | }
512 | 
513 | variable "vpc_endpoint_type" {
514 |   description = "The VPC endpoint type, Gateway, GatewayLoadBalancer, or Interface"
515 |   type        = string
516 |   default     = "Interface"
517 | }
518 | 
519 | variable "subnet_ids" {
520 |   description = "The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type GatewayLoadBalancer and Interface."
521 |   type        = list(string)
522 |   default     = []
523 | }
524 | 
525 | variable "security_group_ids" {
526 |   description = "The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface."
527 |   type        = list(string)
528 |   default     = []
529 | }
530 | 
531 | 
532 | variable "tags" {
533 |   description = "A map of tags to add to all resources"
534 |   type        = map(string)
535 |   default     = {}
536 | 
537 | }
538 | 


--------------------------------------------------------------------------------