`mongodbatlas_resource_policy` describes a resource policy in an organization.
-> NOTE: Resource Policies are currently in Public Preview. To use this feature, you must take the following actions:
- Enable the Atlas Resource Policies Preview Feature in your organization (contact MongoDB Support).
- Enable the Preview Features when running `terraform` commands.
# Organization-level resource policy written directly in Cedar: a "forbid"
# rule that blocks project.ipAccessList.modify whenever the project's IP
# access list contains 0.0.0.0/0 (an "allow from anywhere" entry).
# Only the IPv4 any-address CIDR is matched; if IPv6 entries such as ::/0 are
# possible in the access list they are not covered by this rule — confirm.
resource "mongodbatlas_resource_policy" "project_ip_access_list" {
  org_id      = var.org_id
  description = "Forbids access from anywhere"
  name        = "forbid-access-from-anywhere"

  policies = [
    {
      # Flush heredoc (<<-): the common leading whitespace is stripped, so the
      # stored policy body is the same text as a column-0 heredoc.
      # NOTE(review): whether context.project.ipAccessList reflects the list
      # before or after the requested change is not shown here — confirm
      # against the Atlas resource-policy context reference.
      body = <<-EOF
        forbid (
        principal,
        action == ResourcePolicy::Action::"project.ipAccessList.modify",
        resource
        )
        when {
        context.project.ipAccessList.contains(ip("0.0.0.0/0"))
        };
        EOF
    },
  ]
}
# One Cedar policy per disallowed cloud provider, both rendered from the same
# template file. The list is built with a for expression so the provider
# order (azure, then aws) is stated once.
# NOTE(review): cloud-provider.cedar is not shown on this page; the template
# is assumed to interpolate CLOUD_PROVIDER into a forbid rule — confirm.
resource "mongodbatlas_resource_policy" "cloud_provider" {
  org_id      = var.org_id
  description = "Forbids AWS and Azure for clusters"
  name        = "forbid-cloud-provider"

  policies = [
    for provider in ["azure", "aws"] : {
      body = templatefile("${path.module}/cloud-provider.cedar", {
        CLOUD_PROVIDER = provider
      })
    }
  ]
}
# Generates the Cedar text for a region restriction with the cedar provider
# instead of a hand-written heredoc: a forbid on cluster.modify that applies
# to any principal and any resource when the cluster's regions include
# gcp:us-east1.
data "cedar_policyset" "cloud_region" {
  policy {
    effect        = "forbid"
    any_principal = true
    any_resource  = true

    # NOTE(review): the type string begins with a space and is reproduced
    # exactly as given; confirm it is intentional. It may be harmless if the
    # provider only splices it into policy text, but would not be a valid
    # entity type name if the provider validates it.
    action = {
      type = " ResourcePolicy::Action"
      id   = "cluster.modify"
    }

    when {
      text = "context.cluster.regions.contains(ResourcePolicy::Region::\"gcp:us-east1\")"
    }
  }
}
# Publishes the policy text produced by data.cedar_policyset.cloud_region as
# an Atlas resource policy. No description is set, unlike the other two
# policies on this page.
resource "mongodbatlas_resource_policy" "cloud_region" {
  org_id = var.org_id
  name   = "forbid-cloud-region"

  policies = [
    { body = data.cedar_policyset.cloud_region.text },
  ]
}
# Reads a single resource policy back by id. Both arguments reference the
# managed resource, so the read is ordered after it without depends_on.
data "mongodbatlas_resource_policy" "project_ip_access_list" {
  id     = mongodbatlas_resource_policy.project_ip_access_list.id
  org_id = mongodbatlas_resource_policy.project_ip_access_list.org_id
}
# Lists every resource policy in the organization. The explicit depends_on
# makes the read wait for all three managed policies, so the result is
# complete on the first apply rather than only after a second plan.
data "mongodbatlas_resource_policies" "this" {
  org_id = data.mongodbatlas_resource_policy.project_ip_access_list.org_id

  depends_on = [
    mongodbatlas_resource_policy.project_ip_access_list,
    mongodbatlas_resource_policy.cloud_provider,
    mongodbatlas_resource_policy.cloud_region,
  ]
}
# Map of policy name => policy id over every policy returned by the list
# data source.
# NOTE(review): a `{ for ... }` keyed by policy.name errors if two policies
# share a name; whether Atlas allows duplicate policy names in one
# organization is not shown here — confirm, or group with `...` if it does.
output "policy_ids" {
value = { for policy in data.mongodbatlas_resource_policies.this.results : policy.name => policy.id }
}
id
(String) Unique 24-hexadecimal digit string that identifies an Atlas resource policy.
org_id
(String) Unique 24-hexadecimal digit string that identifies the organization that contains your projects. Use the /orgs endpoint to retrieve all organizations to which the authenticated user has access.
created_by_user
(Attributes) The user that last updated the Atlas resource policy. (see below for nested schema)
created_date
(String) Date and time in UTC when the Atlas resource policy was created.
description
(String) Description of the Atlas resource policy.
last_updated_by_user
(Attributes) The user that last updated the Atlas resource policy. (see below for nested schema)
last_updated_date
(String) Date and time in UTC when the Atlas resource policy was last updated.
name
(String) Human-readable label that describes the Atlas resource policy.
policies
(Attributes List) List of policies that make up the Atlas resource policy. (see below for nested schema)
version
(String) A string that identifies the version of the Atlas resource policy.
Read-Only:
id
(String) Unique 24-hexadecimal character string that identifies a user.
name
(String) Human-readable label that describes a user.
Read-Only:
id
(String) Unique 24-hexadecimal character string that identifies a user.
name
(String) Human-readable label that describes a user.
Read-Only:
body
(String) A string that defines the permissions for the policy. The syntax used is the Cedar Policy language.
id
(String) Unique 24-hexadecimal character string that identifies the policy.