From 1016f9300d5faf437f994275e1a624672f66ba52 Mon Sep 17 00:00:00 2001
From: Melanija Cvetic
Date: Fri, 5 Sep 2025 11:36:02 +0100
Subject: [PATCH 1/9] Adds testing for service account
---
 .github/workflows/test.yml | 43 ++++++++++++++++++++++
 build/generate-service-account.sh | 58 ++++++++++++++++++++++++++++++
 build/terminate-service-account.sh | 49 +++++++++++++++++++++++++
 3 files changed, 150 insertions(+)
 create mode 100644 build/generate-service-account.sh
 create mode 100644 build/terminate-service-account.sh
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d6c219a..7733613 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -107,3 +107,46 @@ jobs:
 with:
 delete-project-id: ${{ steps.create-project.outputs.create-project-id }}
 delete-cluster-name: ${{github.run_id}}-cluster
+
+ test-service-account-authentication:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: create a service account and get client ID and client secret
+ id: generate_sa
+ env:
+ MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_API_KEY }}
+ MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_API_KEY }}
+ MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }}
+ run: |
+ bash build/generate-service-account.sh
+ - name: create project
+ env:
+ MONGODB_ATLAS_PUBLIC_API_KEY: "" # Temporarily set to empty so that the action uses the client ID and client secret
+ MONGODB_ATLAS_PRIVATE_API_KEY: ""
+ MONGODB_ATLAS_CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }}
+ MONGODB_ATLAS_CLIENT_SECRET: ${{ steps.generate_sa.outputs.client-secret }}
+ uses: mongodb/atlas-github-action@v0.2.0
+ id: create-project
+ with:
+ create-project-name: ${{ github.run_id }}-project1
+ - name: delete project
+ env:
+ MONGODB_ATLAS_PUBLIC_API_KEY: ""
+ MONGODB_ATLAS_PRIVATE_API_KEY: ""
+ MONGODB_ATLAS_CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }}
+ MONGODB_ATLAS_CLIENT_SECRET: ${{ steps.generate_sa.outputs.client-secret }}
+ uses: mongodb/atlas-github-action@v0.2.0
+ with:
+ delete-project-id: ${{ steps.create-project.outputs.create-project-id }}
+
+ - name: delete the service account
+ env:
+ MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_API_KEY }}
+ MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_API_KEY }}
+ MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }}
+ CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }}
+ run: |
+ bash build/terminate-service-account.sh
diff --git a/build/generate-service-account.sh b/build/generate-service-account.sh
new file mode 100644
index 0000000..f1b0f0e
--- /dev/null
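Review bot: The final `delete the service account` step has no `if:` condition, so when either `mongodb/atlas-github-action@v0.2.0` step fails the job stops before cleanup and the service account created with the `ORG_OWNER` role stays in the organization. Add `if: always()` to that step; build/terminate-service-account.sh already exits when `CLIENT_ID` is empty, so the case where creation itself failed is covered. The client secret is also passed between steps as the plain step output `client-secret`, so it is only masked in logs if the generating script registers it as a secret first.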
+++ b/build/generate-service-account.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -z "$MONGODB_ATLAS_PUBLIC_API_KEY" ]; then
+ echo "MONGODB_ATLAS_PUBLIC_API_KEY env var is not set"
+ exit 1
+fi
+if [ -z "$MONGODB_ATLAS_PRIVATE_API_KEY" ]; then
+ echo "MONGODB_ATLAS_PRIVATE_API_KEY env var is not set"
+ exit 1
+fi
+if [ -z "$MONGODB_ATLAS_ORG_ID" ]; then
+ echo "MONGODB_ATLAS_ORG_ID env var is not set"
+ exit 1
+fi
+
+output=$(
+ curl --user "${MONGODB_ATLAS_PUBLIC_API_KEY}:${MONGODB_ATLAS_PRIVATE_API_KEY}" \
+ --digest \
+ --header "Accept: application/vnd.atlas.2025-03-12+json" \
+ --header "Content-Type: application/json" \
+ -X POST "https://cloud.mongodb.com/api/atlas/v2/orgs/${MONGODB_ATLAS_ORG_ID}/serviceAccounts" \
+ -d '{
+ "description": "test service account for atlascli github actions",
+ "name": "atlascli-github-actions-service-account",
+ "roles": [
+ "ORG_OWNER"
+ ],
+ "secretExpiresAfterHours": 8
+ }'
+)
+
+client_id=$(echo "$output" | jq -r '.clientId')
+client_secret=$(echo "$output" | jq -r '.secrets[0].secret')
+
+if [ -z "$client_id" ] || [ -z "$client_secret" ]; then
+ echo "Failed to create service account. Response:"
+ echo "$output"
+ exit 1
+else
+ echo "Service account with client ID $client_id created successfully."
+fi
+
+echo "client-id=$client_id" >> $GITHUB_OUTPUT
+echo "client-secret=$client_secret" >> $GITHUB_OUTPUT
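Review bot: `client_secret` is written to `$GITHUB_OUTPUT` at the end of the script without being registered as a secret, so the runner will not mask it if a later step or debug logging prints the value. Emit `echo "::add-mask::$client_secret"` before the two `>> $GITHUB_OUTPUT` lines. The failure branch also runs `echo "$output"`, which puts the raw API response, possibly including `.secrets[0].secret`, into the job log; print only the error fields there. The request body asks for `ORG_OWNER`, which is likely more than creating and deleting one project needs, and a narrower organization role would limit what a leaked secret can do during its 8-hour lifetime.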
diff --git a/build/terminate-service-account.sh b/build/terminate-service-account.sh
new file mode 100644
index 0000000..1f7ec74
--- /dev/null
+++ b/build/terminate-service-account.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -z "$MONGODB_ATLAS_PUBLIC_API_KEY" ]; then
+ echo "MONGODB_ATLAS_PUBLIC_API_KEY env var is not set"
+ exit 1
+fi
+if [ -z "$MONGODB_ATLAS_PRIVATE_API_KEY" ]; then
+ echo "MONGODB_ATLAS_PRIVATE_API_KEY env var is not set"
+ exit 1
+fi
+if [ -z "$MONGODB_ATLAS_ORG_ID" ]; then
+ echo "MONGODB_ATLAS_ORG_ID env var is not set"
+ exit 1
+fi
+if [ -z "$CLIENT_ID" ]; then
+ echo "CLIENT_ID env var is not set"
+ exit 1
+fi
+
+output=$(
+ curl --user "${MONGODB_ATLAS_PUBLIC_API_KEY}:${MONGODB_ATLAS_PRIVATE_API_KEY}" \
+ --digest \
+ --header "Accept: application/vnd.atlas.2025-03-12+json" \
+ --header "Content-Type: application/json" \
+ -X DELETE "https://cloud.mongodb.com/api/atlas/v2/orgs/${MONGODB_ATLAS_ORG_ID}/serviceAccounts/${CLIENT_ID}"
+)
+error_code=$(echo "$output" | jq -r '.error')
+
+if [ "$error_code" -ge 300 ]; then
+ echo "Failed to delete service account with Client ID $CLIENT_ID. Response:"
+ echo "$output"
+ exit 1
+else
+ echo "Service account with Client ID $CLIENT_ID has been deleted successfully."
+fi
From 7793956150c6976a8dde21b20f5ff89ef8d4c096 Mon Sep 17 00:00:00 2001
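Review bot: The success check `[ "$error_code" -ge 300 ]` misses most failures. When the response body is empty or has no `.error` field, `jq -r '.error'` yields an empty string or `null`, the `[` test fails as a non-integer comparison, and control falls into the `else` branch that prints the success message. A failure of curl itself ends the same way, because its exit status is never checked. Take the HTTP status from curl instead, for example by adding `-sS -o /dev/null -w '%{http_code}'` to the call and comparing that value, or by using `--fail-with-body` and testing curl's exit code. Otherwise a failed DELETE leaves the service account in place while the job reports it removed.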
From: Melanija Cvetic Date: Fri, 5 Sep 2025 13:17:50 +0100 Subject: [PATCH 2/9] Update README.md with service acc example --- README.md | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7aba87c..4fa5f12 100644 --- a/README.md +++ b/README.md @@ -16,10 +16,13 @@ latest version is officially supported. Before you begin, complete the following prerequisites: -1. [Configure Atlas CLI API Keys](https://www.mongodb.com/docs/atlas/configure-api-access/) for your organization or project. -2. Add the API Keys to the [repository secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets). -3. Set the environment variables `MONGODB_ATLAS_PUBLIC_API_KEY` and `MONGODB_ATLAS_PRIVATE_API_KEY` to the Atlas CLI API Keys you configured. -See [Atlas CLI Environment Variables](https://www.mongodb.com/docs/atlas/cli/stable/atlas-cli-env-variables/) for all supported environment variables. +1. [Configure programmatic authenticaiton](https://www.mongodb.com/docs/atlas/configure-api-access/) for your organization or project. +2. Add the authentication credentials to the [repository secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets). +3. In your workflow, set the appropriate environment variables using the secrets you configured in step 2. + - For Service Account authentication, set `MONGODB_ATLAS_CLIENT_ID` and `MONGODB_ATLAS_CLIENT_SECRET`. + - For API key authentication, set `MONGODB_ATLAS_PUBLIC_API_KEY` and `MONGODB_ATLAS_PRIVATE_API_KEY`. + + See [Atlas CLI Environment Variables](https://www.mongodb.com/docs/atlas/cli/stable/atlas-cli-env-variables/) for all supported environment variables. ## Configuration 
@@ -49,7 +52,7 @@ jobs: ``` ### Setup and Teardown -This workflow sets up a project and creates a free cluster. It retrieves the connection string which can be used to connect to the new cluster. +This workflow sets up a project and creates a free cluster using an API Key to authenticate. It retrieves the connection string which can be used to connect to the new cluster. Afterwards, it deletes the project and cluster. ```yaml on: [push] @@ -92,6 +95,39 @@ jobs: delete-cluster-name: test-cluster ``` + +### List Clusters with Service Account Credentials +This workflow uses Service Account credentials to authenticate and lists all clusters in a specified project. The output is saved to a file for later use. + +```yaml +on: [push] + +name: Atlas CLI List Clusters Example + +env: + MONGODB_ATLAS_CLIENT_ID: ${{ secrets.CLIENT_ID }} + MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} + MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }} # default organisation ID + MONGODB_ATLAS_PROJECT_ID: ${{ secrets.PROJECT_ID }} # default project ID + +jobs: + list-clusters: + runs-on: ubuntu-latest + + steps: + - name: Setup AtlasCLI + uses: mongodb/atlas-github-action@v0.2.0 + - name: List Clusters + shell: bash + run: | + atlas cluster list --projectId "$MONGODB_ATLAS_PROJECT_ID" --output json > clusters.json + - name: Upload Cluster List + uses: actions/upload-artifact@v4 + with: + name: clusters-list + path: clusters.json +``` + ## Limitations This Action supports only Linux runners (e.g. ubuntu-latest). From 0203109e7c8554b63fa01e3d3edd2c514ed00566 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 12 Sep 2025 11:51:13 +0100 Subject: [PATCH 3/9] Fixes secret names --- .github/workflows/test.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7733613..29882a2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -108,7 +108,7 @@ jobs: delete-project-id: ${{ steps.create-project.outputs.create-project-id }} delete-cluster-name: ${{github.run_id}}-cluster - test-service-account-authentication: + service-account-authentication: runs-on: ubuntu-latest steps: - name: Checkout @@ -117,9 +117,9 @@ jobs: - name: create a service account and get client ID and client secret id: generate_sa env: - MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_API_KEY }} - MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_API_KEY }} - MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }} + MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.PUBLIC_API_KEY }} + MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.PRIVATE_API_KEY }} + MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }} run: | bash build/generate-service-account.sh - name: create project @@ -144,9 +144,9 @@ jobs: - name: delete the service account env: - MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_API_KEY }} - MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_API_KEY }} - MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }} + MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.PUBLIC_API_KEY }} + MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.PRIVATE_API_KEY }} + MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }} CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }} run: | bash build/terminate-service-account.sh From 51ee585c151055aafc44f014dab8f4ae1ac9801e Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 12 Sep 2025 12:00:36 +0100 Subject: [PATCH 4/9] Creates SA in dev env --- .github/workflows/test.yml | 4 ---- build/generate-service-account.sh | 12 ++++++++---- 2 files changed, 8 insertions(+), 8 deletions(-) mode change 100644 => 100755 build/generate-service-account.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 29882a2..e805823 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -116,10 +116,6 @@ jobs: - name: create a service account and get client ID and client secret id: generate_sa - env: - MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.PUBLIC_API_KEY }} - MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.PRIVATE_API_KEY }} - MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }} run: | bash build/generate-service-account.sh - name: create project diff --git a/build/generate-service-account.sh b/build/generate-service-account.sh old mode 100644 new mode 100755 index f1b0f0e..a29d841 --- a/build/generate-service-account.sh +++ b/build/generate-service-account.sh @@ -26,13 +26,17 @@ if [ -z "$MONGODB_ATLAS_ORG_ID" ]; then echo "MONGODB_ATLAS_ORG_ID env var is not set" exit 1 fi +if [ -z "$MONGODB_ATLAS_OPS_MANAGER_URL" ]; then + echo "MONGODB_ATLAS_ORG_ID env var is not set" + exit 1 +fi output=$( curl --user "${MONGODB_ATLAS_PUBLIC_API_KEY}:${MONGODB_ATLAS_PRIVATE_API_KEY}" \ --digest \ --header "Accept: application/vnd.atlas.2025-03-12+json" \ --header "Content-Type: application/json" \ - -X POST "https://cloud.mongodb.com/api/atlas/v2/orgs/${MONGODB_ATLAS_ORG_ID}/serviceAccounts" \ + -X POST "${MONGODB_ATLAS_OPS_MANAGER_URL}api/atlas/v2/orgs/${MONGODB_ATLAS_ORG_ID}/serviceAccounts" \ -d '{ "description": "test service account for atlascli github actions", "name": "atlascli-github-actions-service-account", @@ -46,7 +50,7 @@ output=$( client_id=$(echo "$output" | jq -r '.clientId') client_secret=$(echo "$output" | jq -r '.secrets[0].secret') -if [ -z "$client_id" ] || [ -z "$client_secret" ]; then +if [ -z "$client_id" ] || [ "$client_id" = "null" ] || [ -z "$client_secret" ] || [ "$client_secret" = "null" ]; then echo "Failed to create service account. Response:" echo "$output" exit 1 
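Review bot: The POST in build/generate-service-account.sh now goes to `${MONGODB_ATLAS_OPS_MANAGER_URL}`, but build/terminate-service-account.sh is not in this commit's diffstat and, as added in PATCH 1/9, still sends its DELETE to `https://cloud.mongodb.com`. Cleanup would therefore target a different environment from the one where the account was created, and none of the later patches on this page touches that script; build the DELETE URL from the same variable. In the new guard the message was copied from the check above it and should read `echo "MONGODB_ATLAS_OPS_MANAGER_URL env var is not set"`. The URL is joined as `${MONGODB_ATLAS_OPS_MANAGER_URL}api/atlas/...`, which only works when the variable ends in `/`; either document that requirement in a comment or normalize with `${MONGODB_ATLAS_OPS_MANAGER_URL%/}/api/atlas/...`.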
@@ -54,5 +58,5 @@ else echo "Service account with client ID $client_id created successfully." fi -echo "client-id=$client_id" >> $GITHUB_OUTPUT -echo "client-secret=$client_secret" >> $GITHUB_OUTPUT +echo "client-id=$client_id" >> "$GITHUB_OUTPUT" +echo "client-secret=$client_secret" >> "$GITHUB_OUTPUT" From 5f5bceccc1fe4faee27037ff451c2282d5a9b93d Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 12 Sep 2025 12:04:35 +0100 Subject: [PATCH 5/9] Adds supress storage warning to tests --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e805823..7eddc38 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,6 +12,7 @@ env: MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }} MONGODB_ATLAS_PROJECT_ID: ${{ secrets.PROJECT_ID }} MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.CLOUD_DEV_URL }} + MONGODB_ATLAS_SILENCE_STORAGE_WARNING: "true" jobs: no-version: name: Use AtlasCLI without version input From 28cf06826b07b792fffed1427bcb73eb5005ce9d Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 12 Sep 2025 12:09:10 +0100 Subject: [PATCH 6/9] Removes needless redeclaration of env vars --- .github/workflows/test.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7eddc38..0aabcc9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -141,9 +141,6 @@ jobs: - name: delete the service account env: - MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.PUBLIC_API_KEY }} - MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.PRIVATE_API_KEY }} - MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }} CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }} run: | bash build/terminate-service-account.sh From ad386ddb066ef4701ca3eb8b6709a0608ac15c52 Mon Sep 17 00:00:00 2001 
From: Melanija Cvetic Date: Fri, 12 Sep 2025 12:19:27 +0100 Subject: [PATCH 7/9] nit task name formatting --- .github/workflows/test.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0aabcc9..d5487f4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -110,16 +110,17 @@ jobs: delete-cluster-name: ${{github.run_id}}-cluster service-account-authentication: + name: Setup a Service Account and create a project runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - - name: create a service account and get client ID and client secret + - name: Create a Service Account and get client ID and client secret id: generate_sa run: | bash build/generate-service-account.sh - - name: create project + - name: Create a project env: MONGODB_ATLAS_PUBLIC_API_KEY: "" # Temporarily set to empty so that the action uses the client ID and client secret MONGODB_ATLAS_PRIVATE_API_KEY: "" @@ -129,7 +130,7 @@ jobs: id: create-project with: create-project-name: ${{ github.run_id }}-project1 - - name: delete project + - name: Delete a project env: MONGODB_ATLAS_PUBLIC_API_KEY: "" MONGODB_ATLAS_PRIVATE_API_KEY: "" @@ -139,7 +140,7 @@ jobs: with: delete-project-id: ${{ steps.create-project.outputs.create-project-id }} - - name: delete the service account + - name: Delete the Service Account env: CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }} run: | From 1a94b5eab3174276721b6288a6435ce1776341b9 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 12 Sep 2025 12:28:25 +0100 Subject: [PATCH 8/9] Removed TODO comment --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 4fa5f12..bea4161 100644 --- a/README.md +++ b/README.md 
@@ -95,7 +95,6 @@ jobs: delete-cluster-name: test-cluster ``` - ### List Clusters with Service Account Credentials This workflow uses Service Account credentials to authenticate and lists all clusters in a specified project. The output is saved to a file for later use. From 414a9a6e3eb0c5a1a6d0fd66a5b6d654a3617cdd Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 12 Sep 2025 12:31:27 +0100 Subject: [PATCH 9/9] fixes project name for sa test --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d5487f4..042d447 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -129,7 +129,7 @@ jobs: uses: mongodb/atlas-github-action@v0.2.0 id: create-project with: - create-project-name: ${{ github.run_id }}-project1 + create-project-name: ${{ github.run_id }}-project3 - name: Delete a project env: MONGODB_ATLAS_PUBLIC_API_KEY: ""