DOCSP-43343 Authorization and Authentication page (#18)

* DOCSP-43343 Authorization and Authentication page

* DOCSP-43343 updates for SS' feedback

* Apply suggestions from code review

Co-authored-by: Sarah Simpers <[email protected]>

* DOCSP-43343 updates for SS copy feedback

* DOCSP-43343 updates for LA's feedback

---------

Co-authored-by: Sarah Simpers <[email protected]>

Author: kanchana-mongodb

source/auth.txt

@@ -0,0 +1,9 @@
+.. code-block:: 
+   :copyable: true 
+
+   atlas dbusers create  \
+     --projectId "6698000acf48197e089e4085" \
+     --username "MyRoleARN" \
+     --awsIAMType "ROLE" \
+     --role "clusterMonitor" \
+     --scope "myCluster"

source/includes/examples/cli-example-auth-aws-iam-devtest.rst

@@ -0,0 +1,16 @@
+.. code-block:: 
+   :copyable: true 
+
+   atlas federatedAuthentication federationSettings identityProvider create oidc IDPName \ 
+     --audience "api://12345678-1234-1234-1234-123456789abc" \ 
+     --authorizationType "GROUP" \
+     --clientId "abcdef12-3456-7890-abcd-ef1234567890" \
+     --desc "MyOIDCProvider test" \
+     --federationSettingsId "5d1113b25a115342acc2d1aa" \
+     --groupsClaim "groups" \
+     --idpType "WORKLOAD" \
+     --issuerUri "https://sts.windows.net/12345678-1234-1234-1234-123456789abc/" \
+     --userClaim "sub"  \
+     --associatedDomain "example.com"
+
+             

source/includes/examples/cli-example-auth-oidc-stagingprod.rst

@@ -0,0 +1,8 @@
+.. code-block:: 
+   :copyable: true
+
+   atlas dbusers create \
+     --projectId "6698000acf48197e089e4085" \
+     --username "okta/my-idp-group" \
+     --role "readWrite,dbAdmin" \
+     --oidcType "IDP_GROUP" 

source/includes/examples/cli-example-auth-okta-stagingprod.rst

@@ -0,0 +1,10 @@
+.. code-block:: 
+   :copyable: true 
+
+   atlas dbusers create  \
+     --projectId 6698000acf48197e089e4085 \
+     --username "tempUser" \
+     --password "securePassword" \
+     --role "readWrite" \
+     --scope "myCluster" \
+     --deleteAfter "2025-02-01T12:00:00Z"

source/includes/examples/cli-example-auth-temp-user-devtest.rst

@@ -0,0 +1,26 @@
+.. code-block:: 
+   :copyable: true 
+
+   resource "mongodbatlas_custom_db_role" "create_role" {
+     project_id = var.project_id
+     role_name  = "my_custom_role"
+
+     actions {
+       action = "UPDATE"
+       resources {
+         database_name   = "myDb"
+       }
+     }
+     actions {
+       action = "INSERT"
+       resources {
+         database_name   = "myDb"
+       }
+     }
+     actions {
+       action = "REMOVE"
+       resources {
+         database_name   = "myDb"
+       }
+     }
+   }

source/includes/examples/tf-example-auth-create-custom-role-stagingprod.rst

@@ -0,0 +1,14 @@
+.. code-block:: 
+   :copyable: true 
+
+   resource "mongodbatlas_database_user" "oidc" {
+     project_id         = var.project_id
+     username           = "${mongodbatlas_federated_settings_identity_provider.oidc.idp_id}/${azurerm_user_assigned_identity.this.principal_id}"
+     oidc_auth_type     = "USER"
+     auth_database_name = "$external" # required when using OIDC USER authentication
+
+     roles {
+       role_name     = "atlasAdmin"
+       database_name = "admin"
+     }
+   }

source/includes/examples/tf-example-auth-create-oidc-user-stagingprod.rst

@@ -0,0 +1,19 @@
+.. code-block:: shell 
+   :copyable: true
+
+   resource "mongodbatlas_database_user" "admin_user" {
+     project_id = "6698000acf48197e089e4085"
+     username = "adminUser"
+     password = "securePassword"  # Use a secure password
+     auth_database_name = "admin"
+
+     roles {
+       role_name     = "atlasAdmin"  # Admin role for the cluster
+       database_name = "admin"
+     }
+
+     roles {
+       role_name     = "readWriteAnyDatabase"  # Project member rights
+       database_name = "admin"
+     }
+   }

source/includes/examples/tf-example-auth-grant-roles-devtest.rst

@@ -0,0 +1,37 @@
+.. code-block:: 
+   :copyable: true 
+
+   # Connection string to use in this configuration
+   locals {
+     mongodb_uri = var.connection_strings[0]
+   }
+
+   # Atlas organization details to use in the configuration
+   data "mongodbatlas_federated_settings" "this" {
+     org_id = var.org_id
+     name   = var.project_name
+     project_id = var.project_id
+   }
+
+   # Configure an identity provider for federated authentication
+   resource "mongodbatlas_federated_settings_identity_provider" "oidc" {
+     federation_settings_id = data.mongodbatlas_federated_settings.this.id
+     audience               = var.token_audience
+     authorization_type     = "USER"
+     description            = "oidc-for-azure"
+     # e.g. "https://sts.windows.net/91405384-d71e-47f5-92dd-759e272cdc1c/"
+     issuer_uri = "https://sts.windows.net/${azurerm_user_assigned_identity.this.tenant_id}/"
+     idp_type   = "WORKLOAD"
+     name       = "OIDC-for-azure"
+     protocol   = "OIDC"
+     # groups_claim = null
+     user_claim = "sub"
+   }
+
+   resource "mongodbatlas_federated_settings_org_config" "this" {
+     federation_settings_id            = data.mongodbatlas_federated_settings.this.id
+     org_id                            = var.org_id
+     domain_restriction_enabled        = false
+     domain_allow_list                 = []
+     data_access_identity_provider_ids = [mongodbatlas_federated_settings_identity_provider.oidc.idp_id]
+   }

source/includes/examples/tf-example-auth-oidc-stagingprod.rst

@@ -0,0 +1,28 @@
+.. code-block:: shell 
+   :copyable: true 
+
+   locals {
+     test_user_password = random_password.password.result
+   }
+
+   # Generates 12 characters long random password without special characters
+   resource "random_password" "password" {
+     length  = 12
+     special = false
+   }
+
+   resource "mongodbatlas_database_user" "user1" {
+     username           = var.user[0]
+     password           = local.test_user_password
+     project_id         = var.project_id
+     auth_database_name = "admin"
+     scopes             = var.clusters[0]
+
+     roles {
+       role_name     = "readWriteAny"
+       database_name = var.database_name[0]
+     }
+   }
+
+   output "user1" { value = mongodbatlas_database_user.user1.username }
+   output "userpwd" { value = mongodbatlas_database_user.user1.password sensitive = true }