mongodb_atlas_identity_provider
Beta
Direct

Mongodb Atlas MongoDB Identity Provider

This module sets up the identity provider configuration in MongoDB Atlas.

Panfactum Role to MongoDB Atlas Role Mapping

This document outlines the default role mappings between Panfactum Roles and MongoDB Atlas Roles. The mappings ensure that users in Panfactum have appropriate permissions in MongoDB Atlas, maintaining security and role-based access control.

For more details on MongoDB Atlas roles, refer to the official documentation:
MongoDB Atlas User Roles

Panfactum RoleMongoDB Atlas Role(s)Reason for Mapping
superusersORG_OWNERSuperusers require full administrative access to the MongoDB Atlas organization, including user management, billing, and resource creation.
privileged_engineersORG_OWNERPrivileged engineers act as admins, enabling them to fully manage Atlas independently without relying on Panfactum.
billing_adminsORG_BILLING_ADMINBilling admins manage payment details and invoices but do not need full administrative control over the organization.
engineersORG_READ_ONLYEngineers require read-only access to view Atlas organization settings but cannot modify any configurations.
restricted_engineersORG_MEMBERRestricted engineers have basic membership access, allowing them to work within assigned projects but without organization-wide privileges.

Guide

Pre-req: Setup MongoDB Atlas Identity Provider Domain Verification

  1. Go to your MongoDB Atlas account
  2. Go to Organization Settings -> Federated Authentication Settings -> Domains
  3. Click on Add Domain Add Domain
  4. Add the root domain that you are using for Authentik (i.e., panfactum.com)
  5. Select DNS Record as the verification method DNS Verification
  6. Note the TXT Record that is generated. You will need this value in future steps. DNS TXT Verification Record

Deploy a new DNS TXT Record & Verify

  1. Add a text record to your production/global/aws_dns/terragrunt.hcl file that looks like this:

    include "panfactum" {
       path   = find_in_parent_folders("panfactum.hcl")
       expose = true
    }
    

    terraform {
       source = include.panfactum.locals.pf_stack_source
    }
    

    inputs = {
       zones = {
          // Replace with the domain from
          // "Setup MongoDB Atlas Identity Provider Domain Verification"
          "REPLACE_ME" = {
             txt_records = [
                {
                   subdomain = ""
                   records = [
                      "mongodb-site-verification=REPLACE_ME", // MongoDB Atlas SSO
                   ]
                }
             ]
          }
       }
    }

  2. Run terragrunt apply

  3. Go back to MongoDB Atlas and click on Verify next to the domain you added

  4. Confirm verification

Download the Signing Certificate from Authentik

Before proceeding, make sure to have downloaded the signing certificate from the Authentik application

  1. Login to your Authentik instance
  2. Switch over to the Admin section Authentik Admin
  3. Go to the section Applications -> Providers -> MongoDB Atlas
  4. Find Related objects and click on the Download button for the Download signing certificate Authentik Identity Provider Signature

Deploy the MongoDB Identity Provider module

Unfortunately, the terraform provider for MongoDB Atlas does not support the creation of the Identity Provider but allows for modifications. We will first create the resource through the UI and then import it to configure further.

1. From MongoDB Atlas UI

  1. Go to Organization Settings
  2. Note the Organization ID. You will need this value in future steps.
  3. Go to Federated Authentication Settings -> Identity Providers
  4. Click on Configure Identity Provider Configure Identity Provider
  5. Select Workforce Identity Federation
  6. Select SAML for Atlas UI Access
  7. Set a Name such as Authentik Integration
  8. Click on Fill with placeholder values for the Issuer URI and Single Sign-On URL Fill with placeholder values
  9. Upload the Signing Certificate that we downloaded above
  10. Set the Request Binding to HTTP-POST
  11. Set the Response Signature Algorithm to SHA-256
  12. Continue to the next step and note these values as you will need them in future steps.
    • ACS URL
    • Audience URI
    • IdP ID
    • Federation Settings ID (Found in the url https://cloud.mongodb.com/v2#/federation/<this-is-your-federation-settings-id>/overview)

2. Create Access Keys

  1. Go to Organization Settings -> Access Manager
  2. Click on Applications tab
  3. Click on Add new
  4. Set the description to terraform
  5. Set the Organization Permission to Organization Owner
  6. Save the public and private key to your .env file
    1. Set MONGODB_ATLAS_PUBLIC_KEY
    2. Set MONGODB_ATLAS_PRIVATE_KEY

3. From the terminal

  1. Add a new a mongodb_atlas_identity_provider folder adjacent to your authentik_core_resources folder

  2. Add a new a terragrunt.hcl file that looks like this:

    include "panfactum" {
       path   = find_in_parent_folders("panfactum.hcl")
       expose = true
    }
    

    terraform {
       source = include.panfactum.locals.pf_stack_source
    }
    

    dependency "authentik_atlas_mongodb_sso" {
       config_path = "../authentik_mongodb_atlas_sso"
    }
    

    inputs = {
       issuer_url = dependency.authentik_atlas_mongodb_sso.outputs.issuer_url
       sso_url    = dependency.authentik_atlas_mongodb_sso.outputs.url_sso_post
    

       // Set to "Organization ID" from step 1.2
       // Example: 679ac9030691076f53402259
       organization_id = "REPLACE_ME"
    

       // Set to "Federation Settings ID" from step 1.12
       // Example: 679ac90e37161e292db2780e
       federation_settings_id = "REPLACE_ME"
    

       // Set to "IdP ID" from step 1.12
       // Example: 67a80b37499ddf3676fa8f2b
       idp_id = "REPLACE_ME"
    

       // Set to the domain you verified in the prerequisite step:
       // "Setup MongoDB Atlas Identity Provider Domain Verification"
       // Example: panfactum.com
       associated_domains = [REPLACE_ME]
    

       sso_debug_enabled  = true
    }

  3. Run pf-tf-init

  4. Run terragrunt apply

4. CICD (Optional)

If you have CICD setup and are deploying infrastructure using the wf_tf_deploy module, you will also need to pass in the keys:

module "tf_deploy" {
  source = "${var.pf_module_source}wf_tf_deploy${var.pf_module_ref}"


  name = "tf-deploy"
  namespace = local.namespace


  # This is the repository url for that contains your terragrunt configuration files
  repo = "github.com/panfactum/stack"


  # All modules in this directory of the repository will be deployed
  tf_apply_dir = "environments/production/us-east-2"


  # These secrets will be exposed as environment variables during the
  # `terragrunt apply`. This can be used to supply credentials to
  # the OpenTofu providers.
  secrets = {
      AUTHENTIK_TOKEN = var.authentik_token
      MONGODB_ATLAS_PUBLIC_KEY  = var.mongodb_atlas_public_key
      MONGODB_ATLAS_PRIVATE_KEY = var.mongodb_atlas_private_key
  }
}

5. Finish Authentik Setup

If you are following the authentik_mongodb_atlas_sso module guide, please return and resume the Sync Authentik with the Atlas Settings section.

Disable SSO Bypass

After you have confirmed and validated that SSO is working through Authentik, disable the Bypass SAML Mode toggle by removing the sso_debug_enabled in the mongodb_atlas_identity_provider module.

include "panfactum" {
   path   = find_in_parent_folders("panfactum.hcl")
   expose = true
}


terraform {
   source = include.panfactum.locals.pf_stack_source
}


dependency "authentik_atlas_mongodb_sso" {
   config_path = "../authentik_mongodb_atlas_sso"
}


inputs = {
   issuer_url = dependency.authentik_atlas_mongodb_sso.outputs.issuer_url
   sso_url    = dependency.authentik_atlas_mongodb_sso.outputs.url_sso_post


   // Set to "Organization ID" from step 1.2
   // Example: 679ac9030691076f53402259
   organization_id = "REPLACE_ME"


   // Set to "Federation Settings ID" from step 1.12
   // Example: 679ac90e37161e292db2780e
   federation_settings_id = "REPLACE_ME"


   // Set to "IdP ID" from step 1.12
   // Example: 67a80b37499ddf3676fa8f2b
   idp_id = "REPLACE_ME"


   // Set to the domain you verified in the prerequisite step:
   // "Setup MongoDB Atlas Identity Provider Domain Verification"
   // Example: panfactum.com
   associated_domains = [REPLACE_ME]


   sso_debug_enabled  = true
}

Providers

The following providers are needed by this module:

Required Inputs

The following input variables are required:

federation_settings_id

Description: The IDP ID from MongoDB Atlas

Type: string

idp_id

Description: The IDP ID from MongoDB Atlas

Type: string

issuer_url

Description: The issuer URL

Type: string

organization_id

Description: ID of the MongoDB Atlas organization

Type: string

sso_url

Description: The SSO URL

Type: string

Optional Inputs

The following input variables are optional (have default values):

active

Description: The status of the identity provider in MongoDB Atlas. Setting to false will disable the identity provider and SSO will not function.

Type: bool

Default: true

associated_domains

Description: The domains associated with the identity provider

Type: list(string)

Default: []

extra_role_mappings

Description: Extra authentik roles to map to MongoDB Atlas roles. {<panfactum role> => [<mongodb role>, ...]}

Type: map(list(string))

Default: {}

name

Description: The name of the identity provider

Type: string

Default: "Panfactum Authentik Integration"

sso_debug_enabled

Description: Enable SSO debug. This allows users to login with a password bypassing the SSO flow.

Type: bool

Default: false

Outputs

The following outputs are exported:

acs_url

Description: Assertion consumer service URL to which the IdP sends the SAML response

Maintainer Notes

No notes