Access Control for MongoDB Atlas via IP Whitelists

Question

Pulumi · Accepted Answer

Access control in MongoDB Atlas involves restricting which IP addresses are allowed to connect to your database clusters. MongoDB Atlas enables you to create an IP whitelist to control access to your database. An IP whitelist is a security feature that allows only connections from specified IP addresses or ranges to access your database.

Here's a step-by-step explanation of how to set up IP whitelisting in MongoDB Atlas using Pulumi and the `mongodbatlas` provider:

1. **Import the Provider**: Import the `pulumi_mongodbatlas` module, which contains the necessary classes for creating and managing resources in MongoDB Atlas.

2. **Create Project**: Before you can manage access control, you need a MongoDB Atlas project. While you can do this through the Atlas UI, you can also create a project programmatically using the `mongodbatlas.Project` class.

3. **Define the IP Whitelist**: Use the `mongodbatlas.ProjectIpWhitelist` class to define the IP address(es) you want to whitelist. You can define a specific IP address or a range by providing a CIDR block.

- `projectId`: The ID of the project for which you want to set up the whitelist.
   - `cidrBlock`: The IP range in CIDR notation that you want to whitelist. For a single IP, append `/32` to the end of the IP address.
   - `comment`: An optional comment describing the purpose or owner of the whitelisted IP.

4. **Create Resources**: Instantiate the defined classes so they represent actual resources in the MongoDB Atlas account linked to your Pulumi service.

Below is a Pulumi program in Python that defines an IP whitelist for a given MongoDB Atlas project:

```python
import pulumi
import pulumi_mongodbatlas as mongodbatlas

# Configure your MongoDB Atlas API Token and Project ID using config or environment variables
config = pulumi.Config()
atlas_project_id = config.require('atlasProjectId') # Project ID should be configured in the Pulumi config

# An example IP whitelist entry for an IP address
ip_whitelist = mongodbatlas.ProjectIpWhitelist("ip-whitelist",
    project_id=atlas_project_id,
    cidr_block="192.168.1.15/32", # Replace with the IP address you want to whitelist
    comment="Whitelist for application server")

# pulumi.export is used here to output the IP whitelist entry ID after pulumi up has been applied.
pulumi.export('ipWhitelistId', ip_whitelist.id)
```

To run this Pulumi program, take the following steps:

- Make sure you have Python installed on your machine.
- Install the Pulumi CLI.
- Set up your [MongoDB Atlas API token](https://www.pulumi.com/registry/packages/mongodbatlas/installation-configuration/#generate-mongodb-atlas-api-token).
- Create a new Pulumi project or use an existing one.
- Save the provided code into a file named `__main__.py` inside your project directory.
- Configure your atlasProjectId using `pulumi config set atlasProjectId YOUR_PROJECT_ID`.
- Run `pulumi up` to create the resources defined in the program.

This program does not include error handling, logging, or complex deployment logic, which you would want to consider for production-level code. It's meant to illustrate the basic setup.

Remember to replace "192.168.1.15" with the actual IP address you wish to whitelist and append `/32` for a single IP address, or specify an IP range in CIDR notation if needed.

For a comprehensive list of configurations and details on the `mongodbatlas` provider, you can refer to the official [Pulumi MongoDB Atlas documentation](https://www.pulumi.com/registry/packages/mongodbatlas/api-docs/).