1. Connecting serverless functions securely to MongoDB Atlas with PrivateLink


    To connect serverless functions securely to MongoDB Atlas using PrivateLink, you'll need to establish a private endpoint connection within your Virtual Private Cloud (VPC) that routes traffic to your MongoDB Atlas cluster over AWS's private network. This ensures your database traffic does not traverse the public internet, greatly enhancing security.

    Here's a high-level overview of the steps we'll take in the Pulumi program:

    1. Provision a MongoDB Atlas cluster.
    2. Set up a PrivateLink endpoint for the Atlas cluster within your AWS account.
    3. Deploy an AWS Lambda function within the same VPC as the PrivateLink endpoint.

    In the provided program, we'll use mongodbatlas.Cluster to create a dedicated MongoDB Atlas cluster, mongodbatlas.PrivateLinkEndpoint together with mongodbatlas.PrivateLinkEndpointService (plus an aws.ec2.VpcEndpoint in your VPC) to set up the PrivateLink connection, and AWS Pulumi resources to deploy the serverless Lambda function. Note that mongodbatlas.PrivatelinkEndpointServiceServerless is the equivalent resource for Atlas serverless instances; it does not attach to a dedicated cluster.

    First, ensure you have the required Pulumi packages installed in your Pulumi project:

```bash
pulumi plugin install resource mongodbatlas v3.11.0
npm install @pulumi/mongodbatlas @pulumi/aws
```

    Now let's write the Pulumi program to set up the infrastructure:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as mongodbatlas from "@pulumi/mongodbatlas";

// Stack configuration, set with `pulumi config set ...` (see below). The Atlas project ID
// and the VPC/subnet IDs are placeholders that you must replace with your own values.
const config = new pulumi.Config();
const projectId = config.require("atlasProjectId");                  // your MongoDB Atlas Project ID
const vpcId = config.require("vpcId");                               // VPC hosting both the endpoint and the Lambda
const subnetIds = config.requireObject<string[]>("privateSubnetIds"); // private subnets; no internet route needed
const clusterName = "my-atlas-cluster";
const providerName = "AWS";  // AWS is the cloud provider for PrivateLink
const region = "US_EAST_1";  // Atlas region name; must match the AWS region of the VPC

// 1. Create a dedicated MongoDB Atlas cluster (private endpoints require a dedicated tier, M10 or larger)
const cluster = new mongodbatlas.Cluster(clusterName, {
    projectId: projectId,
    providerName: providerName,
    providerRegionName: region,
    providerInstanceSizeName: "M10",
    clusterType: "REPLICASET",
    replicationSpecs: [{
        numShards: 1,
        regionsConfigs: [{ regionName: region, electableNodes: 3, priority: 7, readOnlyNodes: 0 }],
    }],
});

// 2a. Ask Atlas for a PrivateLink endpoint service in the region; Atlas returns the service name to target
const atlasEndpoint = new mongodbatlas.PrivateLinkEndpoint("atlas-private-link", {
    projectId: projectId,
    providerName: providerName,
    region: region,
});

// Security groups: the Lambda may only reach the endpoint, and the endpoint only accepts the Lambda.
// Atlas assigns one port per cluster node starting at 1024, so the rules are scoped by source group.
const lambdaSg = new aws.ec2.SecurityGroup("lambda-sg", { vpcId: vpcId });
const endpointSg = new aws.ec2.SecurityGroup("atlas-endpoint-sg", { vpcId: vpcId });
new aws.ec2.SecurityGroupRule("lambda-to-atlas", {
    type: "egress", securityGroupId: lambdaSg.id, sourceSecurityGroupId: endpointSg.id,
    protocol: "tcp", fromPort: 1024, toPort: 65535,
});
new aws.ec2.SecurityGroupRule("atlas-from-lambda", {
    type: "ingress", securityGroupId: endpointSg.id, sourceSecurityGroupId: lambdaSg.id,
    protocol: "tcp", fromPort: 1024, toPort: 65535,
});

// 2b. Create the interface VPC endpoint in your AWS account that targets the Atlas endpoint service
const vpcEndpoint = new aws.ec2.VpcEndpoint("atlas-vpc-endpoint", {
    vpcId: vpcId,
    serviceName: atlasEndpoint.endpointServiceName,
    vpcEndpointType: "Interface",
    subnetIds: subnetIds,
    securityGroupIds: [endpointSg.id],
});

// 2c. Register the VPC endpoint with Atlas so that it accepts the connection
const privateLink = new mongodbatlas.PrivateLinkEndpointService("atlas-private-link-service", {
    projectId: projectId,
    privateLinkId: atlasEndpoint.privateLinkId,
    endpointServiceId: vpcEndpoint.id,
    providerName: providerName,
});

// 3. Lambda execution role with logging and VPC (ENI) permissions
const lambdaRole = new aws.iam.Role("lambdaRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "lambda.amazonaws.com" }),
});
new aws.iam.RolePolicyAttachment("lambda-basic-execution", {
    role: lambdaRole.name,
    policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
});
new aws.iam.RolePolicyAttachment("lambda-vpc-access", {
    role: lambdaRole.name,
    policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole,
});

// The PrivateLink-aware connection string (shown in Atlas once the endpoint is active) is kept as a
// Pulumi secret: pulumi config set --secret mongoUri "mongodb+srv://..."
const mongoUri = config.requireSecret("mongoUri");

// Define the Lambda function, placed in the same private subnets as the endpoint
const lambdaFunction = new aws.lambda.Function("myFunction", {
    code: new pulumi.asset.AssetArchive({
        ".": new pulumi.asset.FileArchive("./path-to-lambda-code"),
    }),
    role: lambdaRole.arn,
    handler: "index.handler",
    runtime: aws.lambda.Runtime.NodeJS18dX,
    vpcConfig: { subnetIds: subnetIds, securityGroupIds: [lambdaSg.id] },
    environment: { variables: { MONGODB_URI: mongoUri } },
}, { dependsOn: [privateLink] });

// Export relevant IDs and names of the resources
export const clusterId = cluster.id;
export const privateLinkId = privateLink.id;
export const vpcEndpointId = vpcEndpoint.id;
export const lambdaFunctionName = lambdaFunction.name;
```

    Explanation:

    • A new dedicated MongoDB Atlas cluster is provisioned with the required properties such as region and instance size.
    • A PrivateLink connection is configured for the cluster: Atlas publishes an endpoint service, an interface VPC endpoint in your account targets it, and the endpoint is registered back with Atlas, so connectivity is forced over AWS's private network.
    • An AWS Lambda function is deployed. Ensure that the function is placed in the same AWS VPC as the VPC endpoint, with a security group that is allowed to reach the endpoint's security group; otherwise it cannot connect to MongoDB Atlas. The actual Lambda function code and specifics, such as environment variables or VPC config, need to be defined according to your use case.

    Please carefully replace placeholders such as project IDs, VPC and subnet IDs, and region names with the actual values that apply to your infrastructure. You need to write the Lambda function code (referenced by new pulumi.asset.FileArchive("./path-to-lambda-code")), which will contain the logic for interacting with your MongoDB cluster.
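As an added example (not code from the original page or from the Pulumi provider), here is a minimal TypeScript handler module for the `./path-to-lambda-code` directory. It assumes the function's `MONGODB_URI` environment variable carries the Atlas private-endpoint connection string, whose hosts carry a `pl-<n>` label (for example `cluster0-pl-0.<hash>.mongodb.net`), and that the `mongodb` driver is bundled with the function; the handler fails closed if the configured string points at the public cluster hosts, so a misconfiguration cannot silently route database traffic over the internet.

```typescript
declare const require: (id: string) => any; // driver is loaded lazily; the pure checks below need no driver

// Atlas private-endpoint hosts carry a "pl-<n>" label (assumed naming convention), e.g.
// cluster0-pl-0.ab1cd.mongodb.net (SRV form) or pl-0-us-east-1.ab1cd.mongodb.net:1024 (standard form).
const PRIVATE_HOST = /^([a-z0-9-]+-)?pl-\d+(-[a-z0-9-]+)?\.[a-z0-9]+\.mongodb\.net$/i;

export interface UriCheck { ok: boolean; hosts: string[]; reason?: string }

// Parse a mongodb:// or mongodb+srv:// URI and verify that every host is a PrivateLink host.
export function checkPrivateLinkUri(uri: string): UriCheck {
  const m = /^mongodb(\+srv)?:\/\/(?:[^@/]+@)?([^/?]+)/.exec(uri);
  if (!m) return { ok: false, hosts: [], reason: "not a mongodb URI" };
  const hosts = m[2].split(",").map(h => h.replace(/:\d+$/, "").toLowerCase());
  const bad = hosts.filter(h => !PRIVATE_HOST.test(h));
  if (bad.length) return { ok: false, hosts, reason: `public host(s): ${bad.join(",")}` };
  return { ok: true, hosts };
}

// Driver options: TLS on, fail fast so a routing mistake surfaces as an error instead of a
// Lambda that hangs until timeout, and a small pool sized for one concurrent invocation.
export function clientOptions() {
  return { tls: true, serverSelectionTimeoutMS: 5000, connectTimeoutMS: 5000, maxPoolSize: 5 };
}

let cached: any; // reused across warm invocations of the same execution environment

async function getClient(uri: string) {
  if (cached) return cached;
  const { MongoClient } = require("mongodb"); // assumed: official driver bundled with the function
  cached = await new MongoClient(uri, clientOptions()).connect();
  return cached;
}

// Build the handler from a URI (e.g. process.env.MONGODB_URI, set by the Pulumi program).
export function makeHandler(uri: string) {
  const check = checkPrivateLinkUri(uri);
  if (!check.ok) throw new Error(`refusing non-PrivateLink connection string: ${check.reason}`);
  return async () => {
    const client = await getClient(uri);
    const result = await client.db("admin").command({ ping: 1 });
    return { statusCode: 200, body: JSON.stringify(result) };
  };
}
```

In the function's `index.ts`, export `handler = makeHandler(process.env.MONGODB_URI ?? "")` so that a wrong connection string fails at cold start rather than on the first request.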

    Do not forget to configure both AWS and MongoDB Atlas access in your Pulumi stack using the pulumi config set command for setting secrets and other necessary configuration values as needed.

    The program above assumes you have already configured your Pulumi CLI for AWS and MongoDB Atlas. Please ensure you have the proper IAM roles and permissions set up for both the Lambda to execute and the PrivateLink endpoint to be created within your VPC.

    Detailed information about mongodbatlas.Cluster, mongodbatlas.PrivateLinkEndpoint, mongodbatlas.PrivateLinkEndpointService and mongodbatlas.PrivatelinkEndpointServiceServerless can be found in the MongoDB Atlas Pulumi provider documentation.