use cluster APIs to support certain processArgs

Author: maastha

cfn-resources/cluster/cmd/resource/mappings.go

@@ -19,12 +19,14 @@ import (
 	"fmt"
 	"reflect"
 
+	"go.mongodb.org/atlas-sdk/v20231115014/admin"
+
 	"github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
 	"github.com/aws/aws-sdk-go/service/cloudformation"
+	"github.com/spf13/cast"
+
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util"
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/constants"
-	"github.com/spf13/cast"
-	"go.mongodb.org/atlas-sdk/v20231115014/admin"
 )
 
 func mapClusterToModel(model *Model, cluster *admin.AdvancedClusterDescription) {
@@ -374,20 +376,27 @@ func flattenPrivateEndpoint(pes *[]admin.ClusterDescriptionConnectionStringsPriv
 	return privateEndpoints
 }
 
-func flattenProcessArgs(p *admin.ClusterDescriptionProcessArgs) *ProcessArgs {
-	return &ProcessArgs{
+func flattenProcessArgs(p *admin.ClusterDescriptionProcessArgs, cluster *admin.AdvancedClusterDescription) *ProcessArgs {
+	res := &ProcessArgs{
 		DefaultReadConcern:               p.DefaultReadConcern,
 		DefaultWriteConcern:              p.DefaultWriteConcern,
 		FailIndexKeyTooLong:              p.FailIndexKeyTooLong,
 		JavascriptEnabled:                p.JavascriptEnabled,
-		MinimumEnabledTLSProtocol:        p.MinimumEnabledTlsProtocol,
 		NoTableScan:                      p.NoTableScan,
 		OplogSizeMB:                      p.OplogSizeMB,
 		SampleSizeBIConnector:            p.SampleSizeBIConnector,
 		SampleRefreshIntervalBIConnector: p.SampleRefreshIntervalBIConnector,
 		OplogMinRetentionHours:           p.OplogMinRetentionHours,
 		TransactionLifetimeLimitSeconds:  util.Int64PtrToIntPtr(p.TransactionLifetimeLimitSeconds),
 	}
+
+	if advConfig := cluster.AdvancedConfiguration; advConfig != nil {
+		res.MinimumEnabledTLSProtocol = advConfig.MinimumEnabledTlsProtocol
+		res.TlsCipherConfigMode = advConfig.TlsCipherConfigMode
+		res.CustomOpensslCipherConfigTls12 = *advConfig.CustomOpensslCipherConfigTls12
+	}
+
+	return res
 }
 
 func flattenLabels(clusterLabels []admin.ComponentLabel) []Labels {
@@ -412,9 +421,7 @@ func expandAdvancedSettings(processArgs ProcessArgs) *admin.ClusterDescriptionPr
 		args.DefaultWriteConcern = processArgs.DefaultWriteConcern
 	}
 	args.JavascriptEnabled = processArgs.JavascriptEnabled
-	if processArgs.MinimumEnabledTLSProtocol != nil {
-		args.MinimumEnabledTlsProtocol = processArgs.MinimumEnabledTLSProtocol
-	}
+
 	args.NoTableScan = processArgs.NoTableScan
 
 	if processArgs.OplogSizeMB != nil {
@@ -593,9 +600,25 @@ func setClusterRequest(currentModel *Model) (*admin.AdvancedClusterDescription,
 	clusterRequest.Tags = tags
 
 	clusterRequest.TerminationProtectionEnabled = currentModel.TerminationProtectionEnabled
+
+	clusterRequest.AdvancedConfiguration = expandClusterAdvancedConfiguration(*currentModel.AdvancedSettings)
 	return clusterRequest, nil
 }
 
+func expandClusterAdvancedConfiguration(processArgs ProcessArgs) *admin.ApiAtlasClusterAdvancedConfiguration {
+	var args admin.ApiAtlasClusterAdvancedConfiguration
+
+	if processArgs.MinimumEnabledTLSProtocol != nil {
+		args.MinimumEnabledTlsProtocol = processArgs.MinimumEnabledTLSProtocol
+	}
+	if processArgs.TlsCipherConfigMode != nil {
+		args.TlsCipherConfigMode = processArgs.TlsCipherConfigMode
+	}
+	args.CustomOpensslCipherConfigTls12 = &processArgs.CustomOpensslCipherConfigTls12
+
+	return &args
+}
+
 func AddReplicationSpecIDs(src, dest []admin.ReplicationSpec) *[]admin.ReplicationSpec {
 	zoneToID := map[string]string{}
 	providerRegionToID := map[string]string{}

cfn-resources/cluster/cmd/resource/model.go

@@ -21,16 +21,18 @@ import (
 	"net/http"
 	"strings"
 
+	"go.mongodb.org/atlas-sdk/v20231115014/admin"
+
 	"github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cloudformation"
+	"github.com/spf13/cast"
+
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util"
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/constants"
 	log "github.com/mongodb/mongodbatlas-cloudformation-resources/util/logger"
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/progressevent"
 	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/validator"
-	"github.com/spf13/cast"
-	"go.mongodb.org/atlas-sdk/v20231115014/admin"
 )
 
 const (
@@ -309,7 +311,7 @@ func List(req handler.Request, prevModel *Model, currentModel *Model) (handler.P
 			return progressevent.GetFailedEventByResponse(fmt.Sprintf("Error creating resource : %s", err.Error()),
 				res), nil
 		}
-		model.AdvancedSettings = flattenProcessArgs(processArgs)
+		model.AdvancedSettings = flattenProcessArgs(processArgs, &clusterResults[i])
 		models[i] = model
 	}
 
@@ -395,7 +397,7 @@ func readCluster(ctx context.Context, client *util.MongoDBClient, currentModel *
 		if errr != nil || resp.StatusCode != http.StatusOK {
 			return currentModel, resp, errr
 		}
-		currentModel.AdvancedSettings = flattenProcessArgs(processArgs)
+		currentModel.AdvancedSettings = flattenProcessArgs(processArgs, cluster)
 	}
 	return currentModel, res, err
 }

cfn-resources/cluster/cmd/resource/resource.go

@@ -15,6 +15,8 @@ To declare this entity in your AWS CloudFormation template, use the following sy
     "<a href="#failindexkeytoolong" title="FailIndexKeyTooLong">FailIndexKeyTooLong</a>" : <i>Boolean</i>,
     "<a href="#javascriptenabled" title="JavascriptEnabled">JavascriptEnabled</a>" : <i>Boolean</i>,
     "<a href="#minimumenabledtlsprotocol" title="MinimumEnabledTLSProtocol">MinimumEnabledTLSProtocol</a>" : <i>String</i>,
+    "<a href="#tlscipherconfigmode" title="TlsCipherConfigMode">TlsCipherConfigMode</a>" : <i>String</i>,
+    "<a href="#customopensslcipherconfigtls12" title="CustomOpensslCipherConfigTls12">CustomOpensslCipherConfigTls12</a>" : <i>[ String, ... ]</i>,
     "<a href="#notablescan" title="NoTableScan">NoTableScan</a>" : <i>Boolean</i>,
     "<a href="#oplogsizemb" title="OplogSizeMB">OplogSizeMB</a>" : <i>Integer</i>,
     "<a href="#samplesizebiconnector" title="SampleSizeBIConnector">SampleSizeBIConnector</a>" : <i>Integer</i>,
@@ -32,6 +34,9 @@ To declare this entity in your AWS CloudFormation template, use the following sy
 <a href="#failindexkeytoolong" title="FailIndexKeyTooLong">FailIndexKeyTooLong</a>: <i>Boolean</i>
 <a href="#javascriptenabled" title="JavascriptEnabled">JavascriptEnabled</a>: <i>Boolean</i>
 <a href="#minimumenabledtlsprotocol" title="MinimumEnabledTLSProtocol">MinimumEnabledTLSProtocol</a>: <i>String</i>
+<a href="#tlscipherconfigmode" title="TlsCipherConfigMode">TlsCipherConfigMode</a>: <i>String</i>
+<a href="#customopensslcipherconfigtls12" title="CustomOpensslCipherConfigTls12">CustomOpensslCipherConfigTls12</a>: <i>
+      - String</i>
 <a href="#notablescan" title="NoTableScan">NoTableScan</a>: <i>Boolean</i>
 <a href="#oplogsizemb" title="OplogSizeMB">OplogSizeMB</a>: <i>Integer</i>
 <a href="#samplesizebiconnector" title="SampleSizeBIConnector">SampleSizeBIConnector</a>: <i>Integer</i>
@@ -92,6 +97,26 @@ _Type_: String
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### TlsCipherConfigMode
+
+The TLS cipher suite configuration mode. Valid values include `CUSTOM` or `DEFAULT`. The `DEFAULT` mode uses the default cipher suites. The `CUSTOM` mode allows you to specify custom cipher suites for both TLS 1.2 and TLS 1.3. To unset, this should be set back to `DEFAULT`.
+
+_Required_: No
+
+_Type_: String
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
+#### CustomOpensslCipherConfigTls12
+
+The custom OpenSSL cipher suite list for TLS 1.2. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.
+
+_Required_: No
+
+_Type_: List of String
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
 #### NoTableScan
 
 Flag that indicates whether the cluster disables executing any query that requires a collection scan to return results.

cfn-resources/cluster/docs/processargs.md

@@ -249,6 +249,18 @@
           "type": "string",
           "description": "Minimum Transport Layer Security (TLS) version that the cluster accepts for incoming connections. Clusters using TLS 1.0 or 1.1 should consider setting TLS 1.2 as the minimum TLS protocol version."
         },
+        "TlsCipherConfigMode": {
+          "type": "string",
+          "description": "The TLS cipher suite configuration mode. Valid values include `CUSTOM` or `DEFAULT`. The `DEFAULT` mode uses the default cipher suites. The `CUSTOM` mode allows you to specify custom cipher suites for both TLS 1.2 and TLS 1.3. To unset, this should be set back to `DEFAULT`."
+        },
+        "CustomOpensslCipherConfigTls12": {
+          "type": "array",
+          "insertionOrder": false,
+          "items": {
+            "type": "string"
+          },
+          "description": "The custom OpenSSL cipher suite list for TLS 1.2. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`."
+        },
         "NoTableScan": {
           "type": "boolean",
           "description": "Flag that indicates whether the cluster disables executing any query that requires a collection scan to return results."

cfn-resources/cluster/mongodb-atlas-cluster.json

@@ -7,6 +7,11 @@
     "DefaultWriteConcern": "1",
     "JavascriptEnabled": "false",
     "MinimumEnabledTLSProtocol": "TLS1_2",
+    "TlsCipherConfigMode": "CUSTOM",
+    "CustomOpensslCipherConfigTls12": [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+    ],
     "NoTableScan": "false",
     "OplogSizeMB": "4000",
     "SampleSizeBIConnector": "110",

cfn-resources/cluster/test/inputs_1_update.template.json

@@ -19,7 +19,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/tidwall/pretty v1.2.1
 	go.mongodb.org/atlas-sdk/v20231115002 v20231115002.1.0
-	go.mongodb.org/atlas-sdk/v20231115014 v20231115014.0.0
+	go.mongodb.org/atlas-sdk/v20231115014 v20231115014.0.1-0.20250501203224-d289267fb00f
 	go.mongodb.org/atlas-sdk/v20250312002 v20250312002.0.0
 )
 

cfn-resources/go.mod

@@ -105,6 +105,8 @@ go.mongodb.org/atlas-sdk/v20231115002 v20231115002.1.0 h1:x6nnq2pUIP9mN4WLD4/Ese
 go.mongodb.org/atlas-sdk/v20231115002 v20231115002.1.0/go.mod h1:el7cm23kEiiw72HAYimhNweKqp/ubHsNJk+Mk30yJhM=
 go.mongodb.org/atlas-sdk/v20231115014 v20231115014.0.0 h1:hN7x3m6THf03q/tE48up1j0U/26lJmx+s1LXB/qvHHc=
 go.mongodb.org/atlas-sdk/v20231115014 v20231115014.0.0/go.mod h1:pCl46YnWOIde8lq27whXDwUseNeUvtAy3vy5ZDeTcBA=
+go.mongodb.org/atlas-sdk/v20231115014 v20231115014.0.1-0.20250501203224-d289267fb00f h1:N5VEDjQhHAfS8RUBjHkkNqTi0qeiON5gML9YcLxJXQ8=
+go.mongodb.org/atlas-sdk/v20231115014 v20231115014.0.1-0.20250501203224-d289267fb00f/go.mod h1:pCl46YnWOIde8lq27whXDwUseNeUvtAy3vy5ZDeTcBA=
 go.mongodb.org/atlas-sdk/v20250312002 v20250312002.0.0 h1:KX8PrYp3/PCSxG4NbGLcc3+EsNcfyhcvylGbe/oRlx8=
 go.mongodb.org/atlas-sdk/v20250312002 v20250312002.0.0/go.mod h1:HHCmHxHPdJRr1bUXlvRIZbm7M4gRujjur1GnjE44YgA=
 golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=

cfn-resources/go.sum

@@ -41,7 +41,12 @@
           "NoTableScan": "false",
           "OplogSizeMB": "2000",
           "SampleSizeBIConnector": "110",
-          "SampleRefreshIntervalBIConnector": "310"
+          "SampleRefreshIntervalBIConnector": "310",
+          "TlsCipherConfigMode": "CUSTOM",
+          "CustomOpensslCipherConfigTls12": [
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+          ]
         },
         "BackupEnabled": "true",
         "ClusterType": "REPLICASET",
@@ -122,4 +127,4 @@
       }
     }
   }
-}
+}