chore: Generates and checks PURLS on the CI

.github/workflows/code-health.yaml

@@ -18,6 +18,12 @@ jobs:
       run: | 
         cd cfn-resources
         go build -v ./...
+    - name: Install CloudFormation CLI
+      run: pip install cloudformation-cli cloudformation-cli-go-plugin
+    - name: Generate purls for all resources
+      run: make gen-purls
+    - name: Check purls for all resources
+      run: make check-purls
   mock-generation:
     runs-on: ubuntu-latest
     steps:

.github/workflows/contract-testing.yaml

@@ -36,45 +36,62 @@ jobs:
    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
      id: filter
      with:
+      predicate-quantifier: 'every'
       filters: |
         access-list-api-key:
           - 'cfn-resources/access-list-api-key/**'
+          - '!cfn-resources/access-list-api-key/compliance/**'
         alert-configuration:
           - 'cfn-resources/alert-configuration/**'
+          - '!cfn-resources/alert-configuration/compliance/**'
         api-key:
           - 'cfn-resources/api-key/**'
+          - '!cfn-resources/api-key/compliance/**'
         auditing:
           - 'cfn-resources/auditing/**'
+          - '!cfn-resources/auditing/compliance/**'
         cloud-backup-restore-jobs:
           - 'cfn-resources/cloud-backup-restore-jobs/**'
+          - '!cfn-resources/cloud-backup-restore-jobs/compliance/**'
         cluster-outage-simulation:
           - 'cfn-resources/cluster-outage-simulation/**'
+          - '!cfn-resources/cluster-outage-simulation/compliance/**'
         federated-database-instance:
           - 'cfn-resources/federated-database-instance/**'
+          - '!cfn-resources/federated-database-instance/compliance/**'
         federated-query-limit:
           - 'cfn-resources/federated-query-limit/**'
+          - '!cfn-resources/federated-query-limit/compliance/**'
         online-archive:
           - 'cfn-resources/online-archive/**'
+          - '!cfn-resources/online-archive/compliance/**'
         organization:
           - 'cfn-resources/organization/**'
+          - '!cfn-resources/organization/compliance/**'
         private-endpoint-aws:
           - 'cfn-resources/private-endpoint-aws/**'
+          - '!cfn-resources/private-endpoint-aws/compliance/**'
         private-endpoint-service:
           - 'cfn-resources/private-endpoint-service/**'
+          - '!cfn-resources/private-endpoint-service/compliance/**'
         privatelink-endpoint-service-data-federation-online-archive:
           - 'cfn-resources/privatelink-endpoint-service-data-federation-online-archive/**'
+          - '!cfn-resources/privatelink-endpoint-service-data-federation-online-archive/compliance/**'
         project:
           - 'cfn-resources/project/**'
+          - '!cfn-resources/project/compliance/**'
         resource-policy:
           - 'cfn-resources/resource-policy/**'
+          - '!cfn-resources/resource-policy/compliance/**'
         search-deployment:
           - 'cfn-resources/search-deployment/**'
-        serverless-private-endpoint:
-          - 'cfn-resources/serverless-private-endpoint/**'
+          - '!cfn-resources/search-deployment/compliance/**'
         stream-connection:
           - 'cfn-resources/stream-connection/**'
+          - '!cfn-resources/stream-connection/compliance/**'
         stream-instance:
           - 'cfn-resources/stream-instance/**'
+          - '!cfn-resources/stream-instance/compliance/**'
   access-list-api-key:
     needs: change-detection
     if: ${{ needs.change-detection.outputs.access-list-api-key == 'true' }}
@@ -729,48 +746,6 @@ jobs:
 
           cat inputs/inputs_1_create.json
 
-          make run-contract-testing
-          make delete-test-resources
-  serverless-private-endpoint:
-    needs: change-detection
-    if: ${{ needs.change-detection.outputs.  serverless-private-endpoint == 'true' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
-        with:
-          go-version-file: 'cfn-resources/go.mod'
-      - name: setup Atlas CLI
-        uses: mongodb/atlas-github-action@15663d068c40a8582d881560961fce9d45e0df9a
-      - uses: aws-actions/setup-sam@819220f63fb333a9a394dd0a5cab2d8303fd17e2
-        with:
-          use-installer: true
-      - uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
-          aws-region: eu-west-1
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
-        with:
-          python-version: '3.9'
-          cache: 'pip' # caching pip dependencies
-      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
-      - name: Run the Contract test
-        shell: bash
-        env:
-          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
-          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
-          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
-          MONGODB_ATLAS_TEAM_ID: 641490b0207f4d22f4d8f2fd
-          MONGODB_ATLAS_OPS_MANAGER_URL: https://cloud-dev.mongodb.com/
-          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
-        run: |
-          pushd cfn-resources/serverless-private-endpoint
-          make create-test-resources
-
-          cat inputs/inputs_1_create.json
-          cat inputs/inputs_1_update.json
-
           make run-contract-testing
           make delete-test-resources
   stream-connection:

Makefile

@@ -63,3 +63,10 @@ generate-mocks: # uses mockery to generate mocks in folder `cfn-resources/testut
 generate-resource-versions-markdown: 
 	(cd cfn-resources && go run tool/markdown-generator/*.go)
 
+.PHONY: gen-purls
+gen-purls:
+	./scripts/generate-purls.sh
+
+.PHONY: check-purls
+check-purls:
+	./scripts/check-purls.sh

cfn-resources/access-list-api-key/compliance/purls.txt

@@ -0,0 +1,19 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]

cfn-resources/alert-configuration/compliance/purls.txt

@@ -0,0 +1,18 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/github.com/spf13/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]

cfn-resources/api-key/compliance/purls.txt

@@ -0,0 +1,17 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]

cfn-resources/auditing/compliance/purls.txt

@@ -0,0 +1,17 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]

cfn-resources/cloud-backup-restore-jobs/compliance/purls.txt

@@ -0,0 +1,17 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]

cfn-resources/cloud-backup-schedule/compliance/purls.txt

@@ -0,0 +1,17 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]

cfn-resources/cloud-backup-snapshot-export-bucket/compliance/purls.txt

@@ -0,0 +1,19 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]

cfn-resources/cloud-backup-snapshot-export-bucket/docs/README.md

@@ -61,9 +61,9 @@ _Required_: Yes
 
 _Type_: String
 
-_Minimum_: <code>24</code>
+_Minimum Length_: <code>24</code>
 
-_Maximum_: <code>24</code>
+_Maximum Length_: <code>24</code>
 
 _Pattern_: <code>^([a-f0-9]{24})$</code>
 
@@ -77,9 +77,9 @@ _Required_: Yes
 
 _Type_: String
 
-_Minimum_: <code>24</code>
+_Minimum Length_: <code>24</code>
 
-_Maximum_: <code>24</code>
+_Maximum Length_: <code>24</code>
 
 _Pattern_: <code>^([a-f0-9]{24})$</code>
 

cfn-resources/cloud-backup-snapshot-export-bucket/resource-role.yaml

@@ -15,6 +15,13 @@ Resources:
             Principal:
               Service: resources.cloudformation.amazonaws.com
             Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:SourceAccount:
+                  Ref: AWS::AccountId
+              StringLike:
+                aws:SourceArn:
+                  Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:type/resource/MongoDB-Atlas-CloudBackupSnapshotExportBucket/*
       Path: "/"
       Policies:
         - PolicyName: ResourceTypePolicy
@@ -23,27 +30,7 @@ Resources:
             Statement:
               - Effect: Allow
                 Action:
-                - "secretsmanager:CreateSecret"
-                - "secretsmanager:DescribeSecret"
                 - "secretsmanager:GetSecretValue"
-                - "secretsmanager:PutSecretValue"
-                - "secretsmanager:UpdateSecretVersionStage"
-                - "ec2:CreateVpcEndpoint"
-                - "ec2:DeleteVpcEndpoints"
-                - "cloudformation:CreateResource"
-                - "cloudformation:DeleteResource"
-                - "cloudformation:GetResource"
-                - "cloudformation:GetResourceRequestStatus"
-                - "cloudformation:ListResources"
-                - "cloudformation:UpdateResource"
-                - "iam:AttachRolePolicy"
-                - "iam:CreateRole"
-                - "iam:DeleteRole"
-                - "iam:GetRole"
-                - "iam:GetRolePolicy"
-                - "iam:ListAttachedRolePolicies"
-                - "iam:ListRolePolicies"
-                - "iam:PutRolePolicy"
                 Resource: "*"
 Outputs:
   ExecutionRoleArn:

cfn-resources/cloud-backup-snapshot/compliance/purls.txt

@@ -0,0 +1,17 @@
+pkg:golang/../vendor/go.mongodb.org/atlas-sdk/v20231115014@(devel)
+pkg:golang/github.com/aws-cloudformation/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/aws/[email protected]
+pkg:golang/github.com/google/[email protected]
+pkg:golang/github.com/jmespath/[email protected]
+pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb-labs/[email protected]
+pkg:golang/github.com/mongodb/mongodbatlas-cloudformation-resources@(devel)
+pkg:golang/github.com/rs/[email protected]
+pkg:golang/github.com/segmentio/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
+pkg:golang/go.mongodb.org/[email protected]
+pkg:golang/golang.org/x/[email protected]
+pkg:golang/gopkg.in/[email protected]