Rotate a MongoDB Atlas database user's password with an auto-generated password and store the new password in AWS Secrets Manager
#!/usr/bin/env bash
# aws-cli/2.9.1
_generate_random_password(){
  # Prints a random password of the requested length, produced by the
  # Secrets Manager GetRandomPassword API (text output, one line).
  # Arguments: $1 - desired password length
  # Outputs:   the generated password on stdout
  # Returns:   the aws cli exit status
  local pw_len="${1}"
  # You can fine tune the excluded characters
  local -a gen_args=(
    --password-length "${pw_len}"
    --no-include-space
    --exclude-characters "{#\@\"\`'^&(/)%:;<>,_?}!$"
    --require-each-included-type
    --output text
  )
  aws secretsmanager get-random-password "${gen_args[@]}"
}
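_update_credential_in_secretsmanager() {
  # Stores a new value as the current version of a Secrets Manager secret
  # (the previous value becomes the prior version and stays retrievable).
  # Arguments: $1 - secret id or ARN
  #            $2 - secret string to store (here: the rotated password)
  # Returns:   the aws cli exit status
  local secret_id="${1}"
  local password="${2}"
  # Feed the value over stdin (aws cli file:// parameter) instead of argv so the
  # password is not visible in `ps` output or shell traces while the call runs.
  printf '%s' "${password}" \
    | aws secretsmanager put-secret-value --secret-id "${secret_id}" \
        --secret-string file:///dev/stdin 1> /dev/null
}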
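_fetch_mongodb_user_details() {
  # Fetches one Atlas database user as JSON through the Atlas Admin API (digest auth).
  # Arguments: $1 - Atlas API username (or public key)
  #            $2 - Atlas API password (or private key)
  #            $3 - Atlas project (group) id
  #            $4 - database username
  #            $5 - auth database the user is defined in (e.g. admin)
  # Outputs:   the user document on stdout
  # Returns:   curl's status; --fail turns an HTTP 4xx/5xx into a non-zero exit
  #            instead of printing the error body as if it were the user document
  local cluster_username="${1}"
  local cluster_password="${2}"
  local project_id="${3}"
  local database_username="${4}"
  # Was "${4}": the database name was silently replaced by the username, so the
  # request URL pointed at the wrong path segment.
  local database_name="${5}"
  # Refer MongoDB Atlas documentation https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Database-Users/operation/returnOneDatabaseUserFromOneProject for more info
  curl --fail --silent --show-error \
    -u "${cluster_username}:${cluster_password}" --digest \
    --header 'Accept: application/json' \
    --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/${project_id}/databaseUsers/${database_name}/${database_username}"
}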
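_rotate_mongodb_database_user_credential() {
  # Generates a new password, stores it in Secrets Manager, then applies it to
  # the Atlas database user through the Atlas Admin API.
  # Arguments: $1 - Atlas API username (public key also can be used here)
  #            $2 - Atlas API password (private key also can be used here)
  #            $3 - Atlas project (group) id
  #            $4 - database username to rotate
  #            $5 - Secrets Manager secret id that receives the new password
  #            $6 - auth database name (default: admin)
  #            $7 - new password length (default: 64)
  # Returns:   0 on success, 1 when any step fails (diagnostic on stderr).
  #            Each step is checked explicitly because the script does not
  #            enable set -e / pipefail.
  local cluster_username="${1}"
  local cluster_password="${2}"
  local project_id="${3}"
  local database_username="${4}"
  local secret_id="${5}"
  local database_name="${6:-admin}"
  local length="${7:-64}"
  local new_password user_details update_user_payload

  new_password=$(_generate_random_password "${length}") || return 1
  if [[ -z "${new_password}" ]]; then
    printf 'error: Secrets Manager returned an empty password\n' >&2
    return 1
  fi

  # Fetch separately from the jq step so a failed HTTP call is not masked by
  # the pipeline's (jq's) exit status.
  user_details=$(_fetch_mongodb_user_details "${cluster_username}" "${cluster_password}" "${project_id}" "${database_username}" "${database_name}") || {
    printf 'error: could not fetch Atlas database user %s\n' "${database_username}" >&2
    return 1
  }
  # Keep only the fields the PATCH endpoint accepts and add the new password.
  # The password reaches jq via the environment ($ENV) rather than --arg so it
  # does not appear on jq's command line.
  update_user_payload=$(password="${new_password}" jq '{labels, roles, scopes} + {password: $ENV.password}' <<<"${user_details}") || return 1
  if [[ -z "${update_user_payload}" ]]; then
    printf 'error: empty update payload for %s\n' "${database_username}" >&2
    return 1
  fi

  # Store first: if the Atlas update below fails, the old password is still
  # retrievable as the secret's prior version, whereas a password that was
  # applied to Atlas but never stored would be lost.
  _update_credential_in_secretsmanager "${secret_id}" "${new_password}" || {
    printf 'error: could not store new password in secret %s; Atlas user left unchanged\n' "${secret_id}" >&2
    return 1
  }
  # Refer MongoDB Atlas documentation https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Database-Users/operation/updateOneDatabaseUserInOneProject for more info
  # The payload (which contains the password) is sent over stdin (--data-binary @-)
  # instead of argv. NOTE: -u still exposes the API credentials in argv; this
  # script should not run on hosts where other users can read the process list.
  if ! printf '%s' "${update_user_payload}" \
    | curl --fail --silent --show-error \
        -u "${cluster_username}:${cluster_password}" --digest \
        --header 'Content-Type: application/json' \
        --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/${project_id}/databaseUsers/${database_name}/${database_username}" \
        --data-binary @- 1> /dev/null; then
    printf 'error: Atlas rejected the password update for %s; secret %s now holds a password that is not active yet (previous version retained)\n' "${database_username}" "${secret_id}" >&2
    return 1
  fi
}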
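# Entry point: refuse to run with missing required arguments instead of issuing
# API calls with empty path segments / an empty secret id.
if (( $# < 5 )); then
  printf 'Usage: %s <cluster username> <cluster password> <project id> <database username> <secret id> [database name] [new password length]\n' "${0##*/}" >&2
  exit 2
fi
_rotate_mongodb_database_user_credential "$@"
# ./rotate_mongodb_database_user_credential.sh <cluster username> <cluster password> <project id> <database username> <secret id> [database name] [new password length]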