Rotate a MongoDB Atlas database user's password with an auto-generated password and store the password in AWS Secrets Manager
#!/usr/bin/env bash | |
# aws-cli/2.9.1 | |
_generate_random_password(){
  # Ask Secrets Manager for a random password of the requested length and
  # print it on stdout; the aws exit status is returned unchanged.
  # $1 - password length
  local -r requested_length="${1}"
  # Characters that must not appear in the password; tune as needed.
  local -r excluded_characters="{#\@\"\`'^&(/)%:;<>,_?}!$"
  local -a aws_args=(
    secretsmanager get-random-password
    --password-length "${requested_length}"
    --no-include-space
    --exclude-characters "${excluded_characters}"
    --require-each-included-type
    --output text
  )
  aws "${aws_args[@]}"
}
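_update_credential_in_secretsmanager() {
  # Write the new password as the current version of a Secrets Manager secret.
  # $1 - secret id (name or ARN)
  # $2 - password to store (written verbatim, no trailing newline)
  # Returns the aws exit status, or 1 if the temp file cannot be created/written.
  local secret_id="${1}"
  local password="${2}"
  # The value is handed to the CLI through a private (mode 0600) temp file via
  # file:// rather than on the command line, so it does not show up in process
  # listings of other local users.
  local secret_file
  secret_file=$(umask 077 && mktemp) || return 1
  if ! printf '%s' "${password}" > "${secret_file}"; then
    rm -f -- "${secret_file}"
    return 1
  fi
  local status=0
  aws secretsmanager put-secret-value --secret-id "${secret_id}" \
    --secret-string "file://${secret_file}" 1> /dev/null || status=$?
  # Always remove the file, even when the aws call failed.
  rm -f -- "${secret_file}"
  return "${status}"
}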
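_fetch_mongodb_user_details() {
  # Print the Atlas database user document (JSON) on stdout.
  # $1 - Atlas API public key (or username), $2 - private key (or password)
  # $3 - project (group) id, $4 - database username, $5 - auth database name
  # Returns curl's exit status; --fail turns an HTTP error response into a
  # non-zero exit so a caller never mistakes an Atlas error document for the
  # user document.
  # NOTE: the API credentials are still passed on argv via -u and are visible
  # in process listings while curl runs.
  local cluster_username="${1}"
  local cluster_password="${2}"
  local project_id="${3}"
  local database_username="${4}"
  # Was "${4}": the auth database was silently replaced by the username,
  # producing the URL .../databaseUsers/<username>/<username>.
  local database_name="${5}"
  # Refer MongoDB Atlas documentation https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Database-Users/operation/returnOneDatabaseUserFromOneProject for more info
  curl --fail --silent --show-error -u "${cluster_username}:${cluster_password}" --digest \
    --header 'Accept: application/json' \
    --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/${project_id}/databaseUsers/${database_name}/${database_username}"
}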
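_rotate_mongodb_database_user_credential() {
  # Rotate one Atlas database user's password: generate a new one, store it in
  # Secrets Manager, then set it on the Atlas user.
  # $1 - Atlas API public key (or username), $2 - private key (or password)
  # $3 - project id, $4 - database username, $5 - Secrets Manager secret id
  # $6 - auth database name (default: admin), $7 - new password length (default: 64)
  # Returns 0 when every step succeeded, non-zero at the first failing step.
  # NOTE: the steps are not transactional. If Secrets Manager is updated but the
  # Atlas PATCH fails (or the other way round), the stored and the effective
  # password differ until the script is re-run; a re-run generates a fresh
  # password and repairs both sides.
  local cluster_username="${1}" # Public key also can be used here
  local cluster_password="${2}" # Private key also can be used here
  local project_id="${3}"
  local database_username="${4}"
  local secret_id="${5}"
  local database_name="${6:-admin}"
  local length="${7:-64}"

  # Without these checks a failed 'aws' call yields an empty password that
  # would still be written to Secrets Manager and sent to Atlas.
  local new_password
  new_password=$(_generate_random_password "${length}") || return 1
  if [[ -z "${new_password}" ]]; then
    printf 'error: could not generate a new password\n' >&2
    return 1
  fi

  # Stop before touching anything if the current user document cannot be read.
  local current_user
  current_user=$(_fetch_mongodb_user_details "${cluster_username}" "${cluster_password}" "${project_id}" "${database_username}" "${database_name}") || return 1

  # Only the mutable fields are re-sent. The new password reaches jq through
  # the environment rather than argv so it does not appear in process listings.
  local update_user_payload
  update_user_payload=$(NEW_PASSWORD="${new_password}" jq '{labels, roles, scopes, password: env.NEW_PASSWORD}' <<<"${current_user}") || return 1

  _update_credential_in_secretsmanager "${secret_id}" "${new_password}" || return 1

  # Refer MongoDB Atlas documentation https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Database-Users/operation/updateOneDatabaseUserInOneProject for more info
  # The JSON body carries the password, so it is piped on stdin (--data @-)
  # instead of being placed on the command line. --fail makes an HTTP error
  # response a non-zero exit status.
  printf '%s' "${update_user_payload}" | curl --fail --silent --show-error -u "${cluster_username}:${cluster_password}" --digest \
    --header 'Content-Type: application/json' \
    --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/${project_id}/databaseUsers/${database_name}/${database_username}" \
    --data @- 1> /dev/null
}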
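# Entry point: the five leading arguments are mandatory; a short argument list
# would otherwise produce a malformed Atlas URL and an empty secret id.
# Usage: ./rotate_mongodb_database_user_credential.sh <cluster username> <cluster password> <project id> <database username> <secret id> [database name] [new password length]
if (( $# < 5 )); then
  printf 'Usage: %s <cluster username> <cluster password> <project id> <database username> <secret id> [database name] [new password length]\n' "${0##*/}" >&2
  exit 2
fi
_rotate_mongodb_database_user_credential "$@"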