tomsaleeba/mongo-atlas-update-whitelist-for-aws

Home of the mawaws command!

Updates your MongoDB Atlas IP whitelist using the published IP ranges for AWS services. This makes it easy to allow a whole region so that, for example, a Lambda function on any EC2 instance in that region will be able to reach your database. It was built for exactly this use case, for when you cannot use a VPC with an EC2 NAT to give your Lambda a predictable IP.

Install

npm install -g mongo-atlas-update-whitelist-for-aws
mawaws help

Running directly

  1. As a prerequisite, you need to have an API key for MongoDB Atlas. Follow these instructions to get one. The API key must have Project Owner permission to be able to update the IP allowlist.
  2. We need to get the ID of the group we want to update:
    mawaws list-groups \
      --user=abcdef \
      --key=4c03c17c-25d8-42fa-a762-bd9c22b5a55a
    ...and you'll see output that looks like:
    # example output
    Listing MongoDB Atlas groups (AKA projects)
    Available groups:
      1ab2bf4c3b53b9822afa9364: Project 1
  3. Now we perform the update to the whitelist for that project, using the ID from the previous command:
    mawaws update-whitelist \
      --region=ap-southeast-2 \
      --groupid=1ab2bf4c3b53b9822afa9364 \
      --user=abcdef \
      --key=4c03c17c-25d8-42fa-a762-bd9c22b5a55a

Note: the default service to get IPs for is EC2. If you wish to target a different service, supply the --service param:

mawaws update-whitelist \
  --service=AMAZON \
  ... # continue with other params
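
How the --region and --service choices change the size of the allowlist, as an added example (not code from this project): it filters a constructed sample in the shape of AWS's ip-ranges.json and counts the addresses each choice would admit. The function names are hypothetical, and the cidrBlock/comment entry shape follows the Atlas IP access list API.

```javascript
// Constructed sample in the shape of AWS's published ip-ranges.json (documentation
// address ranges, not real AWS data). AMAZON lists every range, so it is a superset.
const sampleRanges = {
  prefixes: [
    { ip_prefix: "192.0.2.0/24", region: "ap-southeast-2", service: "AMAZON" },
    { ip_prefix: "192.0.2.0/24", region: "ap-southeast-2", service: "EC2" },
    { ip_prefix: "198.51.100.0/24", region: "ap-southeast-2", service: "AMAZON" },
    { ip_prefix: "198.51.100.0/24", region: "ap-southeast-2", service: "EC2" },
    { ip_prefix: "203.0.113.0/25", region: "ap-southeast-2", service: "AMAZON" },
    { ip_prefix: "203.0.113.128/25", region: "us-east-1", service: "EC2" },
  ],
};

// Unique IPv4 prefixes for one region and service (EC2 is the page's stated default).
function selectPrefixes(ranges, region, service = "EC2") {
  const seen = new Set();
  for (const p of ranges.prefixes) {
    if (p.region === region && p.service === service) seen.add(p.ip_prefix);
  }
  return [...seen].sort();
}

// Number of IPv4 addresses covered; an upper bound if any prefixes overlap.
function addressCount(cidrs) {
  return cidrs.reduce((sum, cidr) => {
    const len = Number(cidr.split("/")[1]);
    if (!Number.isInteger(len) || len < 0 || len > 32) {
      throw new Error(`bad CIDR: ${cidr}`);
    }
    return sum + 2 ** (32 - len);
  }, 0);
}

// Allowlist entries plus the number of source addresses they admit.
function exposure(ranges, region, service = "EC2") {
  const cidrs = selectPrefixes(ranges, region, service);
  const entries = cidrs.map((cidrBlock) => ({
    cidrBlock,
    comment: `AWS ${service} ${region}`, // constructed comment text
  }));
  return { entries, addresses: addressCount(cidrs) };
}

for (const service of ["EC2", "AMAZON"]) {
  const { entries, addresses } = exposure(sampleRanges, "ap-southeast-2", service);
  console.log(`${service}: ${entries.length} entries, ${addresses} addresses admitted`);
}
```

Every address counted here can reach the cluster at the network layer, so the count is worth checking before widening --service.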

Running with docker

  1. either pull the pre-built docker image with
    docker pull tomsaleeba/mongo-atlas-update-whitelist-for-aws:1.1.0
  2. or, build the image locally with
    # after you've cloned this repo
    docker build -t tomsaleeba/mongo-atlas-update-whitelist-for-aws:1.1.0 .
  3. run the container and pass args like you would to the raw command
    docker run --rm -it tomsaleeba/mongo-atlas-update-whitelist-for-aws:1.1.0 --help
    docker run --rm -it tomsaleeba/mongo-atlas-update-whitelist-for-aws:1.1.0 \
      list-groups --user=abcdef --key=123abc

Running using cron on AWS ECS Fargate

As the list of IP ranges is being updated semi-frequently, it makes sense to run this command on a regular schedule. See the instructions in aws-deploy/README.md for how to set this up.

TODO

  1. make delete function that can remove all entries for a region
  2. lots more validation of command line params