👋 Introduction

Managing database infrastructure for multiple environments (dev, staging, prod) can be a headache — especially when it comes to security, secrets, and scaling.

In this I’ll walk you through how we’ve automated the provisioning of MongoDB Atlas on top of Amazon EKS using Terraform, complete with:

  • Role-based access
  • Secure secret handling (via AWS Secrets Manager)
  • Dynamic environment setup (dev, stg, prod)
  • IP whitelisting based on your VPC setup

Terraform Project Structure

Here’s a high-level view of the files in our infrastructure setup:

.
├── data.tf
├── main.tf
├── provider.tf
├── secrets.tf
└── variables.tf

🧱 main.tf – MongoDB Cluster + Project Setup 

data "mongodbatlas_roles_org_id" "mongodbatlas_roles_org_id" {}

resource "mongodbatlas_project" "mongodbatlas_project" {
  name                                             = "Mongo-${var.environment}"
  org_id                                           = data.mongodbatlas_roles_org_id.mongodbatlas_roles_org_id.org_id
  is_collect_database_specifics_statistics_enabled = true
  is_data_explorer_enabled                         = true
  is_extended_storage_sizes_enabled                = true
  is_performance_advisor_enabled                   = true
  is_realtime_performance_panel_enabled            = true
  is_schema_advisor_enabled                        = true
}

resource "mongodbatlas_cluster" "mongodbatlas_cluster" {
  project_id                     = mongodbatlas_project.mongodbatlas_project[0].id
  name                           = "${var.environment}-cluster"
  cluster_type                   = "REPLICASET"
  provider_name                  = "TENANT"
  backing_provider_name          = "AWS"
  provider_region_name           = upper(replace(var.aws_region, "-", "_"))
  provider_instance_size_name    = "M10"
  auto_scaling_disk_gb_enabled   = false
  termination_protection_enabled = false
  mongo_db_major_version         = "7.0"
}

resource "mongodbatlas_project_ip_access_list" "mongodbatlas_project_ip_access_list" {
  project_id = mongodbatlas_project.mongodbatlas_project[0].id
  cidr_block = "${data.terraform_remote_state.vpc.outputs.nat_elastic_ip}/32"
  comment    = "cidr block for AWS ${var.environment}"
}

resource "mongodbatlas_project_ip_access_list" "mongodbatlas_project_ip_access_list_prod" {
  project_id = data.mongodbatlas_project.mongodbatlas_project[0].id
  cidr_block = "${data.terraform_remote_state.vpc.outputs.nat_elastic_ip}/32"
  comment    = "cidr block for AWS ${var.environment}"
}

resource "mongodbatlas_database_user" "mongodbatlas_database_user" {
  username           = var.environment
  password           = random_password.password[0].result
  project_id         = mongodbatlas_project.mongodbatlas_project[0].id
  auth_database_name = "admin"

  roles {
    role_name     = "readWriteAnyDatabase"
    database_name = "admin"
  }

  scopes {
    name = mongodbatlas_cluster.mongodbatlas_cluster[0].name
    type = "CLUSTER"
  }
}

🧾 In this setup, we automate the creation of a fully managed MongoDB Atlas environment using Terraform for the stage of our application. The Terraform script provisions the following resources:

A MongoDB Atlas Project inside the organization's Atlas account.

A MongoDB Cluster with a REPLICASET architecture, running MongoDB version 7.0, hosted on AWS with an M10 instance size—ideal for development workloads.

A Project IP Access List that whitelists the NAT Gateway IP of the AWS VPC to ensure secure and controlled access to the cluster from within our infrastructure.

A Database User with the same name as the environment , with readWriteAnyDatabase permissions scoped to the cluster, enabling it to interact with any database within that cluster securely.

This setup is part of our Infrastructure-as-Code (IaC) strategy to maintain consistency, improve security, and reduce manual operations during the lifecycle of our environment.

🔐 secrets.tf – MongoDB Secrets in AWS Secrets Manager 

data "aws_secretsmanager_secret" "aws_secretsmanager_secret" {
  name = "mongo"
}

data "aws_secretsmanager_secret_version" "aws_secretsmanager_secret_version" {
  secret_id = data.aws_secretsmanager_secret.aws_secretsmanager_secret.id
}

resource "aws_secretsmanager_secret" "mongo" {
  name                    = "/${var.environment}/mongo"
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "mongo" {
  secret_id     = aws_secretsmanager_secret.mongo[0].id
  secret_string = <

This secret is then pulled securely by our app pods using Kubernetes External Secrets or the AWS Secrets CSI driver.

⚙️ provider.tf – AWS & MongoDB Atlas Providers 

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    mongodbatlas = {
      source = "mongodb/mongodbatlas"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

provider "mongodbatlas" {
  "MONGO_PUBLIC_KEY": "your_mongodb_atlas_public_key",
  "MONGO_PRIVATE_KEY": "your_mongodb_atlas_private_key"
}

With this provider.tf setup, you can automate both cloud infrastructure and MongoDB Atlas resources in your development workflow. Using Terraform helps you stay consistent, reduce manual errors, and scale your deployments with ease.

🔑 data.tf – Account Info + Random Password 

data "aws_caller_identity" "caller" {}

resource "random_password" "password" {
  length      = 25
  upper       = true
  special     = false
  min_numeric = 5
}

}

Terraform generates a secure password for the MongoDB user that we store in Secrets Manager along with the URI.

✅ Final output.tf File 

output "mongodb_endpoint" {
  value = "mongodb+srv://${mongodbatlas_database_user.mongodbatlas_database_user[0].username}:${mongodbatlas_database_user.mongodbatlas_database_user[0].password}@${trimprefix(mongodbatlas_cluster.mongodbatlas_cluster[0].connection_strings[0].standard_srv, "mongodb+srv://")}/${var.environment}?authSource=${mongodbatlas_database_user.mongodbatlas_database_user[0].auth_database_name}"
}

📝 Description
This output block dynamically generates the MongoDB connection string depending on the environment

✅ Conclusion:

A Scalable, Secure, and Dev-Friendly MongoDB Setup on EKS
With this Terraform-driven approach, we’ve not only provisioned MongoDB Atlas clusters directly from our infrastructure code, but we’ve also implemented environment-specific behavior, secure secret management via AWS Secrets Manager, and seamless integration with our EKS-based platform.

This setup ensures:

🔐 Security-first practices for handling sensitive data

🔁 Reusability and scalability across environments (dev, stg, prod)

⚙️ Automation of cloud-native MongoDB provisioning with zero manual steps

☁️ Tight integration between MongoDB Atlas, AWS, and Kubernetes (EKS)

Whether you're spinning up a new feature branch or deploying production-grade infrastructure, this solution gives your team a solid and secure foundation to build, test, and scale apps faster.