Design Spec: mongodb-atlas-operations-health
Parent: #107
Target: rw-cli-codecollection
Spec
codebundle_name: "mongodb-atlas-operations-health"
target_collection: "rw-cli-codecollection"
display_name: "MongoDB Atlas Operations Health"
author: "rw-codebundle-agent"
purpose: |
  Read-only operational posture checks for MongoDB Atlas projects: open alerts,
  backup continuity, and network access controls. Surfaces misconfiguration and
  reliability risks that cluster-only metrics might miss.
tasks:
  - name: "Check MongoDB Atlas Open Alerts for Project `${ATLAS_PROJECT_ID}`"
    description: "Queries Atlas alerting/events for OPEN or recent CRITICAL/WARNING items tied to project clusters and summarizes blast radius."
    script_name: "check-atlas-open-alerts.sh"
    expected_issue_severity: [2, 4]
    access_level: "read-only"
    data_type: "events"
  - name: "Verify MongoDB Atlas Backup Configuration for Project `${ATLAS_PROJECT_ID}`"
    description: "Confirms cloud backup is enabled where required, captures snapshot cadence/retention signals, and flags clusters lacking compliant backup coverage."
    script_name: "verify-atlas-backup-config.sh"
    expected_issue_severity: [2, 4]
    access_level: "read-only"
    data_type: "config"
  - name: "Review MongoDB Atlas Network Access for Project `${ATLAS_PROJECT_ID}`"
    description: "Audits project/cluster IP access lists (and VPC/peering indicators where applicable), flagging overly permissive entries or empty lists paired with public endpoints."
    script_name: "review-atlas-network-access.sh"
    expected_issue_severity: [2, 3]
    access_level: "read-only"
    data_type: "security-config"
scope:
  level: "Project"
  qualifiers:
    - ATLAS_ORG_ID
    - ATLAS_PROJECT_ID
  iteration_pattern: |
    One SLX per Atlas project. CLUSTER_FILTER optionally scopes backup and alert correlation
    to specific clusters.
resource_types:
  - "mongodb_atlas_project"
generation_strategy: |
  Primary match on mongodb_atlas_project for organization-wide discovery; emit SLX per project.
  When RunWhen indexes clusters only, reuse mongodb_atlas_cluster match but keep tasks project-scoped
  via ATLAS_PROJECT_ID variable filled from discovery metadata.
env_vars:
  - name: ATLAS_PROJECT_ID
    description: "MongoDB Atlas project ID"
    required: true
  - name: ATLAS_ORG_ID
    description: "MongoDB Atlas organization ID"
    required: false
  - name: CLUSTER_FILTER
    description: "Comma-separated cluster names to scope backup/alert checks"
    required: false
    default: ""
  - name: ALERT_LOOKBACK_HOURS
    description: "Hours of alert/event history to evaluate"
    required: false
    default: "24"
secrets:
  - name: atlas_api_key_credentials
    description: "MongoDB Atlas programmatic API key pair"
    format: |
      JSON or env mapping with ATLAS_PUBLIC_API_KEY and ATLAS_PRIVATE_API_KEY
platform:
  name: "mongodb_atlas"
  cli_tools:
    - "curl"
    - "jq"
    - "mongocli"
  auth_methods:
    - "Atlas Admin API key digest auth (public + private key)"
  api_docs: "https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/"
related_bundles:
  - name: "mongodb-atlas-cluster-health"
    relationship: "complements"
    notes: "Cluster bundle focuses on inventory, replica state, and metrics; this bundle covers alerting, backups, and network posture."
  - name: "mongodb-health-gcp-promql"
    relationship: "complements"
    notes: "GCP PromQL bundle does not observe Atlas SaaS control plane; pair when workloads span self-managed and Atlas."
test_scenarios:
  - name: "clean_operations"
    description: "No open alerts, backups enabled, least-privilege network entries"
    expected_issues: 0
  - name: "backup_disabled"
    description: "Production-typed cluster without continuous cloud backup"
    expected_issues: 1
    expected_severities: [4]
notes: |
  Atlas APIs differ between M10+ dedicated tiers vs shared tiers—implementation should detect
  unsupported endpoints gracefully and downgrade checks with clear stdout context rather than
  hard failures. Align Robot tags with collection conventions (`access:read-only`, appropriate
  `data:*`). Before merge, run `python -m scorer.score <bundle_path>` from codebundle-farm (threshold 70).
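
Added example, not part of the spec or of the bundle's own scripts: a Python sketch of the classification that the network access task describes (flag overly permissive entries, and an empty list paired with a public endpoint), run over a constructed payload shaped like the Atlas Admin API v2 project IP access list response. The prefix thresholds, the mapping onto severities 2 and 3, and the `has_public_endpoint` parameter are assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like an Atlas Admin API v2 project IP access list
# response (GET /groups/{groupId}/accessList); values are illustrative only.
SAMPLE = json.loads("""
{"results": [
  {"cidrBlock": "0.0.0.0/0", "comment": "temp debug"},
  {"cidrBlock": "10.0.0.0/8", "comment": "corp"},
  {"cidrBlock": "203.0.113.7/32", "ipAddress": "203.0.113.7", "comment": "bastion"},
  {"awsSecurityGroup": "sg-0123456789abcdef0", "comment": "peered VPC"}
], "totalCount": 4}
""")

# Assumed policy knobs, not defined by the spec.
MIN_PREFIX = {4: 16, 6: 48}   # a prefix shorter than this counts as "broad"
SEV_OPEN, SEV_BROAD = 2, 3    # assumed mapping onto expected_issue_severity [2, 3]


def review_access_list(payload, has_public_endpoint=True):
    """Return a list of issue dicts for risky entries in an access list payload."""
    entries = payload.get("results", [])
    issues = []
    # has_public_endpoint is a hypothetical input the caller derives elsewhere.
    if not entries and has_public_endpoint:
        issues.append({"severity": SEV_BROAD, "entry": None,
                       "title": "Empty IP access list with public endpoint"})
    for e in entries:
        cidr = e.get("cidrBlock") or e.get("ipAddress")
        if not cidr:  # e.g. awsSecurityGroup entries carry no CIDR to grade
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            issues.append({"severity": SEV_BROAD, "entry": cidr,
                           "title": "Unparseable access list entry"})
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            issues.append({"severity": SEV_OPEN, "entry": cidr,
                           "title": "Access list allows any address"})
        elif net.prefixlen < MIN_PREFIX[net.version]:
            issues.append({"severity": SEV_BROAD, "entry": cidr,
                           "title": "Broad CIDR (/%d)" % net.prefixlen})
    return issues


if __name__ == "__main__":
    for issue in review_access_list(SAMPLE):
        print(json.dumps(issue))
```

The single-host `/32` entry and the security-group entry produce no issue, which matches the `clean_operations` scenario's "least-privilege network entries" expectation of zero issues.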