SUMMARY
Add support for MongoDB user authenticationRestrictions in community.mongodb.mongodb_user.
This would allow playbooks to restrict where a user can authenticate from (by IP/CIDR) and/or which server addresses are valid, matching the native createUser/updateUser command capabilities.
ISSUE TYPE
Feature Idea
COMPONENT NAME
community.mongodb.mongodb_user
ADDITIONAL INFORMATION
MongoDB’s user management commands support an authenticationRestrictions array whose documents carry clientSource and serverAddress fields. This enables IP/CIDR-based allowlisting for user authentication: a login is accepted only if the client's address matches clientSource and the server address it connected to matches serverAddress. Exposing this in mongodb_user makes it possible to declare restrictions scoped to a specific user from a playbook.
Proposed interface
Add a new optional parameter to mongodb_user:
```yaml
authentication_restrictions:
  # list of restriction documents, applied as-is to createUser/updateUser
  - clientSource: [ "127.0.0.1", "::1" ]   # optional
    serverAddress: [ "10.0.0.0/8" ]        # optional
```
Related docs
- createUser syntax includes authenticationRestrictions with clientSource and serverAddress (MongoDB Docs).
- updateUser likewise supports authenticationRestrictions (MongoDB Docs).
- usersInfo supports showAuthenticationRestrictions: true for reading current restrictions (for idempotence) (MongoDB Docs).
Examples
```yaml
# Example 1: localhost-only root
- name: Create localhost-only root
  community.mongodb.mongodb_user:
    login_host: "127.0.0.1"
    login_port: 27017
    replica_set: rs0
    database: admin
    name: root
    password: "{{ vault_root_password }}"
    roles:
      - { db: admin, role: root }
    authentication_restrictions:
      - clientSource: ["127.0.0.1", "::1"]
    state: present

# Example 2: app user restricted to private networks
- name: Create app user with CIDR restrictions
  community.mongodb.mongodb_user:
    login_host: "127.0.0.1"
    login_port: 27017
    replica_set: rs0
    database: admin
    login_user: root
    login_password: "{{ vault_root_password }}"
    name: app_rw
    password: "{{ vault_app_rw_password }}"
    roles:
      - { db: appdb, role: readWrite }
      - { db: logs, role: read }
    authentication_restrictions:
      - clientSource: ["10.0.0.0/8", "192.168.1.0/24"]
      serverAddress: ["10.0.0.0/8"]
    update_password: on_create
    state: present
```
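To make the proposed parameter concrete, here is an added Python sketch (not community.mongodb code, and not an implementation the maintainers have agreed to) of the three pieces a module would need: validating the restriction documents before sending them, mapping the parameter onto a createUser/updateUser command document, and comparing the desired list against what usersInfo reports so the task is idempotent. The function names, the `plan_user_change` helper and the `SAMPLE_USERS_INFO` document are constructed for this example; the sample assumes the user's own restrictions come back as a flat `authenticationRestrictions` array on the user document.

```python
"""Added example: mapping a mongodb_user-style `authentication_restrictions`
parameter onto MongoDB createUser/updateUser and checking idempotence.
All names here are constructed for illustration, not community.mongodb code."""
import ipaddress
from typing import Any, Dict, List, Optional

ALLOWED_KEYS = {"clientSource", "serverAddress"}


def validate_restrictions(restrictions: List[Dict[str, Any]]) -> List[str]:
    """Return a list of problems found in the restriction documents (empty when valid).

    Each entry must be a mapping using only clientSource/serverAddress, and every
    address must parse as a single IP or a CIDR block, which is what MongoDB accepts.
    """
    problems: List[str] = []
    for idx, doc in enumerate(restrictions):
        if not isinstance(doc, dict):
            problems.append(f"restriction {idx}: expected a mapping")
            continue
        unknown = set(doc) - ALLOWED_KEYS
        if unknown:
            problems.append(f"restriction {idx}: unknown keys {sorted(unknown)}")
        if not (set(doc) & ALLOWED_KEYS):
            problems.append(f"restriction {idx}: needs clientSource and/or serverAddress")
        for key in sorted(ALLOWED_KEYS & set(doc)):
            for addr in doc[key]:
                try:
                    # strict=False tolerates host bits set in a CIDR (e.g. 10.0.0.1/8)
                    ipaddress.ip_network(addr, strict=False)
                except ValueError:
                    problems.append(f"restriction {idx}: {key} entry {addr!r} is not an IP or CIDR")
    return problems


def _normalise(restrictions: List[Dict[str, Any]]):
    """Canonical, order-independent form so desired vs. current can be compared."""
    canon = []
    for doc in restrictions:
        canon.append(tuple(sorted((k, tuple(sorted(doc[k]))) for k in doc if k in ALLOWED_KEYS)))
    return sorted(canon)


def restrictions_changed(desired: List[Dict[str, Any]], current: List[Dict[str, Any]]) -> bool:
    """True when the server's restrictions differ from the playbook's, ignoring order."""
    return _normalise(desired) != _normalise(current)


def build_user_command(name: str, password: Optional[str], roles: List[Dict[str, str]],
                       restrictions: Optional[List[Dict[str, Any]]], create: bool = True) -> Dict[str, Any]:
    """Build the createUser (create=True) or updateUser command document.

    The restriction list is passed through as-is; for updateUser it replaces the
    user's existing authenticationRestrictions array, so omit it to leave them untouched.
    """
    cmd: Dict[str, Any] = {"createUser" if create else "updateUser": name, "roles": roles}
    if password is not None:
        cmd["pwd"] = password
    if restrictions is not None:
        cmd["authenticationRestrictions"] = restrictions
    return cmd


def plan_user_change(users_info: Dict[str, Any], name: str, db: str,
                     desired: List[Dict[str, Any]]) -> str:
    """Decide 'create', 'update' or 'unchanged' from a usersInfo reply
    (run with showAuthenticationRestrictions: true) and the desired restrictions."""
    matches = [u for u in users_info.get("users", []) if u.get("user") == name and u.get("db") == db]
    if not matches:
        return "create"
    current = matches[0].get("authenticationRestrictions", [])
    return "update" if restrictions_changed(desired, current) else "unchanged"


# Constructed usersInfo reply for the app_rw user from Example 2, with the
# clientSource entries deliberately in a different order than the playbook.
SAMPLE_USERS_INFO: Dict[str, Any] = {
    "users": [{
        "_id": "admin.app_rw", "user": "app_rw", "db": "admin",
        "roles": [{"role": "readWrite", "db": "appdb"}, {"role": "read", "db": "logs"}],
        "authenticationRestrictions": [
            {"clientSource": ["192.168.1.0/24", "10.0.0.0/8"], "serverAddress": ["10.0.0.0/8"]},
        ],
    }],
    "ok": 1.0,
}

DESIRED_APP_RW = [{"clientSource": ["10.0.0.0/8", "192.168.1.0/24"], "serverAddress": ["10.0.0.0/8"]}]

if __name__ == "__main__":
    print(validate_restrictions(DESIRED_APP_RW))
    print(plan_user_change(SAMPLE_USERS_INFO, "app_rw", "admin", DESIRED_APP_RW))
    print(build_user_command("app_rw", None, [], [{"clientSource": ["127.0.0.1"]}], create=False))
```

The order-insensitive comparison matters for idempotence: a playbook that lists the same CIDRs in a different order than the server reports them should not report `changed`. Validating with `ipaddress` up front turns a typo such as `10.0.0.0/33` into a clear module failure instead of a server-side error after the task has already started mutating state.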