Internal Failure when creating CfnProject

[lockenj]

Describe the bug Getting the below error when attempting to create a CfnProject resource.

7:34:16 AM | CREATE_FAILED        | MongoDB::Atlas::Project     | EnvMongoAtlasEnvironmentProject69A3D7D5
Internal Failure

To Reproduce Steps to reproduce the behavior:

1. After following all the prerequisites, setting up an Organization API Key, activating the cloudformation extensions etc...
2. Run the included (below) cdk construct, with env variables for the API public/private keys.
3. After a few minutes will receive the Internal Failure error.

Expected behavior I am expecting the CDK to deploy successfully and to have a project created within Mongo Atlas.

Please complete the following information:

• CFN resource version:

  "node_modules/awscdk-resources-mongodbatlas": {
    "version": "3.0.0",
    "resolved": "https://registry.npmjs.org/awscdk-resources-mongodbatlas/-/awscdk-resources-mongodbatlas-3.0.0.tgz",
    "integrity": "sha512-qN6Or5seD2eYjzv6IaNh16+Zq8pxevI2WN9HoxL4ZCNJKq7TkCHO9NPGfu1a4jtmTW1xdNbztOin2rmj0r7ejQ==",
    "peerDependencies": {
      "aws-cdk-lib": "^2.103.0",
      "constructs": "^10.0.5"
    }
  },

• AWS region where you are running the CFN stack: Ohio us-east-2
• CDK constructor type and version: CfnProject
• Copy of the output of cdk synth

  Resources:
  EnvMongoAtlasEnvironmentSecretF9D8568A:
  Type: AWS::SecretsManager::Secret
  Properties:
    Description: Environment (my-env) Secret used for MongoDB Atlas Cloud Formation api keys.
    Name: cfn/atlas/profile/env-my-env
    SecretString: '{"PublicKey":"MY_PUB_KEY","PrivateKey":"MY_PRIV_KEY"}'
  UpdateReplacePolicy: Delete
  DeletionPolicy: Delete
  Metadata:
    aws:cdk:path: FooStack/Env/MongoAtlasEnvironmentSecret/Resource
  EnvMongoAtlasEnvironmentProject69A3D7D5:
  Type: MongoDB::Atlas::Project
  Properties:
    Name: TEST_PROJ
    OrgId: `MY_ORG_ID_HERE`
    ProjectSettings:
      IsCollectDatabaseSpecificsStatisticsEnabled: false
      IsDataExplorerEnabled: false
      IsExtendedStorageSizesEnabled: true
      IsPerformanceAdvisorEnabled: true
      IsRealtimePerformancePanelEnabled: false
      IsSchemaAdvisorEnabled: true
    Profile: env-my-env
    ProjectApiKeys:
      - Key: MY_PUB_KEY_HERE
        RoleNames:
          - GROUP_CLUSTER_MANAGER
    RegionUsageRestrictions: NONE
  UpdateReplacePolicy: Delete
  DeletionPolicy: Delete
  Metadata:
    aws:cdk:path: FooStack/Env/MongoAtlasEnvironmentProject
  CDKMetadata:
  Type: AWS::CDK::Metadata
  Properties:
    Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzQ00DNQTCwv1k1OydbNyUzSqw4uSUzO1gEKxRenJhellhTnJuYlpqcWAWXAfB3ntDwIqxbEDEotzi8tSk6t1cnLT0nVyyrWLzMy0DMHmppVnJmpW1SaV5KZm6oXBKEBtNn+OHIAAAA=
  Metadata:
    aws:cdk:path: FooStack/CDKMetadata/Default
  Parameters:
  BootstrapVersion:
  Type: AWS::SSM::Parameter::Value<String>
  Default: /cdk-bootstrap/hnb659fds/version
  Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
  Rules:
  CheckBootstrapVersion:
  Assertions:
    - Assert:
        Fn::Not:
          - Fn::Contains:
              - - "1"
                - "2"
                - "3"
                - "4"
                - "5"
              - Ref: BootstrapVersion
      AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

Additional context Here is the CDK code that I am using...

    /********************************************************************/
    // ATLAS API KEY SECRET
    /********************************************************************/
    const mongoDBAtlasSecretShortProfileName = `env-${this.#_environmentName}`;
    const mongoDBAtlasSecretProfileName = `cfn/atlas/profile/${mongoDBAtlasSecretShortProfileName}`;

    //createMongoDBAtlasSecret
    const mongoDBAtlasSecret = new secretsmanager.Secret(this, 'MongoAtlasEnvironmentSecret', {
      secretName: mongoDBAtlasSecretProfileName,
      description: `Environment (${this.#_environmentName}) Secret used for MongoDB Atlas Cloud Formation api keys.`,
      secretObjectValue: {
        PublicKey: cdk.SecretValue.unsafePlainText(this.#_mongoPublicKey),
        PrivateKey: cdk.SecretValue.unsafePlainText(this.#_mongoPrivateKey),
      },
    });
    mongoDBAtlasSecret.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);

    /********************************************************************/
    // SETUP/RETRIEVE ATLAS PROJECT
    /********************************************************************/
    const atlasProject = new CfnProject(this, 'MongoAtlasEnvironmentProject', {
      name: this.#_projectName,
      orgId: this.#_organizationId,
      profile: mongoDBAtlasSecretShortProfileName,
      regionUsageRestrictions: 'NONE',
      projectSettings: {
        isPerformanceAdvisorEnabled: true,//Flag that indicates whether to enable the Performance Advisor and Profiler for the specified project.
        isSchemaAdvisorEnabled: true,//Flag that indicates whether to enable the Schema Advisor for the specified project.
        isExtendedStorageSizesEnabled: true, //Flag that indicates whether to enable extended storage sizes for the specified project.
        isCollectDatabaseSpecificsStatisticsEnabled: false,//Flag that indicates whether to collect database-specific metrics for the specified project.
        isDataExplorerEnabled: false,//Flag that indicates whether to enable the Data Explorer for the specified project.
        isRealtimePerformancePanelEnabled: false,//Flag that indicates whether to enable the Real Time Performance Panel for the specified project.
      },
      projectApiKeys: [
        {
          key: this.#_mongoPublicKey,
          roleNames: ["GROUP_CLUSTER_MANAGER"]
        }
      ]
    });
    atlasProject.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);

[github-actions[bot]]

Thanks for opening this issue! Please make sure to provide the following information to help us reproduce the issue:

• CDK code used by the customer
• The output of cdk synth
• List of Public CFN Resources that are activated in the AWS account with their release version
• AWS Region where the CFN stack is running

Thanks for opening this issue. The ticket INTMDB-1397 was created for internal tracking.

[lockenj]

Just in case I attempted deploying this to us-east-1 as well. Same results!

[lockenj]

I see the same issue if I use the AtlasBasic example (https://github.com/mongodb/awscdk-resources-mongodbatlas/blob/main/examples/l3-resources/atlas-basic.ts)

[lockenj]

I also see the same error if I downgrade awscdk-resources-mongodbatlas to ^2.0.0

[lockenj]

I came across this post https://www.mongodb.com/community/forums/t/cloudformation-resources-atlas-project-not-working-in-cdk/183440/6 which is what I needed to figure this out.

I had multiple things wrong:

1. I did not need the projectApiKeys: [] in the props of the CfnProject
2. The role that is being used for the activation needed secretsmanager:GetSecretValue permissions
3. I needed to open up the API Access List of the organization API key. I just used 0.0.0.0/1