MongoDB Atlas Setup Runbook
Status: Phase 1 in progress. Last updated April 12, 2026. Purpose: SOC 2 evidence for CC7.1 (Infrastructure Management), CC8.1 (Change Management)
Cluster Details
| Field | Value |
|---|---|
| Atlas Organization | AskFlorence |
| Atlas Project | AskFlorence |
| Cluster Name | askflorence-prod-01 |
| Tier | M10 (HIPAA-eligible) |
| Cloud Provider | AWS |
| Region | us-east-1 |
| MongoDB Version | 7.x (latest stable) |
| Created Date | April 12, 2026 |
| Created By | Taha Abbasi (Founder) |
Compliance Configuration
| Setting | Status | Notes |
|---|---|---|
| BAA (HIPAA) | Pending signature | Available in Atlas Organization → Compliance |
| Encryption at Rest | Enabled | AES-256, Atlas default on M10+ |
| Encryption in Transit | Required | TLS for all connections, Atlas default |
| Atlas Audit Logging | Pending enablement | Captures auth events, CRUD operations |
| Continuous Backup | Enabled | Atlas default on M10+, verify ≥7 day retention |
| Network Access | IP allowlist | Development IPs only; VPC peering deferred until ECS deployment |
Database
| Field | Value |
|---|---|
| Database Name | askflorence |
| Created | April 12, 2026 |
Phase 1 Collections
| Collection | Purpose | Created |
|---|---|---|
| plan_years | State+year configuration (FPL, SLCSP, contribution brackets, Essential Plan tiers, tier multipliers, standard cost-sharing) | April 12, 2026 |
| plans | Full plan data: premiums by region, ~54 benefit/copay fields, deductible, MOOP, issuer, metal, URLs, counties served | April 12, 2026 |
| regions | Rating regions with county lists, SLCSP, lowest Silver premium, plan count | April 12, 2026 |
| zip_county | Zip code → county name, FIPS code, state, region lookup | April 12, 2026 |
| audit_log | API access events, data ingestion actions, PHI access trail | April 12, 2026 |
Indexes
plan_years
- `{ state: 1, year: 1 }` — unique
plans
- `{ state: 1, year: 1, program: 1 }`
- `{ countiesServed: 1 }`
- `{ hiosId: 1, year: 1 }` — unique
- `{ state: 1, year: 1, metal: 1 }`
regions
- `{ state: 1, year: 1, regionId: 1 }` — unique
zip_county
- `{ zip: 1 }` — unique
audit_log
- `{ timestamp: -1 }` — query ordering
- `{ timestamp: 1 }` — TTL: 7 years (220,752,000 seconds)
Database Users
Bootstrap User (created during setup)
| User | Role | Purpose |
|---|---|---|
| atlas-admin-taha | Atlas admin | Initial setup and administration |
Scoped Service Users (deferred — to be created after collections exist)
| User | Access | Purpose |
|---|---|---|
| app-read | Read-only on plan_years, plans, regions, zip_county | API server queries |
| app-write | Read-write on all Phase 1 collections | Data ingestion scripts |
| audit-write | Insert-only on audit_log | API audit trail writes |
Status: Scoped users are intentionally deferred until Phase 1 collections are created and verified. This ensures permissions are scoped against real database resources, not overly broad bootstrap grants.
Connection String Format
`mongodb+srv://<user>:<password>@askflorence-prod-01.njkihm.mongodb.net/askflorence?retryWrites=true&w=majority`

Credentials are stored in:
- Development: `.env.local` (gitignored)
- Production: AWS Secrets Manager (future)

Never committed to source control. See `.env.example` for placeholder format.
Backup Configuration
| Setting | Value |
|---|---|
| Backup type | Continuous (Atlas managed) |
| Retention | Minimum 7 days |
| Point-in-time recovery | Available within retention window |
| Backup encryption | Same as cluster encryption (AES-256) |
Network Access
| Entry | IP/CIDR | Purpose | Added | Remove By |
|---|---|---|---|---|
| Development (open) | 0.0.0.0/0 | Development phase — open access | April 12, 2026 | Before production launch |
Future: VPC peering with AWS ECS when the API service is deployed. At that point, development IPs will be removed and all access will flow through the VPC peer.
Setup Script
Database and collection creation is automated via:
`node scripts/db/setup-collections.js`

This script:
- Connects using `MONGODB_URI` from `.env.local`
- Creates the `askflorence` database
- Creates all 5 Phase 1 collections
- Creates all indexes (idempotent — safe to re-run)
- Prints verification summary
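As an added example (not the project's `scripts/db/setup-collections.js`), the idempotent collection-and-index step the script performs, using the index keys from the Indexes section above, including the unique and 7-year TTL indexes; it assumes the official `mongodb` Node driver is installed and reads `MONGODB_URI` from the environment for the live run.

```javascript
// Added example (not the project's scripts/db/setup-collections.js) of the
// idempotent index step the setup script performs. Collection names and keys are
// the runbook's; driver calls are the official `mongodb` Node driver's (assumed
// installed for the live path only).
const SEVEN_YEARS_SECONDS = 7 * 365 * 24 * 60 * 60; // 220,752,000 per the runbook

// Specs in the shape Collection.createIndexes() accepts. No explicit names: the
// driver derives deterministic ones (state_1_year_1), so a re-run sees an identical
// key/name/options and is a no-op rather than a duplicate or an options conflict.
function indexSpecs() {
  return {
    plan_years: [{ key: { state: 1, year: 1 }, unique: true }],
    plans: [
      { key: { state: 1, year: 1, program: 1 } },
      { key: { countiesServed: 1 } },
      { key: { hiosId: 1, year: 1 }, unique: true },
      { key: { state: 1, year: 1, metal: 1 } },
    ],
    regions: [{ key: { state: 1, year: 1, regionId: 1 }, unique: true }],
    zip_county: [{ key: { zip: 1 }, unique: true }],
    audit_log: [
      { key: { timestamp: -1 } }, // query ordering
      { key: { timestamp: 1 }, expireAfterSeconds: SEVEN_YEARS_SECONDS }, // TTL
    ],
  };
}

// Create each collection (code 48 NamespaceExists is expected on re-runs) and its
// indexes; returns the index names for the verification summary.
async function applyIndexes(db) {
  const created = [];
  for (const [name, specs] of Object.entries(indexSpecs())) {
    await db.createCollection(name).catch((e) => { if (e.code !== 48) throw e; });
    created.push(...(await db.collection(name).createIndexes(specs)));
  }
  return created;
}

// Live path, entered only when MONGODB_URI is set so the file loads without a cluster.
async function main() {
  const { MongoClient } = require('mongodb');
  const client = new MongoClient(process.env.MONGODB_URI); // driver >= 4.7 auto-connects
  try { console.log('Verified indexes:', await applyIndexes(client.db('askflorence'))); }
  finally { await client.close(); }
}
if (process.env.MONGODB_URI) main().catch((e) => { console.error(e); process.exit(1); });
```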
Next Steps
- [ ] Sign Atlas BAA
- [ ] Enable Atlas audit logging
- [ ] Create scoped service users after collections are verified
- [ ] Verify backup retention is ≥7 days
- [ ] Load NY 2026 plan data (Issue #45)
- [ ] Set up VPC peering when ECS is deployed