feat: Supports configuring BYOK encryption on search nodes (#3142)

* use SDK preview in encryption_at_rest

* changelog

* Revert "use SDK preview in encryption_at_rest"

This reverts commit 609c9dc.

* trigger change in EAR

* Revert "trigger change in EAR"

This reverts commit 15794dd.

* Reapply "use SDK preview in encryption_at_rest"

This reverts commit 1c2db30.

* TEMPORARY: send enabled_for_search_nodes = true

* finish resource implementation and tests

* data source implementation and test

* doc update

* default and refactor test

* remove old migration test

* default value in resource

* unit test

---------

Co-authored-by: Oriol Arbusi <[email protected]>

Author: lantoli

.changelog/3142.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest: Adds `enabled_for_search_nodes` attribute
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_encryption_at_rest: Adds `enabled_for_search_nodes` attribute
+```

docs/data-sources/encryption_at_rest.md

@@ -135,6 +135,7 @@ output "is_gcp_encryption_at_rest_valid" {
 
 - `aws_kms_config` (Attributes) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedatt--aws_kms_config))
 - `azure_key_vault_config` (Attributes) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedatt--azure_key_vault_config))
+- `enabled_for_search_nodes` (Boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
 - `google_cloud_kms_config` (Attributes) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedatt--google_cloud_kms_config))
 - `id` (String) The ID of this resource.
 

docs/resources/encryption_at_rest.md

@@ -155,6 +155,7 @@ resource "mongodbatlas_encryption_at_rest" "test" {
 
 - `aws_kms_config` (Block List) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedblock--aws_kms_config))
 - `azure_key_vault_config` (Block List) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedblock--azure_key_vault_config))
+- `enabled_for_search_nodes` (Boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
 - `google_cloud_kms_config` (Block List) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedblock--google_cloud_kms_config))
 
 ### Read-Only

internal/service/encryptionatrest/data_source.go

@@ -36,7 +36,8 @@ func (d *encryptionAtRestDS) Read(ctx context.Context, req datasource.ReadReques
 		return
 	}
 
-	connV2 := d.Client.AtlasV2
+	// TODO: update before merging to master: connV2 := d.Client.AtlasV2
+	connV2 := d.Client.AtlasPreview
 	projectID := earConfig.ProjectID.ValueString()
 
 	encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), projectID).Execute()

internal/service/encryptionatrest/data_source_schema.go

@@ -3,7 +3,8 @@ package encryptionatrest
 import (
 	"context"
 
-	"go.mongodb.org/atlas-sdk/v20250219001/admin"
+	// TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin"
+	"github.com/mongodb/atlas-sdk-go/admin"
 
 	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/types"
@@ -139,24 +140,30 @@ func DataSourceSchema(ctx context.Context) schema.Schema {
 			"id": schema.StringAttribute{
 				Computed: true,
 			},
+			"enabled_for_search_nodes": schema.BoolAttribute{
+				Computed:            true,
+				MarkdownDescription: "Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.",
+			},
 		},
 	}
 }
 
 type TFEncryptionAtRestDSModel struct {
-	AzureKeyVaultConfig  *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
-	AwsKmsConfig         *TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
-	GoogleCloudKmsConfig *TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
-	ID                   types.String                `tfsdk:"id"`
-	ProjectID            types.String                `tfsdk:"project_id"`
+	AzureKeyVaultConfig   *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
+	AwsKmsConfig          *TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
+	GoogleCloudKmsConfig  *TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
+	ID                    types.String                `tfsdk:"id"`
+	ProjectID             types.String                `tfsdk:"project_id"`
+	EnabledForSearchNodes types.Bool                  `tfsdk:"enabled_for_search_nodes"`
 }
 
 func NewTFEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TFEncryptionAtRestDSModel {
 	return &TFEncryptionAtRestDSModel{
-		ID:                   types.StringValue(projectID),
-		ProjectID:            types.StringValue(projectID),
-		AwsKmsConfig:         NewTFAwsKmsConfigItem(encryptionResp.AwsKms),
-		AzureKeyVaultConfig:  NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault),
-		GoogleCloudKmsConfig: NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms),
+		ID:                    types.StringValue(projectID),
+		ProjectID:             types.StringValue(projectID),
+		AwsKmsConfig:          NewTFAwsKmsConfigItem(encryptionResp.AwsKms),
+		AzureKeyVaultConfig:   NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault),
+		GoogleCloudKmsConfig:  NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms),
+		EnabledForSearchNodes: types.BoolPointerValue(encryptionResp.EnabledForSearchNodes),
 	}
 }

internal/service/encryptionatrest/model.go

@@ -3,20 +3,26 @@ package encryptionatrest
 import (
 	"context"
 
-	"go.mongodb.org/atlas-sdk/v20250219001/admin"
+	// TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin"
+	"github.com/mongodb/atlas-sdk-go/admin"
 
 	"github.com/hashicorp/terraform-plugin-framework/types"
 
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
 )
 
 func NewTFEncryptionAtRestRSModel(ctx context.Context, projectID string, encryptionResp *admin.EncryptionAtRest) *TfEncryptionAtRestRSModel {
+	enabledForSearchNodes := false
+	if encryptionResp.EnabledForSearchNodes != nil {
+		enabledForSearchNodes = encryptionResp.GetEnabledForSearchNodes()
+	}
 	return &TfEncryptionAtRestRSModel{
-		ID:                   types.StringValue(projectID),
-		ProjectID:            types.StringValue(projectID),
-		AwsKmsConfig:         NewTFAwsKmsConfig(ctx, encryptionResp.AwsKms),
-		AzureKeyVaultConfig:  NewTFAzureKeyVaultConfig(ctx, encryptionResp.AzureKeyVault),
-		GoogleCloudKmsConfig: NewTFGcpKmsConfig(ctx, encryptionResp.GoogleCloudKms),
+		ID:                    types.StringValue(projectID),
+		ProjectID:             types.StringValue(projectID),
+		AwsKmsConfig:          NewTFAwsKmsConfig(ctx, encryptionResp.AwsKms),
+		AzureKeyVaultConfig:   NewTFAzureKeyVaultConfig(ctx, encryptionResp.AzureKeyVault),
+		GoogleCloudKmsConfig:  NewTFGcpKmsConfig(ctx, encryptionResp.GoogleCloudKms),
+		EnabledForSearchNodes: types.BoolValue(enabledForSearchNodes),
 	}
 }
 
@@ -151,3 +157,19 @@ func NewAtlasAzureKeyVault(tfAzKeyVaultConfigSlice []TFAzureKeyVaultConfigModel)
 		RequirePrivateNetworking: v.RequirePrivateNetworking.ValueBoolPointer(),
 	}
 }
+
+func NewAtlasEncryptionAtRest(encryptionAtRestPlan, encryptionAtRestState *TfEncryptionAtRestRSModel, atlasEncryptionAtRest *admin.EncryptionAtRest) *admin.EncryptionAtRest {
+	if hasAwsKmsConfigChanged(encryptionAtRestPlan.AwsKmsConfig, encryptionAtRestState.AwsKmsConfig) {
+		atlasEncryptionAtRest.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig)
+	}
+	if hasAzureKeyVaultConfigChanged(encryptionAtRestPlan.AzureKeyVaultConfig, encryptionAtRestState.AzureKeyVaultConfig) {
+		atlasEncryptionAtRest.AzureKeyVault = NewAtlasAzureKeyVault(encryptionAtRestPlan.AzureKeyVaultConfig)
+	}
+	if hasGcpKmsConfigChanged(encryptionAtRestPlan.GoogleCloudKmsConfig, encryptionAtRestState.GoogleCloudKmsConfig) {
+		atlasEncryptionAtRest.GoogleCloudKms = NewAtlasGcpKms(encryptionAtRestPlan.GoogleCloudKmsConfig)
+	}
+	if encryptionAtRestPlan.EnabledForSearchNodes != encryptionAtRestState.EnabledForSearchNodes {
+		atlasEncryptionAtRest.EnabledForSearchNodes = encryptionAtRestPlan.EnabledForSearchNodes.ValueBoolPointer()
+	}
+	return atlasEncryptionAtRest
+}

internal/service/encryptionatrest/model_test.go

@@ -4,7 +4,8 @@ import (
 	"context"
 	"testing"
 
-	"go.mongodb.org/atlas-sdk/v20250219001/admin"
+	// TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin"
+	"github.com/mongodb/atlas-sdk-go/admin"
 
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/stretchr/testify/assert"
@@ -84,9 +85,10 @@ var (
 		ServiceAccountKey:    types.StringValue(serviceAccountKey),
 	}
 	EncryptionAtRest = &admin.EncryptionAtRest{
-		AwsKms:         AWSKMSConfiguration,
-		AzureKeyVault:  AzureKeyVault,
-		GoogleCloudKms: GoogleCloudKMS,
+		AwsKms:                AWSKMSConfiguration,
+		AzureKeyVault:         AzureKeyVault,
+		GoogleCloudKms:        GoogleCloudKMS,
+		EnabledForSearchNodes: &enabled,
 	}
 )
 
@@ -100,11 +102,12 @@ func TestNewTfEncryptionAtRestRSModel(t *testing.T) {
 			name:     "Success NewTFAwsKmsConfig",
 			sdkModel: EncryptionAtRest,
 			expectedResult: &encryptionatrest.TfEncryptionAtRestRSModel{
-				ID:                   types.StringValue(projectID),
-				ProjectID:            types.StringValue(projectID),
-				AwsKmsConfig:         []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel},
-				AzureKeyVaultConfig:  []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel},
-				GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel},
+				ID:                    types.StringValue(projectID),
+				ProjectID:             types.StringValue(projectID),
+				AwsKmsConfig:          []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel},
+				AzureKeyVaultConfig:   []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel},
+				GoogleCloudKmsConfig:  []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel},
+				EnabledForSearchNodes: types.BoolValue(enabled),
 			},
 		},
 	}

internal/service/encryptionatrest/resource.go

@@ -8,12 +8,14 @@ import (
 	"reflect"
 	"time"
 
-	"go.mongodb.org/atlas-sdk/v20250219001/admin"
+	// TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin"
+	"github.com/mongodb/atlas-sdk-go/admin"
 
 	"github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
@@ -52,11 +54,12 @@ type encryptionAtRestRS struct {
 }
 
 type TfEncryptionAtRestRSModel struct {
-	ID                   types.String                 `tfsdk:"id"`
-	ProjectID            types.String                 `tfsdk:"project_id"`
-	AwsKmsConfig         []TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
-	AzureKeyVaultConfig  []TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
-	GoogleCloudKmsConfig []TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
+	ID                    types.String                 `tfsdk:"id"`
+	ProjectID             types.String                 `tfsdk:"project_id"`
+	AwsKmsConfig          []TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
+	AzureKeyVaultConfig   []TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
+	GoogleCloudKmsConfig  []TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
+	EnabledForSearchNodes types.Bool                   `tfsdk:"enabled_for_search_nodes"`
 }
 
 type TFAwsKmsConfigModel struct {
@@ -105,6 +108,12 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ
 				},
 				MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.",
 			},
+			"enabled_for_search_nodes": schema.BoolAttribute{
+				Optional:            true,
+				Computed:            true,
+				Default:             booldefault.StaticBool(false),
+				MarkdownDescription: "Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.",
+			},
 		},
 		Blocks: map[string]schema.Block{
 			"aws_kms_config": schema.ListNestedBlock{
@@ -262,7 +271,8 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ
 func (r *encryptionAtRestRS) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
 	var encryptionAtRestPlan *TfEncryptionAtRestRSModel
 	var encryptionAtRestConfig *TfEncryptionAtRestRSModel
-	connV2 := r.Client.AtlasV2
+	// TODO: update before merging to master: connV2 := d.Client.AtlasV2
+	connV2 := r.Client.AtlasPreview
 
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &encryptionAtRestPlan)...)
 	resp.Diagnostics.Append(req.Config.Get(ctx, &encryptionAtRestConfig)...)
@@ -272,6 +282,9 @@ func (r *encryptionAtRestRS) Create(ctx context.Context, req resource.CreateRequ
 
 	projectID := encryptionAtRestPlan.ProjectID.ValueString()
 	encryptionAtRestReq := &admin.EncryptionAtRest{}
+	if !encryptionAtRestPlan.EnabledForSearchNodes.IsNull() {
+		encryptionAtRestReq.EnabledForSearchNodes = conversion.Pointer(encryptionAtRestPlan.EnabledForSearchNodes.ValueBool())
+	}
 	if encryptionAtRestPlan.AwsKmsConfig != nil {
 		encryptionAtRestReq.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig)
 	}
@@ -344,7 +357,8 @@ func (r *encryptionAtRestRS) Read(ctx context.Context, req resource.ReadRequest,
 		isImport = true
 	}
 
-	connV2 := r.Client.AtlasV2
+	// TODO: update before merging to master: connV2 := d.Client.AtlasV2
+	connV2 := r.Client.AtlasPreview
 
 	encryptionResp, getResp, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), projectID).Execute()
 	if err != nil {
@@ -374,7 +388,8 @@ func (r *encryptionAtRestRS) Update(ctx context.Context, req resource.UpdateRequ
 	var encryptionAtRestState *TfEncryptionAtRestRSModel
 	var encryptionAtRestConfig *TfEncryptionAtRestRSModel
 	var encryptionAtRestPlan *TfEncryptionAtRestRSModel
-	connV2 := r.Client.AtlasV2
+	// TODO: update before merging to master: connV2 := d.Client.AtlasV2
+	connV2 := r.Client.AtlasPreview
 
 	// get current config
 	resp.Diagnostics.Append(req.Config.Get(ctx, &encryptionAtRestConfig)...)
@@ -398,17 +413,8 @@ func (r *encryptionAtRestRS) Update(ctx context.Context, req resource.UpdateRequ
 		return
 	}
 
-	if hasAwsKmsConfigChanged(encryptionAtRestPlan.AwsKmsConfig, encryptionAtRestState.AwsKmsConfig) {
-		atlasEncryptionAtRest.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig)
-	}
-	if hasAzureKeyVaultConfigChanged(encryptionAtRestPlan.AzureKeyVaultConfig, encryptionAtRestState.AzureKeyVaultConfig) {
-		atlasEncryptionAtRest.AzureKeyVault = NewAtlasAzureKeyVault(encryptionAtRestPlan.AzureKeyVaultConfig)
-	}
-	if hasGcpKmsConfigChanged(encryptionAtRestPlan.GoogleCloudKmsConfig, encryptionAtRestState.GoogleCloudKmsConfig) {
-		atlasEncryptionAtRest.GoogleCloudKms = NewAtlasGcpKms(encryptionAtRestPlan.GoogleCloudKmsConfig)
-	}
-
-	encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(ctx, projectID, atlasEncryptionAtRest).Execute()
+	updateReq := NewAtlasEncryptionAtRest(encryptionAtRestPlan, encryptionAtRestState, atlasEncryptionAtRest)
+	encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(ctx, projectID, updateReq).Execute()
 	if err != nil {
 		resp.Diagnostics.AddError("error updating encryption at rest", fmt.Sprintf(errorUpdateEncryptionAtRest, err.Error()))
 		return
@@ -431,7 +437,8 @@ func (r *encryptionAtRestRS) Delete(ctx context.Context, req resource.DeleteRequ
 	}
 
 	enabled := false
-	connV2 := r.Client.AtlasV2
+	// TODO: update before merging to master: connV2 := d.Client.AtlasV2
+	connV2 := r.Client.AtlasPreview
 	projectID := encryptionAtRestState.ProjectID.ValueString()
 
 	_, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), projectID).Execute()

internal/service/encryptionatrest/resource_migration_test.go

@@ -5,7 +5,8 @@ import (
 	"strconv"
 	"testing"
 
-	"go.mongodb.org/atlas-sdk/v20250219001/admin"
+	// TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin"
+	"github.com/mongodb/atlas-sdk-go/admin"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 
@@ -27,6 +28,7 @@ func TestMigEncryptionAtRest_basicAWS(t *testing.T) {
 		}
 		useDatasource               = mig.IsProviderVersionAtLeast("1.19.0") // data source introduced in this version
 		useRequirePrivateNetworking = mig.IsProviderVersionAtLeast("1.28.0") // require_private_networking introduced in this version
+		useEnabledForSearchNodes    = mig.IsProviderVersionAtLeast("1.30.0") // enabled_for_search_nodes introduced in this version
 	)
 
 	resource.Test(t, resource.TestCase{
@@ -35,13 +37,13 @@ func TestMigEncryptionAtRest_basicAWS(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				ExternalProviders: mig.ExternalProviders(),
-				Config:            acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking),
+				Config:            acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking, useEnabledForSearchNodes),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					acc.CheckEARExists(resourceName),
 					resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.enabled", "true"),
 				),
 			},
-			mig.TestStepCheckEmptyPlan(acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking)),
+			mig.TestStepCheckEmptyPlan(acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking, useEnabledForSearchNodes)),
 		},
 	})
 }
@@ -135,40 +137,3 @@ func TestMigEncryptionAtRest_basicGCP(t *testing.T) {
 		},
 	})
 }
-
-func TestMigEncryptionAtRest_basicAWS_from_v1_11_0(t *testing.T) {
-	var (
-		resourceName = "mongodbatlas_encryption_at_rest.test"
-		projectID    = os.Getenv("MONGODB_ATLAS_PROJECT_EAR_PE_AWS_ID") // to use RequirePrivateNetworking, Atlas Project is required to have FF enabled
-
-		awsKms = admin.AWSKMSConfiguration{
-			Enabled:             conversion.Pointer(true),
-			AccessKeyID:         conversion.StringPtr(os.Getenv("AWS_ACCESS_KEY_ID")),
-			SecretAccessKey:     conversion.StringPtr(os.Getenv("AWS_SECRET_ACCESS_KEY")),
-			CustomerMasterKeyID: conversion.StringPtr(os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID")),
-			Region:              conversion.StringPtr(conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))),
-			RoleId:              conversion.StringPtr(os.Getenv("AWS_EAR_ROLE_ID")),
-		}
-		useDatasource               = mig.IsProviderVersionAtLeast("1.19.0") // data source introduced in this version
-		useRequirePrivateNetworking = mig.IsProviderVersionAtLeast("1.28.0") // require_private_networking introduced in this version
-	)
-
-	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { acc.PreCheckAwsEnv(t) },
-		CheckDestroy: acc.EARDestroy,
-		Steps: []resource.TestStep{
-			{
-				ExternalProviders: acc.ExternalProvidersWithAWS("1.11.0"),
-				Config:            acc.ConfigAwsKms(projectID, &awsKms, false, false),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					acc.CheckEARExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.enabled", "true"),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.region", awsKms.GetRegion()),
-					resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.role_id", awsKms.GetRoleId()),
-				),
-			},
-			mig.TestStepCheckEmptyPlan(acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking)),
-		},
-	})
-}