feat: Support configuring BYOK encryption on search nodes (#3199)

* feat: Supports configuring BYOK encryption on search nodes (#3142)

* use SDK preview in encryption_at_rest

* changelog

* Revert "use SDK preview in encryption_at_rest"

This reverts commit 609c9dc.

* trigger change in EAR

* Revert "trigger change in EAR"

This reverts commit 15794dd.

* Reapply "use SDK preview in encryption_at_rest"

This reverts commit 1c2db30.

* TEMPORARY: send enabled_for_search_nodes = true

* finish resource implementation and tests

* data source implementation and test

* doc update

* default and refactor test

* remove old migration test

* default value in resource

* unit test

---------

Co-authored-by: Oriol Arbusi <[email protected]>

* feat: Adds `encryption_at_rest_provider` to `mongodbatlas_search_deployment` resource and data source (#3152)

* use preview

* add encryption_at_rest_provider computed attribute

* remove check

* dosc

* rename files

* move adv_cluster config out of resources

* fix config

* project id

* add TODO to version

* doc: Updates examples with newly added attributes to `mongodbatlas_search_deployment` and `mongodbatlas_encryption_at_rest` (#3174)

* add new attribute to the example

* examples updates

* nit: end with new line

* fix tf validate

* todos

* PR suggestions + test failure

---------

Co-authored-by: Leo Antoli <[email protected]>

Author: oarbusi

.changelog/3142.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest: Adds `enabled_for_search_nodes` attribute
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_encryption_at_rest: Adds `enabled_for_search_nodes` attribute
+```

.changelog/3152.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_search_deployment: Adds `encryption_at_rest_provider` computed attribute
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_search_deployment: Adds `encryption_at_rest_provider` computed attribute
+```

docs/data-sources/encryption_at_rest.md

@@ -41,6 +41,8 @@ resource "mongodbatlas_encryption_at_rest" "test" {
     region                 = var.atlas_region
     role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
   }
+
+  enabled_for_search_nodes = true
 }
 
 resource "mongodbatlas_advanced_cluster" "cluster" {
@@ -135,6 +137,7 @@ output "is_gcp_encryption_at_rest_valid" {
 
 - `aws_kms_config` (Attributes) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedatt--aws_kms_config))
 - `azure_key_vault_config` (Attributes) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedatt--azure_key_vault_config))
+- `enabled_for_search_nodes` (Boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
 - `google_cloud_kms_config` (Attributes) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedatt--google_cloud_kms_config))
 - `id` (String) The ID of this resource.
 

docs/data-sources/search_deployment.md

@@ -46,6 +46,10 @@ data "mongodbatlas_search_deployment" "example" {
 output "mongodbatlas_search_deployment_id" {
   value = data.mongodbatlas_search_deployment.example.id
 }
+
+output "mongodbatlas_search_deployment_encryption_at_rest_provider" {
+  value = data.mongodbatlas_search_deployment.example.encryption_at_rest_provider
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -58,6 +62,7 @@ output "mongodbatlas_search_deployment_id" {
 
 ### Read-Only
 
+- `encryption_at_rest_provider` (String) Cloud service provider that manages your customer keys to provide an additional layer of Encryption At Rest for the cluster.
 - `id` (String) Unique 24-hexadecimal digit string that identifies the search deployment.
 - `specs` (Attributes List) List of settings that configure the search nodes for your cluster. This list is currently limited to defining a single element. (see [below for nested schema](#nestedatt--specs))
 - `state_name` (String) Human-readable label that indicates the current operating condition of this search deployment.

docs/resources/encryption_at_rest.md

@@ -56,6 +56,8 @@ resource "mongodbatlas_encryption_at_rest" "test" {
     region                 = var.atlas_region
     role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
   }
+
+  enabled_for_search_nodes = true
 }
 
 resource "mongodbatlas_advanced_cluster" "cluster" {
@@ -155,6 +157,7 @@ resource "mongodbatlas_encryption_at_rest" "test" {
 
 - `aws_kms_config` (Block List) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedblock--aws_kms_config))
 - `azure_key_vault_config` (Block List) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedblock--azure_key_vault_config))
+- `enabled_for_search_nodes` (Boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.
 - `google_cloud_kms_config` (Block List) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedblock--google_cloud_kms_config))
 
 ### Read-Only

docs/resources/search_deployment.md

@@ -51,6 +51,10 @@ data "mongodbatlas_search_deployment" "example" {
 output "mongodbatlas_search_deployment_id" {
   value = data.mongodbatlas_search_deployment.example.id
 }
+
+output "mongodbatlas_search_deployment_encryption_at_rest_provider" {
+  value = data.mongodbatlas_search_deployment.example.encryption_at_rest_provider
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -68,6 +72,7 @@ output "mongodbatlas_search_deployment_id" {
 
 ### Read-Only
 
+- `encryption_at_rest_provider` (String) Cloud service provider that manages your customer keys to provide an additional layer of Encryption At Rest for the cluster.
 - `id` (String) Unique 24-hexadecimal digit string that identifies the search deployment.
 - `state_name` (String) Human-readable label that indicates the current operating condition of this search deployment.
 

examples/mongodbatlas_encryption_at_rest/aws/atlas-cluster/main.tf

@@ -21,6 +21,8 @@ resource "mongodbatlas_encryption_at_rest" "test" {
     region                 = var.atlas_region
     role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
   }
+
+  enabled_for_search_nodes = true
 }
 
 resource "mongodbatlas_advanced_cluster" "cluster" {

examples/mongodbatlas_search_deployment/main.tf

@@ -40,3 +40,7 @@ data "mongodbatlas_search_deployment" "example" {
 output "mongodbatlas_search_deployment_id" {
   value = data.mongodbatlas_search_deployment.example.id
 }
+
+output "mongodbatlas_search_deployment_encryption_at_rest_provider" {
+  value = data.mongodbatlas_search_deployment.example.encryption_at_rest_provider
+}

internal/service/advancedcluster/resource_advanced_cluster_test.go

@@ -136,7 +136,7 @@ func testAccAdvancedClusterFlexUpgrade(t *testing.T, instanceSize string, includ
 	}
 	if includeDedicated {
 		steps = append(steps, resource.TestStep{
-			Config: acc.ConvertAdvancedClusterToPreviewProviderV2(t, true, configBasicDedicated(projectID, clusterName, defaultZoneName)),
+			Config: acc.ConvertAdvancedClusterToPreviewProviderV2(t, true, acc.ConfigBasicDedicated(projectID, clusterName, defaultZoneName)),
 			Check:  checksBasicDedicated(projectID, clusterName),
 		})
 	}
@@ -171,7 +171,7 @@ func TestAccMockableAdvancedCluster_tenantUpgrade(t *testing.T) {
 				Check:  checkTenant(true, projectID, clusterName),
 			},
 			{
-				Config: acc.ConvertAdvancedClusterToPreviewProviderV2(t, true, configBasicDedicated(projectID, clusterName, defaultZoneName)),
+				Config: acc.ConvertAdvancedClusterToPreviewProviderV2(t, true, acc.ConfigBasicDedicated(projectID, clusterName, defaultZoneName)),
 				Check:  checksBasicDedicated(projectID, clusterName),
 			},
 			acc.TestStepImportCluster(resourceName),
@@ -1659,33 +1659,6 @@ func checkTenant(usePreviewProvider bool, projectID, name string) resource.TestC
 		pluralChecks...)
 }
 
-func configBasicDedicated(projectID, name, zoneName string) string {
-	zoneNameLine := ""
-	if zoneName != "" {
-		zoneNameLine = fmt.Sprintf("zone_name = %q", zoneName)
-	}
-	return fmt.Sprintf(`
-	resource "mongodbatlas_advanced_cluster" "test" {
-		project_id   = %[1]q
-		name         = %[2]q
-		cluster_type = "REPLICASET"
-		
-		replication_specs {
-			region_configs {
-				priority        = 7
-				provider_name = "AWS"
-				region_name     = "US_EAST_1"
-				electable_specs {
-					node_count = 3
-					instance_size = "M10"
-				}
-			}
-			%[3]s
-		}
-	}
-	`, projectID, name, zoneNameLine) + dataSourcesTFNewSchema
-}
-
 func checksBasicDedicated(projectID, name string) resource.TestCheckFunc {
 	originalChecks := checkTenant(true, projectID, name)
 	checkMap := map[string]string{

internal/service/encryptionatrest/data_source_schema.go

@@ -139,24 +139,30 @@ func DataSourceSchema(ctx context.Context) schema.Schema {
 			"id": schema.StringAttribute{
 				Computed: true,
 			},
+			"enabled_for_search_nodes": schema.BoolAttribute{
+				Computed:            true,
+				MarkdownDescription: "Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.",
+			},
 		},
 	}
 }
 
 type TFEncryptionAtRestDSModel struct {
-	AzureKeyVaultConfig  *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
-	AwsKmsConfig         *TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
-	GoogleCloudKmsConfig *TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
-	ID                   types.String                `tfsdk:"id"`
-	ProjectID            types.String                `tfsdk:"project_id"`
+	AzureKeyVaultConfig   *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
+	AwsKmsConfig          *TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
+	GoogleCloudKmsConfig  *TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
+	ID                    types.String                `tfsdk:"id"`
+	ProjectID             types.String                `tfsdk:"project_id"`
+	EnabledForSearchNodes types.Bool                  `tfsdk:"enabled_for_search_nodes"`
 }
 
 func NewTFEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TFEncryptionAtRestDSModel {
 	return &TFEncryptionAtRestDSModel{
-		ID:                   types.StringValue(projectID),
-		ProjectID:            types.StringValue(projectID),
-		AwsKmsConfig:         NewTFAwsKmsConfigItem(encryptionResp.AwsKms),
-		AzureKeyVaultConfig:  NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault),
-		GoogleCloudKmsConfig: NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms),
+		ID:                    types.StringValue(projectID),
+		ProjectID:             types.StringValue(projectID),
+		AwsKmsConfig:          NewTFAwsKmsConfigItem(encryptionResp.AwsKms),
+		AzureKeyVaultConfig:   NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault),
+		GoogleCloudKmsConfig:  NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms),
+		EnabledForSearchNodes: types.BoolPointerValue(encryptionResp.EnabledForSearchNodes),
 	}
 }

internal/service/encryptionatrest/model.go

@@ -11,12 +11,17 @@ import (
 )
 
 func NewTFEncryptionAtRestRSModel(ctx context.Context, projectID string, encryptionResp *admin.EncryptionAtRest) *TfEncryptionAtRestRSModel {
+	enabledForSearchNodes := false
+	if encryptionResp.EnabledForSearchNodes != nil {
+		enabledForSearchNodes = encryptionResp.GetEnabledForSearchNodes()
+	}
 	return &TfEncryptionAtRestRSModel{
-		ID:                   types.StringValue(projectID),
-		ProjectID:            types.StringValue(projectID),
-		AwsKmsConfig:         NewTFAwsKmsConfig(ctx, encryptionResp.AwsKms),
-		AzureKeyVaultConfig:  NewTFAzureKeyVaultConfig(ctx, encryptionResp.AzureKeyVault),
-		GoogleCloudKmsConfig: NewTFGcpKmsConfig(ctx, encryptionResp.GoogleCloudKms),
+		ID:                    types.StringValue(projectID),
+		ProjectID:             types.StringValue(projectID),
+		AwsKmsConfig:          NewTFAwsKmsConfig(ctx, encryptionResp.AwsKms),
+		AzureKeyVaultConfig:   NewTFAzureKeyVaultConfig(ctx, encryptionResp.AzureKeyVault),
+		GoogleCloudKmsConfig:  NewTFGcpKmsConfig(ctx, encryptionResp.GoogleCloudKms),
+		EnabledForSearchNodes: types.BoolValue(enabledForSearchNodes),
 	}
 }
 
@@ -151,3 +156,19 @@ func NewAtlasAzureKeyVault(tfAzKeyVaultConfigSlice []TFAzureKeyVaultConfigModel)
 		RequirePrivateNetworking: v.RequirePrivateNetworking.ValueBoolPointer(),
 	}
 }
+
+func NewAtlasEncryptionAtRest(encryptionAtRestPlan, encryptionAtRestState *TfEncryptionAtRestRSModel, atlasEncryptionAtRest *admin.EncryptionAtRest) *admin.EncryptionAtRest {
+	if hasAwsKmsConfigChanged(encryptionAtRestPlan.AwsKmsConfig, encryptionAtRestState.AwsKmsConfig) {
+		atlasEncryptionAtRest.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig)
+	}
+	if hasAzureKeyVaultConfigChanged(encryptionAtRestPlan.AzureKeyVaultConfig, encryptionAtRestState.AzureKeyVaultConfig) {
+		atlasEncryptionAtRest.AzureKeyVault = NewAtlasAzureKeyVault(encryptionAtRestPlan.AzureKeyVaultConfig)
+	}
+	if hasGcpKmsConfigChanged(encryptionAtRestPlan.GoogleCloudKmsConfig, encryptionAtRestState.GoogleCloudKmsConfig) {
+		atlasEncryptionAtRest.GoogleCloudKms = NewAtlasGcpKms(encryptionAtRestPlan.GoogleCloudKmsConfig)
+	}
+	if encryptionAtRestPlan.EnabledForSearchNodes != encryptionAtRestState.EnabledForSearchNodes {
+		atlasEncryptionAtRest.EnabledForSearchNodes = encryptionAtRestPlan.EnabledForSearchNodes.ValueBoolPointer()
+	}
+	return atlasEncryptionAtRest
+}

internal/service/encryptionatrest/model_test.go

@@ -83,9 +83,10 @@ var (
 		ServiceAccountKey:    types.StringValue(serviceAccountKey),
 	}
 	EncryptionAtRest = &admin.EncryptionAtRest{
-		AwsKms:         AWSKMSConfiguration,
-		AzureKeyVault:  AzureKeyVault,
-		GoogleCloudKms: GoogleCloudKMS,
+		AwsKms:                AWSKMSConfiguration,
+		AzureKeyVault:         AzureKeyVault,
+		GoogleCloudKms:        GoogleCloudKMS,
+		EnabledForSearchNodes: &enabled,
 	}
 )
 
@@ -99,11 +100,12 @@ func TestNewTfEncryptionAtRestRSModel(t *testing.T) {
 			name:     "Success NewTFAwsKmsConfig",
 			sdkModel: EncryptionAtRest,
 			expectedResult: &encryptionatrest.TfEncryptionAtRestRSModel{
-				ID:                   types.StringValue(projectID),
-				ProjectID:            types.StringValue(projectID),
-				AwsKmsConfig:         []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel},
-				AzureKeyVaultConfig:  []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel},
-				GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel},
+				ID:                    types.StringValue(projectID),
+				ProjectID:             types.StringValue(projectID),
+				AwsKmsConfig:          []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel},
+				AzureKeyVaultConfig:   []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel},
+				GoogleCloudKmsConfig:  []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel},
+				EnabledForSearchNodes: types.BoolValue(enabled),
 			},
 		},
 	}

internal/service/encryptionatrest/resource.go

@@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
@@ -52,11 +53,12 @@ type encryptionAtRestRS struct {
 }
 
 type TfEncryptionAtRestRSModel struct {
-	ID                   types.String                 `tfsdk:"id"`
-	ProjectID            types.String                 `tfsdk:"project_id"`
-	AwsKmsConfig         []TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
-	AzureKeyVaultConfig  []TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
-	GoogleCloudKmsConfig []TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
+	ID                    types.String                 `tfsdk:"id"`
+	ProjectID             types.String                 `tfsdk:"project_id"`
+	AwsKmsConfig          []TFAwsKmsConfigModel        `tfsdk:"aws_kms_config"`
+	AzureKeyVaultConfig   []TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"`
+	GoogleCloudKmsConfig  []TFGcpKmsConfigModel        `tfsdk:"google_cloud_kms_config"`
+	EnabledForSearchNodes types.Bool                   `tfsdk:"enabled_for_search_nodes"`
 }
 
 type TFAwsKmsConfigModel struct {
@@ -105,6 +107,12 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ
 				},
 				MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.",
 			},
+			"enabled_for_search_nodes": schema.BoolAttribute{
+				Optional:            true,
+				Computed:            true,
+				Default:             booldefault.StaticBool(false),
+				MarkdownDescription: "Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.",
+			},
 		},
 		Blocks: map[string]schema.Block{
 			"aws_kms_config": schema.ListNestedBlock{
@@ -272,6 +280,9 @@ func (r *encryptionAtRestRS) Create(ctx context.Context, req resource.CreateRequ
 
 	projectID := encryptionAtRestPlan.ProjectID.ValueString()
 	encryptionAtRestReq := &admin.EncryptionAtRest{}
+	if !encryptionAtRestPlan.EnabledForSearchNodes.IsNull() {
+		encryptionAtRestReq.EnabledForSearchNodes = encryptionAtRestPlan.EnabledForSearchNodes.ValueBoolPointer()
+	}
 	if encryptionAtRestPlan.AwsKmsConfig != nil {
 		encryptionAtRestReq.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig)
 	}
@@ -398,17 +409,8 @@ func (r *encryptionAtRestRS) Update(ctx context.Context, req resource.UpdateRequ
 		return
 	}
 
-	if hasAwsKmsConfigChanged(encryptionAtRestPlan.AwsKmsConfig, encryptionAtRestState.AwsKmsConfig) {
-		atlasEncryptionAtRest.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig)
-	}
-	if hasAzureKeyVaultConfigChanged(encryptionAtRestPlan.AzureKeyVaultConfig, encryptionAtRestState.AzureKeyVaultConfig) {
-		atlasEncryptionAtRest.AzureKeyVault = NewAtlasAzureKeyVault(encryptionAtRestPlan.AzureKeyVaultConfig)
-	}
-	if hasGcpKmsConfigChanged(encryptionAtRestPlan.GoogleCloudKmsConfig, encryptionAtRestState.GoogleCloudKmsConfig) {
-		atlasEncryptionAtRest.GoogleCloudKms = NewAtlasGcpKms(encryptionAtRestPlan.GoogleCloudKmsConfig)
-	}
-
-	encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(ctx, projectID, atlasEncryptionAtRest).Execute()
+	updateReq := NewAtlasEncryptionAtRest(encryptionAtRestPlan, encryptionAtRestState, atlasEncryptionAtRest)
+	encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(ctx, projectID, updateReq).Execute()
 	if err != nil {
 		resp.Diagnostics.AddError("error updating encryption at rest", fmt.Sprintf(errorUpdateEncryptionAtRest, err.Error()))
 		return