diff --git a/.changelog/3142.txt b/.changelog/3142.txt new file mode 100644 index 0000000000..ed68b1282a --- /dev/null +++ b/.changelog/3142.txt @@ -0,0 +1,7 @@ +```release-note:enhancement +resource/mongodbatlas_encryption_at_rest: Adds `enabled_for_search_nodes` attribute +``` + +```release-note:enhancement +data-source/mongodbatlas_encryption_at_rest: Adds `enabled_for_search_nodes` attribute +``` diff --git a/docs/data-sources/encryption_at_rest.md b/docs/data-sources/encryption_at_rest.md index f8724fe9b1..844042da4d 100644 --- a/docs/data-sources/encryption_at_rest.md +++ b/docs/data-sources/encryption_at_rest.md @@ -135,6 +135,7 @@ output "is_gcp_encryption_at_rest_valid" { - `aws_kms_config` (Attributes) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedatt--aws_kms_config)) - `azure_key_vault_config` (Attributes) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedatt--azure_key_vault_config)) +- `enabled_for_search_nodes` (Boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project. - `google_cloud_kms_config` (Attributes) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedatt--google_cloud_kms_config)) - `id` (String) The ID of this resource. diff --git a/docs/resources/encryption_at_rest.md b/docs/resources/encryption_at_rest.md index 92c16cf166..fba5191689 100644 --- a/docs/resources/encryption_at_rest.md +++ b/docs/resources/encryption_at_rest.md 
@@ -155,6 +155,7 @@ resource "mongodbatlas_encryption_at_rest" "test" { - `aws_kms_config` (Block List) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedblock--aws_kms_config)) - `azure_key_vault_config` (Block List) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedblock--azure_key_vault_config)) +- `enabled_for_search_nodes` (Boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project. - `google_cloud_kms_config` (Block List) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedblock--google_cloud_kms_config)) ### Read-Only diff --git a/internal/service/encryptionatrest/data_source.go b/internal/service/encryptionatrest/data_source.go index bf25826a9b..fb2d62e685 100644 --- a/internal/service/encryptionatrest/data_source.go +++ b/internal/service/encryptionatrest/data_source.go @@ -36,7 +36,8 @@ func (d *encryptionAtRestDS) Read(ctx context.Context, req datasource.ReadReques return } - connV2 := d.Client.AtlasV2 + // TODO: update before merging to master: connV2 := d.Client.AtlasV2 + connV2 := d.Client.AtlasPreview projectID := earConfig.ProjectID.ValueString() encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), projectID).Execute() diff --git a/internal/service/encryptionatrest/data_source_schema.go b/internal/service/encryptionatrest/data_source_schema.go index 8f819730ec..ff4a40d685 100644 --- a/internal/service/encryptionatrest/data_source_schema.go +++ b/internal/service/encryptionatrest/data_source_schema.go 
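Review bot: The data_source.go hunk swaps the call path to `connV2 := d.Client.AtlasPreview` under a `// TODO: update before merging to master` comment, and the same swap (together with `github.com/mongodb/atlas-sdk-go/admin` replacing the version-pinned `go.mongodb.org/atlas-sdk/v20250219001/admin` import) is repeated in data_source_schema.go, model.go, resource.go and the four test files below. Merging this as-is would ship the encryption-at-rest resource against an unpinned preview SDK and client, so the TODOs should be resolved or the change gated before the PR lands rather than left as reminders. In resource.go the four TODO comments record the restore text as `connV2 := d.Client.AtlasV2`, but the removed lines there were `connV2 := r.Client.AtlasV2` (the receiver is `r`), so pasting the comment back verbatim would not compile; `// TODO: update before merging to master: connV2 := r.Client.AtlasV2` is the correct reminder in that file. The `Read` method shown here begins outside the hunk.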
@@ -3,7 +3,8 @@ package encryptionatrest import ( "context" - "go.mongodb.org/atlas-sdk/v20250219001/admin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" "github.com/hashicorp/terraform-plugin-framework/datasource/schema" "github.com/hashicorp/terraform-plugin-framework/types" 
@@ -139,24 +140,30 @@ func DataSourceSchema(ctx context.Context) schema.Schema { "id": schema.StringAttribute{ Computed: true, }, + "enabled_for_search_nodes": schema.BoolAttribute{ + Computed: true, + MarkdownDescription: "Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.", + }, }, } } type TFEncryptionAtRestDSModel struct { - AzureKeyVaultConfig *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` - AwsKmsConfig *TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` - GoogleCloudKmsConfig *TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` - ID types.String `tfsdk:"id"` - ProjectID types.String `tfsdk:"project_id"` + AzureKeyVaultConfig *TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` + AwsKmsConfig *TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` + GoogleCloudKmsConfig *TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` + ID types.String `tfsdk:"id"` + ProjectID types.String `tfsdk:"project_id"` + EnabledForSearchNodes types.Bool `tfsdk:"enabled_for_search_nodes"` } func NewTFEncryptionAtRestDSModel(projectID string, encryptionResp *admin.EncryptionAtRest) *TFEncryptionAtRestDSModel { return &TFEncryptionAtRestDSModel{ - ID: types.StringValue(projectID), - ProjectID: types.StringValue(projectID), - AwsKmsConfig: NewTFAwsKmsConfigItem(encryptionResp.AwsKms), - AzureKeyVaultConfig: NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault), - GoogleCloudKmsConfig: NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms), + ID: types.StringValue(projectID), + ProjectID: types.StringValue(projectID), + AwsKmsConfig: NewTFAwsKmsConfigItem(encryptionResp.AwsKms), + AzureKeyVaultConfig: NewTFAzureKeyVaultConfigItem(encryptionResp.AzureKeyVault), + GoogleCloudKmsConfig: NewTFGcpKmsConfigItem(encryptionResp.GoogleCloudKms), + EnabledForSearchNodes: types.BoolPointerValue(encryptionResp.EnabledForSearchNodes), } } 
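Review bot: `EnabledForSearchNodes: types.BoolPointerValue(encryptionResp.EnabledForSearchNodes)` in `NewTFEncryptionAtRestDSModel` yields a null `enabled_for_search_nodes` when the API omits the field, whereas the resource-side `NewTFEncryptionAtRestRSModel` in model.go maps the same omission to `false`, so reading one project through the resource and the data source can disagree. If parity with the resource is intended, `EnabledForSearchNodes: types.BoolValue(encryptionResp.GetEnabledForSearchNodes()),` gives it (assuming the generated getter is nil-safe, as the SDK's getters usually are); if null is meant to signal "not reported by the API", say so in the attribute's `MarkdownDescription`. Neither `TFEncryptionAtRestDSModel` nor `NewTFEncryptionAtRestDSModel` carries a doc comment, and since the commit touches both, `// NewTFEncryptionAtRestDSModel maps an Atlas EncryptionAtRest response onto the data-source model.` would be a cheap addition.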
diff --git a/internal/service/encryptionatrest/model.go b/internal/service/encryptionatrest/model.go index e34802726f..9c1e88d80b 100644 --- a/internal/service/encryptionatrest/model.go +++ b/internal/service/encryptionatrest/model.go @@ -3,7 +3,8 @@ package encryptionatrest import ( "context" - "go.mongodb.org/atlas-sdk/v20250219001/admin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" "github.com/hashicorp/terraform-plugin-framework/types" @@ -11,12 +12,17 @@ import ( ) func NewTFEncryptionAtRestRSModel(ctx context.Context, projectID string, encryptionResp *admin.EncryptionAtRest) *TfEncryptionAtRestRSModel { + enabledForSearchNodes := false + if encryptionResp.EnabledForSearchNodes != nil { + enabledForSearchNodes = encryptionResp.GetEnabledForSearchNodes() + } return &TfEncryptionAtRestRSModel{ - ID: types.StringValue(projectID), - ProjectID: types.StringValue(projectID), - AwsKmsConfig: NewTFAwsKmsConfig(ctx, encryptionResp.AwsKms), - AzureKeyVaultConfig: NewTFAzureKeyVaultConfig(ctx, encryptionResp.AzureKeyVault), - GoogleCloudKmsConfig: NewTFGcpKmsConfig(ctx, encryptionResp.GoogleCloudKms), + ID: types.StringValue(projectID), + ProjectID: types.StringValue(projectID), + AwsKmsConfig: NewTFAwsKmsConfig(ctx, encryptionResp.AwsKms), + AzureKeyVaultConfig: NewTFAzureKeyVaultConfig(ctx, encryptionResp.AzureKeyVault), + GoogleCloudKmsConfig: NewTFGcpKmsConfig(ctx, encryptionResp.GoogleCloudKms), + EnabledForSearchNodes: types.BoolValue(enabledForSearchNodes), } } 
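Review bot: The new nil guard in `NewTFEncryptionAtRestRSModel` (`enabledForSearchNodes := false` followed by `if encryptionResp.EnabledForSearchNodes != nil {`) duplicates what the SDK's generated `GetEnabledForSearchNodes()` already does if it follows the usual nil-safe getter convention, in which case the three lines collapse to `EnabledForSearchNodes: types.BoolValue(encryptionResp.GetEnabledForSearchNodes()),`; please confirm against the preview SDK's generated code before simplifying. Either way, a one-line comment explaining why an absent field is rendered as `false` (it matches the schema default in resource.go rather than leaving the attribute null) would save the next reader the cross-reference. The function also still has no doc comment starting with its name.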
@@ -151,3 +157,19 @@ func NewAtlasAzureKeyVault(tfAzKeyVaultConfigSlice []TFAzureKeyVaultConfigModel) RequirePrivateNetworking: v.RequirePrivateNetworking.ValueBoolPointer(), } } + +func NewAtlasEncryptionAtRest(encryptionAtRestPlan, encryptionAtRestState *TfEncryptionAtRestRSModel, atlasEncryptionAtRest *admin.EncryptionAtRest) *admin.EncryptionAtRest { + if hasAwsKmsConfigChanged(encryptionAtRestPlan.AwsKmsConfig, encryptionAtRestState.AwsKmsConfig) { + atlasEncryptionAtRest.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig) + } + if hasAzureKeyVaultConfigChanged(encryptionAtRestPlan.AzureKeyVaultConfig, encryptionAtRestState.AzureKeyVaultConfig) { + atlasEncryptionAtRest.AzureKeyVault = NewAtlasAzureKeyVault(encryptionAtRestPlan.AzureKeyVaultConfig) + } + if hasGcpKmsConfigChanged(encryptionAtRestPlan.GoogleCloudKmsConfig, encryptionAtRestState.GoogleCloudKmsConfig) { + atlasEncryptionAtRest.GoogleCloudKms = NewAtlasGcpKms(encryptionAtRestPlan.GoogleCloudKmsConfig) + } + if encryptionAtRestPlan.EnabledForSearchNodes != encryptionAtRestState.EnabledForSearchNodes { + atlasEncryptionAtRest.EnabledForSearchNodes = encryptionAtRestPlan.EnabledForSearchNodes.ValueBoolPointer() + } + return atlasEncryptionAtRest +} diff --git a/internal/service/encryptionatrest/model_test.go b/internal/service/encryptionatrest/model_test.go index 9052ef12ad..170345fe9e 100644 --- a/internal/service/encryptionatrest/model_test.go +++ b/internal/service/encryptionatrest/model_test.go @@ -4,7 +4,8 @@ import ( "context" "testing" - "go.mongodb.org/atlas-sdk/v20250219001/admin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" "github.com/hashicorp/terraform-plugin-framework/types" "github.com/stretchr/testify/assert" 
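Review bot: `if encryptionAtRestPlan.EnabledForSearchNodes != encryptionAtRestState.EnabledForSearchNodes {` in `NewAtlasEncryptionAtRest` compares two `types.Bool` values with `!=`; the framework's documented comparison is the value method, `if !encryptionAtRestPlan.EnabledForSearchNodes.Equal(encryptionAtRestState.EnabledForSearchNodes) {`, which also stays correct if the value type ever gains fields. The function is named `New…` yet mutates and returns its third argument `atlasEncryptionAtRest` (the object `Update` passes in, as far as the resource.go call site shows), so either a name that says so or a doc comment is needed: `// NewAtlasEncryptionAtRest overwrites, on the given Atlas EncryptionAtRest, only the KMS sub-configurations and the search-nodes flag whose planned value differs from state, and returns the same pointer.` The new function has no doc comment at all today.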
@@ -84,9 +85,10 @@ var ( ServiceAccountKey: types.StringValue(serviceAccountKey), } EncryptionAtRest = &admin.EncryptionAtRest{ - AwsKms: AWSKMSConfiguration, - AzureKeyVault: AzureKeyVault, - GoogleCloudKms: GoogleCloudKMS, + AwsKms: AWSKMSConfiguration, + AzureKeyVault: AzureKeyVault, + GoogleCloudKms: GoogleCloudKMS, + EnabledForSearchNodes: &enabled, } ) @@ -100,11 +102,12 @@ func TestNewTfEncryptionAtRestRSModel(t *testing.T) { name: "Success NewTFAwsKmsConfig", sdkModel: EncryptionAtRest, expectedResult: &encryptionatrest.TfEncryptionAtRestRSModel{ - ID: types.StringValue(projectID), - ProjectID: types.StringValue(projectID), - AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel}, - AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel}, - GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel}, + ID: types.StringValue(projectID), + ProjectID: types.StringValue(projectID), + AwsKmsConfig: []encryptionatrest.TFAwsKmsConfigModel{TfAwsKmsConfigModel}, + AzureKeyVaultConfig: []encryptionatrest.TFAzureKeyVaultConfigModel{TfAzureKeyVaultConfigModel}, + GoogleCloudKmsConfig: []encryptionatrest.TFGcpKmsConfigModel{TfGcpKmsConfigModel}, + EnabledForSearchNodes: types.BoolValue(enabled), }, }, } diff --git a/internal/service/encryptionatrest/resource.go b/internal/service/encryptionatrest/resource.go index ae64b38b7d..a66ed01781 100644 --- a/internal/service/encryptionatrest/resource.go +++ b/internal/service/encryptionatrest/resource.go 
@@ -8,12 +8,14 @@ import ( "reflect" "time" - "go.mongodb.org/atlas-sdk/v20250219001/admin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" "github.com/hashicorp/terraform-plugin-framework-validators/listvalidator" "github.com/hashicorp/terraform-plugin-framework/path" "github.com/hashicorp/terraform-plugin-framework/resource" "github.com/hashicorp/terraform-plugin-framework/resource/schema" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault" "github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier" "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier" "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier" @@ -52,11 +54,12 @@ type encryptionAtRestRS struct { } type TfEncryptionAtRestRSModel struct { - ID types.String `tfsdk:"id"` - ProjectID types.String `tfsdk:"project_id"` - AwsKmsConfig []TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` - AzureKeyVaultConfig []TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` - GoogleCloudKmsConfig []TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` + ID types.String `tfsdk:"id"` + ProjectID types.String `tfsdk:"project_id"` + AwsKmsConfig []TFAwsKmsConfigModel `tfsdk:"aws_kms_config"` + AzureKeyVaultConfig []TFAzureKeyVaultConfigModel `tfsdk:"azure_key_vault_config"` + GoogleCloudKmsConfig []TFGcpKmsConfigModel `tfsdk:"google_cloud_kms_config"` + EnabledForSearchNodes types.Bool `tfsdk:"enabled_for_search_nodes"` } type TFAwsKmsConfigModel struct { 
@@ -105,6 +108,12 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ }, MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.", }, + "enabled_for_search_nodes": schema.BoolAttribute{ + Optional: true, + Computed: true, + Default: booldefault.StaticBool(false), + MarkdownDescription: "Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project.", + }, }, Blocks: map[string]schema.Block{ "aws_kms_config": schema.ListNestedBlock{ @@ -262,7 +271,8 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ func (r *encryptionAtRestRS) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) { var encryptionAtRestPlan *TfEncryptionAtRestRSModel var encryptionAtRestConfig *TfEncryptionAtRestRSModel - connV2 := r.Client.AtlasV2 + // TODO: update before merging to master: connV2 := d.Client.AtlasV2 + connV2 := r.Client.AtlasPreview resp.Diagnostics.Append(req.Plan.Get(ctx, &encryptionAtRestPlan)...) resp.Diagnostics.Append(req.Config.Get(ctx, &encryptionAtRestConfig)...) @@ -272,6 +282,9 @@ func (r *encryptionAtRestRS) Create(ctx context.Context, req resource.CreateRequ projectID := encryptionAtRestPlan.ProjectID.ValueString() encryptionAtRestReq := &admin.EncryptionAtRest{} + if !encryptionAtRestPlan.EnabledForSearchNodes.IsNull() { + encryptionAtRestReq.EnabledForSearchNodes = conversion.Pointer(encryptionAtRestPlan.EnabledForSearchNodes.ValueBool()) + } if encryptionAtRestPlan.AwsKmsConfig != nil { encryptionAtRestReq.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig) } 
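Review bot: `Default: booldefault.StaticBool(false)` on `enabled_for_search_nodes`, combined with the Create-path addition `if !encryptionAtRestPlan.EnabledForSearchNodes.IsNull() {`, means every Create sends an explicit `enabledForSearchNodes: false` unless the user opts in, so adopting this resource in a project where search-node encryption was already switched on would turn it off on the first apply, assuming the API treats an explicit false as a disable. The same applies to existing resources after a provider upgrade: Read refreshes state to the server's value, an omitted attribute plans to the default `false`, and `NewAtlasEncryptionAtRest` in model.go then forwards `false` to the API, so a project with the flag already on is switched off by a plain apply (visible in the plan, but easy to miss). Consider leaving the attribute Optional+Computed without a default so an omitted value keeps the server's setting, or at minimum extend the `MarkdownDescription` with `Defaults to false; when omitted, an existing project setting is overwritten.` With the default in place the plan value is never null at Create, so the `IsNull()` guard is dead and the body can mirror the Update path: `encryptionAtRestReq.EnabledForSearchNodes = encryptionAtRestPlan.EnabledForSearchNodes.ValueBoolPointer()`. Both `Schema` and `Create` extend beyond their hunks.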
@@ -344,7 +357,8 @@ func (r *encryptionAtRestRS) Read(ctx context.Context, req resource.ReadRequest, isImport = true } - connV2 := r.Client.AtlasV2 + // TODO: update before merging to master: connV2 := d.Client.AtlasV2 + connV2 := r.Client.AtlasPreview encryptionResp, getResp, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), projectID).Execute() if err != nil { @@ -374,7 +388,8 @@ func (r *encryptionAtRestRS) Update(ctx context.Context, req resource.UpdateRequ var encryptionAtRestState *TfEncryptionAtRestRSModel var encryptionAtRestConfig *TfEncryptionAtRestRSModel var encryptionAtRestPlan *TfEncryptionAtRestRSModel - connV2 := r.Client.AtlasV2 + // TODO: update before merging to master: connV2 := d.Client.AtlasV2 + connV2 := r.Client.AtlasPreview // get current config resp.Diagnostics.Append(req.Config.Get(ctx, &encryptionAtRestConfig)...) 
@@ -398,17 +413,8 @@ func (r *encryptionAtRestRS) Update(ctx context.Context, req resource.UpdateRequ return } - if hasAwsKmsConfigChanged(encryptionAtRestPlan.AwsKmsConfig, encryptionAtRestState.AwsKmsConfig) { - atlasEncryptionAtRest.AwsKms = NewAtlasAwsKms(encryptionAtRestPlan.AwsKmsConfig) - } - if hasAzureKeyVaultConfigChanged(encryptionAtRestPlan.AzureKeyVaultConfig, encryptionAtRestState.AzureKeyVaultConfig) { - atlasEncryptionAtRest.AzureKeyVault = NewAtlasAzureKeyVault(encryptionAtRestPlan.AzureKeyVaultConfig) - } - if hasGcpKmsConfigChanged(encryptionAtRestPlan.GoogleCloudKmsConfig, encryptionAtRestState.GoogleCloudKmsConfig) { - atlasEncryptionAtRest.GoogleCloudKms = NewAtlasGcpKms(encryptionAtRestPlan.GoogleCloudKmsConfig) - } - - encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(ctx, projectID, atlasEncryptionAtRest).Execute() + updateReq := NewAtlasEncryptionAtRest(encryptionAtRestPlan, encryptionAtRestState, atlasEncryptionAtRest) + encryptionResp, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(ctx, projectID, updateReq).Execute() if err != nil { resp.Diagnostics.AddError("error updating encryption at rest", fmt.Sprintf(errorUpdateEncryptionAtRest, err.Error())) return @@ -431,7 +437,8 @@ func (r *encryptionAtRestRS) Delete(ctx context.Context, req resource.DeleteRequ } enabled := false - connV2 := r.Client.AtlasV2 + // TODO: update before merging to master: connV2 := d.Client.AtlasV2 + connV2 := r.Client.AtlasPreview projectID := encryptionAtRestState.ProjectID.ValueString() _, _, err := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.GetEncryptionAtRest(context.Background(), projectID).Execute() diff --git a/internal/service/encryptionatrest/resource_migration_test.go b/internal/service/encryptionatrest/resource_migration_test.go index 5e27ef171b..dd2c952e6b 100644 --- a/internal/service/encryptionatrest/resource_migration_test.go 
+++ b/internal/service/encryptionatrest/resource_migration_test.go @@ -5,7 +5,8 @@ import ( "strconv" "testing" - "go.mongodb.org/atlas-sdk/v20250219001/admin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" "github.com/hashicorp/terraform-plugin-testing/helper/resource" @@ -27,6 +28,7 @@ func TestMigEncryptionAtRest_basicAWS(t *testing.T) { } useDatasource = mig.IsProviderVersionAtLeast("1.19.0") // data source introduced in this version useRequirePrivateNetworking = mig.IsProviderVersionAtLeast("1.28.0") // require_private_networking introduced in this version + useEnabledForSearchNodes = mig.IsProviderVersionAtLeast("1.30.0") // enabled_for_search_nodes introduced in this version ) resource.Test(t, resource.TestCase{ @@ -35,13 +37,13 @@ func TestMigEncryptionAtRest_basicAWS(t *testing.T) { Steps: []resource.TestStep{ { ExternalProviders: mig.ExternalProviders(), - Config: acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking), + Config: acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking, useEnabledForSearchNodes), Check: resource.ComposeAggregateTestCheckFunc( acc.CheckEARExists(resourceName), resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.enabled", "true"), ), }, - mig.TestStepCheckEmptyPlan(acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking)), + mig.TestStepCheckEmptyPlan(acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking, useEnabledForSearchNodes)), }, }) } 
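Review bot: `useEnabledForSearchNodes = mig.IsProviderVersionAtLeast("1.30.0")` is passed straight into `acc.ConfigAwsKms(..., useEnabledForSearchNodes)`, and that helper renders the attribute's value from the same boolean (see the acc/encryption_at_rest.go hunk), so whenever the external provider is 1.30.0 or newer the migration config enables search-node encryption on the test project as a side effect, and nothing in the step asserts it. Add `resource.TestCheckResourceAttr(resourceName, "enabled_for_search_nodes", strconv.FormatBool(useEnabledForSearchNodes)),` next to the existing `aws_kms_config.0.enabled` check (`strconv` is already imported in this file), and consider exercising the attribute at `false` here so the migration test does not change the project's encryption settings. The enclosing `TestMigEncryptionAtRest_basicAWS` begins before the hunk.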
@@ -135,40 +137,3 @@ func TestMigEncryptionAtRest_basicGCP(t *testing.T) { }, }) } - -func TestMigEncryptionAtRest_basicAWS_from_v1_11_0(t *testing.T) { - var ( - resourceName = "mongodbatlas_encryption_at_rest.test" - projectID = os.Getenv("MONGODB_ATLAS_PROJECT_EAR_PE_AWS_ID") // to use RequirePrivateNetworking, Atlas Project is required to have FF enabled - - awsKms = admin.AWSKMSConfiguration{ - Enabled: conversion.Pointer(true), - AccessKeyID: conversion.StringPtr(os.Getenv("AWS_ACCESS_KEY_ID")), - SecretAccessKey: conversion.StringPtr(os.Getenv("AWS_SECRET_ACCESS_KEY")), - CustomerMasterKeyID: conversion.StringPtr(os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID")), - Region: conversion.StringPtr(conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))), - RoleId: conversion.StringPtr(os.Getenv("AWS_EAR_ROLE_ID")), - } - useDatasource = mig.IsProviderVersionAtLeast("1.19.0") // data source introduced in this version - useRequirePrivateNetworking = mig.IsProviderVersionAtLeast("1.28.0") // require_private_networking introduced in this version - ) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { acc.PreCheckAwsEnv(t) }, - CheckDestroy: acc.EARDestroy, - Steps: []resource.TestStep{ - { - ExternalProviders: acc.ExternalProvidersWithAWS("1.11.0"), - Config: acc.ConfigAwsKms(projectID, &awsKms, false, false), - Check: resource.ComposeAggregateTestCheckFunc( - acc.CheckEARExists(resourceName), - resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.enabled", "true"), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.region", awsKms.GetRegion()), - resource.TestCheckResourceAttr(resourceName, "aws_kms_config.0.role_id", awsKms.GetRoleId()), - ), - }, - mig.TestStepCheckEmptyPlan(acc.ConfigAwsKms(projectID, &awsKms, useDatasource, useRequirePrivateNetworking)), - }, - }) -} 
diff --git a/internal/service/encryptionatrest/resource_test.go b/internal/service/encryptionatrest/resource_test.go index 8c21d56aab..247f55f47b 100644 --- a/internal/service/encryptionatrest/resource_test.go +++ b/internal/service/encryptionatrest/resource_test.go @@ -5,10 +5,14 @@ import ( "errors" "fmt" "os" + "strconv" "testing" - "go.mongodb.org/atlas-sdk/v20250219001/admin" - "go.mongodb.org/atlas-sdk/v20250219001/mockadmin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" + + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/mockadmin" + "github.com/mongodb/atlas-sdk-go/mockadmin" "github.com/hashicorp/terraform-plugin-framework/types" "github.com/hashicorp/terraform-plugin-testing/helper/resource" @@ -46,7 +50,8 @@ func TestAccEncryptionAtRest_basicAWS(t *testing.T) { RoleId: conversion.StringPtr(os.Getenv("AWS_EAR_ROLE_ID")), RequirePrivateNetworking: conversion.Pointer(true), } - awsKmsUpdatedAttrMap = acc.ConvertToAwsKmsEARAttrMap(&awsKmsUpdated) + awsKmsUpdatedAttrMap = acc.ConvertToAwsKmsEARAttrMap(&awsKmsUpdated) + enabledForSearchNodes = true ) resource.Test(t, resource.TestCase{ 
@@ -55,32 +60,16 @@ func TestAccEncryptionAtRest_basicAWS(t *testing.T) { CheckDestroy: acc.EARDestroy, Steps: []resource.TestStep{ { - Config: acc.ConfigAwsKms(projectID, &awsKms, true, false), - Check: resource.ComposeAggregateTestCheckFunc( - acc.CheckEARExists(resourceName), - resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - acc.EARCheckResourceAttr(resourceName, "aws_kms_config.0", awsKmsAttrMap), - - resource.TestCheckNoResourceAttr(resourceName, "azure_key_vault_config.#"), - resource.TestCheckNoResourceAttr(resourceName, "google_cloud_kms_config.#"), - - resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), - acc.EARCheckResourceAttr(datasourceName, "aws_kms_config.", awsKmsAttrMap), - ), + Config: acc.ConfigAwsKms(projectID, &awsKms, true, false, false), + Check: checkEARResourceAWS(projectID, false, awsKmsAttrMap), }, { - Config: acc.ConfigAwsKms(projectID, &awsKmsUpdated, true, true), - Check: resource.ComposeAggregateTestCheckFunc( - acc.CheckEARExists(resourceName), - resource.TestCheckResourceAttr(resourceName, "project_id", projectID), - acc.EARCheckResourceAttr(resourceName, "aws_kms_config.0", awsKmsUpdatedAttrMap), - - resource.TestCheckNoResourceAttr(resourceName, "azure_key_vault_config.#"), - resource.TestCheckNoResourceAttr(resourceName, "google_cloud_kms_config.#"), - - resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), - acc.EARCheckResourceAttr(datasourceName, "aws_kms_config", awsKmsUpdatedAttrMap), - ), + Config: acc.ConfigAwsKms(projectID, &awsKmsUpdated, true, true, enabledForSearchNodes), + Check: checkEARResourceAWS(projectID, enabledForSearchNodes, awsKmsUpdatedAttrMap), + }, + { + Config: acc.ConfigAwsKms(projectID, &awsKmsUpdated, true, true, false), + Check: checkEARResourceAWS(projectID, false, awsKmsUpdatedAttrMap), }, { ResourceName: resourceName, 
@@ -618,3 +607,20 @@ resource "mongodbatlas_encryption_at_rest" "test" { } `, awsEar.GetEnabled(), awsEar.GetRegion(), awsEar.GetCustomerMasterKeyID(), awsEar.GetRequirePrivateNetworking()) } + +// Helper function to perform common AWS resource checks +func checkEARResourceAWS(projectID string, enabledForSearchNodes bool, awsKmsAttrMap map[string]string) resource.TestCheckFunc { + return resource.ComposeAggregateTestCheckFunc( + acc.CheckEARExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "project_id", projectID), + resource.TestCheckResourceAttr(resourceName, "enabled_for_search_nodes", strconv.FormatBool(enabledForSearchNodes)), + acc.EARCheckResourceAttr(resourceName, "aws_kms_config.0", awsKmsAttrMap), + + resource.TestCheckNoResourceAttr(resourceName, "azure_key_vault_config.#"), + resource.TestCheckNoResourceAttr(resourceName, "google_cloud_kms_config.#"), + + resource.TestCheckResourceAttr(datasourceName, "project_id", projectID), + resource.TestCheckResourceAttr(datasourceName, "enabled_for_search_nodes", strconv.FormatBool(enabledForSearchNodes)), + acc.EARCheckResourceAttr(datasourceName, "aws_kms_config.", awsKmsAttrMap), + ) +} diff --git a/internal/service/encryptionatrestprivateendpoint/resource_test.go b/internal/service/encryptionatrestprivateendpoint/resource_test.go index f9217fe39c..af09a2c649 100644 --- a/internal/service/encryptionatrestprivateendpoint/resource_test.go +++ b/internal/service/encryptionatrestprivateendpoint/resource_test.go @@ -7,7 +7,8 @@ import ( "testing" "time" - "go.mongodb.org/atlas-sdk/v20250219001/admin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" "github.com/hashicorp/terraform-plugin-framework/diag" "github.com/hashicorp/terraform-plugin-testing/helper/resource" 
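Review bot: `checkEARResourceAWS` keeps `acc.EARCheckResourceAttr(datasourceName, "aws_kms_config.", awsKmsAttrMap)` with a trailing dot, inherited from the first removed step, while the second removed step used `"aws_kms_config"`; now that both steps go through one helper, the prefix should be normalised to whatever `EARCheckResourceAttr` actually expects (presumably `"aws_kms_config"`, by analogy with the resource-side `"aws_kms_config.0"`), since one of the two spellings was likely tolerated only by accident. The header comment should follow Go's convention and start with the name, e.g. `// checkEARResourceAWS asserts the resource and data-source attributes of an AWS KMS-backed EAR configuration, including enabled_for_search_nodes.` The `resourceName` and `datasourceName` package variables it reads are declared outside the hunk.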
@@ -157,7 +158,7 @@ func basicTestCaseAWS(tb testing.TB) *resource.TestCase { CheckDestroy: checkDestroy, Steps: []resource.TestStep{ { - Config: acc.ConfigAwsKms(projectID, &awsKms, false, true), + Config: acc.ConfigAwsKms(projectID, &awsKms, false, true, false), Check: resource.ComposeAggregateTestCheckFunc( resource.TestCheckResourceAttr(earResourceName, "aws_kms_config.0.enabled", "true"), resource.TestCheckResourceAttr(earResourceName, "aws_kms_config.0.require_private_networking", "false"), 
@@ -233,12 +234,27 @@ func TestCheckErrorMessageAndStatus(t *testing.T) { for testName, tc := range testCases { t.Run(testName, func(t *testing.T) { - diags := encryptionatrestprivateendpoint.CheckErrorMessageAndStatus(tc.SDKResp) + // TODO: update before merging to master: diags := encryptionatrestprivateendpoint.CheckErrorMessageAndStatus(tc.SDKResp) + diags := checkErrorMessageAndStatusPreview(tc.SDKResp) assert.Equal(t, tc.diags, diags, "diagnostics did not match expected output") }) } } +// TODO: update before merging to master: remove func checkErrorMessageAndStatusPreview +func checkErrorMessageAndStatusPreview(model *admin.EARPrivateEndpoint) diag.Diagnostics { + var diags diag.Diagnostics + switch { + case model.GetStatus() == retrystrategy.RetryStrategyFailedState: + diags = append(diags, diag.NewErrorDiagnostic(encryptionatrestprivateendpoint.FailedStatusErrorMessageSummary, model.GetErrorMessage())) + case model.GetErrorMessage() != "": + diags = append(diags, diag.NewWarningDiagnostic(encryptionatrestprivateendpoint.NonEmptyErrorMessageFieldSummary, model.GetErrorMessage())) + case model.GetStatus() == retrystrategy.RetryStrategyPendingAcceptanceState: + diags = append(diags, diag.NewWarningDiagnostic(encryptionatrestprivateendpoint.PendingAcceptanceWarnMsgSummary, encryptionatrestprivateendpoint.PendingAcceptanceWarnMsg)) + } + return diags +} + func importStateIDFunc(resourceName string) resource.ImportStateIdFunc { return func(s *terraform.State) (string, error) { rs, ok := s.RootModule().Resources[resourceName] @@ -316,7 +332,7 @@ func checkBasic(projectID, cloudProvider, region string, expectApproved bool) re } func configAWSBasic(projectID string, awsKms *admin.AWSKMSConfiguration, region string) string { - encryptionAtRestConfig := acc.ConfigAwsKms(projectID, awsKms, false, true) + encryptionAtRestConfig := acc.ConfigAwsKms(projectID, awsKms, false, true, false) config := fmt.Sprintf(` %[1]s 
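Review bot: Replacing the call with `diags := checkErrorMessageAndStatusPreview(tc.SDKResp)` means `TestCheckErrorMessageAndStatus` now exercises a copy of the production logic that lives only in the test file, so a regression in the real `encryptionatrestprivateendpoint.CheckErrorMessageAndStatus` would no longer be caught while the suite stays green. If the only obstacle is the `*admin.EARPrivateEndpoint` type now coming from the preview SDK, the production function should be moved to that type in the same PR (as the other files in this diff already are) and the copy dropped, rather than carrying a `TODO: remove` helper whose drift from the original is invisible to the test. `TestCheckErrorMessageAndStatus` starts above the hunk.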
diff --git a/internal/testutil/acc/encryption_at_rest.go b/internal/testutil/acc/encryption_at_rest.go index aa6ec5d0e3..123b6cd2c5 100644 --- a/internal/testutil/acc/encryption_at_rest.go +++ b/internal/testutil/acc/encryption_at_rest.go @@ -5,7 +5,8 @@ import ( "fmt" "strconv" - "go.mongodb.org/atlas-sdk/v20250219001/admin" + // TODO: update before merging to master: "go.mongodb.org/atlas-sdk/v20250219001/admin" + "github.com/mongodb/atlas-sdk-go/admin" "github.com/hashicorp/terraform-plugin-testing/helper/resource" "github.com/hashicorp/terraform-plugin-testing/terraform" @@ -43,25 +44,29 @@ func ConfigEARAzureKeyVault(projectID string, azure *admin.AzureKeyVault, useReq return config } -func ConfigAwsKms(projectID string, aws *admin.AWSKMSConfiguration, useDatasource, useRequirePrivateNetworking bool) string { +func ConfigAwsKms(projectID string, aws *admin.AWSKMSConfiguration, useDatasource, useRequirePrivateNetworking, useEnabledForSearchNodes bool) string { requirePrivateNetworkingStr := "" if useRequirePrivateNetworking { requirePrivateNetworkingStr = fmt.Sprintf("require_private_networking = %t", aws.GetRequirePrivateNetworking()) } + enabledForSearchNodes := "" + if useEnabledForSearchNodes { + enabledForSearchNodes = fmt.Sprintf("enabled_for_search_nodes = %t", useEnabledForSearchNodes) + } config := fmt.Sprintf(` resource "mongodbatlas_encryption_at_rest" "test" { project_id = %[1]q - aws_kms_config { + aws_kms_config { enabled = %[2]t customer_master_key_id = %[3]q region = %[4]q role_id = %[5]q - %[6]s } + %[7]s } - `, projectID, aws.GetEnabled(), aws.GetCustomerMasterKeyID(), aws.GetRegion(), aws.GetRoleId(), requirePrivateNetworkingStr) + `, projectID, aws.GetEnabled(), aws.GetCustomerMasterKeyID(), aws.GetRegion(), aws.GetRoleId(), requirePrivateNetworkingStr, enabledForSearchNodes) if useDatasource { return fmt.Sprintf(`%s %s`, config, EARDatasourceConfig())
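Review bot: In the `ConfigAwsKms` template the line `- %[6]s` inside the `aws_kms_config` block is removed and only `+ %[7]s` is added at resource level, yet `requirePrivateNetworkingStr` is still passed as argument 6; as rendered here nothing references `%[6]s` any more, so `require_private_networking` is never emitted, and `go vet` will not flag it because it skips the extra-argument check once explicit indexes are used — unless a line was lost in this rendering, the `%[6]s` placeholder needs to go back inside the block. Separately, `enabledForSearchNodes = fmt.Sprintf("enabled_for_search_nodes = %t", useEnabledForSearchNodes)` conflates "render the attribute" with "its value", so callers can never produce an explicit `enabled_for_search_nodes = false` and the migration test's version gate doubles as an enable switch; splitting the two (a render flag plus a value, or a `*bool` omitted when nil) keeps the helper usable for both cases. A doc comment on the exported `ConfigAwsKms` describing each flag would also help now that it takes three positional booleans.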