mongodb · maastha · Sep 9, 2024 · Aug 12, 2024 · Aug 13, 2024 · Aug 13, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest: Adds new `azure_key_vault_config.#.require_private_networking` field to enable connection to Azure Key Vault over private networking
+```
@@ -0,0 +1,3 @@
+```release-note:new-resource
+resource/mongodbatlas_encryption_at_rest_private_endpoint
+```
@@ -0,0 +1,3 @@
+```release-note:new-datasource
+data-source/mongodbatlas_encryption_at_rest_private_endpoint
+```
@@ -0,0 +1,3 @@
+```release-note:new-datasource
+data-source/mongodbatlas_encryption_at_rest_private_endpoints
+```
@@ -0,0 +1,7 @@
+```release-note:new-datasource
+data-source/mongodbatlas_encryption_at_rest
+```
+
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest: Adds `aws_kms_config.0.valid`, `azure_key_vault_config.0.valid` and `google_cloud_kms_config.0.valid` attribute
+```
@@ -86,6 +86,15 @@ on:
       mongodb_atlas_federated_settings_associated_domain:
         type: string
         required: true
+      mongodb_atlas_project_ear_pe_id:
+        type: string
+        required: true
+      mongodb_atlas_enable_preview:
+        type: string
+        required: true
+      azure_private_endpoint_region:
+        type: string
+        required: true
     secrets: # all secrets are passed explicitly in this workflow
       mongodb_atlas_public_key:
         required: true
@@ -135,6 +144,18 @@ on:
         required: true
       azure_vnet_name_updated:
         required: true
+      azure_client_id:
+        required: true
+      azure_key_vault_name:
+        required: true
+      azure_key_identifier:
+        required: true
+      azure_key_vault_name_updated:
+        required: true
+      azure_key_identifier_updated:
+        required: true
+      azure_app_secret:
+        required: true
 
 env:
   TF_ACC: 1
@@ -238,7 +259,8 @@ jobs:
           data_lake:
             - 'internal/service/datalakepipeline/*.go'
           encryption:
-            - 'internal/service/encryptionatrest/*.go'  
+            - 'internal/service/encryptionatrest/*.go' 
+            - 'internal/service/encryptionatrestprivateendpoint/*.go'
           event_trigger:
             - 'internal/service/eventtrigger/*.go'  
           federated:
@@ -515,7 +537,21 @@ jobs:
       - name: Acceptance Tests
         env:
           MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }}
-          ACCTEST_PACKAGES: ./internal/service/encryptionatrest
+          ACCTEST_PACKAGES: |
+           ./internal/service/encryptionatrest
+           ./internal/service/encryptionatrestprivateendpoint
+          MONGODB_ATLAS_PROJECT_EAR_PE_ID: ${{ inputs.mongodb_atlas_project_ear_pe_id }}
+          AZURE_PRIVATE_ENDPOINT_REGION: ${{ inputs.azure_private_endpoint_region }}
+          AZURE_CLIENT_ID: ${{ secrets.azure_client_id }}
+          AZURE_RESOURCE_GROUP_NAME: ${{ secrets.azure_resource_group_name }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.azure_subscription_id }}
+          AZURE_TENANT_ID: ${{ vars.azure_tenant_id }}
+          AZURE_APP_SECRET: ${{ secrets.azure_app_secret }}
+          AZURE_KEY_VAULT_NAME: ${{ secrets.azure_key_vault_name }}
+          AZURE_KEY_IDENTIFIER: ${{ secrets.azure_key_identifier }}
+          AZURE_KEY_VAULT_NAME_UPDATED: ${{ secrets.azure_key_vault_name_updated }}
+          AZURE_KEY_IDENTIFIER_UPDATED: ${{ secrets.azure_key_identifier_updated }}
+          MONGODB_ATLAS_ENABLE_PREVIEW: ${{ inputs.mongodb_atlas_enable_preview }}
         run: make testacc
 
   event_trigger:

@@ -77,6 +77,12 @@ jobs:
       azure_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       azure_vnet_name: ${{ secrets.AZURE_VNET_NAME }}
       azure_vnet_name_updated: ${{ secrets.AZURE_VNET_NAME_UPDATED }}
+      azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
+      azure_key_vault_name: ${{ secrets.AZURE_KEY_VAULT_NAME }}
+      azure_key_identifier: ${{ secrets.AZURE_KEY_IDENTIFIER }}
+      azure_key_vault_name_updated: ${{ secrets.AZURE_KEY_VAULT_NAME_UPDATED }}
+      azure_key_identifier_updated: ${{ secrets.AZURE_KEY_IDENTIFIER_UPDATED }}
+      azure_app_secret: ${{ secrets.AZURE_APP_SECRET }}
 
     with:
       terraform_version: ${{ inputs.terraform_version || vars.TF_VERSION_LATEST }}
@@ -104,3 +110,6 @@ jobs:
       mongodb_atlas_gov_org_id: ${{ inputs.atlas_cloud_env == 'qa' && vars.MONGODB_ATLAS_GOV_ORG_ID_QA || vars.MONGODB_ATLAS_GOV_ORG_ID_DEV }}
       mongodb_atlas_gov_project_owner_id: ${{ inputs.atlas_cloud_env == 'qa' && vars.MONGODB_ATLAS_GOV_PROJECT_OWNER_ID_QA || vars.MONGODB_ATLAS_GOV_PROJECT_OWNER_ID_DEV }}
       mongodb_atlas_federated_settings_associated_domain: ${{ vars.MONGODB_ATLAS_FEDERATED_SETTINGS_ASSOCIATED_DOMAIN }}
+      mongodb_atlas_project_ear_pe_id: ${{ inputs.atlas_cloud_env == 'qa' && vars.MONGODB_ATLAS_PROJECT_EAR_PE_ID_QA || vars.MONGODB_ATLAS_PROJECT_EAR_PE_ID_DEV }}
+      mongodb_atlas_enable_preview: ${{ vars.MONGODB_ATLAS_ENABLE_PREVIEW }}
+      azure_private_endpoint_region: ${{ vars.AZURE_PRIVATE_ENDPOINT_REGION }}
@@ -70,13 +70,17 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - run: make tools # all resources with auto-generated doc must be specified below here 
       - name: Doc for control_plane_ip_addresses
-        run: export resource_name=control_plane_ip_addresses && make generate-doc
+        run: make generate-doc resource_name=control_plane_ip_addresses
       - name: Doc for push_based_log_export
-        run: export resource_name=push_based_log_export && make generate-doc
+        run: make generate-doc resource_name=push_based_log_export
       - name: Doc for search_deployment
-        run: export resource_name=search_deployment && make generate-doc
+        run: make generate-doc resource_name=search_deployment
+      - name: Doc for encryption_at_rest
+        run: make generate-doc resource_name=encryption_at_rest
+      - name: Doc for encryption_at_rest_private_endpoint
+        run: make generate-doc resource_name=encryption_at_rest_private_endpoint
       - name: Doc for project_ip_addresses
-        run: export resource_name=project_ip_addresses && make generate-doc
+        run: make generate-doc resource_name=project_ip_addresses
       - name: Find mutations
         id: self_mutation
         run: |-

@@ -124,8 +124,10 @@ scaffold-schemas:
 
 
 .PHONY: generate-doc
-generate-doc: ## Generate the resource documentation via tfplugindocs
-	./scripts/generate-doc.sh ${resource_name}
+# e.g. run: make generate-doc resource_name=search_deployment
+# generate the resource documentation via tfplugindocs
+generate-doc: 
+	@scripts/generate-doc.sh ${resource_name}
 
 .PHONY: update-tf-compatibility-matrix
 update-tf-compatibility-matrix: ## Update Terraform Compatibility Matrix documentation

@@ -218,15 +218,12 @@ You must also configure the following environment variables before running the t
   export AZURE_CLIENT_ID=<YOUR_CLIENT_ID>
   export AZURE_SUBSCRIPTION_ID=<YOUR_SUBSCRIPTION_ID>
   export AZURE_RESOURCE_GROUP_NAME=<YOUR_RESOURCE_GROUP_NAME>
-  export AZURE_SECRET=<YOUR_SECRET>
+  export AZURE_APP_SECRET=<YOUR_SECRET>
   export AZURE_KEY_VAULT_NAME=<YOUR_KEY_VAULT_NAME>
   export AZURE_KEY_IDENTIFIER=<YOUR_KEY_IDENTIFIER>
   export AZURE_TENANT_ID=<YOUR_TENANT_ID>
   export AZURE_DIRECTORY_ID=<YOUR_DIRECTORY_ID>
 
-  export AZURE_CLIENT_ID_UPDATED=<YOUR_CLIENT_ID_UPDATED>
-  export AZURE_RESOURCE_GROUP_NAME_UPDATED=<YOUR_RESOURCE_GROUP_NAME_UPDATED>
-  export AZURE_SECRET_UPDATED=<YOUR_SECRET_UPDATED>
   export AZURE_KEY_VAULT_NAME_UPDATED=<YOUR_KEY_VAULT_NAME_UPDATED>
   export AZURE_KEY_IDENTIFIER_UPDATED=<YOUR_KEY_IDENTIFIER_UPDATED>
   ```

@@ -12,5 +12,5 @@ We autogenerate the documentation of our provider resources and data sources via
 - Add the resource/data source templates to the [templates](https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/templates) folder. See [README.md](https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/templates/README.md) for more info.
 - Run the Makefile command `generate-doc`
 ```bash
-export resource_name=search_deployment && make generate-doc
+make generate-doc resource_name=search_deployment
 ```
@@ -0,0 +1,190 @@
+# Data Source: mongodbatlas_encryption_at_rest
+
+`mongodbatlas_encryption_at_rest` describes encryption at rest configuration for an Atlas project with one of the following providers:
+
+[Amazon Web Services Key Management Service](https://docs.atlas.mongodb.com/security-aws-kms/#security-aws-kms)
+[Azure Key Vault](https://docs.atlas.mongodb.com/security-azure-kms/#security-azure-kms)
+[Google Cloud KMS](https://docs.atlas.mongodb.com/security-gcp-kms/#security-gcp-kms)
+
+
+~> **IMPORTANT** Atlas encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest, by default.
+
+~> **IMPORTANT** Atlas limits this feature to dedicated cluster tiers of M10 and greater. For more information see: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management
+
+-> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation.
+
+
+## Example Usages
+
+### Configuring encryption at rest using customer key management in AWS
+```terraform
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+  project_id    = var.atlas_project_id
+  provider_name = "AWS"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+  project_id = var.atlas_project_id
+  role_id    = mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+  aws {
+    iam_assumed_role_arn = aws_iam_role.test_role.arn
+  }
+}
+
+resource "mongodbatlas_encryption_at_rest" "test" {
+  project_id = var.atlas_project_id
+
+  aws_kms_config {
+    enabled                = true
+    customer_master_key_id = aws_kms_key.kms_key.id
+    region                 = var.atlas_region
+    role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
+  }
+}
+
+resource "mongodbatlas_advanced_cluster" "cluster" {
+  project_id                  = mongodbatlas_encryption_at_rest.test.project_id
+  name                        = "MyCluster"
+  cluster_type                = "REPLICASET"
+  backup_enabled              = true
+  encryption_at_rest_provider = "AWS"
+
+  replication_specs {
+    region_configs {
+      priority      = 7
+      provider_name = "AWS"
+      region_name   = "US_EAST_1"
+      electable_specs {
+        instance_size = "M10"
+        node_count    = 3
+      }
+    }
+  }
+}
+
+data "mongodbatlas_encryption_at_rest" "test" {
+  project_id = mongodbatlas_encryption_at_rest.test.project_id
+}
+
+output "is_aws_kms_encryption_at_rest_valid" {
+  value = data.mongodbatlas_encryption_at_rest.test.aws_kms_config.valid
+}
+```
+
+### Configuring encryption at rest using customer key management in Azure
+```terraform
+resource "mongodbatlas_encryption_at_rest" "test" {
+  project_id = var.atlas_project_id
+
+  azure_key_vault_config {
+    enabled           = true
+    azure_environment = "AZURE"
+
+    tenant_id       = var.azure_tenant_id
+    subscription_id = var.azure_subscription_id
+    client_id       = var.azure_client_id
+    secret          = var.azure_client_secret
+
+    resource_group_name = var.azure_resource_group_name
+    key_vault_name      = var.azure_key_vault_name
+    key_identifier      = var.azure_key_identifier
+  }
+}
+
+data "mongodbatlas_encryption_at_rest" "test" {
+  project_id = mongodbatlas_encryption_at_rest.test.project_id
+}
+
+output "is_azure_encryption_at_rest_valid" {
+  value = data.mongodbatlas_encryption_at_rest.test.azure_key_vault_config.valid
+}
+```
+
+-> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details.
+
+### Configuring encryption at rest using customer key management in GCP
+```terraform
+resource "mongodbatlas_encryption_at_rest" "test" {
+  project_id = var.atlas_project_id
+
+  google_cloud_kms_config {
+    enabled                 = true
+    service_account_key     = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"[email protected]\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}"
+    key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1"
+  }
+}
+
+data "mongodbatlas_encryption_at_rest" "test" {
+  project_id = mongodbatlas_encryption_at_rest.test.project_id
+}
+
+output "is_gcp_encryption_at_rest_valid" {
+  value = data.mongodbatlas_encryption_at_rest.test.google_cloud_kms_config.valid
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project.
+
+### Read-Only
+
+- `aws_kms_config` (Attributes) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. (see [below for nested schema](#nestedatt--aws_kms_config))
+- `azure_key_vault_config` (Attributes) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). (see [below for nested schema](#nestedatt--azure_key_vault_config))
+- `google_cloud_kms_config` (Attributes) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). (see [below for nested schema](#nestedatt--google_cloud_kms_config))
+- `id` (String) The ID of this resource.
+
+<a id="nestedatt--aws_kms_config"></a>
+### Nested Schema for `aws_kms_config`
+
+Read-Only:
+
+- `access_key_id` (String, Sensitive) Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).
+- `customer_master_key_id` (String, Sensitive) Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.
+- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.
+- `region` (String) Physical location where MongoDB Atlas deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Atlas deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Atlas creates them as part of the deployment. MongoDB Atlas assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.
+- `role_id` (String) Unique 24-hexadecimal digit string that identifies an Amazon Web Services (AWS) Identity and Access Management (IAM) role. This IAM role has the permissions required to manage your AWS customer master key.
+- `secret_access_key` (String, Sensitive) Human-readable label of the Identity and Access Management (IAM) secret access key with permissions required to access your Amazon Web Services (AWS) customer master key.
+- `valid` (Boolean) Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.
+
+
+<a id="nestedatt--azure_key_vault_config"></a>
+### Nested Schema for `azure_key_vault_config`
+
+Read-Only:
+
+- `azure_environment` (String) Azure environment in which your account credentials reside.
+- `client_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.
+- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified  project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.
+- `key_identifier` (String, Sensitive) Web address with a unique key that identifies for your Azure Key Vault.
+- `key_vault_name` (String) Unique string that identifies the Azure Key Vault that contains your key.
+- `require_private_networking` (Boolean) Enable connection to your Azure Key Vault over private networking.
+- `resource_group_name` (String) Name of the Azure resource group that contains your Azure Key Vault.
+- `secret` (String, Sensitive) Private data that you need secured and that belongs to the specified Azure Key Vault (AKV) tenant (**azureKeyVault.tenantID**). This data can include any type of sensitive data such as passwords, database connection strings, API keys, and the like. AKV stores this information as encrypted binary data.
+- `subscription_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies your Azure subscription.
+- `tenant_id` (String, Sensitive) Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.
+- `valid` (Boolean) Flag that indicates whether the Azure encryption key can encrypt and decrypt data.
+
+
+<a id="nestedatt--google_cloud_kms_config"></a>
+### Nested Schema for `google_cloud_kms_config`
+
+Read-Only:
+
+- `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified  project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.
+- `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS.
+- `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
+- `valid` (Boolean) Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
+
+# Import 
+Encryption at Rest Settings can be imported using project ID, in the format `project_id`, e.g.
+
+```
+$ terraform import mongodbatlas_encryption_at_rest.example 1112222b3bf99403840e8934
+```
+
+For more information see: [MongoDB Atlas API Reference for Encryption at Rest using Customer Key Management.](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management)