feat: Long-running operation improvements for mongodbatlas_encryption_at_rest_private_endpoint resource (#3561)

* implement timeout for create and delete

* implement delete_on_create_timeout

* implement test

* data sources fix

* docs and changelog

* fix unit test

* test fixes

* fix test

* use shared resources to avoid CANNOT_DISABLE_ENCRYPTION_AT_REST_DUE_TO_PRIVATE_ENDPOINTS

* non parallel test

* try new project for ear

* create project

* change description

* use configured project

* use correct projectn

* clean up shared resources

* skip test

* Update .changelog/3561.txt

Co-authored-by: Copilot <[email protected]>

* changes from dev

---------

Co-authored-by: Copilot <[email protected]>

Author: oarbusi

.changelog/3561.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest_private_endpoint: Adds `timeouts` attribute for create and delete operations
+```
+
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest_private_endpoint: Adds `delete_on_create_timeout` attribute to indicate whether to delete the resource if its creation times out
+```

docs/guides/2.0.0-upgrade-guide.md

@@ -16,6 +16,7 @@ The Terraform MongoDB Atlas Provider version 2.0.0 has the following new feature
   - `mongodbatlas_advanced_cluster`
   - `mongodbatlas_cloud_backup_snapshot` 
   - `mongodbatlas_cluster_outage_simulation`
+  - `mongodbatlas_encryption_at_rest_private_endpoint`
   - `mongodbatlas_flex_cluster`
   - `mongodbatlas_network_peering`
   - `mongodbatlas_online_archive`

docs/resources/encryption_at_rest_private_endpoint.md

@@ -99,13 +99,26 @@ resource "mongodbatlas_encryption_at_rest_private_endpoint" "endpoint" {
 - `project_id` (String) Unique 24-hexadecimal digit string that identifies your project.
 - `region_name` (String) Cloud provider region in which the Encryption At Rest private endpoint is located.
 
+### Optional
+
+- `delete_on_create_timeout` (Boolean) Indicates whether to delete the resource being created if a timeout is reached when waiting for completion. When set to `true` and timeout occurs, it triggers the deletion and returns immediately without waiting for deletion to complete. When set to `false`, the timeout will not trigger resource deletion. If you suspect a transient error when the value is `true`, wait before retrying to allow resource deletion to finish. Default is `true`.
+- `timeouts` (Attributes) (see [below for nested schema](#nestedatt--timeouts))
+
 ### Read-Only
 
 - `error_message` (String) Error message for failures associated with the Encryption At Rest private endpoint.
 - `id` (String) Unique 24-hexadecimal digit string that identifies the Private Endpoint Service.
 - `private_endpoint_connection_name` (String) Connection name of the Azure Private Endpoint.
 - `status` (String) State of the Encryption At Rest private endpoint.
 
+<a id="nestedatt--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- `create` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
+- `delete` (String) A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
+
 ## Import 
 Encryption At Rest Private Endpoint resource can be imported using the project ID, cloud provider, and private endpoint ID. The format must be `{project_id}-{cloud_provider}-{private_endpoint_id}` e.g.
 

internal/service/encryptionatrestprivateendpoint/data_source.go

@@ -31,7 +31,7 @@ func (d *encryptionAtRestPrivateEndpointDS) Schema(ctx context.Context, req data
 }
 
 func (d *encryptionAtRestPrivateEndpointDS) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
-	var earPrivateEndpointConfig TFEarPrivateEndpointModel
+	var earPrivateEndpointConfig TFEarPrivateEndpointModelDS
 	resp.Diagnostics.Append(req.Config.Get(ctx, &earPrivateEndpointConfig)...)
 	if resp.Diagnostics.HasError() {
 		return
@@ -48,5 +48,5 @@ func (d *encryptionAtRestPrivateEndpointDS) Read(ctx context.Context, req dataso
 		return
 	}
 
-	resp.Diagnostics.Append(resp.State.Set(ctx, NewTFEarPrivateEndpoint(*endpointModel, projectID))...)
+	resp.Diagnostics.Append(resp.State.Set(ctx, NewTFEarPrivateEndpointDS(*endpointModel, projectID))...)
 }

internal/service/encryptionatrestprivateendpoint/data_source_schema.go

@@ -41,8 +41,19 @@ func DSAttributes(withArguments bool) map[string]schema.Attribute {
 	}
 }
 
+// TFEarPrivateEndpointModelDS represents the model for data sources (without timeout fields)
+type TFEarPrivateEndpointModelDS struct {
+	CloudProvider                 types.String `tfsdk:"cloud_provider"`
+	ErrorMessage                  types.String `tfsdk:"error_message"`
+	ProjectID                     types.String `tfsdk:"project_id"`
+	ID                            types.String `tfsdk:"id"`
+	PrivateEndpointConnectionName types.String `tfsdk:"private_endpoint_connection_name"`
+	RegionName                    types.String `tfsdk:"region_name"`
+	Status                        types.String `tfsdk:"status"`
+}
+
 type TFEncryptionAtRestPrivateEndpointsDSModel struct {
-	CloudProvider types.String                `tfsdk:"cloud_provider"`
-	ProjectID     types.String                `tfsdk:"project_id"`
-	Results       []TFEarPrivateEndpointModel `tfsdk:"results"`
+	CloudProvider types.String                  `tfsdk:"cloud_provider"`
+	ProjectID     types.String                  `tfsdk:"project_id"`
+	Results       []TFEarPrivateEndpointModelDS `tfsdk:"results"`
 }

internal/service/encryptionatrestprivateendpoint/model.go

@@ -31,9 +31,9 @@ func NewEarPrivateEndpointReq(tfPlan *TFEarPrivateEndpointModel) *admin.EARPriva
 }
 
 func NewTFEarPrivateEndpoints(projectID, cloudProvider string, sdkResults []admin.EARPrivateEndpoint) *TFEncryptionAtRestPrivateEndpointsDSModel {
-	results := make([]TFEarPrivateEndpointModel, len(sdkResults))
+	results := make([]TFEarPrivateEndpointModelDS, len(sdkResults))
 	for i := range sdkResults {
-		result := NewTFEarPrivateEndpoint(sdkResults[i], projectID)
+		result := NewTFEarPrivateEndpointDS(sdkResults[i], projectID)
 		results[i] = result
 	}
 	return &TFEncryptionAtRestPrivateEndpointsDSModel{
@@ -42,3 +42,16 @@ func NewTFEarPrivateEndpoints(projectID, cloudProvider string, sdkResults []admi
 		Results:       results,
 	}
 }
+
+// NewTFEarPrivateEndpointDS creates a new data source model without timeout fields
+func NewTFEarPrivateEndpointDS(apiResp admin.EARPrivateEndpoint, projectID string) TFEarPrivateEndpointModelDS {
+	return TFEarPrivateEndpointModelDS{
+		ProjectID:                     types.StringValue(projectID),
+		CloudProvider:                 conversion.StringNullIfEmpty(apiResp.GetCloudProvider()),
+		ErrorMessage:                  conversion.StringNullIfEmpty(apiResp.GetErrorMessage()),
+		ID:                            conversion.StringNullIfEmpty(apiResp.GetId()),
+		RegionName:                    conversion.StringNullIfEmpty(apiResp.GetRegionName()),
+		Status:                        conversion.StringNullIfEmpty(apiResp.GetStatus()),
+		PrivateEndpointConnectionName: conversion.StringNullIfEmpty(apiResp.GetPrivateEndpointConnectionName()),
+	}
+}

internal/service/encryptionatrestprivateendpoint/model_test.go

@@ -174,7 +174,7 @@ func TestEncryptionAtRestPrivateEndpointPluralDSSDKToTFModel(t *testing.T) {
 			expectedTFModel: &encryptionatrestprivateendpoint.TFEncryptionAtRestPrivateEndpointsDSModel{
 				CloudProvider: types.StringValue(testCloudProvider),
 				ProjectID:     types.StringValue(testProjectID),
-				Results: []encryptionatrestprivateendpoint.TFEarPrivateEndpointModel{
+				Results: []encryptionatrestprivateendpoint.TFEarPrivateEndpointModelDS{
 					{
 						CloudProvider:                 types.StringValue(testCloudProvider),
 						ErrorMessage:                  types.StringNull(),

internal/service/encryptionatrestprivateendpoint/resource.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/cleanup"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/retrystrategy"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/validate"
@@ -63,13 +64,28 @@ func (r *encryptionAtRestPrivateEndpointRS) Create(ctx context.Context, req reso
 		return
 	}
 
-	finalResp, err := waitStateTransition(ctx, projectID, cloudProvider, createResp.GetId(), connV2.EncryptionAtRestUsingCustomerKeyManagementApi)
+	createTimeout := cleanup.ResolveTimeout(ctx, &earPrivateEndpointPlan.Timeouts, cleanup.OperationCreate, &resp.Diagnostics)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	finalResp, err := waitStateTransition(ctx, projectID, cloudProvider, createResp.GetId(), connV2.EncryptionAtRestUsingCustomerKeyManagementApi, createTimeout)
+	err = cleanup.HandleCreateTimeout(cleanup.ResolveDeleteOnCreateTimeout(earPrivateEndpointPlan.DeleteOnCreateTimeout), err, func(ctxCleanup context.Context) error {
+		cleanResp, cleanErr := connV2.EncryptionAtRestUsingCustomerKeyManagementApi.RequestEncryptionAtRestPrivateEndpointDeletion(ctxCleanup, projectID, cloudProvider, createResp.GetId()).Execute()
+		if validate.StatusNotFound(cleanResp) {
+			return nil
+		}
+		return cleanErr
+	})
+
 	if err != nil {
 		resp.Diagnostics.AddError("error when waiting for status transition in creation", err.Error())
 		return
 	}
 
 	privateEndpointModel := NewTFEarPrivateEndpoint(*finalResp, projectID)
+	privateEndpointModel.Timeouts = earPrivateEndpointPlan.Timeouts
+	privateEndpointModel.DeleteOnCreateTimeout = earPrivateEndpointPlan.DeleteOnCreateTimeout
 	resp.Diagnostics.Append(resp.State.Set(ctx, privateEndpointModel)...)
 
 	diags := CheckErrorMessageAndStatus(finalResp)
@@ -98,7 +114,10 @@ func (r *encryptionAtRestPrivateEndpointRS) Read(ctx context.Context, req resour
 		return
 	}
 
-	resp.Diagnostics.Append(resp.State.Set(ctx, NewTFEarPrivateEndpoint(*endpointModel, projectID))...)
+	privateEndpointModel := NewTFEarPrivateEndpoint(*endpointModel, projectID)
+	privateEndpointModel.Timeouts = earPrivateEndpointState.Timeouts
+	privateEndpointModel.DeleteOnCreateTimeout = earPrivateEndpointState.DeleteOnCreateTimeout
+	resp.Diagnostics.Append(resp.State.Set(ctx, privateEndpointModel)...)
 
 	diags := CheckErrorMessageAndStatus(endpointModel)
 	resp.Diagnostics.Append(diags...)
@@ -124,7 +143,12 @@ func (r *encryptionAtRestPrivateEndpointRS) Delete(ctx context.Context, req reso
 		return
 	}
 
-	model, err := WaitDeleteStateTransition(ctx, projectID, cloudProvider, endpointID, connV2.EncryptionAtRestUsingCustomerKeyManagementApi)
+	deleteTimeout := cleanup.ResolveTimeout(ctx, &earPrivateEndpointState.Timeouts, cleanup.OperationDelete, &resp.Diagnostics)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	model, err := WaitDeleteStateTransition(ctx, projectID, cloudProvider, endpointID, connV2.EncryptionAtRestUsingCustomerKeyManagementApi, deleteTimeout)
 	if err != nil {
 		resp.Diagnostics.AddError("error when waiting for status transition in delete", err.Error())
 		return

internal/service/encryptionatrestprivateendpoint/resource_schema.go

@@ -3,8 +3,11 @@ package encryptionatrestprivateendpoint
 import (
 	"context"
 
+	"github.com/hashicorp/terraform-plugin-framework-timeouts/resource/timeouts"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/customplanmodifier"
 )
 
 func ResourceSchema(ctx context.Context) schema.Schema {
@@ -38,16 +41,29 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 				Computed:            true,
 				MarkdownDescription: "State of the Encryption At Rest private endpoint.",
 			},
+			"timeouts": timeouts.Attributes(ctx, timeouts.Opts{
+				Create: true,
+				Delete: true,
+			}),
+			"delete_on_create_timeout": schema.BoolAttribute{
+				Optional: true,
+				PlanModifiers: []planmodifier.Bool{
+					customplanmodifier.CreateOnlyBoolPlanModifier(),
+				},
+				MarkdownDescription: "Indicates whether to delete the resource being created if a timeout is reached when waiting for completion. When set to `true` and timeout occurs, it triggers the deletion and returns immediately without waiting for deletion to complete. When set to `false`, the timeout will not trigger resource deletion. If you suspect a transient error when the value is `true`, wait before retrying to allow resource deletion to finish. Default is `true`.",
+			},
 		},
 	}
 }
 
 type TFEarPrivateEndpointModel struct {
-	CloudProvider                 types.String `tfsdk:"cloud_provider"`
-	ErrorMessage                  types.String `tfsdk:"error_message"`
-	ProjectID                     types.String `tfsdk:"project_id"`
-	ID                            types.String `tfsdk:"id"`
-	PrivateEndpointConnectionName types.String `tfsdk:"private_endpoint_connection_name"`
-	RegionName                    types.String `tfsdk:"region_name"`
-	Status                        types.String `tfsdk:"status"`
+	CloudProvider                 types.String   `tfsdk:"cloud_provider"`
+	ErrorMessage                  types.String   `tfsdk:"error_message"`
+	ProjectID                     types.String   `tfsdk:"project_id"`
+	ID                            types.String   `tfsdk:"id"`
+	PrivateEndpointConnectionName types.String   `tfsdk:"private_endpoint_connection_name"`
+	RegionName                    types.String   `tfsdk:"region_name"`
+	Status                        types.String   `tfsdk:"status"`
+	Timeouts                      timeouts.Value `tfsdk:"timeouts"`
+	DeleteOnCreateTimeout         types.Bool     `tfsdk:"delete_on_create_timeout"`
 }

internal/service/encryptionatrestprivateendpoint/resource_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"regexp"
 	"testing"
 	"time"
 
@@ -32,6 +33,34 @@ func TestAccEncryptionAtRestPrivateEndpoint_Azure_basic(t *testing.T) {
 	resource.Test(t, *basicTestCaseAzure(t))
 }
 
+func TestAccEncryptionAtRestPrivateEndpoint_createTimeoutWithDeleteOnCreate(t *testing.T) {
+	// This test is skipped because it creates a race condition with other tests:
+	// 1. This test creates an encryption at rest private endpoint with a 1s timeout, causing it to fail and trigger cleanup
+	// 2. The private endpoint deletion doesn't complete immediately
+	// 3. Other tests share the same project and attempt to disable encryption at rest during cleanup
+	// 4. MongoDB Atlas returns "CANNOT_DISABLE_ENCRYPTION_AT_REST_REQUIRE_PRIVATE_NETWORKING_WHILE_PRIVATE_ENDPOINTS_EXIST"
+	//    because the private endpoint from this test is still being deleted
+	// This race condition occurs even when tests don't run in parallel due to the async nature of private endpoint deletion.
+	acc.SkipTestForCI(t)
+	var (
+		createTimeout         = "1s"
+		deleteOnCreateTimeout = true
+		region                = conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))
+		// Create encryption at rest configuration outside of test configuration to avoid cleanup issues
+		projectID = acc.EncryptionAtRestExecution(t)
+	)
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acc.PreCheckEncryptionAtRestEnvAWS(t) },
+		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
+		Steps: []resource.TestStep{
+			{
+				Config:      configEARPrivateEndpointWithTimeout(projectID, region, acc.TimeoutConfig(&createTimeout, nil, nil), &deleteOnCreateTimeout),
+				ExpectError: regexp.MustCompile("will run cleanup because delete_on_create_timeout is true"),
+			},
+		},
+	})
+}
+
 func basicTestCaseAzure(tb testing.TB) *resource.TestCase {
 	tb.Helper()
 	var (
@@ -316,19 +345,57 @@ func checkBasic(projectID, cloudProvider, region string, expectApproved bool) re
 }
 
 func configAWSBasic(projectID string, awsKms *admin.AWSKMSConfiguration, region string) string {
+	return configAWSBasicWithTimeout(projectID, awsKms, region, "", nil)
+}
+
+func configAWSBasicWithTimeout(projectID string, awsKms *admin.AWSKMSConfiguration, region, timeoutConfig string, deleteOnCreateTimeout *bool) string {
 	encryptionAtRestConfig := acc.ConfigAwsKms(projectID, awsKms, false, true, false)
+
+	deleteOnCreateTimeoutConfig := ""
+	if deleteOnCreateTimeout != nil {
+		deleteOnCreateTimeoutConfig = fmt.Sprintf(`
+			delete_on_create_timeout = %[1]t
+		`, *deleteOnCreateTimeout)
+	}
+
 	config := fmt.Sprintf(`
 		%[1]s
 
 		resource "mongodbatlas_encryption_at_rest_private_endpoint" "test" {
 		    project_id = mongodbatlas_encryption_at_rest.test.project_id
 		    cloud_provider = "AWS"
 		    region_name = %[2]q
+		    %[3]s
+		    %[4]s
 		}
 
-		%[3]s
+		%[5]s
 
-	`, encryptionAtRestConfig, region, configDS())
+	`, encryptionAtRestConfig, region, deleteOnCreateTimeoutConfig, timeoutConfig, configDS())
+
+	return config
+}
+
+func configEARPrivateEndpointWithTimeout(projectID, region, timeoutConfig string, deleteOnCreateTimeout *bool) string {
+	deleteOnCreateTimeoutConfig := ""
+	if deleteOnCreateTimeout != nil {
+		deleteOnCreateTimeoutConfig = fmt.Sprintf(`
+			delete_on_create_timeout = %[1]t
+		`, *deleteOnCreateTimeout)
+	}
+
+	config := fmt.Sprintf(`
+		resource "mongodbatlas_encryption_at_rest_private_endpoint" "test" {
+		    project_id = %[1]q
+		    cloud_provider = "AWS"
+		    region_name = %[2]q
+		    %[3]s
+		    %[4]s
+		}
+
+		%[5]s
+
+	`, projectID, region, deleteOnCreateTimeoutConfig, timeoutConfig, configDS())
 
 	return config
 }