doc: Adds example for GCP in mongodbatlas_cloud_provider_access resources and mongodbatlas_encryption_at_rest resource (#3645)

* example

* required_version

* example for ear

* make cloud provider access example focused

* fixes

* mention need to delete the old

* update docs

* Address PR comments for documentation improvements

* Address PR comments

* Add missing dot por documentation

* Address docs generated modifications from PR comments

---------

Co-authored-by: Mar Cabrera <[email protected]>

Author: oarbusi

docs/resources/encryption_at_rest.md

@@ -134,20 +134,37 @@ Please review the [`mongodbatlas_encryption_at_rest_private_endpoint` resource d
 
 
 ### Configuring encryption at rest using customer key management in GCP
-For authentication, you must provide either serviceAccountKey (static credentials) or roleId (service-account–based authentication). Once roleId is configured, serviceAccountKey is no longer supported.
+For GCP environments using static service account key, we recommend configuring encryption at rest with customer key management. This approach uses role-based authentication through Cloud Provider Access for a more secure solution
 
 ```terraform
+resource "mongodbatlas_cloud_provider_access_setup" "this" {
+  project_id    = var.atlas_project_id
+  provider_name = "GCP"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "this" {
+  project_id = var.atlas_project_id
+  role_id    = mongodbatlas_cloud_provider_access_setup.this.role_id
+}
+
 resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.atlas_project_id
 
   google_cloud_kms_config {
     enabled                 = true
-    service_account_key     = "{\"type\": \"service_account\",\"project_id\": \"my-project-common-0\",\"private_key_id\": \"e120598ea4f88249469fcdd75a9a785c1bb3\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEuwIBA(truncated)SfecnS0mT94D9\\n-----END PRIVATE KEY-----\\n\",\"client_email\": \"[email protected]\",\"client_id\": \"10180967717292066\",\"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/my-email-kms-0%40my-project-common-0.iam.gserviceaccount.com\"}"
-    key_version_resource_id = "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1"
+    key_version_resource_id = google_kms_crypto_key.crypto_key.primary[0].name
+    role_id                 = mongodbatlas_cloud_provider_access_authorization.this.role_id
   }
+
+  depends_on = [
+    google_kms_crypto_key_iam_binding.encrypter_decrypter_binding,
+    google_kms_crypto_key_iam_binding.viewer_binding
+  ]
 }
 ```
 
+For a complete example that includes GCP KMS resource creation and IAM binding setup, see the [GCP encryption at rest example](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_encryption_at_rest/gcp/).
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

examples/mongodbatlas_cloud_provider_access/gcp/README.md

@@ -0,0 +1,93 @@
+# MongoDB Atlas Cloud Provider Access with Google Cloud Platform (GCP)
+
+This example demonstrates how to set up MongoDB Atlas Cloud Provider Access with Google Cloud Platform (GCP). This creates the necessary setup and authorization for MongoDB Atlas to access GCP resources on behalf of your project.
+
+## What This Example Does
+
+The following Terraform configurations:
+
+1. **Creates Cloud Provider Access Setup**: Establishes the initial setup for MongoDB Atlas to access GCP resources
+2. **Authorizes the Access Role**: Completes the authorization process, creating a GCP service account that MongoDB Atlas can use
+
+## Architecture Overview
+
+```mermaid
+graph LR
+      subgraph "MongoDB Atlas"
+          A[Project<br/>Cloud Provider<br/>Access]
+      end
+
+      subgraph "Google Cloud"
+          B[Service Account<br/>Created by Atlas]
+      end
+      A <--> B
+```
+
+## Prerequisites
+
+Before running this example, you need:
+
+1. **MongoDB Atlas Account**: With API keys that have project owner permissions
+2. **Google Cloud Platform Account**: With a project (no specific GCP permissions required for this setup)
+3. **Terraform**: Version 0.13 or later
+
+## Procedure
+
+### 1. Set Up Variables
+
+Create a `terraform.tfvars` file:
+
+```hcl
+atlas_public_key  = "<ATLAS_PUBLIC_KEY>"
+atlas_private_key = "<ATLAS_PRIVATE_KEY>"
+atlas_project_id  = "<ATLAS_PROJECT_ID>"
+```
+
+### 2. Deploy the Infrastructure
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+### 3. Verify the Setup
+
+After having successfully deployed your infrastructure, you should get the following outputs:
+- Atlas role ID
+- GCP service account email created by Atlas
+
+## Important Notes
+
+### GCP-Specific Behavior
+
+Unlike AWS and Azure, GCP Cloud Provider Access:
+- **No Configuration Updates**: GCP authorization only requires a role ID and has no additional configuration parameters
+- **Immutable After Creation**: Once authorized, you cannot "update" a GCP cloud provider access role
+- **New Authorization = New Resource**: If you need to change GCP settings, create a new `mongodbatlas_cloud_provider_access_setup` and `mongodbatlas_cloud_provider_access_authorization` resource and then delete the old one
+
+### Next Steps
+
+After setting up cloud provider access, you can use the created service account for various integrations such as Encryption at Rest using Google Cloud KMS. See the full example [here](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_encryption_at_rest/gcp)
+
+## Variables
+
+| Variable | Description | Type | Required |
+|----------|-------------|------|----------|
+| `atlas_public_key` | MongoDB Atlas public API key | string | Yes |
+| `atlas_private_key` | MongoDB Atlas private API key | string | Yes |
+| `atlas_project_id` | MongoDB Atlas project ID | string | Yes |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `atlas_role_id` | The MongoDB Atlas cloud provider access role ID |
+| `gcp_service_account_email` | GCP service account email created by Atlas |
+
+## Related Documentation
+
+- [MongoDB Atlas Cloud Provider Access](https://www.mongodb.com/docs/atlas/security/customer-key-management/)
+- [Terraform MongoDB Atlas Provider](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs)
+- [mongodbatlas_cloud_provider_access_setup](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/cloud_provider_access)
+- [mongodbatlas_cloud_provider_access_authorization](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/cloud_provider_access)

examples/mongodbatlas_cloud_provider_access/gcp/main.tf

@@ -0,0 +1,10 @@
+resource "mongodbatlas_cloud_provider_access_setup" "this" {
+  project_id    = var.atlas_project_id
+  provider_name = "GCP"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "this" {
+  project_id = var.atlas_project_id
+  role_id    = mongodbatlas_cloud_provider_access_setup.this.role_id
+}
+

examples/mongodbatlas_cloud_provider_access/gcp/outputs.tf

@@ -0,0 +1,9 @@
+output "atlas_role_id" {
+  description = "The MongoDB Atlas cloud provider access role ID"
+  value       = mongodbatlas_cloud_provider_access_authorization.this.role_id
+}
+
+output "gcp_service_account_email" {
+  description = "The GCP service account email created by MongoDB Atlas"
+  value       = mongodbatlas_cloud_provider_access_authorization.this.gcp[0].service_account_for_atlas
+}

examples/mongodbatlas_cloud_provider_access/gcp/providers.tf

@@ -0,0 +1,4 @@
+provider "mongodbatlas" {
+  public_key  = var.atlas_public_key
+  private_key = var.atlas_private_key
+}

examples/mongodbatlas_cloud_provider_access/gcp/variables.tf

@@ -0,0 +1,15 @@
+variable "atlas_public_key" {
+  description = "MongoDB Atlas public API key for authentication"
+  type        = string
+}
+
+variable "atlas_private_key" {
+  description = "MongoDB Atlas private API key for authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "atlas_project_id" {
+  description = "MongoDB Atlas project ID where the cloud provider access will be configured"
+  type        = string
+}

examples/mongodbatlas_cloud_provider_access/gcp/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+    }
+  }
+  required_version = ">= 0.13"
+}

examples/mongodbatlas_encryption_at_rest/gcp/README.md

@@ -0,0 +1,125 @@
+# MongoDB Atlas Cloud Provider Access with Google Cloud Platform (GCP)
+
+This example demonstrates how to set up MongoDB Atlas Cloud Provider Access with Google Cloud Platform (GCP) to enable Customer-Managed Encryption Keys (CMEK) using Google Cloud KMS.
+
+## What This Example Does
+
+The following Terraform configurations:
+
+1. **Creates Cloud Provider Access Setup**: Establishes the initial setup for MongoDB Atlas to access GCP resources
+2. **Authorizes the Access Role**: Completes the authorization process, creating a GCP service account that MongoDB Atlas can use
+3. **Creates GCP KMS Resources**: Sets up a Key Ring and Crypto Key in Google Cloud KMS for encryption
+4. **Configures IAM Permissions**: Grants the MongoDB Atlas service account the necessary permissions to use the KMS key
+5. **Enables Encryption at Rest**: Configures MongoDB Atlas to use the GCP KMS key for encrypting data at rest
+
+## Architecture Overview
+
+```
+┌─────────────────────┐    ┌─────────────────────────┐
+│   MongoDB Atlas     │    │     Google Cloud        │
+│                     │    │                         │
+│  ┌───────────────┐  │    │  ┌─────────────────┐    │
+│  │   Project     │  │    │  │   KMS Key Ring  │    │
+│  │               │  │◄───┤  │                 │    │
+│  │ Cloud Provider│  │    │  │ ┌─────────────┐ │    │
+│  │    Access     │  │    │  │ │ Crypto Key  │ │    │
+│  │               │  │    │  │ └─────────────┘ │    │
+│  └───────────────┘  │    │  └─────────────────┘    │
+│                     │    │                         │
+│  Service Account ───┼────┤► IAM Permissions        │
+│  (Created by Atlas) │    │  - cryptoKeyEncrypter   │
+│                     │    │    Decrypter            │
+│                     │    │  - viewer               │
+└─────────────────────┘    └─────────────────────────┘
+```
+
+## Prerequisites
+
+Before running this example, you need:
+
+1. **MongoDB Atlas Account**: With API keys that have project owner permissions
+2. **Google Cloud Platform Account**: With a project and appropriate permissions to:
+   - Create KMS resources (Key Rings and Crypto Keys)
+   - Manage IAM bindings on KMS resources
+3. **Terraform**: Version 0.13 or later
+4. **Google Cloud Terraform Provider**: The Google provider must be configured in your Terraform environment. See the [Google provider documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs) for authentication methods 
+
+### Required GCP Permissions
+
+Your user or service account needs the following IAM roles:
+- `roles/cloudkms.admin` - To create and manage KMS resources
+- `roles/resourcemanager.projectIamAdmin` - To manage IAM bindings
+
+## Procedure
+
+### 1. Set Up Variables
+
+Create a `terraform.tfvars` file:
+
+```hcl
+atlas_public_key  = <ATLAS_PUBLIC_KEY>
+atlas_private_key = <ATLAS_PRIVATE_KEY>
+atlas_project_id  = <ATLAS_PROJECT_ID>
+gcp_project_id    = <GCP_PROJECT_ID>
+
+# Optional: Customize KMS resources
+key_ring_name    = <KEY_RING_NAME>
+crypto_key_name  = <CRYPTO_KEY_NAME>
+location         = <GCP_LOCATION>
+```
+
+### 2. Deploy the Infrastructure
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+### 3. Verify the Setup
+
+After having successfully deployed your infrastructure, you should get the following outputs:
+- Atlas role ID
+- GCP service account email created by Atlas
+- KMS key ring and crypto key IDs
+- Key version resource ID used for encryption
+
+### Resource Dependencies
+
+The configuration manages dependencies between resources:
+- KMS resources are created first
+- Atlas authorization completes before encryption configuration
+- IAM bindings are established before Atlas tries to use the key
+
+### Security Considerations
+
+- The Atlas service account gets minimal required permissions (`cryptoKeyEncrypterDecrypter` and `viewer`)
+- KMS keys are created with `ENCRYPT_DECRYPT` purpose only
+
+## Variables
+
+| Variable | Description | Type | Default | Required |
+|----------|-------------|------|---------|----------|
+| `atlas_public_key` | MongoDB Atlas public API key | string | - | Yes |
+| `atlas_private_key` | MongoDB Atlas private API key | string | - | Yes |
+| `atlas_project_id` | MongoDB Atlas project ID | string | - | Yes |
+| `gcp_project_id` | GCP project ID | string | - | Yes |
+| `key_ring_name` | Name of the KMS key ring | string | `"atlas-key-ring"` | No |
+| `crypto_key_name` | Name of the crypto key | string | `"atlas-crypto-key"` | No |
+| `location` | GCP region for KMS resources | string | `"us-central1"` | No |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `atlas_role_id` | The MongoDB Atlas cloud provider access role ID |
+| `gcp_service_account_email` | GCP service account email created by Atlas |
+| `kms_key_ring_id` | Full ID of the created KMS key ring |
+| `kms_crypto_key_id` | Full ID of the created crypto key |
+| `kms_key_version_resource_id` | Resource ID of the primary key version |
+
+## Related Documentation
+
+- [MongoDB Atlas Cloud Provider Access](https://www.mongodb.com/docs/atlas/security/customer-key-management/)
+- [Google Cloud KMS Documentation](https://cloud.google.com/kms/docs)
+- [Terraform MongoDB Atlas Provider](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs)

examples/mongodbatlas_encryption_at_rest/gcp/gcp-kms.tf

@@ -0,0 +1,32 @@
+# Create the Key Ring
+resource "google_kms_key_ring" "key_ring" {
+  name     = var.key_ring_name
+  location = var.location
+}
+
+# Create the Crypto Key in the Key Ring
+resource "google_kms_crypto_key" "crypto_key" {
+  name     = var.crypto_key_name
+  key_ring = google_kms_key_ring.key_ring.id
+  purpose  = "ENCRYPT_DECRYPT"
+}
+
+# IAM Binding: Grant 'cryptoKeyEncrypterDecrypter' role
+resource "google_kms_crypto_key_iam_binding" "encrypter_decrypter_binding" {
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  members = [
+    "serviceAccount:${mongodbatlas_cloud_provider_access_authorization.this.gcp[0].service_account_for_atlas}"
+  ]
+}
+
+# IAM Binding: Grant 'viewer' role
+resource "google_kms_crypto_key_iam_binding" "viewer_binding" {
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  role          = "roles/cloudkms.viewer"
+
+  members = [
+    "serviceAccount:${mongodbatlas_cloud_provider_access_authorization.this.gcp[0].service_account_for_atlas}"
+  ]
+}

examples/mongodbatlas_encryption_at_rest/gcp/main.tf

@@ -0,0 +1,24 @@
+resource "mongodbatlas_cloud_provider_access_setup" "this" {
+  project_id    = var.atlas_project_id
+  provider_name = "GCP"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "this" {
+  project_id = var.atlas_project_id
+  role_id    = mongodbatlas_cloud_provider_access_setup.this.role_id
+}
+
+resource "mongodbatlas_encryption_at_rest" "test" {
+  project_id = var.atlas_project_id
+
+  google_cloud_kms_config {
+    enabled                 = true
+    key_version_resource_id = google_kms_crypto_key.crypto_key.primary[0].name
+    role_id                 = mongodbatlas_cloud_provider_access_authorization.this.role_id
+  }
+
+  depends_on = [
+    google_kms_crypto_key_iam_binding.encrypter_decrypter_binding,
+    google_kms_crypto_key_iam_binding.viewer_binding
+  ]
+}