chore: Implement better logging on network issues (#3359)

* add logs

* adjust doc

* add error details

* run acc tests when config folder changes

* use NewTransport

* improve doc

* add config acc tests

* don't log headers

* make tests less verbose

* remove header example from doc

* remove headers from tests

* rename NewNetworkLoggingTransport to NewTransportWithNetworkLogging

* remove name

* undo realm changes

* log Digest challenge requests

* note about logging.NewTransport

* adjust doc

* fix doc examples

* enable network logging only when TF loglevel is debug or higher

* fix TestAccNetworkLogging

* TestNetworkLoggingTransport_Disabled

Author: lantoli

.github/workflows/acceptance-tests-runner.yml

@@ -296,6 +296,7 @@ jobs:
           cluster_outage_simulation:
             - 'internal/service/clusteroutagesimulation/*.go'  
           config:
+            - 'internal/config/*.go'
             - 'internal/service/alertconfiguration/*.go'
             - 'internal/service/apikey/*.go'
             - 'internal/service/atlasuser/*.go'
@@ -649,6 +650,7 @@ jobs:
           AWS_S3_BUCKET: ${{ secrets.aws_s3_bucket_federation }}
           MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }}
           ACCTEST_PACKAGES: |
+            ./internal/config
             ./internal/service/alertconfiguration
             ./internal/service/atlasuser
             ./internal/service/cloudprovideraccess

contributing/README.md

@@ -8,3 +8,4 @@ Thanks for your interest in contributing to MongoDB Atlas Terraform Provider, th
 - [Documentation](documentation.md)
 - [Changelog process](changelog-process.md)
 - [Atlas SDK](atlas-sdk.md)
+- [Enhanced Network Logging](network-logging.md)

contributing/network-logging.md

@@ -0,0 +1,109 @@
+# Enhanced Network Logging for MongoDB Atlas Terraform Provider
+
+## Overview
+
+The MongoDB Atlas Terraform provider now includes enhanced network logging capabilities to provide better visibility into HTTP requests and responses when communicating with the MongoDB Atlas API. This feature helps diagnose API connectivity issues, timeouts, and status code errors.
+
+## Features
+
+### 1. Detailed Request/Response Timing
+- Logs the start time of each HTTP request
+- Measures and reports the total duration of each request
+
+### 2. Comprehensive Error Context
+The logging transport analyzes network errors and provides specific context for common issues:
+
+- **Timeout errors**: Indicates potential API server overload or network connectivity issues
+- **Connection refused**: Suggests API server may be down or unreachable
+- **DNS resolution failures**: Points to DNS configuration or network connectivity problems
+- **TLS certificate errors**: Highlights certificate validity or trust chain issues
+- **Request deadline exceeded**: Shows when requests exceed configured timeouts
+- **Connection reset**: Indicates unexpected server connection closures
+
+### 3. HTTP Status Code Analysis
+- Categorizes responses as Success (2xx), Redirection (3xx), Client Error (4xx), or Server Error (5xx)
+- Logs additional details for non-2xx responses
+- Includes relevant response headers for debugging
+- **Special handling for 401 Unauthorized**: Recognizes digest authentication challenges and logs them as expected behavior rather than errors
+
+### 4. Response Header Logging
+For error responses, the transport logs important debugging headers:
+
+## Log Examples
+
+### Successful Request With Authentication Challenge
+```
+[DEBUG] Network Request Start: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters (started at 2025-01-15T10:30:00.123Z)
+[DEBUG] Network Request Complete: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Status: 401 (Client Error) - Duration: 120ms
+[DEBUG] Digest Authentication Challenge: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Status: 401 - Expected first request in digest authentication flow
+[DEBUG] Network Request Start: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters (started at 2025-01-15T10:30:00.245Z)
+[DEBUG] Network Request Complete: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Status: 200 (Success) - Duration: 180ms
+```
+
+### HTTP Error Response
+```
+[DEBUG] Network Request Start: POST https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters (started at 2025-01-15T10:30:00.123Z)
+[DEBUG] Network Request Complete: POST https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Status: 400 (Client Error) - Duration: 180ms
+[WARN] HTTP Error Response: POST https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Status: 400 Bad Request - Duration: 180ms - Content-Type: application/json
+```
+
+### Network Error
+```
+[DEBUG] Network Request Start: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters (started at 2025-01-15T10:30:00.123Z)
+[ERROR] Network Request Failed: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Duration: 30s - Error: context deadline exceeded
+[ERROR] Request Deadline Exceeded: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Duration: 30s - Request took longer than configured timeout
+```
+
+### Connection Refused Error
+```
+[DEBUG] Network Request Start: POST https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters (started at 2025-01-15T10:30:00.123Z)
+[ERROR] Network Request Failed: POST https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Duration: 5s - Error: dial tcp 192.168.1.1:443: connect: connection refused
+[ERROR] Connection Refused: POST https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Duration: 5s - API server may be down or unreachable
+```
+
+### DNS Resolution Error
+```
+[DEBUG] Network Request Start: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters (started at 2025-01-15T10:30:00.123Z)
+[ERROR] Network Request Failed: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Duration: 2s - Error: dial tcp: lookup cloud.mongodb.com: no such host
+[ERROR] DNS Resolution Failed: GET https://cloud.mongodb.com/api/atlas/v2/groups/123/clusters - Duration: 2s - Check DNS configuration and network connectivity
+```
+
+## Implementation Details
+
+### Transport Chain
+The enhanced logging is implemented as a custom HTTP transport that wraps the existing transport chain:
+
+```mermaid
+flowchart LR
+    A[baseTransport] --> B[NetworkLoggingTransport]
+    B --> C[digestTransport]
+    C --> D[tfLoggingTransport]
+```
+
+This ensures:
+1. **Network-level logging happens before digest authentication** - captures the initial 401 digest challenge requests
+2. **All HTTP operations are captured** - including the authentication flow
+3. **Terraform logging happens after digest authentication** - prevents logging of sensitive authentication details
+4. **Existing functionality is preserved** - maintains compatibility with all existing features
+5. **Consistent logging across all MongoDB Atlas API clients** - same transport chain for all SDK versions
+
+## Troubleshooting Common Issues
+
+### Digest Authentication Flow
+MongoDB Atlas uses digest authentication, which requires a two-step process:
+1. **Initial request (401 response)**: The first request to any endpoint will return a 401 status with a digest challenge
+2. **Authenticated request**: The client automatically retries with proper digest credentials
+
+When you see a 401 status in the logs with the message "Expected first request in digest authentication flow", this is normal behavior and not an error. The digest authentication library will automatically handle the challenge and retry the request with proper credentials.
+
+### Timeout Errors
+For "Request Deadline Exceeded" errors:
+- Check if the configured timeout is appropriate for your use case
+- Verify network stability
+- Consider if Atlas API is experiencing high load
+
+### Connection Issues
+For "Connection Refused" or "DNS Resolution Failed" errors:
+- Verify network connectivity
+- Check DNS configuration
+- Ensure firewall rules allow HTTPS traffic to MongoDB Atlas

internal/config/client.go

@@ -96,18 +96,14 @@ type UAMetadata struct {
 	Value string
 }
 
-// NewClient func...
 func (c *Config) NewClient(ctx context.Context) (any, error) {
-	// setup a transport to handle digest
-	transport := digest.NewTransportWithHTTPTransport(cast.ToString(c.PublicKey), cast.ToString(c.PrivateKey), baseTransport)
-
-	// initialize the client
-	client, err := transport.Client()
-	if err != nil {
-		return nil, err
-	}
-
-	client.Transport = logging.NewTransport("MongoDB Atlas", transport)
+	// Network Logging transport is before Digest transport so it can log the first Digest requests with 401 Unauthorized.
+	// Terraform logging transport is after Digest transport so the Unauthorized request bodies are not logged.
+	networkLoggingTransport := NewTransportWithNetworkLogging(baseTransport, logging.IsDebugOrHigher())
+	digestTransport := digest.NewTransportWithHTTPRoundTripper(cast.ToString(c.PublicKey), cast.ToString(c.PrivateKey), networkLoggingTransport)
+	// Don't change logging.NewTransport to NewSubsystemLoggingHTTPTransport until all resources are in TPF.
+	tfLoggingTransport := logging.NewTransport("Atlas", digestTransport)
+	client := &http.Client{Transport: tfLoggingTransport}
 
 	optsAtlas := []matlasClient.ClientOpt{matlasClient.SetUserAgent(userAgent(c))}
 	if c.BaseURL != "" {

internal/config/transport.go

@@ -0,0 +1,108 @@
+package config
+
+import (
+	"log"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// NetworkLoggingTransport wraps an http.RoundTripper to provide enhanced logging
+// for network operations, including timing, status codes, and error details.
+type NetworkLoggingTransport struct {
+	Transport http.RoundTripper
+	Enabled   bool
+}
+
+// NewTransportWithNetworkLogging creates a new NetworkLoggingTransport that wraps
+// the provided transport with enhanced network logging capabilities.
+func NewTransportWithNetworkLogging(transport http.RoundTripper, enabled bool) *NetworkLoggingTransport {
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+	return &NetworkLoggingTransport{
+		Transport: transport,
+		Enabled:   enabled,
+	}
+}
+
+// RoundTrip implements the http.RoundTripper interface and adds enhanced logging
+// around the HTTP request/response cycle.
+func (t *NetworkLoggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if !t.Enabled {
+		return t.Transport.RoundTrip(req)
+	}
+
+	startTime := time.Now()
+	log.Printf("[DEBUG] Network Request Start: %s %s (started at %s)",
+		req.Method, req.URL.String(), startTime.Format(time.RFC3339Nano))
+
+	resp, err := t.Transport.RoundTrip(req)
+	duration := time.Since(startTime)
+	if err != nil {
+		log.Printf("[ERROR] Network Request Failed: %s %s - Duration: %v - Error: %v",
+			req.Method, req.URL.String(), duration, err)
+
+		t.logNetworkErrorContext(err, req, duration)
+		return resp, err
+	}
+	statusCode := resp.StatusCode
+	statusClass := GetStatusClass(statusCode)
+
+	log.Printf("[DEBUG] Network Request Complete: %s %s - Status: %d (%s) - Duration: %v",
+		req.Method, req.URL.String(), statusCode, statusClass, duration)
+
+	if statusCode == http.StatusUnauthorized {
+		log.Printf("[DEBUG] Digest Authentication Challenge: %s %s - Status: 401 - Expected first request in digest authentication flow",
+			req.Method, req.URL.String())
+	} else if statusCode >= 300 {
+		log.Printf("[WARN] HTTP Error Response: %s %s - Status: %d %s - Duration: %v - Content-Type: %s",
+			req.Method, req.URL.String(), statusCode, http.StatusText(statusCode),
+			duration, resp.Header.Get("Content-Type"))
+	}
+	return resp, nil
+}
+
+// logNetworkErrorContext provides additional context for common network errors
+func (t *NetworkLoggingTransport) logNetworkErrorContext(err error, req *http.Request, duration time.Duration) {
+	errStr := err.Error()
+	switch {
+	case strings.Contains(errStr, "timeout"):
+		log.Printf("[ERROR] Network Timeout: %s %s - Duration: %v - This may indicate API server overload or network connectivity issues",
+			req.Method, req.URL.String(), duration)
+	case strings.Contains(errStr, "connection refused"):
+		log.Printf("[ERROR] Connection Refused: %s %s - Duration: %v - API server may be down or unreachable",
+			req.Method, req.URL.String(), duration)
+	case strings.Contains(errStr, "no such host"):
+		log.Printf("[ERROR] DNS Resolution Failed: %s %s - Duration: %v - Check DNS configuration and network connectivity",
+			req.Method, req.URL.String(), duration)
+	case strings.Contains(errStr, "certificate"):
+		log.Printf("[ERROR] TLS Certificate Error: %s %s - Duration: %v - Check certificate validity and trust chain",
+			req.Method, req.URL.String(), duration)
+	case strings.Contains(errStr, "context deadline exceeded"):
+		log.Printf("[ERROR] Request Deadline Exceeded: %s %s - Duration: %v - Request took longer than configured timeout",
+			req.Method, req.URL.String(), duration)
+	case strings.Contains(errStr, "connection reset"):
+		log.Printf("[ERROR] Connection Reset: %s %s - Duration: %v - Server closed connection unexpectedly",
+			req.Method, req.URL.String(), duration)
+	default:
+		log.Printf("[ERROR] Network Error: %s %s - Duration: %v - Error details: %v",
+			req.Method, req.URL.String(), duration, err)
+	}
+}
+
+// GetStatusClass returns a human-readable status class for the HTTP status code
+func GetStatusClass(statusCode int) string {
+	switch {
+	case statusCode >= 200 && statusCode < 300:
+		return "Success"
+	case statusCode >= 300 && statusCode < 400:
+		return "Redirection"
+	case statusCode >= 400 && statusCode < 500:
+		return "Client Error"
+	case statusCode >= 500 && statusCode < 600:
+		return "Server Error"
+	default:
+		return "Unknown"
+	}
+}