feat: Add import support for mongodbatlas_organization resource (#3475)

* import

* optional

* getAtlasV2Connection

* changelog

* creation-only attributes

* doc

* examples

* rename

* rename

* improve import example

* Update internal/service/organization/resource_organization.go

Co-authored-by: Copilot <[email protected]>

* fix version.tf

* fix example linter

* Update .changelog/3475.txt

Co-authored-by: maastha <[email protected]>

* mention import only in its section

* update example doc

* improve federation_settings_id in examples

* validate creation required and creation only attributes

* federation_settings_id doc

* simplify example main readme

* update federation_settings_id in examples

* revert changes to step-1

* guide

* import test

* SkipInUnitTest

* Update docs/guides/importing-organization.md

Co-authored-by: Marco Suma <[email protected]>

* Update docs/guides/importing-organization.md

Co-authored-by: Marco Suma <[email protected]>

* Update docs/guides/importing-organization.md

Co-authored-by: Marco Suma <[email protected]>

* API credentials doc

* PreCheckBasic,  project_id is not needed

* Update docs/guides/importing-organization.md

Co-authored-by: Marco Suma <[email protected]>

* add prevent_destroy

* don't mention TF version

* reference guide from resource doc

* remove output from example

* import block

* join how and why

* typo

---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: maastha <[email protected]>
Co-authored-by: Marco Suma <[email protected]>

Author: 4 people

.changelog/3475.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/mongodbatlas_organization: Adds import support
+```

docs/guides/importing-organization.md

@@ -0,0 +1,153 @@
+---
+page_title: "Guide: Importing MongoDB Atlas Organizations"
+---
+
+# Importing MongoDB Atlas Organizations
+
+**Objective**: Learn how to import existing MongoDB Atlas organizations into Terraform management, understand why certain attributes are optional for imports, and successfully manage your existing organizations using Infrastructure as Code.
+
+## Overview
+
+Starting with version 1.38.0 of the MongoDB Atlas Provider, you can now import existing MongoDB Atlas organizations into your Terraform state. This feature allows you to bring organizations that were created outside of Terraform under Infrastructure as Code (IaC) management.
+
+## Why Import Organizations?
+
+Before version 1.38.0, the `mongodbatlas_organization` resource did not support the import functionality. Organizations could only be created through Terraform, which meant:
+
+- Existing organizations created through the Atlas UI or API couldn't be managed by Terraform.
+- Teams had to maintain organizations outside of their IaC workflows.
+- There was no migration path to bring existing organizations under Terraform management.
+
+With import support, you can now:
+- Bring existing organizations into Terraform management.
+- Standardize organization configuration across your infrastructure.
+- Apply consistent security settings and policies using IaC.
+
+## Important Changes to Required Attributes
+
+To enable import functionality, several attributes that were previously marked as required have been made optional:
+
+- `org_owner_id`
+- `description` 
+- `role_names`
+
+This change was done because these attributes are only needed when creating a new organization and are not returned by the Atlas API when reading existing organizations so they will be empty if the resource is imported.
+
+While these attributes are now optional in the schema, they are still **required when creating a new organization**. The provider will validate that these attributes are present during the creation process.
+
+## How to Import an Organization
+
+### Prerequisites
+
+Before importing an organization, ensure you have:
+- MongoDB Atlas API credentials with Organization Owner permissions.
+- The Organization ID of the organization you want to import.
+- MongoDB Atlas Provider version 1.38.0 or later.
+
+### Finding Your Organization ID
+
+You can find your organization ID in several ways:
+
+1. **Atlas UI**: Navigate to your organization settings - the ID is visible in the URL.
+2. **Atlas CLI**: Use `atlas organizations list` if you have the Atlas CLI installed.
+3. **Atlas API**: Use the organizations endpoint to list all organizations.
+
+### Import Process
+
+#### Step 1: Create the Terraform Configuration
+
+Create a Terraform configuration file that describes the organization you want to import and the `import block`. **Do not include** the creation-only attributes:
+
+```hcl
+resource "mongodbatlas_organization" "imported" {
+  name = "My Existing Organization"
+}
+
+import {
+  id = "<ORG_ID>"
+  to = mongodbatlas_organization.imported
+}
+
+```
+
+#### Step 2: Run the Import Command
+
+Alternatively, you can use the `import command` instead of the `import block`:
+
+```bash
+terraform import mongodbatlas_organization.imported <ORG_ID>
+```
+
+Replace `<ORG_ID>` with your actual organization ID.
+
+#### Step 3: Verify the Import
+
+Run `terraform plan` to verify that the import was successful and see if any configuration adjustments are needed:
+
+```bash
+terraform plan
+```
+
+The plan should show minimal or no changes if your configuration matches the existing organization settings.
+
+#### Step 4: Apply Any Updates
+
+If you want to update any organization settings, modify your configuration and apply changs, e.g.:
+
+```bash
+resource "mongodbatlas_organization" "imported" {
+  name = "My Existing Organization"
+
+  # Add any settings that you want to modify
+  api_access_list_required     = false
+  multi_factor_auth_required   = true
+  restrict_employee_access     = true
+  gen_ai_features_enabled      = true
+  security_contact             = "[email protected]"
+  skip_default_alerts_settings = true
+}
+```
+
+## Important Considerations
+
+### API Credentials Usage  
+
+- When importing an organization, the provider API credentials are used. Ensure that your API key has Organization Owner permissions for the organization being imported.
+- When creating an organization, the process remains unchanged: new API keys are generated as part of the resource creation, and these keys will be used for subsequent `mongodbatlas_organization` resource operations.
+
+**Important**: API credentials stored in the `mongodbatlas_organization` Terraform state will take precedence, regardless of their validity.
+
+### Creation-Only Attributes
+
+The newly-declared optional attributes **cannot be specified** when importing:
+- `org_owner_id` - The organization owner is already set.
+- `description` - API key description from organization creation.
+- `role_names` - API key roles from organization creation.
+- `federation_settings_id` - Federation settings from organization creation.
+
+If you include these in your configuration when importing, Terraform will show them as changes that cannot be applied.
+
+### State Management
+
+After a successful import:
+- The organization will be fully managed by Terraform.
+- You can update any modifiable attributes through Terraform.
+- The `private_key` and `public_key` attributes will be empty (as these are only generated during organization creation).
+
+## Example: Complete Import Workflow
+
+For a complete example of importing an organization, including all configuration files and detailed instructions, see the [organization-import example](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_organization/organization-import) in the provider repository.
+
+## Troubleshooting
+
+### Common Issues
+
+1. **"cannot be changed after creation" errors during import**: Ensure you haven't included creation-only attributes in your configuration
+2. **Permission errors**: Verify your provider API key has Organization Owner role
+3. **Resource not found**: Double-check the organization ID is correct
+
+## See Also
+
+- [mongodbatlas_organization Resource Documentation](../resources/organization)
+- [Example: Creating a New Organization](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_organization) 
+- [MongoDB Atlas Admin API Organization](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/group/endpoint-organizations).

docs/resources/organization.md

@@ -6,13 +6,11 @@
 
 ~> **IMPORTANT NOTE:** To use this resource, the requesting API Key must have the Organization Owner role. The requesting API Key's organization must be a paying organization. To learn more, see Configure a Paying Organization in the MongoDB Atlas documentation.
 
-~> **NOTE** Import command is currently not supported for this resource.
-
 ## Example Usage
 
 ```terraform
 resource "mongodbatlas_organization" "test" {
-  org_owner_id = "6205e5fffff79cde6f"
+  org_owner_id = "<ORG_OWNER_ID>"
   name = "testCreateORG"
   description = "test API key from Org Creation Test"
   role_names = ["ORG_OWNER"]
@@ -21,14 +19,14 @@ resource "mongodbatlas_organization" "test" {
 
 ## Argument Reference
 
-* `name` - (Required) The name of the organization you want to create. (Cannot be changed via this Provider after creation.)
-* `org_owner_id` - (Required) Unique 24-hexadecimal digit string that identifies the Atlas user that you want to assign the Organization Owner role. This user must be a member of the same organization as the calling API key.  This is only required when authenticating with Programmatic API Keys. [MongoDB Atlas Admin API - Get User By Username](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/MongoDB-Cloud-Users/operation/getUserByUsername)
-* `description` - (Required) Programmatic API Key description
+* `name` - (Required) The name of the organization.
+* `org_owner_id` - (Optional) Unique 24-hexadecimal digit string that identifies the Atlas user that you want to assign the Organization Owner role. This user must be a member of the same organization as the calling API key.  This is only required when authenticating with Programmatic API Keys. [MongoDB Atlas Admin API - Get User By Username](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/MongoDB-Cloud-Users/operation/getUserByUsername). This attribute is required in creation and can't be updated later.
+* `description` - (Optional) Programmatic API Key description. This attribute is required in creation and can't be updated later.
 
-~> **NOTE:** Creating an organization will return a new API Key pair that can be used to authenticate and manage the new organization  with MongoDB Atlas Terraform modules/blueprints.  You cannot use the newly created API key pair to manage the newly created organization in the same Terraform module/blueprint that the organization is created in.
+~> **NOTE:** Creating an organization will return a new API Key pair that can be used to authenticate and manage the new organization  with MongoDB Atlas Terraform modules/blueprints.  These credentials will be used by the `mongodbatlas_organization` resource. In case of importing the resource, these credentials will be empty so the provider credentials will be used instead.
 
-* `role_names` - (Required) List of Organization roles that the Programmatic API key needs to have. Ensure that you provide at least one role and ensure all roles are valid for the Organization.  You must specify an array even if you are only associating a single role with the Programmatic API key. The [MongoDB Documentation](https://www.mongodb.com/docs/atlas/reference/user-roles/#organization-roles) describes the roles that you can assign to a Programmatic API key.
-* `federation_settings_id` - (Optional) Unique 24-hexadecimal digit string that identifies the federation to link the newly created organization to. If specified, the proposed Organization Owner of the new organization must have the Organization Owner role in an organization associated with the federation.
+* `role_names` - (Optional) List of Organization roles that the Programmatic API key needs to have. Ensure that you provide at least one role and ensure all roles are valid for the Organization.  You must specify an array even if you are only associating a single role with the Programmatic API key. The [MongoDB Documentation](https://www.mongodb.com/docs/atlas/reference/user-roles/#organization-roles) describes the roles that you can assign to a Programmatic API key. This attribute is required in creation and can't be updated later.
+* `federation_settings_id` - (Optional) Unique 24-hexadecimal digit string that identifies the federation to link the newly created organization to. If specified, the proposed Organization Owner of the new organization must have the Organization Owner role in an organization associated with the federation. This attribute can't be updated after creation.
 * `api_access_list_required` - (Optional) Flag that indicates whether to require API operations to originate from an IP Address added to the API access list for the specified organization.
 * `multi_factor_auth_required` - (Optional) Flag that indicates whether to require users to set up Multi-Factor Authentication (MFA) before accessing the specified organization. To learn more, see: https://www.mongodb.com/docs/atlas/security-multi-factor-authentication/.
 * `restrict_employee_access` - (Optional) Flag that indicates whether to block MongoDB Support from accessing Atlas infrastructure for any deployment in the specified organization without explicit permission. Once this setting is turned on, you can grant MongoDB Support a 24-hour bypass access to the Atlas deployment to resolve support issues. To learn more, see: https://www.mongodb.com/docs/atlas/security-restrict-support-access/.
@@ -38,8 +36,6 @@ resource "mongodbatlas_organization" "test" {
 
 ~> **NOTE:** - If you create an organization with our Terraform provider version >=1.30.0, this field is set to `true` by default.<br> - If you have an existing organization created with our Terraform provider version <1.30.0, this field might be `false`, which is the [API default value](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-createorganization). To prevent the creation of future default alerts, set this explicitly to `true`.
 
-
-
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
@@ -48,5 +44,16 @@ In addition to all arguments above, the following attributes are exported:
 * `public_key` - Public API key value set for the specified organization API key.
 * `private_key` - Redacted private key returned for this organization API key. This key displays unredacted when first created and is saved within the Terraform state file.
 
+## Import
+
+You can import an existing organization using the organization ID, e.g.:
+
+```
+$ terraform import mongodbatlas_organization.example 5d09d6a59ccf6445652a444a
+```
+
+~> **IMPORTANT:** When importing an existing organization, you should **NOT** specify the creation-only attributes (`org_owner_id`, `description`, `role_names`, `federation_settings_id`) in your Terraform configuration.
+
+See the [Guide: Importing MongoDB Atlas Organizations](../guides/importing-organization) for more information.
 
-For more information see: [MongoDB Atlas Admin API Organization](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Organizations/operation/createOrganization)  Documentation for more information.
+For more information about the `mongodbatlas_organization` resource see: [MongoDB Atlas Admin API Organization](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/group/endpoint-organizations).

examples/mongodbatlas_organization/Readme.md renamed to examples/mongodbatlas_organization/README.md

@@ -1,7 +1,7 @@
 
-# Example - A basic example to create and Orgnization with MongoDB Atlas and Terraform
+# Example - MongoDB Atlas Organization with Terraform
 
-This project aims to provide a very straight-forward example of setting up a MongoDB Atlas Organization with Terraform. This will create the following resources in MongoDB Atlas:
+This project provides examples for both creating new MongoDB Atlas Organizations and importing existing ones using Terraform.
 
 - MongoDB Atlas organization
 - Private Key
@@ -13,11 +13,11 @@ This project aims to provide a very straight-forward example of setting up a Mon
 
 * Terraform v0.15 or greater
 * A MongoDB Atlas account 
-* provider.mongodbatlas: version = "~> 1.10.0"
+* provider.mongodbatlas: version = "~> 1.10.0" for creating an organization, 1.38.0 for importing an existing organization.
 * [Cross-organization billing](https://www.mongodb.com/docs/atlas/billing/#cross-organization-billing) enabled and the requesting API Key's organization must be a paying organization. 
 * Some users (see [here](https://github.com/mongodb/terraform-provider-mongodbatlas/issues/1083)) have reported issues deploying this starter example with Mac M1 CPU. you encounter this issue, try deploying instead on x86 linux if possible. See list of supported binaries [here](https://github.com/mongodb/terraform-provider-mongodbatlas/releases/tag/v1.8.1)  
 
-## Usage
+## Usage - New organization
 **1\. change working directry to folder organization-step-1.**
 
 **2\. Ensure your MongoDB Atlas credentials are set up.**
@@ -67,9 +67,9 @@ Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
 
 Outputs:
 
-org_id = "647ffffffe9903b4"
-org_private_key = "a6300e-ffffffff-8c1168f0"
-org_public_key = "yqffje"
+org_id = "<ORG_ID>"
+org_private_key = "<ORG_PRIVATE_KEY>"
+org_public_key = "<ORG_PUBLIC_KEY>"
 
 **5\. Retain values for org_private_key and org_public_key for next stage of example as new API key has access to create resources in new organization.**
 
@@ -153,3 +153,9 @@ mongodbatlas_organization.test: Destruction complete after 9s
 
 Destroy complete! Resources: 1 destroyed.
 
+
+## Usage - Importing an existing organization
+
+This is useful when you already have the MongoDB Atlas organization created but you want to start managing its settings with Infrastructure as Code.
+
+See the example in directory [./organization-import](./organization-import).

examples/mongodbatlas_organization/organization-import/README.md

@@ -0,0 +1,85 @@
+# MongoDB Atlas Organization Import Example
+
+This example demonstrates how to import an existing MongoDB Atlas organization into Terraform management.
+
+## Overview
+
+When you have an existing MongoDB Atlas organization that you want to manage with Terraform, you can import it using the organization ID. This is useful when you have an existing organization that was created outside of Terraform and want to start managing its settings with Infrastructure as Code.
+
+Don't include `org_owner_id`, `description`, `role_names` or `federation_settings_id` when importing an organization as they are creation-only attributes.
+
+## Dependencies
+
+- Terraform v0.15 or greater
+- provider.mongodbatlas: version = "~> 1.38.0"
+- MongoDB Atlas account with an existing organization
+- API key with Organization Owner permissions for the organization you want to import
+- Organization ID of the existing organization
+
+## Usage
+
+### 1. Set up your credentials
+
+Create a `terraform.tfvars` file with your Atlas credentials:
+
+```hcl
+public_key  = "<PUBLIC_KEY>"
+private_key = "<PRIVATE_KEY>"
+org_name    = "<ORG_NAME>"
+
+# Optional: Configure organization settings
+api_access_list_required   = false
+multi_factor_auth_required = true
+restrict_employee_access   = true
+gen_ai_features_enabled    = true
+security_contact          = "<SECURITY_CONTACT_EMAIL>"
+skip_default_alerts_settings = true
+```
+
+### 2. Initialize Terraform
+
+```bash
+terraform init
+```
+
+### 3. Import the organization
+
+Replace `<ORG_ID>` with your actual organization ID:
+
+```bash
+terraform import mongodbatlas_organization.imported <ORG_ID>
+```
+
+To find your organization ID:
+1. Log into MongoDB Atlas
+2. Go to your organization settings
+3. The organization ID is displayed in the URL or settings page
+
+### 4. Review the plan
+
+```bash
+terraform plan
+```
+
+This will show you what changes (if any) Terraform will make to align your organization with the configuration.
+
+### 5. Apply changes
+
+```bash
+terraform apply
+```
+
+## Finding Your Organization ID
+
+You can find your organization ID in several ways:
+
+1. **Atlas UI**: Navigate to your organization settings - the ID is visible in the URL
+2. **Atlas API**: Use the `organizations` endpoint to list all organizations
+3. **Atlas CLI**: Use `atlas organizations list` if you have the Atlas CLI installed
+
+## Outputs
+
+After successful import, you'll have access to:
+- `org_name` - The organization name
+
+**Note**: Unlike when creating a new organization, importing does not provide `public_key` and `private_key` outputs since these are only generated during organization creation.

examples/mongodbatlas_organization/organization-import/main.tf

@@ -0,0 +1,13 @@
+# Example configuration for importing an existing MongoDB Atlas organization
+
+resource "mongodbatlas_organization" "imported" {
+  name = var.org_name
+
+  # Optional settings - configure these to match your existing organization
+  api_access_list_required     = var.api_access_list_required
+  multi_factor_auth_required   = var.multi_factor_auth_required
+  restrict_employee_access     = var.restrict_employee_access
+  gen_ai_features_enabled      = var.gen_ai_features_enabled
+  security_contact             = var.security_contact
+  skip_default_alerts_settings = var.skip_default_alerts_settings
+}

examples/mongodbatlas_organization/organization-import/provider.tf

@@ -0,0 +1,4 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}