feat: Add support for long running operations on mongodbatlas_cloud_provider_access_setup for GCP (#3644)

* Add GCP cloud provider access to mongodbatlas_cloud_provider_access_setup

* Fix typo for function name

* Add GCP configuration for schema on data source

* Change optional field to computed as required per provider

* Refactor function to accomodate for Cloud Provider Access - GCP

* Add documentation for resource

* Add GCP Cloud provider documentation for data source

* Add GCP provider for data source validation

* Add resource and resouce acceptance test for GCP Cloud Provider Access setup

* Fix format

* Add changelog

* Fix issue where role ID was missing for Azure config

* Fix format

* Fix issues for refactor on GCP

* Address PR comments

* Address further PR comments

* Refactor setup function to handle different cloud providers, and return error if provider used is not correct

Add error handling for cloud provider access

* Refactor multiple if/else statements into switch in order to avoid lint errors

* Address nit comments

* Substitute cloud provider string names with constants

* Add implementation on long running operation for GCP Cloud provider

* Fix issue where wrong role ID was being used for GCP provider

* Remove duplicated client

* Refactor error handling for refresh state

* Add changelog

* Remove GCP pre-check as it's not necessary for acceptance tests of this resource

* Address PR comments

* Rename constants since cloudprovideraccess package is explicit

Author: marcabreracast

.changelog/3644.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/mongodbatlas_cloud_provider_access_setup: Adds long running operation support for GCP
+```

internal/service/cloudprovideraccess/data_source_cloud_provider_access_setup.go

@@ -104,17 +104,17 @@ func dataSourceMongoDBAtlasCloudProviderAccessSetupRead(ctx context.Context, d *
 
 	role, _, err := conn.CloudProviderAccessApi.GetCloudProviderAccessRole(ctx, projectID, roleID).Execute()
 	if err != nil {
-		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
+		return diag.FromErr(fmt.Errorf(ErrorGetRead, err))
 	}
 
 	roleSchema, err := roleToSchemaSetup(role)
 	if err != nil {
-		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
+		return diag.FromErr(fmt.Errorf(ErrorGetRead, err))
 	}
 
 	for key, val := range roleSchema {
 		if err := d.Set(key, val); err != nil {
-			return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
+			return diag.FromErr(fmt.Errorf(ErrorGetRead, err))
 		}
 	}
 

internal/service/cloudprovideraccess/resource_cloud_provider_access_authorization.go

@@ -125,13 +125,13 @@ func resourceCloudProviderAccessAuthorizationRead(ctx context.Context, d *schema
 	}
 
 	if targetRole == nil {
-		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, "cloud provider access role not found in mongodbatlas, please create it first"))
+		return diag.FromErr(fmt.Errorf(ErrorGetRead, "cloud provider access role not found in mongodbatlas, please create it first"))
 	}
 
 	roleSchema := roleToSchemaAuthorization(targetRole)
 	for key, val := range roleSchema {
 		if err := d.Set(key, val); err != nil {
-			return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
+			return diag.FromErr(fmt.Errorf(ErrorGetRead, err))
 		}
 	}
 
@@ -158,7 +158,7 @@ func resourceCloudProviderAccessAuthorizationCreate(ctx context.Context, d *sche
 	}
 
 	if targetRole == nil {
-		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, "cloud provider access role not found in mongodbatlas, please create it first"))
+		return diag.FromErr(fmt.Errorf(ErrorGetRead, "cloud provider access role not found in mongodbatlas, please create it first"))
 	}
 
 	return authorizeRole(ctx, conn, d, projectID, targetRole)
@@ -178,7 +178,7 @@ func resourceCloudProviderAccessAuthorizationUpdate(ctx context.Context, d *sche
 	}
 
 	if targetRole == nil {
-		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, "cloud provider access role not found in mongodbatlas, please create it first"))
+		return diag.FromErr(fmt.Errorf(ErrorGetRead, "cloud provider access role not found in mongodbatlas, please create it first"))
 	}
 
 	if d.HasChange("aws") || d.HasChange("azure") {
@@ -240,7 +240,7 @@ func roleToSchemaAuthorization(role *admin.CloudProviderAccessRole) map[string]a
 func FindRole(ctx context.Context, conn *admin.APIClient, projectID, roleID string) (*admin.CloudProviderAccessRole, error) {
 	role, _, err := conn.CloudProviderAccessApi.GetCloudProviderAccessRole(ctx, projectID, roleID).Execute()
 	if err != nil {
-		return nil, fmt.Errorf(ErrorCloudProviderGetRead, err)
+		return nil, fmt.Errorf(ErrorGetRead, err)
 	}
 
 	return role, nil
@@ -345,7 +345,7 @@ func authorizeRole(ctx context.Context, client *admin.APIClient, d *schema.Resou
 
 	for key, val := range authSchema {
 		if err := d.Set(key, val); err != nil {
-			return diag.FromErr(fmt.Errorf(errorCloudProviderAccessCreate, err))
+			return diag.FromErr(fmt.Errorf(errorCreate, err))
 		}
 	}
 

internal/service/cloudprovideraccess/resource_cloud_provider_access_authorization_test.go

@@ -199,7 +199,7 @@ func checkDestroy(s *terraform.State) error {
 		id := ids["id"]
 		role, _, err := acc.ConnV2().CloudProviderAccessApi.GetCloudProviderAccessRole(context.Background(), ids["project_id"], id).Execute()
 		if err != nil {
-			return fmt.Errorf(cloudprovideraccess.ErrorCloudProviderGetRead, err)
+			return fmt.Errorf(cloudprovideraccess.ErrorGetRead, err)
 		}
 		if role.GetId() == id || role.GetRoleId() == id {
 			return nil

internal/service/cloudprovideraccess/resource_cloud_provider_access_setup.go

@@ -4,10 +4,12 @@ import (
 	"context"
 	"fmt"
 	"regexp"
+	"time"
 
 	"go.mongodb.org/atlas-sdk/v20250312006/admin"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/constant"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
@@ -22,11 +24,12 @@ import (
 */
 
 const (
-	errorCloudProviderAccessCreate   = "error creating cloud provider access %s"
-	errorCloudProviderAccessUpdate   = "error updating cloud provider access %s"
-	errorCloudProviderAccessDelete   = "error deleting cloud provider access %s"
-	errorCloudProviderAccessImporter = "error importing cloud provider access %s"
-	ErrorCloudProviderGetRead        = "error reading cloud provider access %s"
+	errorCreate                  = "error creating cloud provider access %s"
+	errorUpdate                  = "error updating cloud provider access %s"
+	errorDelete                  = "error deleting cloud provider access %s"
+	errorImporter                = "error importing cloud provider access %s"
+	ErrorGetRead                 = "error reading cloud provider access %s"
+	defaultTimeout time.Duration = 20 * time.Minute
 )
 
 func ResourceSetup() *schema.Resource {
@@ -130,16 +133,16 @@ func resourceCloudProviderAccessSetupRead(ctx context.Context, d *schema.Resourc
 			return nil
 		}
 
-		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
+		return diag.FromErr(fmt.Errorf(ErrorGetRead, err))
 	}
 
 	roleSchema, err := roleToSchemaSetup(role)
 	if err != nil {
-		return diag.Errorf(errorCloudProviderAccessCreate, err)
+		return diag.Errorf(errorCreate, err)
 	}
 	for key, val := range roleSchema {
 		if err := d.Set(key, val); err != nil {
-			return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
+			return diag.FromErr(fmt.Errorf(ErrorGetRead, err))
 		}
 	}
 
@@ -169,18 +172,26 @@ func resourceCloudProviderAccessSetupCreate(ctx context.Context, d *schema.Resou
 
 	role, _, err := conn.CloudProviderAccessApi.CreateCloudProviderAccessRole(ctx, projectID, requestParameters).Execute()
 	if err != nil {
-		return diag.FromErr(fmt.Errorf(errorCloudProviderAccessCreate, err))
+		return diag.FromErr(fmt.Errorf(errorCreate, err))
+	}
+
+	resourceID := role.GetRoleId()
+	if role.ProviderName == constant.AZURE {
+		resourceID = role.GetId() // For Azure, the unique identifier is in the "id" field, not "roleId".
+	}
+
+	if role.ProviderName == constant.GCP {
+		r, err := waitForGCPProviderAccessCompletion(ctx, projectID, resourceID, conn)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		role = r
 	}
 
 	// once multiple providers enable here do a switch, select for provider type
 	roleSchema, err := roleToSchemaSetup(role)
 	if err != nil {
-		return diag.Errorf(errorCloudProviderAccessCreate, err)
-	}
-
-	resourceID := role.GetRoleId()
-	if role.ProviderName == constant.AZURE {
-		resourceID = role.GetId()
+		return diag.Errorf(errorCreate, err)
 	}
 
 	d.SetId(conversion.EncodeStateID(map[string]string{
@@ -191,13 +202,60 @@ func resourceCloudProviderAccessSetupCreate(ctx context.Context, d *schema.Resou
 
 	for key, val := range roleSchema {
 		if err := d.Set(key, val); err != nil {
-			return diag.FromErr(fmt.Errorf(errorCloudProviderAccessCreate, err))
+			return diag.FromErr(fmt.Errorf(errorCreate, err))
 		}
 	}
 
 	return nil
 }
 
+func waitForGCPProviderAccessCompletion(ctx context.Context, projectID, resourceID string, conn *admin.APIClient) (*admin.CloudProviderAccessRole, error) {
+	requestParams := &admin.GetCloudProviderAccessRoleApiParams{
+		RoleId:  resourceID,
+		GroupId: projectID,
+	}
+
+	stateConf := retry.StateChangeConf{
+		Pending:    []string{"IN_PROGRESS", "NOT_INITIATED"},
+		Target:     []string{"COMPLETE", "FAILED"},
+		Refresh:    resourceRefreshFunc(ctx, requestParams, conn),
+		Timeout:    defaultTimeout,
+		MinTimeout: 60 * time.Second,
+		Delay:      30 * time.Second,
+	}
+
+	finalResponse, err := stateConf.WaitForStateContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	r, ok := finalResponse.(*admin.CloudProviderAccessRole)
+	if !ok {
+		return nil, fmt.Errorf("unexpected type for result: %T", finalResponse)
+	}
+	return r, nil
+}
+
+func resourceRefreshFunc(ctx context.Context, requestParams *admin.GetCloudProviderAccessRoleApiParams, conn *admin.APIClient) retry.StateRefreshFunc {
+	return func() (any, string, error) {
+		role, resp, err := conn.CloudProviderAccessApi.GetCloudProviderAccessRoleWithParams(ctx, requestParams).Execute()
+		if err != nil {
+			if validate.StatusNotFound(resp) {
+				return nil, "", fmt.Errorf("cloud provider access role %q not found in project %q", requestParams.RoleId, requestParams.GroupId)
+			}
+			return nil, "", err
+		}
+
+		status := role.GetStatus()
+		switch status {
+		case "IN_PROGRESS", "NOT_INITIATED", "COMPLETE":
+			return role, status, nil
+		default:
+			return nil, status, fmt.Errorf("cloud provider access setup failed %q for role %q", status, requestParams.RoleId)
+		}
+	}
+}
+
 func resourceCloudProviderAccessSetupDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	conn := meta.(*config.MongoDBClient).AtlasV2
 	ids := conversion.DecodeStateID(d.Id())
@@ -214,7 +272,7 @@ func resourceCloudProviderAccessSetupDelete(ctx context.Context, d *schema.Resou
 
 	_, err := conn.CloudProviderAccessApi.DeauthorizeCloudProviderAccessRoleWithParams(ctx, req).Execute()
 	if err != nil {
-		return diag.FromErr(fmt.Errorf(errorCloudProviderAccessDelete, err))
+		return diag.FromErr(fmt.Errorf(errorDelete, err))
 	}
 
 	d.SetId("")
@@ -232,7 +290,7 @@ func roleToSchemaSetup(role *admin.CloudProviderAccessRole) (map[string]any, err
 			}},
 			"gcp_config":   []any{map[string]any{}},
 			"created_date": conversion.TimeToString(role.GetCreatedDate()),
-			"role_id":      role.GetRoleId(),
+			"role_id":      role.GetRoleId(), // For AWS, the unique identifier is in the "roleId" field
 		}, nil
 	case constant.AZURE:
 		return map[string]any{
@@ -246,7 +304,7 @@ func roleToSchemaSetup(role *admin.CloudProviderAccessRole) (map[string]any, err
 			"gcp_config":        []any{map[string]any{}},
 			"created_date":      conversion.TimeToString(role.GetCreatedDate()),
 			"last_updated_date": conversion.TimeToString(role.GetLastUpdatedDate()),
-			"role_id":           role.GetId(),
+			"role_id":           role.GetId(), // For Azure, the unique identifier is in the "id" field, not "roleId".
 		}, nil
 	case constant.GCP:
 		return map[string]any{
@@ -256,7 +314,7 @@ func roleToSchemaSetup(role *admin.CloudProviderAccessRole) (map[string]any, err
 				"service_account_for_atlas": role.GetGcpServiceAccountForAtlas(),
 			}},
 			"aws_config":   []any{map[string]any{}},
-			"role_id":      role.GetId(),
+			"role_id":      role.GetRoleId(), // For GCP, the unique identifier is in the "roleId"
 			"created_date": conversion.TimeToString(role.GetCreatedDate()),
 		}, nil
 	default:
@@ -268,7 +326,7 @@ func resourceCloudProviderAccessSetupImportState(ctx context.Context, d *schema.
 	projectID, providerName, roleID, err := splitCloudProviderAccessID(d.Id())
 
 	if err != nil {
-		return nil, fmt.Errorf(errorCloudProviderAccessImporter, err)
+		return nil, fmt.Errorf(errorImporter, err)
 	}
 
 	// searching id in internal format
@@ -281,17 +339,17 @@ func resourceCloudProviderAccessSetupImportState(ctx context.Context, d *schema.
 	err2 := resourceCloudProviderAccessSetupRead(ctx, d, meta)
 
 	if err2 != nil {
-		return nil, fmt.Errorf(errorCloudProviderAccessImporter, err)
+		return nil, fmt.Errorf(errorImporter, err)
 	}
 
 	// case of not found
 	if d.Id() == "" {
-		return nil, fmt.Errorf(errorCloudProviderAccessImporter, " Resource not found at the cloud please check your id")
+		return nil, fmt.Errorf(errorImporter, " Resource not found at the cloud please check your id")
 	}
 
 	// params syncing
 	if err = d.Set("project_id", projectID); err != nil {
-		return nil, fmt.Errorf(errorCloudProviderAccessImporter, err)
+		return nil, fmt.Errorf(errorImporter, err)
 	}
 
 	return []*schema.ResourceData{d}, nil
@@ -303,7 +361,7 @@ func splitCloudProviderAccessID(id string) (projectID, providerName, roleID stri
 	parts := re.FindStringSubmatch(id)
 
 	if len(parts) != 4 {
-		err = fmt.Errorf(errorCloudProviderAccessImporter, "format please use {project_id}-{provider-name}-{role-id}")
+		err = fmt.Errorf(errorImporter, "format please use {project_id}-{provider-name}-{role-id}")
 		return
 	}
 

internal/service/cloudprovideraccess/resource_cloud_provider_access_setup_test.go

@@ -63,15 +63,14 @@ func TestAccCloudProviderAccessSetupAzure_basic(t *testing.T) {
 	)
 }
 func TestAccCloudProviderAccessSetupGCP_basic(t *testing.T) {
-	acc.SkipTestForCI(t) // Code needs to support long running operations for successful test: CLOUDP-341440
 	var (
 		resourceName   = "mongodbatlas_cloud_provider_access_setup.test"
 		dataSourceName = "data.mongodbatlas_cloud_provider_access_setup.test"
 		projectID      = acc.ProjectIDExecution(t)
 	)
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:                 func() { acc.PreCheckGCPEnv(t) },
+		PreCheck:                 func() { acc.PreCheckBasic(t) },
 		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
 		Steps: []resource.TestStep{
 			{
@@ -169,7 +168,7 @@ func checkExists(resourceName string) resource.TestCheckFunc {
 
 		role, _, err := acc.ConnV2().CloudProviderAccessApi.GetCloudProviderAccessRole(context.Background(), ids["project_id"], id).Execute()
 		if err != nil {
-			return fmt.Errorf(cloudprovideraccess.ErrorCloudProviderGetRead, err)
+			return fmt.Errorf(cloudprovideraccess.ErrorGetRead, err)
 		}
 		if role.GetId() == id || role.GetRoleId() == id {
 			return nil