feat: Adds support for role_id in google_cloud_kms_config on mongodbatlas_encryption_at_rest resource and data source (#3636)

* implement role_id

* docs and changelog

* fix unit test

* refactor checks

* fix inconsistent result after apply null/empty string

* docs notice

* pr suggestion missing period

Author: oarbusi

.changelog/3636.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest: Supports role_id in google_cloud_kms_config
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_encryption_at_rest: Supports role_id in google_cloud_kms_config
+```

docs/data-sources/encryption_at_rest.md

@@ -106,6 +106,8 @@ output "is_azure_encryption_at_rest_valid" {
 -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Customer Managed Keys (Azure Key Vault or AWS KMS) over private network interfaces (Azure Private Link or AWS PrivateLink). This requires enabling the `azure_key_vault_config.require_private_networking` or the `aws_kms_config.require_private_networking` attribute, together with the configuration of the `mongodbatlas_encryption_at_rest_private_endpoint` resource. Please review the `mongodbatlas_encryption_at_rest_private_endpoint` resource for details.
 
 ### Configuring encryption at rest using customer key management in GCP
+For authentication, you must provide either serviceAccountKey (static credentials) or roleId (service-account–based authentication). Once roleId is configured, serviceAccountKey is no longer supported.
+
 ```terraform
 resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.atlas_project_id
@@ -181,6 +183,7 @@ Read-Only:
 
 - `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified  project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.
 - `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS.
+- `role_id` (String) Unique 24-hexadecimal digit string that identifies the Google Cloud Provider Access Role that MongoDB Cloud uses to access the Google Cloud KMS.
 - `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
 - `valid` (Boolean) Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
 

docs/resources/encryption_at_rest.md

@@ -134,6 +134,8 @@ Please review the [`mongodbatlas_encryption_at_rest_private_endpoint` resource d
 
 
 ### Configuring encryption at rest using customer key management in GCP
+For authentication, you must provide either serviceAccountKey (static credentials) or roleId (service-account–based authentication). Once roleId is configured, serviceAccountKey is no longer supported.
+
 ```terraform
 resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.atlas_project_id
@@ -210,6 +212,7 @@ Optional:
 
 - `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified  project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.
 - `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS.
+- `role_id` (String) Unique 24-hexadecimal digit string that identifies the Google Cloud Provider Access Role that MongoDB Cloud uses to access the Google Cloud KMS.
 - `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
 
 Read-Only:

internal/service/encryptionatrest/data_source_schema.go

@@ -128,6 +128,10 @@ func DataSourceSchema(ctx context.Context) schema.Schema {
 						Computed:            true,
 						MarkdownDescription: "Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.",
 					},
+					"role_id": schema.StringAttribute{
+						Computed:            true,
+						MarkdownDescription: "Unique 24-hexadecimal digit string that identifies the Google Cloud Provider Access Role that MongoDB Cloud uses to access the Google Cloud KMS.",
+					},
 				},
 				Computed:            true,
 				MarkdownDescription: "Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).",

internal/service/encryptionatrest/model.go

@@ -102,6 +102,7 @@ func NewTFGcpKmsConfigItem(gcpKms *admin.GoogleCloudKMS) *TFGcpKmsConfigModel {
 		KeyVersionResourceID: types.StringValue(gcpKms.GetKeyVersionResourceID()),
 		ServiceAccountKey:    conversion.StringNullIfEmpty(gcpKms.GetServiceAccountKey()),
 		Valid:                types.BoolPointerValue(gcpKms.Valid),
+		RoleID:               conversion.StringNullIfEmpty(gcpKms.GetRoleId()),
 	}
 }
 
@@ -134,6 +135,7 @@ func NewAtlasGcpKms(tfGcpKmsConfigSlice []TFGcpKmsConfigModel) *admin.GoogleClou
 		Enabled:              v.Enabled.ValueBoolPointer(),
 		ServiceAccountKey:    v.ServiceAccountKey.ValueStringPointer(),
 		KeyVersionResourceID: v.KeyVersionResourceID.ValueStringPointer(),
+		RoleId:               v.RoleID.ValueStringPointer(),
 	}
 }
 

internal/service/encryptionatrest/model_test.go

@@ -76,11 +76,13 @@ var (
 		Enabled:              &enabled,
 		KeyVersionResourceID: &keyVersionResourceID,
 		ServiceAccountKey:    &serviceAccountKey,
+		RoleId:               &roleID,
 	}
 	TfGcpKmsConfigModel = encryptionatrest.TFGcpKmsConfigModel{
 		Enabled:              types.BoolValue(enabled),
 		KeyVersionResourceID: types.StringValue(keyVersionResourceID),
 		ServiceAccountKey:    types.StringValue(serviceAccountKey),
+		RoleID:               types.StringValue(roleID),
 	}
 	EncryptionAtRest = &admin.EncryptionAtRest{
 		AwsKms:                AWSKMSConfiguration,

internal/service/encryptionatrest/resource.go

@@ -87,6 +87,7 @@ type TFAzureKeyVaultConfigModel struct {
 type TFGcpKmsConfigModel struct {
 	ServiceAccountKey    types.String `tfsdk:"service_account_key"`
 	KeyVersionResourceID types.String `tfsdk:"key_version_resource_id"`
+	RoleID               types.String `tfsdk:"role_id"`
 	Enabled              types.Bool   `tfsdk:"enabled"`
 	Valid                types.Bool   `tfsdk:"valid"`
 }
@@ -259,6 +260,10 @@ func (r *encryptionAtRestRS) Schema(ctx context.Context, req resource.SchemaRequ
 							Computed:            true,
 							MarkdownDescription: "Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.",
 						},
+						"role_id": schema.StringAttribute{
+							Optional:            true,
+							MarkdownDescription: "Unique 24-hexadecimal digit string that identifies the Google Cloud Provider Access Role that MongoDB Cloud uses to access the Google Cloud KMS.",
+						},
 					},
 				},
 			},

internal/service/encryptionatrest/resource_test.go

@@ -215,6 +215,32 @@ func TestAccEncryptionAtRest_basicGCP(t *testing.T) {
 	})
 }
 
+func TestAccEncryptionAtRest_basicGCPWithRole(t *testing.T) {
+	acc.SkipTestForCI(t) // needs GCP configuration
+
+	var (
+		projectID = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
+
+		googleCloudKms = admin.GoogleCloudKMS{
+			Enabled:              conversion.Pointer(true),
+			RoleId:               conversion.StringPtr(os.Getenv("GCP_ROLE_ID")),
+			KeyVersionResourceID: conversion.StringPtr(os.Getenv("GCP_KEY_VERSION_RESOURCE_ID")),
+		}
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acc.PreCheck(t); acc.PreCheckGCPEnvWithRole(t) },
+		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
+		CheckDestroy:             acc.EARDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: configGoogleCloudKmsWithRole(projectID, &googleCloudKms, true),
+				Check:  checkEARResourceGCPWithRole(projectID),
+			},
+		},
+	})
+}
+
 func TestAccEncryptionAtRestWithRole_basicAWS(t *testing.T) {
 	acc.SkipTestForCI(t) // needs AWS configuration. This test case is similar to TestAccEncryptionAtRest_basicAWS except that it creates it's own AWS resources such as IAM roles, cloud provider access, etc so we don't need to run this in CI but may be used for local testing.
 
@@ -516,6 +542,25 @@ func configGoogleCloudKms(projectID string, google *admin.GoogleCloudKMS, useDat
 	return config
 }
 
+func configGoogleCloudKmsWithRole(projectID string, google *admin.GoogleCloudKMS, useDatasource bool) string {
+	config := fmt.Sprintf(`
+		resource "mongodbatlas_encryption_at_rest" "test" {
+			project_id = "%s"
+
+		  google_cloud_kms_config {
+				enabled                 = %t
+				role_id                 = "%s"
+				key_version_resource_id = "%s"
+			}
+		}
+	`, projectID, *google.Enabled, google.GetRoleId(), google.GetKeyVersionResourceID())
+
+	if useDatasource {
+		return fmt.Sprintf(`%s %s`, config, acc.EARDatasourceConfig())
+	}
+	return config
+}
+
 func testAccMongoDBAtlasEncryptionAtRestConfigAwsKmsWithRole(projectID, awsIAMRoleName, awsIAMRolePolicyName, awsKeyName string, awsEar *admin.AWSKMSConfiguration) string {
 	test := fmt.Sprintf(`
 	locals {
@@ -620,3 +665,19 @@ func checkEARResourceAWS(projectID string, enabledForSearchNodes bool, awsKmsAtt
 		acc.EARCheckResourceAttr(datasourceName, "aws_kms_config.", awsKmsAttrMap),
 	)
 }
+
+func checkEARResourceGCPWithRole(projectID string) resource.TestCheckFunc {
+	return resource.ComposeAggregateTestCheckFunc(
+		acc.CheckEARExists(resourceName),
+		resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
+		resource.TestCheckResourceAttr(resourceName, "google_cloud_kms_config.0.role_id", os.Getenv("GCP_ROLE_ID")),
+		resource.TestCheckResourceAttr(resourceName, "google_cloud_kms_config.0.enabled", "true"),
+		resource.TestCheckResourceAttr(resourceName, "google_cloud_kms_config.0.valid", "true"),
+		resource.TestCheckResourceAttrSet(resourceName, "google_cloud_kms_config.0.key_version_resource_id"),
+
+		resource.TestCheckResourceAttr(datasourceName, "project_id", projectID),
+		resource.TestCheckResourceAttr(datasourceName, "google_cloud_kms_config.enabled", "true"),
+		resource.TestCheckResourceAttr(datasourceName, "google_cloud_kms_config.valid", "true"),
+		resource.TestCheckResourceAttrSet(datasourceName, "google_cloud_kms_config.key_version_resource_id"),
+	)
+}

internal/testutil/acc/pre_check.go

@@ -155,6 +155,13 @@ func PreCheckGPCEnv(tb testing.TB) {
 	}
 }
 
+func PreCheckGCPEnvWithRole(tb testing.TB) {
+	tb.Helper()
+	if os.Getenv("GCP_ROLE_ID") == "" || os.Getenv("GCP_KEY_VERSION_RESOURCE_ID") == "" {
+		tb.Fatal("`GCP_ROLE_ID` and `GCP_KEY_VERSION_RESOURCE_ID` must be set for acceptance testing")
+	}
+}
+
 func PreCheckPeeringEnvAWS(tb testing.TB) {
 	tb.Helper()
 	if os.Getenv("AWS_ACCOUNT_ID") == "" ||

templates/data-sources/encryption_at_rest.md.tmpl

@@ -25,6 +25,8 @@
 -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Customer Managed Keys (Azure Key Vault or AWS KMS) over private network interfaces (Azure Private Link or AWS PrivateLink). This requires enabling the `azure_key_vault_config.require_private_networking` or the `aws_kms_config.require_private_networking` attribute, together with the configuration of the `mongodbatlas_encryption_at_rest_private_endpoint` resource. Please review the `mongodbatlas_encryption_at_rest_private_endpoint` resource for details.
 
 ### Configuring encryption at rest using customer key management in GCP
+For authentication, you must provide either serviceAccountKey (static credentials) or roleId (service-account–based authentication). Once roleId is configured, serviceAccountKey is no longer supported.
+
 ```terraform
 resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.atlas_project_id