feat: Adds new mongodbatlas_api_key_project_assignment resource (#3461)

* [New Resource] api_key_project_assignment

* fix: dots on the i for acctests and unittests

* correct SDK version and minor fixes

* fix check functions and improve test

* changelog

* data sources

* fix unit test

* acc test

* add depends on to plural data source in test

* return all in plural data source

* pr comments

* diags

* import split

* change import format in test

* fix importSplit unit test

* add comment with CLOUDP

* get after update

* fail on api key not found

* doc: Adds `mongodbatlas_api_key_project_assignment` documentation, examples and migration guide (#3465)

* delete old examples

* example

* api_key_project_assignment docs

* migration guide and notes on old resource

* format

* format

* doc

* remove referende of old example

* espen comments

* remove duplicated

* fix example

* marco comments

* example seo

* module example and migration path

* module example and migration path

* comment

* attach access list to api key in the example

* remove unnecessary space

* gen doc

* Update docs/guides/project-api-key-migration.md

Co-authored-by: Leo Antoli <[email protected]>

* import block

* table change

* pr comments

* Update docs/guides/project-api-key-migration.md

Co-authored-by: maastha <[email protected]>

* assign one api key to multiple projects example

* update docs

* add limitations and note on migration not being necessary

* fix import

* Update docs/guides/project-api-key-migration.md

Co-authored-by: Marco Suma <[email protected]>

* Update docs/data-sources/project_api_keys.md

Co-authored-by: Marco Suma <[email protected]>

* Update docs/resources/project_api_key.md

Co-authored-by: Marco Suma <[email protected]>

* Update docs/data-sources/project_api_key.md

Co-authored-by: Marco Suma <[email protected]>

* fix docs

---------

Co-authored-by: Leo Antoli <[email protected]>
Co-authored-by: maastha <[email protected]>
Co-authored-by: Marco Suma <[email protected]>

---------

Co-authored-by: aristosvo <[email protected]>
Co-authored-by: Leo Antoli <[email protected]>
Co-authored-by: maastha <[email protected]>
Co-authored-by: Marco Suma <[email protected]>

Author: 5 people

.changelog/3461.txt

@@ -0,0 +1,11 @@
+```release-note:new-resource
+resource/mongodbatlas_api_key_project_assignment
+```
+
+```release-note:new-datasource
+data-source/mongodbatlas_api_key_project_assignment
+```
+
+```release-note:new-datasource
+data-source/mongodbatlas_api_key_project_assignments
+```

.github/workflows/acceptance-tests-runner.yml

@@ -307,6 +307,7 @@ jobs:
             - 'internal/config/*.go'
             - 'internal/service/alertconfiguration/*.go'
             - 'internal/service/apikey/*.go'
+            - 'internal/service/apikeyprojectassignment/*.go'
             - 'internal/service/atlasuser/*.go'
             - 'internal/service/cloudprovideraccess/*.go'
             - 'internal/service/customdbrole/*.go'
@@ -674,6 +675,7 @@ jobs:
             ./internal/service/organization
             ./internal/service/orginvitation
             ./internal/service/projectapikey
+            ./internal/service/apikeyprojectassignment
             ./internal/service/apikey
             ./internal/service/rolesorgid
             ./internal/service/team

contributing/development-setup.md

@@ -17,7 +17,7 @@
 - Fork the repository.
 - Clone your forked repository locally.
 - We use Go Modules to manage dependencies, so you can develop outside your `$GOPATH`.
-- We use [golangci-lint](https://github.com/golangci/golangci-lint) to lint our code, you can install it locally via `make setup`.
+- We use [golangci-lint](https://github.com/golangci/golangci-lint) to lint our code, you can install it locally via `make tools`.
 ### Building
 - Enter the provider directory
 - Run `make tools` to install the needed tools for the provider

docs/data-sources/api_key_project_assignment.md

@@ -0,0 +1,58 @@
+# Data Source: mongodbatlas_api_key_project_assignment
+
+`mongodbatlas_api_key_project_assignment` describes an API Key Project Assignment.
+
+## Example Usages
+
+```terraform
+resource "mongodbatlas_api_key" "this" {
+  org_id      = var.org_id
+  description = "Test API Key"
+  role_names  = ["ORG_READ_ONLY"]
+}
+
+resource "mongodbatlas_project" "first_project" {
+  name   = "First Project"
+  org_id = var.org_id
+}
+
+resource "mongodbatlas_project" "second_project" {
+  name   = "Second Project"
+  org_id = var.org_id
+}
+
+resource "mongodbatlas_api_key_project_assignment" "first_assignment" {
+  project_id = mongodbatlas_project.first_project.id
+  api_key_id = mongodbatlas_api_key.this.api_key_id
+  roles      = ["GROUP_OWNER"]
+}
+
+resource "mongodbatlas_api_key_project_assignment" "second_assignment" {
+  project_id = mongodbatlas_project.second_project.id
+  api_key_id = mongodbatlas_api_key.this.api_key_id
+  roles      = ["GROUP_OWNER"]
+}
+
+# Add IP Access List Entry to Programmatic API Key 
+resource "mongodbatlas_access_list_api_key" "this" {
+  org_id     = var.org_id
+  cidr_block = "0.0.0.0/1"
+  api_key_id = mongodbatlas_api_key.this.api_key_id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `api_key_id` (String) Unique 24-hexadecimal digit string that identifies this organization API key that you want to assign to one project.
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.
+
+**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.
+
+### Read-Only
+
+- `roles` (Set of String) Human-readable label that identifies the collection of privileges that MongoDB Cloud grants a specific API key, MongoDB Cloud user, or MongoDB Cloud team. These roles include only the specific project-level roles.
+
+For more information see: [MongoDB Atlas API - Programmatic API Keys Project Assignment](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/group/endpoint-programmatic-api-keys) Documentation.

docs/data-sources/api_key_project_assignments.md

@@ -0,0 +1,68 @@
+# Data Source: mongodbatlas_api_key_project_assignments
+
+`mongodbatlas_api_key_project_assignments` provides an API Key Project Assignments data source. The data source lets you list all API key project assignments for an organization.
+
+## Example Usages
+
+```terraform
+resource "mongodbatlas_api_key" "this" {
+  org_id      = var.org_id
+  description = "Test API Key"
+  role_names  = ["ORG_READ_ONLY"]
+}
+
+resource "mongodbatlas_project" "first_project" {
+  name   = "First Project"
+  org_id = var.org_id
+}
+
+resource "mongodbatlas_project" "second_project" {
+  name   = "Second Project"
+  org_id = var.org_id
+}
+
+resource "mongodbatlas_api_key_project_assignment" "first_assignment" {
+  project_id = mongodbatlas_project.first_project.id
+  api_key_id = mongodbatlas_api_key.this.api_key_id
+  roles      = ["GROUP_OWNER"]
+}
+
+resource "mongodbatlas_api_key_project_assignment" "second_assignment" {
+  project_id = mongodbatlas_project.second_project.id
+  api_key_id = mongodbatlas_api_key.this.api_key_id
+  roles      = ["GROUP_OWNER"]
+}
+
+# Add IP Access List Entry to Programmatic API Key 
+resource "mongodbatlas_access_list_api_key" "this" {
+  org_id     = var.org_id
+  cidr_block = "0.0.0.0/1"
+  api_key_id = mongodbatlas_api_key.this.api_key_id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.
+
+**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.
+
+### Read-Only
+
+- `results` (Attributes List) List of documents that MongoDB Cloud returns for this request. (see [below for nested schema](#nestedatt--results))
+
+<a id="nestedatt--results"></a>
+### Nested Schema for `results`
+
+Read-Only:
+
+- `api_key_id` (String) Unique 24-hexadecimal digit string that identifies this organization API key that you want to assign to one project.
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.
+
+**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.
+- `roles` (Set of String) Human-readable label that identifies the collection of privileges that MongoDB Cloud grants a specific API key, MongoDB Cloud user, or MongoDB Cloud team. These roles include only the specific project-level roles.
+
+For more information see: [MongoDB Atlas API - Programmatic API Keys Project Assignment](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/group/endpoint-programmatic-api-keys) Documentation.

docs/data-sources/project_api_key.md

@@ -2,6 +2,8 @@
 
 `mongodbatlas_project_api_key` describes a MongoDB Atlas Project API Key. This represents a Project API Key that has been created.
 
+~> **IMPORTANT NOTE** The use of `mongodbatlas_project_api_key` data source is no longer the recommended approach. For new configurations, we recommend using the `mongodbatlas_api_key` resource and the `mongodbatlas_api_key_project_assignment` resource to assign the API Keys to projects. This approach is more flexible and aligns with best practices. For existing configurations, the migration to the new pattern is **not required**. If you want to migrate, see the [Migration Guide](../guides/project-api-key-migration.md) for step-by-step instructions on migrating from `mongodbatlas_project_api_key` to the new pattern.
+
 ~> **IMPORTANT WARNING:** Managing Atlas Programmatic API Keys (PAKs) with Terraform will expose sensitive organizational secrets in Terraform's state. We suggest following [Terraform's best practices](https://developer.hashicorp.com/terraform/language/state/sensitive-data). You may also want to consider managing your PAKs via a more secure method, such as the [HashiCorp Vault MongoDB Atlas Secrets Engine](https://developer.hashicorp.com/vault/docs/secrets/mongodbatlas).
 
 -> **NOTE:** You may find project_id in the official documentation.

docs/data-sources/project_api_keys.md

@@ -1,6 +1,8 @@
-# Data Source: mongodbatlas_api_keys
+# Data Source: mongodbatlas_project_api_keys
 
-`mongodbatlas_api_keys` describes all API Keys. This represents API Keys that have been created.
+`mongodbatlas_project_api_keys` describes all API Keys. This represents API Keys that have been created.
+
+~> **IMPORTANT NOTE** The use of `mongodbatlas_project_api_keys` data source is no longer the recommended approach. For new configurations, we recommend using the `mongodbatlas_api_key` resource and the `mongodbatlas_api_key_project_assignment` resource to assign the API Keys to projects. This approach is more flexible and aligns with best practices. For existing configurations, the migration to the new pattern is **not required**. If you want to migrate, see the [Migration Guide](../guides/project-api-key-migration.md) for step-by-step instructions on migrating from `mongodbatlas_project_api_key` to the new pattern.
 
 ~> **IMPORTANT WARNING:** Managing Atlas Programmatic API Keys (PAKs) with Terraform will expose sensitive organizational secrets in Terraform's state. We suggest following [Terraform's best practices](https://developer.hashicorp.com/terraform/language/state/sensitive-data). You may also want to consider managing your PAKs via a more secure method, such as the [HashiCorp Vault MongoDB Atlas Secrets Engine](https://developer.hashicorp.com/vault/docs/secrets/mongodbatlas).