Merge branch 'master' into CLOUDP-320243-dev-2.0.0

Author: maastha

.changelog/3554.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_stream_privatelink_endpoint: Support S3 PrivateLink Endpoints for Atlas Stream Processing
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_stream_privatelink_endpoint: Support S3 PrivateLink Endpoints for Atlas Stream Processing
+```

.github/workflows/issues.yml

@@ -79,7 +79,7 @@
             ISSUE_NUMBER=${{ github.event.issue.number }}
             JIRA_API_TOKEN=${{ secrets.JIRA_API_TOKEN }}
 
-            JIRA_QUERY="project = CLOUDP AND issuetype = Story AND resolution = Declined AND text ~ \"TF HELP: GitHub Issue n. $ISSUE_NUMBER\""
+            JIRA_QUERY="project = CLOUDP AND issuetype in (Story,Bug,Investigation) AND resolution = Declined AND text ~ \"TF HELP: GitHub Issue n. $ISSUE_NUMBER\""
             
             # URL encode the query
             JIRA_URL=$(echo "$JIRA_QUERY" | jq -s -R -r @uri)            
@@ -129,7 +129,7 @@
             ISSUE_NUMBER=${{ github.event.issue.number }}
             JIRA_API_TOKEN=${{ secrets.JIRA_API_TOKEN }}
 
-            JIRA_QUERY="project = CLOUDP AND issuetype = Story AND resolution = Unresolved AND text ~ \"TF HELP: GitHub Issue n. $ISSUE_NUMBER\""
+            JIRA_QUERY="project = CLOUDP AND issuetype in (Story,Bug,Investigation) AND resolution = Unresolved AND text ~ \"TF HELP: GitHub Issue n. $ISSUE_NUMBER\""
             
             # URL encode the query
             JIRA_URL=$(echo "$JIRA_QUERY" | jq -s -R -r @uri)            

CHANGELOG.md

@@ -1,5 +1,10 @@
 ## (Unreleased)
 
+ENHANCEMENTS:
+
+* data-source/mongodbatlas_stream_privatelink_endpoint: Support S3 PrivateLink Endpoints for Atlas Stream Processing ([#3554](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/3554))
+* resource/mongodbatlas_stream_privatelink_endpoint: Support S3 PrivateLink Endpoints for Atlas Stream Processing ([#3554](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/3554))
+
 ## 1.39.0 (July 24, 2025)
 
 NOTES:

docs/data-sources/stream_privatelink_endpoint.md

@@ -207,6 +207,48 @@ output "privatelink_endpoint_id" {
 }
 ```
 
+### AWS S3 Privatelink
+```terraform
+# S3 bucket for stream data
+resource "aws_s3_bucket" "stream_bucket" {
+  provider      = aws.s3_region
+  bucket        = var.s3_bucket_name
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_versioning" "stream_bucket_versioning" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "stream_bucket_encryption" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+# PrivateLink for S3
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id          = var.project_id
+  provider_name       = "AWS"
+  vendor              = "S3"
+  region              = var.region
+  service_endpoint_id = var.service_endpoint_id
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
@@ -218,16 +260,24 @@ output "privatelink_endpoint_id" {
 ### Read-Only
 
 - `arn` (String) Amazon Resource Name (ARN). Required for AWS Provider and MSK vendor.
-- `dns_domain` (String) The domain hostname. Required for the following provider and vendor combinations:<br>- AWS provider with CONFLUENT vendor.<br>- AZURE provider with EVENTHUB or CONFLUENT vendor.
+- `dns_domain` (String) The domain hostname. Required for the following provider and vendor combinations:
+				
+	* AWS provider with CONFLUENT vendor.
+
+	* AZURE provider with EVENTHUB or CONFLUENT vendor.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones. Required for AWS Provider and CONFLUENT vendor. If your AWS CONFLUENT cluster doesn't use subdomains, you must set this to the empty array [].
 - `error_message` (String) Error message if the connection is in a failed state.
 - `interface_endpoint_id` (String) Interface endpoint ID that is created from the specified service endpoint ID.
 - `interface_endpoint_name` (String) Name of interface endpoint that is created from the specified service endpoint ID.
 - `provider_account_id` (String) Account ID from the cloud provider.
-- `provider_name` (String) Provider where the Kafka cluster is deployed. Valid values are AWS and AZURE.
+- `provider_name` (String) Provider where the endpoint is deployed. Valid values are AWS and AZURE.
 - `region` (String) The region of the Provider’s cluster. See [AZURE](https://www.mongodb.com/docs/atlas/reference/microsoft-azure/#stream-processing-instances) and [AWS](https://www.mongodb.com/docs/atlas/reference/amazon-aws/#stream-processing-instances) supported regions. When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html).
 - `state` (String) Status of the connection.
-- `vendor` (String) Vendor that manages the Kafka cluster. The following are the vendor values per provider:<br>- MSK and CONFLUENT for the AWS provider.<br>- EVENTHUB and CONFLUENT for the AZURE provider.
+- `vendor` (String) Vendor that manages the endpoint. The following are the vendor values per provider:
+
+	* **AWS**: MSK, CONFLUENT, and S3
+
+	* **Azure**: EVENTHUB and CONFLUENT
 
 For more information see: [MongoDB Atlas API - Streams Privatelink](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-createprivatelinkconnection) Documentation.

docs/data-sources/stream_privatelink_endpoints.md

@@ -207,6 +207,48 @@ output "privatelink_endpoint_id" {
 }
 ```
 
+### AWS S3 Privatelink
+```terraform
+# S3 bucket for stream data
+resource "aws_s3_bucket" "stream_bucket" {
+  provider      = aws.s3_region
+  bucket        = var.s3_bucket_name
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_versioning" "stream_bucket_versioning" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "stream_bucket_encryption" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+# PrivateLink for S3
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id          = var.project_id
+  provider_name       = "AWS"
+  vendor              = "S3"
+  region              = var.region
+  service_endpoint_id = var.service_endpoint_id
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
@@ -224,18 +266,26 @@ output "privatelink_endpoint_id" {
 Read-Only:
 
 - `arn` (String) Amazon Resource Name (ARN). Required for AWS Provider and MSK vendor.
-- `dns_domain` (String) The domain hostname. Required for the following provider and vendor combinations:<br>- AWS provider with CONFLUENT vendor.<br>- AZURE provider with EVENTHUB or CONFLUENT vendor.
+- `dns_domain` (String) The domain hostname. Required for the following provider and vendor combinations:
+				
+	* AWS provider with CONFLUENT vendor.
+
+	* AZURE provider with EVENTHUB or CONFLUENT vendor.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones. Required for AWS Provider and CONFLUENT vendor. If your AWS CONFLUENT cluster doesn't use subdomains, you must set this to the empty array [].
 - `error_message` (String) Error message if the connection is in a failed state.
 - `id` (String) The ID of the Private Link connection.
 - `interface_endpoint_id` (String) Interface endpoint ID that is created from the specified service endpoint ID.
 - `interface_endpoint_name` (String) Name of interface endpoint that is created from the specified service endpoint ID.
 - `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.<br>**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group or project id remains the same. The resource and corresponding endpoints use the term groups.
 - `provider_account_id` (String) Account ID from the cloud provider.
-- `provider_name` (String) Provider where the Kafka cluster is deployed. Valid values are AWS and AZURE.
+- `provider_name` (String) Provider where the endpoint is deployed. Valid values are AWS and AZURE.
 - `region` (String) The region of the Provider’s cluster. See [AZURE](https://www.mongodb.com/docs/atlas/reference/microsoft-azure/#stream-processing-instances) and [AWS](https://www.mongodb.com/docs/atlas/reference/amazon-aws/#stream-processing-instances) supported regions. When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html).
 - `state` (String) Status of the connection.
-- `vendor` (String) Vendor that manages the Kafka cluster. The following are the vendor values per provider:<br>- MSK and CONFLUENT for the AWS provider.<br>- EVENTHUB and CONFLUENT for the AZURE provider.
+- `vendor` (String) Vendor that manages the endpoint. The following are the vendor values per provider:
+
+	* **AWS**: MSK, CONFLUENT, and S3
+
+	* **Azure**: EVENTHUB and CONFLUENT
 
 For more information see: [MongoDB Atlas API - Streams Privatelink](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-createprivatelinkconnection) Documentation.

docs/resources/stream_privatelink_endpoint.md

@@ -207,19 +207,69 @@ output "privatelink_endpoint_id" {
 }
 ```
 
+### AWS S3 Privatelink
+```terraform
+# S3 bucket for stream data
+resource "aws_s3_bucket" "stream_bucket" {
+  provider      = aws.s3_region
+  bucket        = var.s3_bucket_name
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_versioning" "stream_bucket_versioning" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "stream_bucket_encryption" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+# PrivateLink for S3
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id          = var.project_id
+  provider_name       = "AWS"
+  vendor              = "S3"
+  region              = var.region
+  service_endpoint_id = var.service_endpoint_id
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
 ### Required
 
 - `project_id` (String) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.<br>**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group or project id remains the same. The resource and corresponding endpoints use the term groups.
-- `provider_name` (String) Provider where the Kafka cluster is deployed. Valid values are AWS and AZURE.
-- `vendor` (String) Vendor that manages the Kafka cluster. The following are the vendor values per provider:<br>- MSK and CONFLUENT for the AWS provider.<br>- EVENTHUB and CONFLUENT for the AZURE provider.
+- `provider_name` (String) Provider where the endpoint is deployed. Valid values are AWS and AZURE.
+- `vendor` (String) Vendor that manages the endpoint. The following are the vendor values per provider:
+
+	* **AWS**: MSK, CONFLUENT, and S3
+
+	* **Azure**: EVENTHUB and CONFLUENT
 
 ### Optional
 
 - `arn` (String) Amazon Resource Name (ARN). Required for AWS Provider and MSK vendor.
-- `dns_domain` (String) The domain hostname. Required for the following provider and vendor combinations:<br>- AWS provider with CONFLUENT vendor.<br>- AZURE provider with EVENTHUB or CONFLUENT vendor.
+- `dns_domain` (String) The domain hostname. Required for the following provider and vendor combinations:
+				
+	* AWS provider with CONFLUENT vendor.
+
+	* AZURE provider with EVENTHUB or CONFLUENT vendor.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones. Required for AWS Provider and CONFLUENT vendor. If your AWS CONFLUENT cluster doesn't use subdomains, you must set this to the empty array [].
 - `region` (String) The region of the Provider’s cluster. See [AZURE](https://www.mongodb.com/docs/atlas/reference/microsoft-azure/#stream-processing-instances) and [AWS](https://www.mongodb.com/docs/atlas/reference/amazon-aws/#stream-processing-instances) supported regions. When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_endpoint_id` (String) For AZURE EVENTHUB, this is the [namespace endpoint ID](https://learn.microsoft.com/en-us/rest/api/eventhub/namespaces/get). For AWS CONFLUENT cluster, this is the [VPC Endpoint service name](https://docs.confluent.io/cloud/current/networking/private-links/aws-privatelink.html).

examples/mongodbatlas_stream_privatelink_endpoint/s3/README.md

@@ -0,0 +1,12 @@
+# MongoDB Atlas Provider - AWS S3 Privatelink for Atlas Streams
+
+This example shows how to use AWS Privatelink for Atlas Streams with an AWS S3 bucket.
+
+You must set the following variables:
+
+- `project_id`: Unique 24-hexadecimal digit string that identifies your project
+- `public_key`: Public API key to authenticate to Atlas
+- `private_key`: Private API key to authenticate to Atlas
+- `region`: Region where the S3 bucket is located
+- `service_endpoint_id`: Service endpoint ID (should follow the format `com.amazonaws.<region>.s3`)
+- `s3_bucket_name`: Name of the S3 bucket for stream data

examples/mongodbatlas_stream_privatelink_endpoint/s3/main.tf

@@ -0,0 +1,38 @@
+# S3 bucket for stream data
+resource "aws_s3_bucket" "stream_bucket" {
+  provider      = aws.s3_region
+  bucket        = var.s3_bucket_name
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_versioning" "stream_bucket_versioning" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "stream_bucket_encryption" {
+  provider = aws.s3_region
+  bucket   = aws_s3_bucket.stream_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+# PrivateLink for S3
+resource "mongodbatlas_stream_privatelink_endpoint" "this" {
+  project_id          = var.project_id
+  provider_name       = "AWS"
+  vendor              = "S3"
+  region              = var.region
+  service_endpoint_id = var.service_endpoint_id
+}
+
+output "privatelink_endpoint_id" {
+  value = mongodbatlas_stream_privatelink_endpoint.this.id
+}

examples/mongodbatlas_stream_privatelink_endpoint/s3/provider.tf

@@ -0,0 +1,9 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+
+provider "aws" {
+  alias  = "s3_region"
+  region = var.region
+}

examples/mongodbatlas_stream_privatelink_endpoint/s3/variables.tf

@@ -0,0 +1,30 @@
+variable "project_id" {
+  description = "Unique 24-hexadecimal digit string that identifies your project"
+  type        = string
+}
+
+variable "public_key" {
+  description = "Public API key to authenticate to Atlas"
+  type        = string
+}
+
+variable "private_key" {
+  description = "Private API key to authenticate to Atlas"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region where the S3 bucket is located"
+  type        = string
+}
+
+variable "service_endpoint_id" {
+  description = "service_endpoint_id should follow the format 'com.amazonaws.<region>.s3', for example 'com.amazonaws.us-east-1.s3'"
+  type        = string
+}
+
+variable "s3_bucket_name" {
+  description = "Name of the S3 bucket for stream data"
+  type        = string
+  default     = "mongodbatlas-stream-data"
+}