chore: Supports Atlas Resource Policies (#2657)

* use SDK dev-preview

* chore: Creates schema for the new `mongodbatlas_resource_policy` (#2548)

* chore: Creates TF models & interfaces for new

* fix: attribute computed-optional-required types

* only include schema changes in PR

* chore: copy solution for making build test from `CLOUDP-246459-ear-kms-dev` branch

* fix: add missing OrgID to model

* chore: add non_compliant and remove comment from generator_config.yml

* fix: add plan modifier to `version`

* chore: add markdown descriptions

* chore: Creates schema for the new mongodbatlas_resource_policy data sources (#2563)

* chore: data-source schemas for resource_policy

* chore: copy solution for making build test from `CLOUDP-246459-ear-kms-dev` branch

* chore: add markdown descriptions

* chore: Adds `resource_policy` model conversions (#2575)

* feat: sdk -> tf conversion test

* chore: add add check for policy too

* refactor: use stringPointerValue and avoid types.ObjectValueMust

* refactor: use auto-generated version

* chore: rename apiResp to input

* test: add more test cases and support NewTFPoliciesModelToSDK

* chore: nil check

* fix: nil object pointers

* refactor: use `diags *diag.Diagnostics` as argument instead of return value

* refactor: continued simplifications to avoid *types.Object|List

* refactor: return variable directly

* refactor: another round

* test: refactor test to create the TF model

* test: add utility function for creating TF objects/lists for framework types

* chore: remove leftover comment

* refactor: use a []TFPolicy directly in the schema

* chore: remove accidental AttributeTypes function

* feat: Implements `resource_policy` (#2585)

* feat: initial resource implementation

* test: minor fixes

* test: add a new client for RP organization

* chore: add variables for dev to CI

* test: use new variables in resource policy test

* test: add the default main_test.go file

* chore: fix accidental indentation

* chore: add changelog file

* test: fix use explicit provider config in the resource test

* test: add test case for NewTFPoliciesModelToSDK

* ci: remove rp_base_url and support qa environment

* chore: remove base url from RP

* fix: avoid using MONGODB_ATLAS_BASE_URL

* test: remember to set the BaseURL

* test: remove additional provider, instead map the inut/secret variables in GH action

* fix: address PR comments

* feat: Implements and tests resource_policy data-source (#2598)

* feat: resource_policy data-source implementation and test

* chore: remove unused data_source test

* feat: resource_policies data-source implementation and test

* doc: include changelog file

* chore: minor fixes

* perform review suggestions

* chore: Merges master and use `name` as required (#2620)

* chore: Supports detecting policy errors during terraform plan (#2621)

* chore: support validating during plan

* refactor: move AddJSONErrDiagnostics to separate function

* chore: avoid POLICY_CANNOT_CONTAIN_A_DUPLICATE_NAME by using a random name when validating

* address PR comments

* test: Adds migration tests and more acceptance tests (#2622)

* test: Adds migration test

* refactor: includes name in error message

* test: Add case for multiple nested policies

* test: cleanup assertions and run sequentially to avoid assertion errors

* chore: address PR comment

* fix: link to correct upstream issue

* doc: Adds example and registry docs for resource_policy (#2623)

* doc: Adds initial  example

* doc: Adds registry documentation for resource_policy

* doc: Apply doc review suggestions

* chore: Uses name of resource policy instead of random value when validating (#2644)

* fix resource policy sdk api change

* Update .changelog/2585.txt

Co-authored-by: Leo Antoli <[email protected]>

* revert change

---------

Co-authored-by: EspenAlbert <[email protected]>
Co-authored-by: Espen Albert <[email protected]>
Co-authored-by: Leo Antoli <[email protected]>

Author: 3 people

.changelog/2585.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+resource/mongodbatlas_resource_policy
+```

.changelog/2598.txt

@@ -0,0 +1,7 @@
+```release-note:new-datasource
+data-source/mongodbatlas_resource_policy
+```
+
+```release-note:new-datasource
+data-source/mongodbatlas_resource_policies
+```

.github/workflows/acceptance-tests-runner.yml

@@ -80,6 +80,9 @@ on:
       mongodb_atlas_gov_base_url:
         type: string
         required: true
+      mongodb_atlas_rp_org_id:
+        type: string
+        required: true
       mongodb_atlas_gov_project_owner_id:
         type: string
         required: true
@@ -134,6 +137,10 @@ on:
         required: true
       mongodb_atlas_gov_public_key:
         required: true
+      mongodb_atlas_rp_private_key:
+        required: true
+      mongodb_atlas_rp_public_key:
+        required: true
       azure_directory_id:
         required: true
       azure_resource_group_name:
@@ -215,6 +222,7 @@ jobs:
       network: ${{ steps.filter.outputs.network == 'true' || env.mustTrigger == 'true' }}
       project: ${{ steps.filter.outputs.project == 'true' || env.mustTrigger == 'true' }}
       push_based_log_export: ${{ steps.filter.outputs.push_based_log_export == 'true' || env.mustTrigger == 'true' }}
+      resource_policy: ${{ steps.filter.outputs.resource_policy == 'true' || env.mustTrigger == 'true' }}
       search_deployment: ${{ steps.filter.outputs.search_deployment == 'true' || env.mustTrigger == 'true' }}
       search_index: ${{ steps.filter.outputs.search_index == 'true' || env.mustTrigger == 'true' }}
       serverless: ${{ steps.filter.outputs.serverless == 'true' || env.mustTrigger == 'true' }}
@@ -295,6 +303,8 @@ jobs:
             - 'internal/service/projectipaddresses/*.go'
           push_based_log_export:
             - 'internal/service/pushbasedlogexport/*.go'
+          resource_policy:
+            - 'internal/service/resourcepolicy/*.go'
           search_deployment:
             - 'internal/service/searchdeployment/*.go'
           search_index:
@@ -823,9 +833,9 @@ jobs:
           ACCTEST_PACKAGES: ./internal/service/pushbasedlogexport
         run: make testacc
 
-  search_deployment:
+  resource_policy:
     needs: [ change-detection, get-provider-version ]
-    if: ${{ needs.change-detection.outputs.search_deployment == 'true' || inputs.test_group == 'search_deployment' }}
+    if: ${{ needs.change-detection.outputs.resource_policy == 'true' || inputs.test_group == 'resource_policy' }}
     runs-on: ubuntu-latest
     permissions: {}
     steps:
@@ -841,13 +851,18 @@ jobs:
           terraform_wrapper: false  
       - name: Acceptance Tests
         env:
+          MONGODB_ATLAS_ORG_ID: ${{ inputs.mongodb_atlas_rp_org_id }}
+          MONGODB_ATLAS_PUBLIC_KEY: ${{ secrets.mongodb_atlas_rp_public_key }}
+          MONGODB_ATLAS_PRIVATE_KEY:  ${{ secrets.mongodb_atlas_rp_private_key }}
           MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }}
-          ACCTEST_PACKAGES: ./internal/service/searchdeployment
+          MONGODB_ATLAS_ENABLE_PREVIEW: "true"
+          ACCTEST_PACKAGES: |
+            ./internal/service/resourcepolicy
         run: make testacc
-
-  search_index:
+  
+  search_deployment:
     needs: [ change-detection, get-provider-version ]
-    if: ${{ needs.change-detection.outputs.search_index == 'true' || inputs.test_group == 'search_index' }}
+    if: ${{ needs.change-detection.outputs.search_deployment == 'true' || inputs.test_group == 'search_deployment' }}
     runs-on: ubuntu-latest
     permissions: {}
     steps:
@@ -860,16 +875,16 @@ jobs:
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
         with:
           terraform_version: ${{ inputs.terraform_version }}
-          terraform_wrapper: false    
+          terraform_wrapper: false  
       - name: Acceptance Tests
         env:
           MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }}
-          ACCTEST_PACKAGES: ./internal/service/searchindex
+          ACCTEST_PACKAGES: ./internal/service/searchdeployment
         run: make testacc
-  
-  serverless:
+
+  search_index:
     needs: [ change-detection, get-provider-version ]
-    if: ${{ needs.change-detection.outputs.serverless == 'true' || inputs.test_group == 'serverless' }}
+    if: ${{ needs.change-detection.outputs.search_index == 'true' || inputs.test_group == 'search_index' }}
     runs-on: ubuntu-latest
     permissions: {}
     steps:
@@ -885,18 +900,13 @@ jobs:
           terraform_wrapper: false    
       - name: Acceptance Tests
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
           MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }}
-          ACCTEST_PACKAGES: |
-            ./internal/service/privatelinkendpointserverless
-            ./internal/service/privatelinkendpointserviceserverless
-            ./internal/service/serverlessinstance
+          ACCTEST_PACKAGES: ./internal/service/searchindex
         run: make testacc
 
-  stream:
+  serverless:
     needs: [ change-detection, get-provider-version ]
-    if: ${{ needs.change-detection.outputs.stream == 'true' || inputs.test_group == 'stream' }}
+    if: ${{ needs.change-detection.outputs.serverless == 'true' || inputs.test_group == 'serverless' }}
     runs-on: ubuntu-latest
     permissions: {}
     steps:
@@ -909,12 +919,38 @@ jobs:
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
         with:
           terraform_version: ${{ inputs.terraform_version }}
-          terraform_wrapper: false  
+          terraform_wrapper: false    
       - name: Acceptance Tests
         env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
           MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }}
           ACCTEST_PACKAGES: |
-            ./internal/service/streamconnection
-            ./internal/service/streaminstance
-            ./internal/service/streamprocessor
+            ./internal/service/privatelinkendpointserverless
+            ./internal/service/privatelinkendpointserviceserverless
+            ./internal/service/serverlessinstance
         run: make testacc
+  stream:
+      needs: [ change-detection, get-provider-version ]
+      if: ${{ needs.change-detection.outputs.stream == 'true' || inputs.test_group == 'stream' }}
+      runs-on: ubuntu-latest
+      permissions: {}
+      steps:
+        - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+          with:
+            ref: ${{ inputs.ref || github.ref }}
+        - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+          with:
+            go-version-file: 'go.mod'
+        - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+          with:
+            terraform_version: ${{ inputs.terraform_version }}
+            terraform_wrapper: false  
+        - name: Acceptance Tests
+          env:
+            MONGODB_ATLAS_LAST_VERSION: ${{ needs.get-provider-version.outputs.provider_version }}
+            ACCTEST_PACKAGES: |
+              ./internal/service/streamconnection
+              ./internal/service/streaminstance
+              ./internal/service/streamprocessor
+          run: make testacc

.github/workflows/acceptance-tests.yml

@@ -57,6 +57,8 @@ jobs:
       mongodb_atlas_private_key: ${{ inputs.atlas_cloud_env == 'qa' && secrets.MONGODB_ATLAS_PRIVATE_KEY_CLOUD_QA || secrets.MONGODB_ATLAS_PRIVATE_KEY_CLOUD_DEV }}
       mongodb_atlas_gov_public_key: ${{ inputs.atlas_cloud_env == 'qa' && secrets.MONGODB_ATLAS_GOV_PUBLIC_KEY_QA || secrets.MONGODB_ATLAS_GOV_PUBLIC_KEY_DEV }}
       mongodb_atlas_gov_private_key: ${{ inputs.atlas_cloud_env == 'qa' && secrets.MONGODB_ATLAS_GOV_PRIVATE_KEY_QA || secrets.MONGODB_ATLAS_GOV_PRIVATE_KEY_DEV }}
+      mongodb_atlas_rp_public_key: ${{ inputs.atlas_cloud_env == 'qa' && secrets.MONGODB_ATLAS_RP_PUBLIC_KEY_QA || secrets.MONGODB_ATLAS_RP_PUBLIC_KEY_DEV }}
+      mongodb_atlas_rp_private_key: ${{ inputs.atlas_cloud_env == 'qa' && secrets.MONGODB_ATLAS_RP_PRIVATE_KEY_QA || secrets.MONGODB_ATLAS_RP_PRIVATE_KEY_DEV }}
       ca_cert: ${{ secrets.CA_CERT }}
       aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
       aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -113,3 +115,4 @@ jobs:
       mongodb_atlas_project_ear_pe_id: ${{ inputs.atlas_cloud_env == 'qa' && vars.MONGODB_ATLAS_PROJECT_EAR_PE_ID_QA || vars.MONGODB_ATLAS_PROJECT_EAR_PE_ID_DEV }}
       mongodb_atlas_enable_preview: ${{ vars.MONGODB_ATLAS_ENABLE_PREVIEW }}
       azure_private_endpoint_region: ${{ vars.AZURE_PRIVATE_ENDPOINT_REGION }}
+      mongodb_atlas_rp_org_id: ${{ inputs.atlas_cloud_env == 'qa' && vars.MONGODB_ATLAS_RP_ORG_ID_QA || vars.MONGODB_ATLAS_RP_ORG_ID_DEV }}

docs/data-sources/resource_policies.md

@@ -0,0 +1,142 @@
+# Data Source: mongodbatlas_resource_policies
+
+`mongodbatlas_resource_policies` returns all resource policies in an organization.
+
+-> **NOTE**: Resource Policies are currently in Public Preview. To use this feature, you must take the following actions:
+1. Enable the `Atlas Resource Policies` Beta Feature in your organization (contact MongoDB Support).
+2. Enable the [Preview Features](https://github.com/mongodb/terraform-provider-mongodbatlas?tab=readme-ov-file#preview-features) when running `terraform` commands.
+
+## Example Usages
+```terraform
+resource "mongodbatlas_resource_policy" "project_ip_access_list" {
+  org_id = var.org_id
+  name   = "forbid-access-from-anywhere"
+
+  policies = [
+    {
+      body = <<EOF
+        forbid (
+                principal,
+                action == cloud::Action::"project.edit",
+                resource
+        )
+                when {
+                context.project.ipAccessList.contains(ip("0.0.0.0/0"))
+        };
+EOF
+    },
+  ]
+}
+
+resource "mongodbatlas_resource_policy" "cloud_provider" {
+  org_id = var.org_id
+  name   = "forbid-cloud-provider"
+  policies = [
+    {
+      body = templatefile("${path.module}/cloud-provider.cedar", {
+        CLOUD_PROVIDER = "azure"
+      })
+    },
+    {
+      body = templatefile("${path.module}/cloud-provider.cedar", {
+        CLOUD_PROVIDER = "aws"
+      })
+    },
+  ]
+}
+
+data "cedar_policyset" "cloud_region" {
+  policy {
+    any_principal = true
+    effect        = "forbid"
+    action = {
+      type = " cloud::Action"
+      id   = "cluster.createEdit"
+    }
+    any_resource = true
+    when {
+      text = "context.cluster.regions.contains(cloud::region::\"gcp:us-east1\")"
+    }
+  }
+}
+
+resource "mongodbatlas_resource_policy" "cloud_region" {
+  org_id = var.org_id
+  name   = "forbid-cloud-region"
+  policies = [
+    {
+      body = data.cedar_policyset.cloud_region.text
+    },
+  ]
+}
+
+
+data "mongodbatlas_resource_policy" "project_ip_access_list" {
+  org_id = mongodbatlas_resource_policy.project_ip_access_list.org_id
+  id     = mongodbatlas_resource_policy.project_ip_access_list.id
+}
+
+data "mongodbatlas_resource_policies" "this" {
+  org_id = data.mongodbatlas_resource_policy.project_ip_access_list.org_id
+
+  depends_on = [mongodbatlas_resource_policy.project_ip_access_list, mongodbatlas_resource_policy.cloud_provider, mongodbatlas_resource_policy.cloud_region]
+}
+
+
+output "policy_ids" {
+  value = { for policy in data.mongodbatlas_resource_policies.this.resource_policies : policy.name => policy.id }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `org_id` (String) Unique 24-hexadecimal digit string that identifies the organization that contains your projects. Use the [/orgs](#tag/Organizations/operation/listOrganizations) endpoint to retrieve all organizations to which the authenticated user has access.
+
+### Read-Only
+
+- `resource_policies` (Attributes List) (see [below for nested schema](#nestedatt--resource_policies))
+
+<a id="nestedatt--resource_policies"></a>
+### Nested Schema for `resource_policies`
+
+Read-Only:
+
+- `created_by_user` (Attributes) The user that last updated the Atlas resource policy. (see [below for nested schema](#nestedatt--resource_policies--created_by_user))
+- `created_date` (String) Date and time in UTC when the Atlas resource policy was created.
+- `id` (String) Unique 24-hexadecimal digit string that identifies an Atlas resource policy.
+- `last_updated_by_user` (Attributes) The user that last updated the Atlas resource policy. (see [below for nested schema](#nestedatt--resource_policies--last_updated_by_user))
+- `last_updated_date` (String) Date and time in UTC when the Atlas resource policy was last updated.
+- `name` (String) Human-readable label that describes the Atlas resource policy.
+- `org_id` (String) Unique 24-hexadecimal digit string that identifies the organization that contains your projects. Use the [/orgs](#tag/Organizations/operation/listOrganizations) endpoint to retrieve all organizations to which the authenticated user has access.
+- `policies` (Attributes List) List of policies that make up the Atlas resource policy. (see [below for nested schema](#nestedatt--resource_policies--policies))
+- `version` (String) A string that identifies the version of the Atlas resource policy.
+
+<a id="nestedatt--resource_policies--created_by_user"></a>
+### Nested Schema for `resource_policies.created_by_user`
+
+Read-Only:
+
+- `id` (String) Unique 24-hexadecimal character string that identifies a user.
+- `name` (String) Human-readable label that describes a user.
+
+
+<a id="nestedatt--resource_policies--last_updated_by_user"></a>
+### Nested Schema for `resource_policies.last_updated_by_user`
+
+Read-Only:
+
+- `id` (String) Unique 24-hexadecimal character string that identifies a user.
+- `name` (String) Human-readable label that describes a user.
+
+
+<a id="nestedatt--resource_policies--policies"></a>
+### Nested Schema for `resource_policies.policies`
+
+Read-Only:
+
+- `body` (String) A string that defines the permissions for the policy. The syntax used is the Cedar Policy language.
+- `id` (String) Unique 24-hexadecimal character string that identifies the policy.
+