feat: Supports GCP for mongodbatlas_cloud_provider_access_authorization resource (#3639)

* gcp for authorization resource

* cloud provider

* gcp is computed

* remove max items

* set gcp

* remove gcp from if in update

* add missing azure attribute in docs

* explain gcp update

Author: oarbusi

.changelog/3639.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/mongodbatlas_cloud_provider_access_authorization: Supports GCP cloud provider
+```

docs/resources/cloud_provider_access.md

@@ -135,13 +135,18 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
 Conditional 
 * `aws`
    * `iam_assumed_role_arn` - (Required) ARN of the IAM Role that Atlas assumes when accessing resources in your AWS account. This value is required after the creation (register of the role) as part of [Set Up Unified AWS Access](https://docs.atlas.mongodb.com/security/set-up-unified-aws-access/#set-up-unified-aws-access).
-   
+* `azure`
+   * `atlas_azure_app_id` - (Required) Azure Active Directory Application ID of Atlas.
+   * `service_principal_id` - (Required) UUID string that identifies the Azure Service Principal.
+   * `tenant_id` - (Required) UUID String that identifies the Azure Active Directory Tenant ID.
 
 ## Attributes Reference
 
 * `id`               - Unique identifier used by terraform for internal management.
 * `authorized_date`  - Date on which this role was authorized.
 * `feature_usages`   - Atlas features this AWS IAM role is linked to.
+* `gcp`
+   * `service_account_for_atlas` - Email address for the Google Service Account created by Atlas.
 
 
 

internal/service/cloudprovideraccess/resource_cloud_provider_access_authorization.go

@@ -70,6 +70,18 @@ func ResourceAuthorization() *schema.Resource {
 					},
 				},
 			},
+			"gcp": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"service_account_for_atlas": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
 			"feature_usages": {
 				Type:     schema.TypeList,
 				Elem:     featureUsagesSchema(),
@@ -168,6 +180,10 @@ func resourceCloudProviderAccessAuthorizationUpdate(ctx context.Context, d *sche
 	}
 
 	if d.HasChange("aws") || d.HasChange("azure") {
+		// Re-authorize the role with updated AWS or Azure configuration.
+		// GCP authorization only requires a role ID and has no additional configuration to update.
+		// Therefore, "updating" a GCP role would effectively be creating a new authorization,
+		// which should be handled by creating a new resource rather than updating an existing one.
 		return authorizeRole(ctx, conn, d, projectID, targetRole)
 	}
 
@@ -186,6 +202,7 @@ func roleToSchemaAuthorization(role *admin.CloudProviderAccessRole) map[string]a
 			"iam_assumed_role_arn": role.GetIamAssumedRoleArn(),
 		}},
 		"authorized_date": conversion.TimeToString(role.GetAuthorizedDate()),
+		"gcp":             []any{map[string]any{}},
 	}
 
 	if role.ProviderName == "AZURE" {
@@ -197,6 +214,15 @@ func roleToSchemaAuthorization(role *admin.CloudProviderAccessRole) map[string]a
 				"tenant_id":            role.GetTenantId(),
 			}},
 			"authorized_date": conversion.TimeToString(role.GetAuthorizedDate()),
+			"gcp":             []any{map[string]any{}},
+		}
+	}
+	if role.ProviderName == "GCP" {
+		out = map[string]any{
+			"role_id": role.GetRoleId(),
+			"gcp": []any{map[string]any{
+				"service_account_for_atlas": role.GetGcpServiceAccountForAtlas(),
+			}},
 		}
 	}
 
@@ -281,6 +307,7 @@ func authorizeRole(ctx context.Context, client *admin.APIClient, d *schema.Resou
 		req.SetServicePrincipalId(targetRole.GetServicePrincipalId())
 		roleID = targetRole.GetId()
 	}
+	// No specific GCP config is needed, only providerName and roleID are needed
 
 	var role *admin.CloudProviderAccessRole
 	var err error