INTMDB-133: Updated Encryption At Rest to work with IAM Roles (#365)

* chore: updated vendor from mongodb client master

* feat: added parameter role_id

* set parameters in read

* chore: updated vendor for terrastest

* test: added testacc for encryption at rest

* test: added examples for encryption at rest using iam roles in tf

* feat: added folder for testing using terratest

* docs: updated docs

* fixes linter errors

* fixes linter

* fix error tests

* test: changed skip to skipnow func

* fix: changed version mongodb plugin to normal version

* added env var in workflow for automated tests

* added env var in workflow for automated tests

* deleted examples, mod for terratest and run again go mod vendor

* chore:updated vendor

* docs: made changes suggested by melissa

Co-authored-by: Edgar López <[email protected]>

Author: coderGo93

GNUmakefile

@@ -78,3 +78,4 @@ endif
 	@$(MAKE) -C $(GOPATH)/src/$(WEBSITE_REPO) website-provider-test PROVIDER_PATH=$(shell pwd) PROVIDER_NAME=$(PKG_NAME)
 
 .PHONY: build test testacc fmt fmtcheck lint check tools test-compile website website-lint website-test
+

go.mod

@@ -11,5 +11,5 @@ require (
 	github.com/spf13/cast v1.3.1
 	github.com/terraform-providers/terraform-provider-aws v1.60.1-0.20200518153306-40099de47e37
 	github.com/terraform-providers/terraform-provider-google v1.20.1-0.20200518165017-1dd21651c496
-	go.mongodb.org/atlas v0.5.1-0.20201123170532-371c0d8194fe
+	go.mongodb.org/atlas v0.5.1-0.20201208195148-2ef1965cb1ef
 )

go.sum

@@ -94,6 +94,7 @@ github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8Nz
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -134,6 +135,7 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
@@ -489,6 +491,7 @@ github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/ryancurrah/gomodguard v1.0.4 h1:oCreMAt9GuFXDe9jW4HBpc3GjdX3R/sUEcLAGh1zPx8=
 github.com/ryancurrah/gomodguard v1.0.4/go.mod h1:9T/Cfuxs5StfsocWr4WzDL36HqnX0fVb9d5fSEaLhoE=
@@ -601,26 +604,8 @@ github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q
 github.com/zclconf/go-cty-yaml v1.0.1 h1:up11wlgAaDvlAGENcFDnZgkn0qUJurso7k6EpURKNF8=
 github.com/zclconf/go-cty-yaml v1.0.1/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.mongodb.org/atlas v0.3.1-0.20200716160607-1b4e8b15eadf h1:uphQUeBtEbNSmlhg1MRVJOMMhFBtrT6+K6rSmXGxCPk=
-go.mongodb.org/atlas v0.3.1-0.20200716160607-1b4e8b15eadf/go.mod h1:xa/V3muNuVoReSG0y2pigUUnfPOx1cHF0ZV2uCE+c7I=
-go.mongodb.org/atlas v0.4.1-0.20200817181428-cd1e61b39f75 h1:aXDdZDxIeD37cn0uVGQl+oHbT//g9OYybLF+R4u2NHk=
-go.mongodb.org/atlas v0.4.1-0.20200817181428-cd1e61b39f75/go.mod h1:QlKvZKT43+R6lhHlaTy2E7Q/3AoAljMI6v5apfqslIs=
-go.mongodb.org/atlas v0.4.1-0.20200819194203-09c49e85aa0d h1:5GrmSNMip4s758EBOchuRTLarSxpRMOclvUjo9Dez7M=
-go.mongodb.org/atlas v0.4.1-0.20200819194203-09c49e85aa0d/go.mod h1:QlKvZKT43+R6lhHlaTy2E7Q/3AoAljMI6v5apfqslIs=
-go.mongodb.org/atlas v0.4.1-0.20200820152733-8dc4a7c19a2b h1:AuAQZDrQLesdmz9mIPaIn07OJRoG4Vfm+M3xd31HGgo=
-go.mongodb.org/atlas v0.4.1-0.20200820152733-8dc4a7c19a2b/go.mod h1:QlKvZKT43+R6lhHlaTy2E7Q/3AoAljMI6v5apfqslIs=
-go.mongodb.org/atlas v0.4.1-0.20200903102338-049d0778b833 h1:gH8Ih2OacuB6qVitO+wI5EBKdbtM/YdbhJstiMR2Vfw=
-go.mongodb.org/atlas v0.4.1-0.20200903102338-049d0778b833/go.mod h1:CIaBeO8GLHhtYLw7xSSXsw7N90Z4MFY87Oy9qcPyuEs=
-go.mongodb.org/atlas v0.4.1-0.20200916170654-ac3833accfa2 h1:qjEP4bC8yTi57jBYHtSSA8gzPN4vJl3XG23YBMXCgUg=
-go.mongodb.org/atlas v0.4.1-0.20200916170654-ac3833accfa2/go.mod h1:CIaBeO8GLHhtYLw7xSSXsw7N90Z4MFY87Oy9qcPyuEs=
-go.mongodb.org/atlas v0.5.1-0.20201007214134-b315fe7503d2 h1:b4Ng7d2sCSgYKwLMOetbwLcPE732SiBnJqH5rQrhZOs=
-go.mongodb.org/atlas v0.5.1-0.20201007214134-b315fe7503d2/go.mod h1:CIaBeO8GLHhtYLw7xSSXsw7N90Z4MFY87Oy9qcPyuEs=
-go.mongodb.org/atlas v0.5.1-0.20201106143903-ab022d8c43b5 h1:/U1ze48A0J3td+rItu+/jpNCLQxdNKtkIkpnuy2ZKHc=
-go.mongodb.org/atlas v0.5.1-0.20201106143903-ab022d8c43b5/go.mod h1:CIaBeO8GLHhtYLw7xSSXsw7N90Z4MFY87Oy9qcPyuEs=
-go.mongodb.org/atlas v0.5.1-0.20201117180402-049456a13b6e h1:mAoOV+XVJ1bwVIojwXRe3oDTpycfN+zraR6oEqkroic=
-go.mongodb.org/atlas v0.5.1-0.20201117180402-049456a13b6e/go.mod h1:CIaBeO8GLHhtYLw7xSSXsw7N90Z4MFY87Oy9qcPyuEs=
-go.mongodb.org/atlas v0.5.1-0.20201123170532-371c0d8194fe h1:xyaNXTRtHfWGYtKIdBdwuPxxumSbqEF5QI5r7kdOGcw=
-go.mongodb.org/atlas v0.5.1-0.20201123170532-371c0d8194fe/go.mod h1:CIaBeO8GLHhtYLw7xSSXsw7N90Z4MFY87Oy9qcPyuEs=
+go.mongodb.org/atlas v0.5.1-0.20201208195148-2ef1965cb1ef h1:W356PZzBuIdUwuxAq94SSIniPO7C1Wl8KYwmU+MPHYc=
+go.mongodb.org/atlas v0.5.1-0.20201208195148-2ef1965cb1ef/go.mod h1:CIaBeO8GLHhtYLw7xSSXsw7N90Z4MFY87Oy9qcPyuEs=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -759,6 +744,7 @@ golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20170915040203-e531a2a1c15f/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

mongodbatlas/resource_mongodbatlas_encryption_at_rest.go

@@ -11,6 +11,14 @@ import (
 	matlas "go.mongodb.org/atlas/mongodbatlas"
 )
 
+const (
+	errorCreateEncryptionAtRest       = "error creating Encryption At Rest: %s"
+	errorReadEncryptionAtRest         = "error getting Encryption At Rest: %s"
+	errorDeleteEncryptionAtRest       = "error deleting Encryption At Rest: (%s): %s"
+	errorUpdateEncryptionAtRest       = "error updating Encryption At Rest: %s"
+	errorAlertEncryptionAtRestSetting = "error setting `%s` for Encryption At Rest (%s): %s"
+)
+
 func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
 	return &schema.Resource{
 		Create:   resourceMongoDBAtlasEncryptionAtRestCreate,
@@ -52,6 +60,10 @@ func resourceMongoDBAtlasEncryptionAtRest() *schema.Resource {
 							Type:     schema.TypeString,
 							Required: true,
 						},
+						"role_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
 					},
 				},
 			},
@@ -142,7 +154,7 @@ func resourceMongoDBAtlasEncryptionAtRestCreate(d *schema.ResourceData, meta int
 
 	_, _, err := conn.EncryptionsAtRest.Create(context.Background(), encryptionAtRestReq)
 	if err != nil {
-		return fmt.Errorf("error creating Encryption at Rest: %s", err)
+		return fmt.Errorf(errorCreateEncryptionAtRest, err)
 	}
 
 	d.SetId(d.Get("project_id").(string))
@@ -153,9 +165,25 @@ func resourceMongoDBAtlasEncryptionAtRestCreate(d *schema.ResourceData, meta int
 func resourceMongoDBAtlasEncryptionAtRestRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*matlas.Client)
 
-	_, _, err := conn.EncryptionsAtRest.Get(context.Background(), d.Id())
+	resp, _, err := conn.EncryptionsAtRest.Get(context.Background(), d.Id())
 	if err != nil {
-		return fmt.Errorf("error getting Encryption at Rest information: %s", err)
+		return fmt.Errorf(errorReadEncryptionAtRest, err)
+	}
+
+	if err := d.Set("project_id", resp.GroupID); err != nil {
+		return fmt.Errorf(errorAlertEncryptionAtRestSetting, "project_id", d.Id(), err)
+	}
+
+	if err := d.Set("aws_kms", flattenAWSKMS(&resp.AwsKms)); err != nil {
+		return fmt.Errorf(errorAlertEncryptionAtRestSetting, "aws_kms", d.Id(), err)
+	}
+
+	if err := d.Set("azure_key_vault", flattenAzureVault(&resp.AzureKeyVault)); err != nil {
+		return fmt.Errorf(errorAlertEncryptionAtRestSetting, "azure_key_vault", d.Id(), err)
+	}
+
+	if err := d.Set("google_cloud_kms", flattenGCPKms(&resp.GoogleCloudKms)); err != nil {
+		return fmt.Errorf(errorAlertEncryptionAtRestSetting, "google_cloud_kms", d.Id(), err)
 	}
 
 	return nil
@@ -167,7 +195,7 @@ func resourceMongoDBAtlasEncryptionAtRestUpdate(d *schema.ResourceData, meta int
 
 	encrypt, _, err := conn.EncryptionsAtRest.Get(context.Background(), projectID)
 	if err != nil {
-		return fmt.Errorf("error getting encryption at rest information: %s", err)
+		return fmt.Errorf(errorUpdateEncryptionAtRest, err)
 	}
 
 	encrypt.GroupID = projectID
@@ -197,7 +225,7 @@ func resourceMongoDBAtlasEncryptionAtRestDelete(d *schema.ResourceData, meta int
 
 	_, err := conn.EncryptionsAtRest.Delete(context.Background(), d.Id())
 	if err != nil {
-		return fmt.Errorf("error removing encryption at rest (%s): %s", d.Id(), err)
+		return fmt.Errorf(errorDeleteEncryptionAtRest, d.Id(), err)
 	}
 
 	return nil
@@ -212,6 +240,7 @@ func expandAwsKms(awsKms map[string]interface{}) matlas.AwsKms {
 		SecretAccessKey:     cast.ToString(awsKms["secret_access_key"]),
 		CustomerMasterKeyID: cast.ToString(awsKms["customer_master_key_id"]),
 		Region:              awsRegion,
+		RoleID:              cast.ToString(awsKms["role_id"]),
 	}
 }
 
@@ -236,3 +265,48 @@ func expandGCPKms(gcpKms map[string]interface{}) matlas.GoogleCloudKms {
 		KeyVersionResourceID: cast.ToString(gcpKms["key_version_resource_id"]),
 	}
 }
+
+func flattenAWSKMS(m *matlas.AwsKms) map[string]interface{} {
+	if m != nil {
+		return map[string]interface{}{
+			"enabled":                cast.ToString(m.Enabled),
+			"access_key_id":          m.AccessKeyID,
+			"secret_access_key":      m.SecretAccessKey,
+			"customer_master_key_id": m.CustomerMasterKeyID,
+			"region":                 m.Region,
+			"role_id":                m.RoleID,
+		}
+	}
+
+	return map[string]interface{}{}
+}
+
+func flattenAzureVault(m *matlas.AzureKeyVault) map[string]interface{} {
+	if m != nil {
+		return map[string]interface{}{
+			"enabled":             cast.ToString(m.Enabled),
+			"client_id":           m.ClientID,
+			"azure_environment":   m.AzureEnvironment,
+			"subscription_id":     m.SubscriptionID,
+			"resource_group_name": m.ResourceGroupName,
+			"key_vault_name":      m.KeyVaultName,
+			"key_identifier":      m.KeyIdentifier,
+			"secret":              m.Secret,
+			"tenant_id":           m.TenantID,
+		}
+	}
+
+	return map[string]interface{}{}
+}
+
+func flattenGCPKms(m *matlas.GoogleCloudKms) map[string]interface{} {
+	if m != nil {
+		return map[string]interface{}{
+			"enabled":                 cast.ToString(m.Enabled),
+			"service_account_key":     m.ServiceAccountKey,
+			"key_version_resource_id": m.KeyVersionResourceID,
+		}
+	}
+
+	return map[string]interface{}{}
+}

mongodbatlas/resource_mongodbatlas_encryption_at_rest_test.go

@@ -6,13 +6,97 @@ import (
 	"os"
 	"testing"
 
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
 	"github.com/mwielbut/pointy"
 	"github.com/spf13/cast"
 	matlas "go.mongodb.org/atlas/mongodbatlas"
 )
 
+const (
+	initialConfigEncryptionRestRoleAWS = `
+provider "aws" {
+	region     = lower(replace("%[1]s", "_", "-"))
+	access_key = "%[2]s"
+	secret_key = "%[3]s"
+}
+
+%[7]s
+
+resource "mongodbatlas_cloud_provider_access" "test" {
+	project_id = "%[4]s"
+	provider_name = "AWS"
+	%[8]s
+		
+}
+
+resource "aws_iam_role_policy" "test_policy" {
+  name = "%[5]s"
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+		"Action": "*",
+		"Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "test_role" {
+ name = "%[6]s"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${mongodbatlas_cloud_provider_access.test.atlas_aws_account_arn}"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${mongodbatlas_cloud_provider_access.test.atlas_assumed_role_external_id}"
+        }
+      }
+    }
+  ]
+}
+EOF
+
+}
+
+%[9]s
+
+`
+	configEncryptionRest = `
+resource "mongodbatlas_encryption_at_rest" "test" {
+	project_id = "%s"
+
+	aws_kms = {
+		enabled                = %t
+		customer_master_key_id = "%s"
+		region                 = "%s"
+		role_id = mongodbatlas_cloud_provider_access.test.role_id
+	}
+}`
+	dataAWSARNConfig = `
+data "aws_iam_role" "test" {
+  name = "%s"
+}
+
+`
+)
+
 func TestAccResourceMongoDBAtlasEncryptionAtRest_basicAWS(t *testing.T) {
 	SkipTestExtCred(t)
 	var (
@@ -189,6 +273,46 @@ func TestAccResourceMongoDBAtlasEncryptionAtRest_basicGCP(t *testing.T) {
 	})
 }
 
+func TestAccResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testing.T) {
+	SkipTest(t) // For now it will skipped because of aws errors reasons, already made another test using terratest.
+	SkipTestExtCred(t)
+	var (
+		resourceName = "mongodbatlas_encryption_at_rest.test"
+		projectID    = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
+		accessKeyID  = os.Getenv("AWS_ACCESS_KEY_ID")
+		secretKey    = os.Getenv("AWS_SECRET_ACCESS_KEY")
+		policyName   = acctest.RandomWithPrefix("test-aws-policy")
+		roleName     = acctest.RandomWithPrefix("test-aws-role")
+
+		awsKms = matlas.AwsKms{
+			Enabled:             pointy.Bool(true),
+			CustomerMasterKeyID: os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID"),
+			Region:              os.Getenv("AWS_REGION"),
+		}
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); checkAwsEnv(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckMongoDBAtlasEncryptionAtRestDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccMongoDBAtlasEncryptionAtRestConfigAwsKmsWithRole(awsKms.Region, accessKeyID, secretKey, projectID, policyName, roleName, false, &awsKms),
+			},
+			{
+				Config: testAccMongoDBAtlasEncryptionAtRestConfigAwsKmsWithRole(awsKms.Region, accessKeyID, secretKey, projectID, policyName, roleName, true, &awsKms),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
+					resource.TestCheckResourceAttr(resourceName, "aws_kms.enabled", cast.ToString(awsKms.Enabled)),
+					resource.TestCheckResourceAttr(resourceName, "aws_kms.customer_master_key_id", awsKms.CustomerMasterKeyID),
+					resource.TestCheckResourceAttr(resourceName, "aws_kms.region", awsKms.Region),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckMongoDBAtlasEncryptionAtRestExists(resourceName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		conn := testAccProvider.Meta().(*matlas.Client)
@@ -281,3 +405,14 @@ func testAccMongoDBAtlasEncryptionAtRestConfigGoogleCloudKms(projectID string, g
 		}
 	`, projectID, *google.Enabled, google.ServiceAccountKey, google.KeyVersionResourceID)
 }
+
+func testAccMongoDBAtlasEncryptionAtRestConfigAwsKmsWithRole(region, awsAccesKey, awsSecretKey, projectID, policyName, awsRoleName string, isUpdate bool, aws *matlas.AwsKms) string {
+	config := fmt.Sprintf(initialConfigEncryptionRestRoleAWS, region, awsAccesKey, awsSecretKey, projectID, policyName, awsRoleName, "", "", "")
+	if isUpdate {
+		configEncrypt := fmt.Sprintf(configEncryptionRest, projectID, *aws.Enabled, aws.CustomerMasterKeyID, aws.Region)
+		dataAWSARN := fmt.Sprintf(dataAWSARNConfig, awsRoleName)
+		dataARN := `iam_assumed_role_arn = data.aws_iam_role.test.arn`
+		config = fmt.Sprintf(initialConfigEncryptionRestRoleAWS, region, awsAccesKey, awsSecretKey, projectID, policyName, awsRoleName, dataAWSARN, dataARN, configEncrypt)
+	}
+	return config
+}