feat: Long-running operation improvements for mongodbatlas_privatelink_endpoint_service resource (#3545)

* renames and timeout fixes

* changelog

* changelog

* wait for delete to complete

* Revert "wait for delete to complete"

This reverts commit e994e9f.

* use existing privatelink_endpoint and clean up

Author: oarbusi

.changelog/3545.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/mongodbatlas_privatelink_endpoint_service: Adds `delete_on_create_timeout` attribute to indicate whether to delete the resource if its creation times out
+``` 

docs/resources/privatelink_endpoint_service.md

@@ -153,6 +153,7 @@ resource "mongodbatlas_privatelink_endpoint_service" "test" {
 * `gcp_project_id` - (Optional) Unique identifier of the GCP project in which you created your endpoints. Only for `GCP`.
 * `endpoints` - (Optional) Collection of individual private endpoints that comprise your endpoint group. Only for `GCP`. See below.
 * `timeouts`- (Optional) The duration of time to wait for Private Endpoint Service to be created or deleted. The timeout value is defined by a signed sequence of decimal numbers with a time unit suffix such as: `1h45m`, `300s`, `10m`, etc. The valid time units are:  `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. The default timeout for Private Endpoint create & delete is `2h`. Learn more about timeouts [here](https://www.terraform.io/plugin/sdkv2/resources/retries-and-customizable-timeouts).
+* `delete_on_create_timeout`- (Optional) Flag that indicates whether to delete the resource if creation times out. Default is `true`. When Terraform apply fails, it returns immediately without waiting for cleanup to complete. If you suspect a transient error, wait before retrying to allow resource deletion to finish.
 
 ### `endpoints`
 * `ip_address` - (Optional) Private IP address of the endpoint you created in GCP.

internal/service/privatelinkendpoint/resource.go

@@ -24,7 +24,6 @@ const (
 	errorPrivateLinkEndpointsRead    = "error reading MongoDB Private Endpoints Connection(%s): %s"
 	errorPrivateLinkEndpointsDelete  = "error deleting MongoDB Private Endpoints Connection(%s): %s"
 	ErrorPrivateLinkEndpointsSetting = "error setting `%s` for MongoDB Private Endpoints Connection(%s): %s"
-	oneMinute                        = 1 * time.Minute
 	delayAndMinTimeout               = 5 * time.Second
 )
 
@@ -139,16 +138,7 @@ func resourceCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.
 		return diag.FromErr(fmt.Errorf(errorPrivateLinkEndpointsCreate, err))
 	}
 
-	stateConf := &retry.StateChangeConf{
-		Pending:    []string{"INITIATING", "DELETING"},
-		Target:     []string{"WAITING_FOR_USER", "FAILED", "DELETED", "AVAILABLE"},
-		Refresh:    refreshFunc(ctx, connV2, projectID, providerName, privateEndpoint.GetId()),
-		Timeout:    d.Timeout(schema.TimeoutCreate) - oneMinute, // If using a CRUD function with a timeout, any StateChangeConf timeouts should be configured below that duration to avoid returning the SDK context: deadline exceeded error instead of the retry logic error.
-		MinTimeout: delayAndMinTimeout,
-		Delay:      delayAndMinTimeout,
-	}
-
-	// Wait, catching any errors
+	stateConf := CreateStateChangeConfig(ctx, connV2, projectID, providerName, privateEndpoint.GetId(), d.Timeout(schema.TimeoutCreate))
 	_, errWait := stateConf.WaitForStateContext(ctx)
 	deleteOnCreateTimeout := true // default value when not set
 	if v, ok := d.GetOkExists("delete_on_create_timeout"); ok {
@@ -267,15 +257,7 @@ func resourceDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.
 
 	log.Println("[INFO] Waiting for MongoDB Private Endpoints Connection to be destroyed")
 
-	stateConf := &retry.StateChangeConf{
-		Pending:    []string{"DELETING"},
-		Target:     []string{"DELETED", "FAILED"},
-		Refresh:    refreshFunc(ctx, connV2, projectID, providerName, privateLinkID),
-		Timeout:    d.Timeout(schema.TimeoutDelete),
-		MinTimeout: delayAndMinTimeout,
-		Delay:      delayAndMinTimeout,
-	}
-
+	stateConf := DeleteStateChangeConfig(ctx, connV2, projectID, providerName, privateLinkID, d.Timeout(schema.TimeoutDelete))
 	_, err = stateConf.WaitForStateContext(ctx)
 	if err != nil {
 		return diag.FromErr(fmt.Errorf(errorPrivateLinkEndpointsDelete, privateLinkID, err))
@@ -346,3 +328,25 @@ func refreshFunc(ctx context.Context, client *admin.APIClient, projectID, provid
 		return p, status, nil
 	}
 }
+
+func CreateStateChangeConfig(ctx context.Context, connV2 *admin.APIClient, projectID, providerName, privateLinkID string, timeout time.Duration) retry.StateChangeConf {
+	return retry.StateChangeConf{
+		Pending:    []string{"INITIATING", "DELETING"},
+		Target:     []string{"WAITING_FOR_USER", "FAILED", "DELETED", "AVAILABLE"},
+		Refresh:    refreshFunc(ctx, connV2, projectID, providerName, privateLinkID),
+		Timeout:    timeout,
+		MinTimeout: delayAndMinTimeout,
+		Delay:      delayAndMinTimeout,
+	}
+}
+
+func DeleteStateChangeConfig(ctx context.Context, connV2 *admin.APIClient, projectID, providerName, privateLinkID string, timeout time.Duration) retry.StateChangeConf {
+	return retry.StateChangeConf{
+		Pending:    []string{"DELETING"},
+		Target:     []string{"DELETED", "FAILED"},
+		Refresh:    refreshFunc(ctx, connV2, projectID, providerName, privateLinkID),
+		Timeout:    timeout,
+		MinTimeout: delayAndMinTimeout,
+		Delay:      delayAndMinTimeout,
+	}
+}

internal/service/privatelinkendpointservice/data_source_privatelink_endpoint_service.go renamed to internal/service/privatelinkendpointservice/data_source.go

@@ -12,6 +12,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/cleanup"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/validate"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/config"
@@ -24,13 +26,15 @@ const (
 	ErrorServiceEndpointRead = "error reading MongoDB Private Service Endpoint Connection(%s): %s"
 	errorEndpointDelete      = "error deleting MongoDB Private Service Endpoint Connection(%s): %s"
 	ErrorEndpointSetting     = "error setting `%s` for MongoDB Private Service Endpoint Connection(%s): %s"
+	oneMinute                = 1 * time.Minute
+	delayAndMinTimeout       = 10 * time.Second
 )
 
 func Resource() *schema.Resource {
 	return &schema.Resource{
-		CreateContext:      resourceCreate,
-		ReadWithoutTimeout: resourceRead,
-		DeleteContext:      resourceDelete,
+		CreateWithoutTimeout: resourceCreate,
+		ReadWithoutTimeout:   resourceRead,
+		DeleteWithoutTimeout: resourceDelete,
 		Importer: &schema.ResourceImporter{
 			StateContext: resourceImportState,
 		},
@@ -100,6 +104,12 @@ func Resource() *schema.Resource {
 				ForceNew:      true,
 				ConflictsWith: []string{"private_endpoint_ip_address"},
 			},
+			"delete_on_create_timeout": { // Don't use Default: true to avoid unplanned changes when upgrading from previous versions.
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Flag that indicates whether to delete the resource if creation times out. Default is true.",
+			},
 			"endpoints": {
 				Type:          schema.TypeList,
 				Optional:      true,
@@ -173,23 +183,31 @@ func resourceCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.
 		Pending:    []string{"NONE", "INITIATING", "PENDING_ACCEPTANCE", "PENDING", "DELETING", "VERIFIED"},
 		Target:     []string{"AVAILABLE", "REJECTED", "DELETED", "FAILED"},
 		Refresh:    resourceRefreshFunc(ctx, connV2, projectID, providerName, privateLinkID, endpointServiceID),
-		Timeout:    d.Timeout(schema.TimeoutCreate) - time.Minute, // When using a CRUD function with a timeout, any StateChangeConf timeouts must be configured below that duration to avoid returning the SDK context: deadline exceeded error instead of the retry logic error.
-		MinTimeout: 5 * time.Second,
-		Delay:      1 * time.Minute,
+		Timeout:    d.Timeout(schema.TimeoutCreate) - oneMinute, // When using a CRUD function with a timeout, any StateChangeConf timeouts must be configured below that duration to avoid returning the SDK context: deadline exceeded error instead of the retry logic error.
+		MinTimeout: delayAndMinTimeout,
+		Delay:      delayAndMinTimeout,
 	}
 	// Wait, catching any errors
-	_, err = stateConf.WaitForStateContext(ctx)
-	if err != nil {
-		return diag.FromErr(fmt.Errorf(errorServiceEndpointAdd, endpointServiceID, privateLinkID, err))
+	_, errWait := stateConf.WaitForStateContext(ctx)
+	deleteOnCreateTimeout := true // default value when not set
+	if v, ok := d.GetOkExists("delete_on_create_timeout"); ok {
+		deleteOnCreateTimeout = v.(bool)
+	}
+	errWait = cleanup.HandleCreateTimeout(deleteOnCreateTimeout, errWait, func(ctxCleanup context.Context) error {
+		_, errCleanup := connV2.PrivateEndpointServicesApi.DeletePrivateEndpoint(ctxCleanup, projectID, providerName, endpointServiceID, privateLinkID).Execute()
+		return errCleanup
+	})
+	if errWait != nil {
+		return diag.FromErr(fmt.Errorf(errorServiceEndpointAdd, endpointServiceID, privateLinkID, errWait))
 	}
 
 	clusterConf := &retry.StateChangeConf{
 		Pending:    []string{"REPEATING", "PENDING"},
 		Target:     []string{"IDLE", "DELETED"},
 		Refresh:    advancedcluster.ResourceClusterListAdvancedRefreshFunc(ctx, projectID, connV2.ClustersApi),
-		Timeout:    d.Timeout(schema.TimeoutCreate) - time.Minute, // When using a CRUD function with a timeout, any StateChangeConf timeouts must be configured below that duration to avoid returning the SDK context: deadline exceeded error instead of the retry logic error.
-		MinTimeout: 5 * time.Second,
-		Delay:      1 * time.Minute,
+		Timeout:    d.Timeout(schema.TimeoutCreate) - oneMinute, // When using a CRUD function with a timeout, any StateChangeConf timeouts must be configured below that duration to avoid returning the SDK context: deadline exceeded error instead of the retry logic error.
+		MinTimeout: delayAndMinTimeout,
+		Delay:      delayAndMinTimeout,
 	}
 
 	if _, err = clusterConf.WaitForStateContext(ctx); err != nil {
@@ -299,8 +317,8 @@ func resourceDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.
 			Target:     []string{"REJECTED", "DELETED", "FAILED"},
 			Refresh:    resourceRefreshFunc(ctx, connV2, projectID, providerName, privateLinkID, endpointServiceID),
 			Timeout:    d.Timeout(schema.TimeoutDelete),
-			MinTimeout: 5 * time.Second,
-			Delay:      3 * time.Second,
+			MinTimeout: delayAndMinTimeout,
+			Delay:      delayAndMinTimeout,
 		}
 
 		// Wait, catching any errors
@@ -314,8 +332,8 @@ func resourceDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.
 			Target:     []string{"IDLE", "DELETED"},
 			Refresh:    advancedcluster.ResourceClusterListAdvancedRefreshFunc(ctx, projectID, connV2.ClustersApi),
 			Timeout:    d.Timeout(schema.TimeoutDelete),
-			MinTimeout: 5 * time.Second,
-			Delay:      1 * time.Minute,
+			MinTimeout: delayAndMinTimeout,
+			Delay:      delayAndMinTimeout,
 		}
 
 		if _, err = clusterConf.WaitForStateContext(ctx); err != nil {

internal/service/privatelinkendpointservice/resource_privatelink_endpoint_service.go renamed to internal/service/privatelinkendpointservice/resource.go

@@ -42,6 +42,30 @@ func TestAccNetworkRSPrivateLinkEndpointServiceAWS_Failed(t *testing.T) {
 	})
 }
 
+func TestAccNetworkRSPrivateLinkEndpointService_deleteOnCreateTimeout(t *testing.T) {
+	var (
+		resourceSuffix = "test"
+		providerName   = "AWS"
+		region         = os.Getenv("AWS_REGION")
+		// Create private link endpoint outside of test configuration to avoid cleanup issues
+		projectID, privateLinkEndpointID = acc.PrivateLinkEndpointIDExecution(t, providerName, region)
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acc.PreCheckBasic(t) },
+		CheckDestroy:             checkDestroy,
+		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
+		Steps: []resource.TestStep{
+			{
+				Config: configDeleteOnCreateTimeoutWithExistingEndpoint(
+					projectID, providerName, privateLinkEndpointID, resourceSuffix, "1s", true,
+				),
+				ExpectError: regexp.MustCompile("will run cleanup because delete_on_create_timeout is true"),
+			},
+		},
+	})
+}
+
 func basicAWSTestCase(tb testing.TB) *resource.TestCase {
 	tb.Helper()
 	acc.SkipTestForCI(tb) // needs AWS configuration
@@ -189,3 +213,19 @@ func configFailAWS(projectID, providerName, region, resourceSuffix string) strin
 		}
 	`, projectID, providerName, region, resourceSuffix)
 }
+
+func configDeleteOnCreateTimeoutWithExistingEndpoint(projectID, providerName, privateLinkEndpointID, resourceSuffix, timeout string, deleteOnTimeout bool) string {
+	return fmt.Sprintf(`
+		resource "mongodbatlas_privatelink_endpoint_service" %[4]q {
+			project_id            = %[1]q
+			private_link_id       = %[3]q
+			endpoint_service_id   = "vpce-11111111111111111"
+			provider_name         = %[2]q
+			delete_on_create_timeout = %[6]t
+			
+			timeouts {
+				create = %[5]q
+			}
+		}
+	`, projectID, providerName, privateLinkEndpointID, resourceSuffix, timeout, deleteOnTimeout)
+}

internal/service/privatelinkendpointservice/resource_privatelink_endpoint_service_migration_test.go renamed to internal/service/privatelinkendpointservice/resource_migration_test.go

@@ -0,0 +1,43 @@
+package acc
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/service/privatelinkendpoint"
+	"github.com/stretchr/testify/require"
+	"go.mongodb.org/atlas-sdk/v20250312005/admin"
+)
+
+func createPrivateLinkEndpoint(tb testing.TB, projectID, providerName, region string) string {
+	tb.Helper()
+
+	request := &admin.CloudProviderEndpointServiceRequest{
+		ProviderName: providerName,
+		Region:       region,
+	}
+
+	privateEndpoint, _, err := ConnV2().PrivateEndpointServicesApi.CreatePrivateEndpointService(tb.Context(), projectID, request).Execute()
+	require.NoError(tb, err)
+
+	stateConf := privatelinkendpoint.CreateStateChangeConfig(tb.Context(), ConnV2(), projectID, providerName, privateEndpoint.GetId(), 1*time.Hour)
+	_, err = stateConf.WaitForStateContext(tb.Context())
+	require.NoError(tb, err, "Private link endpoint creation failed: %s, err: %s", privateEndpoint.GetId(), err)
+
+	return privateEndpoint.GetId()
+}
+
+func deletePrivateLinkEndpoint(projectID, providerName, privateLinkEndpointID string) {
+	_, err := ConnV2().PrivateEndpointServicesApi.DeletePrivateEndpointService(context.Background(), projectID, providerName, privateLinkEndpointID).Execute()
+	if err != nil {
+		fmt.Printf("Failed to delete private link endpoint %s: %s\n", privateLinkEndpointID, err)
+		return
+	}
+	stateConf := privatelinkendpoint.DeleteStateChangeConfig(context.Background(), ConnV2(), projectID, providerName, privateLinkEndpointID, 1*time.Hour)
+	_, err = stateConf.WaitForStateContext(context.Background())
+	if err != nil {
+		fmt.Printf("Failed to delete private link endpoint %s: %s\n", privateLinkEndpointID, err)
+	}
+}

internal/service/privatelinkendpointservice/resource_privatelink_endpoint_service_test.go renamed to internal/service/privatelinkendpointservice/resource_test.go

@@ -44,6 +44,14 @@ func cleanupSharedResources() {
 			fmt.Printf("Failed to delete stream instances: for execution project %s, error: %s\n", projectID, err)
 		}
 	}
+	if sharedInfo.privateLinkEndpointID != "" {
+		projectID := sharedInfo.projectID
+		if projectID == "" {
+			projectID = projectIDLocal()
+		}
+		fmt.Printf("Deleting execution private link endpoint: %s, project id: %s, provider: %s\n", sharedInfo.privateLinkEndpointID, projectID, sharedInfo.privateLinkProviderName)
+		deletePrivateLinkEndpoint(projectID, sharedInfo.privateLinkProviderName, sharedInfo.privateLinkEndpointID)
+	}
 	if sharedInfo.projectID != "" {
 		fmt.Printf("Deleting execution project: %s, id: %s\n", sharedInfo.projectName, sharedInfo.projectID)
 		deleteProject(sharedInfo.projectID)
@@ -170,21 +178,46 @@ func SerialSleep(tb testing.TB) {
 	time.Sleep(5 * time.Second)
 }
 
+// PrivateLinkEndpointIDExecution returns a private link endpoint id created for the execution of the tests.
+// The endpoint is created with provider "AWS" and region from environment variable.
+// When `MONGODB_ATLAS_PROJECT_ID` is defined, it is used instead of creating a project.
+func PrivateLinkEndpointIDExecution(tb testing.TB, providerName, region string) (projectID, privateLinkEndpointID string) {
+	tb.Helper()
+	SkipInUnitTest(tb)
+	require.True(tb, sharedInfo.init, "SetupSharedResources must called from TestMain test package")
+
+	projectID = ProjectIDExecution(tb) // ensure the execution project is created before endpoint creation
+
+	sharedInfo.mu.Lock()
+	defer sharedInfo.mu.Unlock()
+
+	// lazy creation so it's only done if really needed
+	if sharedInfo.privateLinkEndpointID == "" {
+		tb.Logf("Creating execution private link endpoint for provider: %s, region: %s\n", providerName, region)
+		sharedInfo.privateLinkEndpointID = createPrivateLinkEndpoint(tb, projectID, providerName, region)
+		sharedInfo.privateLinkProviderName = providerName
+	}
+
+	return projectID, sharedInfo.privateLinkEndpointID
+}
+
 type projectInfo struct {
 	id        string
 	name      string
 	nodeCount int
 }
 
 var sharedInfo = struct {
-	projectID          string
-	projectName        string
-	clusterName        string
-	streamInstanceName string
-	projects           []projectInfo
-	mu                 sync.Mutex
-	muSleep            sync.Mutex
-	init               bool
+	projectID               string
+	projectName             string
+	clusterName             string
+	streamInstanceName      string
+	privateLinkEndpointID   string
+	privateLinkProviderName string
+	projects                []projectInfo
+	mu                      sync.Mutex
+	muSleep                 sync.Mutex
+	init                    bool
 }{
 	projects: []projectInfo{},
 }