feat: Adds support for AWS MSK clusters to mongodbatlas_stream_privatelink_endpoint (#3179)

* feat: Add support for AWS MSK clusters to `mongodbatlas_stream_privatelink_endpoint`

* add docs

* rename changelog file

* reformat main.tf

* update docs

* Update .changelog/3179.txt

Co-authored-by: Marco Suma <[email protected]>

* update version to 1.30

* remove unnecessary CI skip

* remove "failedUpdate" acceptance tests

* update docs

* fix test after merging

---------

Co-authored-by: Marco Suma <[email protected]>

Author: jasonrydberg

.changelog/3179.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/mongodbatlas_stream_privatelink_endpoint: Adds support for AWS MSK clusters
+```

docs/data-sources/stream_privatelink_endpoint.md

@@ -3,6 +3,8 @@
 `mongodbatlas_stream_privatelink_endpoint` describes a Privatelink Endpoint for Streams.
 
 ## Example Usages
+
+### AWS Confluent Privatelink
 ```terraform
 resource "confluent_environment" "staging" {
   display_name = "Staging"
@@ -79,6 +81,132 @@ output "interface_endpoint_ids" {
 }
 ```
 
+### AWS MSK Privatelink
+```terraform
+resource "aws_vpc" "vpc" {
+  cidr_block = "192.168.0.0/22"
+}
+
+data "aws_availability_zones" "azs" {
+  state = "available"
+}
+
+resource "aws_subnet" "subnet_az1" {
+  availability_zone = data.aws_availability_zones.azs.names[0]
+  cidr_block        = "192.168.0.0/24"
+  vpc_id            = aws_vpc.vpc.id
+}
+
+resource "aws_subnet" "subnet_az2" {
+  availability_zone = data.aws_availability_zones.azs.names[1]
+  cidr_block        = "192.168.1.0/24"
+  vpc_id            = aws_vpc.vpc.id
+}
+
+resource "aws_security_group" "sg" {
+  vpc_id = aws_vpc.vpc.id
+}
+
+resource "aws_msk_cluster" "example" {
+  cluster_name           = var.msk_cluster_name
+  kafka_version          = "3.6.0"
+  number_of_broker_nodes = 2
+
+  broker_node_group_info {
+    instance_type = "kafka.m5.large"
+    client_subnets = [
+      aws_subnet.subnet_az1.id,
+      aws_subnet.subnet_az2.id,
+    ]
+    security_groups = [aws_security_group.sg.id]
+
+    connectivity_info {
+      vpc_connectivity {
+        client_authentication {
+          sasl {
+            scram = true
+          }
+        }
+      }
+    }
+  }
+
+  client_authentication {
+    sasl {
+      scram = true
+    }
+  }
+
+  configuration_info {
+    arn      = aws_msk_configuration.example.arn
+    revision = aws_msk_configuration.example.latest_revision
+  }
+}
+
+resource "aws_msk_cluster_policy" "example" {
+  cluster_arn = aws_msk_cluster.example.arn
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        "AWS" = "arn:aws:iam::${var.aws_account_id}:root"
+      }
+      Action = [
+        "kafka:CreateVpcConnection",
+        "kafka:GetBootstrapBrokers",
+        "kafka:DescribeCluster",
+        "kafka:DescribeClusterV2"
+      ]
+      Resource = aws_msk_cluster.example.arn
+    }]
+  })
+}
+
+resource "aws_msk_single_scram_secret_association" "example" {
+  cluster_arn = aws_msk_cluster.example.arn
+  secret_arn  = var.aws_secret_arn
+}
+
+resource "aws_msk_configuration" "example" {
+  name = "${var.msk_cluster_name}-msk-configuration"
+
+  # Default ASW MSK configuration with "allow.everyone.if.no.acl.found=false" added
+  server_properties = <<PROPERTIES
+auto.create.topics.enable=false
+default.replication.factor=3
+min.insync.replicas=2
+num.io.threads=8
+num.network.threads=5
+num.partitions=1
+num.replica.fetchers=2
+replica.lag.time.max.ms=30000
+socket.receive.buffer.bytes=102400
+socket.request.max.bytes=104857600
+socket.send.buffer.bytes=102400
+unclean.leader.election.enable=true
+allow.everyone.if.no.acl.found=false
+PROPERTIES
+}
+
+resource "mongodbatlas_stream_privatelink_endpoint" "test" {
+  project_id    = var.project_id
+  provider_name = "AWS"
+  vendor        = "MSK"
+  arn           = aws_msk_cluster.example.arn
+}
+
+data "mongodbatlas_stream_privatelink_endpoint" "singular_datasource" {
+  project_id = var.project_id
+  id         = mongodbatlas_stream_privatelink_endpoint.test.id
+}
+
+output "privatelink_endpoint_id" {
+  value = data.mongodbatlas_stream_privatelink_endpoint.singular_datasource.id
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
@@ -91,14 +219,15 @@ output "interface_endpoint_ids" {
 
 ### Read-Only
 
+- `arn` (String) Amazon Resource Name (ARN).
 - `dns_domain` (String) Domain name of Privatelink connected cluster.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones.
 - `error_message` (String) Error message if the connection is in a failed state.
 - `interface_endpoint_id` (String) Interface endpoint ID that is created from the specified service endpoint ID.
 - `interface_endpoint_name` (String) Name of interface endpoint that is created from the specified service endpoint ID.
 - `provider_account_id` (String) Account ID from the cloud provider.
 - `provider_name` (String) Provider where the Kafka cluster is deployed.
-- `region` (String) Domain name of Confluent cluster.
+- `region` (String) When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_endpoint_id` (String) Service Endpoint ID.
 - `state` (String) Status of the connection.
 - `vendor` (String) Vendor who manages the Kafka cluster.

docs/data-sources/stream_privatelink_endpoints.md

@@ -3,6 +3,8 @@
 `mongodbatlas_stream_privatelink_endpoints` describes a Privatelink Endpoint for Streams.
 
 ## Example Usages
+
+### AWS Confluent Privatelink
 ```terraform
 resource "confluent_environment" "staging" {
   display_name = "Staging"
@@ -79,6 +81,132 @@ output "interface_endpoint_ids" {
 }
 ```
 
+### AWS MSK Privatelink
+```terraform
+resource "aws_vpc" "vpc" {
+  cidr_block = "192.168.0.0/22"
+}
+
+data "aws_availability_zones" "azs" {
+  state = "available"
+}
+
+resource "aws_subnet" "subnet_az1" {
+  availability_zone = data.aws_availability_zones.azs.names[0]
+  cidr_block        = "192.168.0.0/24"
+  vpc_id            = aws_vpc.vpc.id
+}
+
+resource "aws_subnet" "subnet_az2" {
+  availability_zone = data.aws_availability_zones.azs.names[1]
+  cidr_block        = "192.168.1.0/24"
+  vpc_id            = aws_vpc.vpc.id
+}
+
+resource "aws_security_group" "sg" {
+  vpc_id = aws_vpc.vpc.id
+}
+
+resource "aws_msk_cluster" "example" {
+  cluster_name           = var.msk_cluster_name
+  kafka_version          = "3.6.0"
+  number_of_broker_nodes = 2
+
+  broker_node_group_info {
+    instance_type = "kafka.m5.large"
+    client_subnets = [
+      aws_subnet.subnet_az1.id,
+      aws_subnet.subnet_az2.id,
+    ]
+    security_groups = [aws_security_group.sg.id]
+
+    connectivity_info {
+      vpc_connectivity {
+        client_authentication {
+          sasl {
+            scram = true
+          }
+        }
+      }
+    }
+  }
+
+  client_authentication {
+    sasl {
+      scram = true
+    }
+  }
+
+  configuration_info {
+    arn      = aws_msk_configuration.example.arn
+    revision = aws_msk_configuration.example.latest_revision
+  }
+}
+
+resource "aws_msk_cluster_policy" "example" {
+  cluster_arn = aws_msk_cluster.example.arn
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        "AWS" = "arn:aws:iam::${var.aws_account_id}:root"
+      }
+      Action = [
+        "kafka:CreateVpcConnection",
+        "kafka:GetBootstrapBrokers",
+        "kafka:DescribeCluster",
+        "kafka:DescribeClusterV2"
+      ]
+      Resource = aws_msk_cluster.example.arn
+    }]
+  })
+}
+
+resource "aws_msk_single_scram_secret_association" "example" {
+  cluster_arn = aws_msk_cluster.example.arn
+  secret_arn  = var.aws_secret_arn
+}
+
+resource "aws_msk_configuration" "example" {
+  name = "${var.msk_cluster_name}-msk-configuration"
+
+  # Default ASW MSK configuration with "allow.everyone.if.no.acl.found=false" added
+  server_properties = <<PROPERTIES
+auto.create.topics.enable=false
+default.replication.factor=3
+min.insync.replicas=2
+num.io.threads=8
+num.network.threads=5
+num.partitions=1
+num.replica.fetchers=2
+replica.lag.time.max.ms=30000
+socket.receive.buffer.bytes=102400
+socket.request.max.bytes=104857600
+socket.send.buffer.bytes=102400
+unclean.leader.election.enable=true
+allow.everyone.if.no.acl.found=false
+PROPERTIES
+}
+
+resource "mongodbatlas_stream_privatelink_endpoint" "test" {
+  project_id    = var.project_id
+  provider_name = "AWS"
+  vendor        = "MSK"
+  arn           = aws_msk_cluster.example.arn
+}
+
+data "mongodbatlas_stream_privatelink_endpoint" "singular_datasource" {
+  project_id = var.project_id
+  id         = mongodbatlas_stream_privatelink_endpoint.test.id
+}
+
+output "privatelink_endpoint_id" {
+  value = data.mongodbatlas_stream_privatelink_endpoint.singular_datasource.id
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
@@ -97,6 +225,7 @@ output "interface_endpoint_ids" {
 
 Read-Only:
 
+- `arn` (String) Amazon Resource Name (ARN).
 - `dns_domain` (String) Domain name of Privatelink connected cluster.
 - `dns_sub_domain` (List of String) Sub-Domain name of Confluent cluster. These are typically your availability zones.
 - `error_message` (String) Error message if the connection is in a failed state.
@@ -108,7 +237,7 @@ Read-Only:
 **NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group or project id remains the same. The resource and corresponding endpoints use the term groups.
 - `provider_account_id` (String) Account ID from the cloud provider.
 - `provider_name` (String) Provider where the Kafka cluster is deployed.
-- `region` (String) Domain name of Confluent cluster.
+- `region` (String) When the vendor is `CONFLUENT`, this is the domain name of Confluent cluster. When the vendor is `MSK`, this is computed by the API from the provided `arn`.
 - `service_endpoint_id` (String) Service Endpoint ID.
 - `state` (String) Status of the connection.
 - `vendor` (String) Vendor who manages the Kafka cluster.