use shared resources to avoid CANNOT_DISABLE_ENCRYPTION_AT_REST_DUE_TO_PRIVATE_ENDPOINTS

oarbusi · oarbusi · commit d77b3286fdf7 · 2025-08-07T09:35:21.000+02:00
diff --git a/internal/service/encryptionatrestprivateendpoint/resource_test.go b/internal/service/encryptionatrestprivateendpoint/resource_test.go
@@ -35,38 +35,18 @@ func TestAccEncryptionAtRestPrivateEndpoint_Azure_basic(t *testing.T) {
 
 func TestAccEncryptionAtRestPrivateEndpoint_createTimeoutWithDeleteOnCreate(t *testing.T) {
 	var (
-		projectID             = os.Getenv("MONGODB_ATLAS_PROJECT_EAR_PE_AWS_ID")
 		createTimeout         = "1s"
 		deleteOnCreateTimeout = true
-		awsKms                = admin.AWSKMSConfiguration{
-			Enabled:                  conversion.Pointer(true),
-			CustomerMasterKeyID:      conversion.StringPtr(os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID")),
-			Region:                   conversion.StringPtr(conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))),
-			RoleId:                   conversion.StringPtr(os.Getenv("AWS_EAR_ROLE_ID")),
-			RequirePrivateNetworking: conversion.Pointer(false),
-		}
-		awsKmsPrivateNetworking = admin.AWSKMSConfiguration{
-			Enabled:                  conversion.Pointer(true),
-			CustomerMasterKeyID:      conversion.StringPtr(os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID")),
-			Region:                   conversion.StringPtr(conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))),
-			RoleId:                   conversion.StringPtr(os.Getenv("AWS_EAR_ROLE_ID")),
-			RequirePrivateNetworking: conversion.Pointer(true),
-		}
-		region = conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))
+		region                = conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))
+		// Create encryption at rest configuration outside of test configuration to avoid cleanup issues
+		projectID = acc.EncryptionAtRestExecution(t)
 	)
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:                 func() { acc.PreCheckEncryptionAtRestEnvAWS(t) },
 		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
 		Steps: []resource.TestStep{
 			{
-				Config: acc.ConfigAwsKms(projectID, &awsKms, false, true, false),
-				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr(earResourceName, "aws_kms_config.0.enabled", "true"),
-					resource.TestCheckResourceAttr(earResourceName, "aws_kms_config.0.require_private_networking", "false"),
-				),
-			},
-			{
-				Config:      configAWSBasicWithTimeout(projectID, &awsKmsPrivateNetworking, region, acc.TimeoutConfig(&createTimeout, nil, nil, true), &deleteOnCreateTimeout),
+				Config:      configEARPrivateEndpointWithTimeout(projectID, region, acc.TimeoutConfig(&createTimeout, nil, nil, true), &deleteOnCreateTimeout),
 				ExpectError: regexp.MustCompile("will run cleanup because delete_on_create_timeout is true"),
 			},
 		},
@@ -388,6 +368,30 @@ func configAWSBasicWithTimeout(projectID string, awsKms *admin.AWSKMSConfigurati
 	return config
 }
 
+func configEARPrivateEndpointWithTimeout(projectID, region, timeoutConfig string, deleteOnCreateTimeout *bool) string {
+	deleteOnCreateTimeoutConfig := ""
+	if deleteOnCreateTimeout != nil {
+		deleteOnCreateTimeoutConfig = fmt.Sprintf(`
+			delete_on_create_timeout = %[1]t
+		`, *deleteOnCreateTimeout)
+	}
+
+	config := fmt.Sprintf(`
+		resource "mongodbatlas_encryption_at_rest_private_endpoint" "test" {
+		    project_id = %[1]q
+		    cloud_provider = "AWS"
+		    region_name = %[2]q
+		    %[3]s
+		    %[4]s
+		}
+
+		%[5]s
+
+	`, projectID, region, deleteOnCreateTimeoutConfig, timeoutConfig, configDS())
+
+	return config
+}
+
 func configDS() string {
 	return `
 	data "mongodbatlas_encryption_at_rest_private_endpoint" "test" {
diff --git a/internal/testutil/acc/encryption_at_rest.go b/internal/testutil/acc/encryption_at_rest.go
@@ -3,12 +3,16 @@ package acc
 import (
 	"context"
 	"fmt"
+	"os"
 	"strconv"
+	"testing"
 
 	"go.mongodb.org/atlas-sdk/v20250312005/admin"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
+	"github.com/stretchr/testify/require"
 )
 
 func ConfigEARAzureKeyVault(projectID string, azure *admin.AzureKeyVault, useRequirePrivateNetworking, useDatasource bool) string {
@@ -153,3 +157,65 @@ func EARImportStateIDFunc(resourceName string) resource.ImportStateIdFunc {
 		return rs.Primary.ID, nil
 	}
 }
+
+// EncryptionAtRestExecution creates an encryption at rest configuration for test execution.
+func EncryptionAtRestExecution(tb testing.TB) string {
+	tb.Helper()
+	SkipInUnitTest(tb)
+	require.True(tb, sharedInfo.init, "SetupSharedResources must called from TestMain test package")
+
+	projectID := ProjectIDExecution(tb)
+
+	sharedInfo.mu.Lock()
+	defer sharedInfo.mu.Unlock()
+
+	// lazy creation so it's only done if really needed
+	if !sharedInfo.encryptionAtRestEnabled {
+		tb.Logf("Creating execution encryption at rest configuration for project: %s\n", projectID)
+
+		// Create encryption at rest configuration using environment variables
+		awsKms := &admin.AWSKMSConfiguration{
+			Enabled:                  conversion.Pointer(true),
+			CustomerMasterKeyID:      conversion.StringPtr(os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID")),
+			Region:                   conversion.StringPtr(conversion.AWSRegionToMongoDBRegion(os.Getenv("AWS_REGION"))),
+			RoleId:                   conversion.StringPtr(os.Getenv("AWS_EAR_ROLE_ID")),
+			RequirePrivateNetworking: conversion.Pointer(true),
+		}
+
+		createEncryptionAtRest(tb, projectID, awsKms)
+		sharedInfo.encryptionAtRestEnabled = true
+	}
+
+	return projectID
+}
+
+func createEncryptionAtRest(tb testing.TB, projectID string, aws *admin.AWSKMSConfiguration) {
+	tb.Helper()
+
+	encryptionAtRestReq := &admin.EncryptionAtRest{
+		AwsKms: aws,
+	}
+
+	_, _, err := ConnV2().EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(tb.Context(), projectID, encryptionAtRestReq).Execute()
+	require.NoError(tb, err, "Failed to create encryption at rest configuration for project: %s", projectID)
+}
+
+func deleteEncryptionAtRest(projectID string) {
+	// Disable encryption at rest by setting all providers to disabled
+	encryptionAtRestReq := &admin.EncryptionAtRest{
+		AwsKms: &admin.AWSKMSConfiguration{
+			Enabled: conversion.Pointer(false),
+		},
+		AzureKeyVault: &admin.AzureKeyVault{
+			Enabled: conversion.Pointer(false),
+		},
+		GoogleCloudKms: &admin.GoogleCloudKMS{
+			Enabled: conversion.Pointer(false),
+		},
+	}
+
+	_, _, err := ConnV2().EncryptionAtRestUsingCustomerKeyManagementApi.UpdateEncryptionAtRest(context.Background(), projectID, encryptionAtRestReq).Execute()
+	if err != nil {
+		fmt.Printf("Failed to delete encryption at rest for project %s: %s\n", projectID, err)
+	}
+}
diff --git a/internal/testutil/acc/shared_resource.go b/internal/testutil/acc/shared_resource.go
@@ -52,6 +52,14 @@ func cleanupSharedResources() {
 		fmt.Printf("Deleting execution private link endpoint: %s, project id: %s, provider: %s\n", sharedInfo.privateLinkEndpointID, projectID, sharedInfo.privateLinkProviderName)
 		deletePrivateLinkEndpoint(projectID, sharedInfo.privateLinkProviderName, sharedInfo.privateLinkEndpointID)
 	}
+	if sharedInfo.encryptionAtRestEnabled {
+		projectID := sharedInfo.projectID
+		if projectID == "" {
+			projectID = projectIDLocal()
+		}
+		fmt.Printf("Deleting execution encryption at rest: project id: %s\n", projectID)
+		deleteEncryptionAtRest(projectID)
+	}
 	if sharedInfo.projectID != "" {
 		fmt.Printf("Deleting execution project: %s, id: %s\n", sharedInfo.projectName, sharedInfo.projectID)
 		deleteProject(sharedInfo.projectID)
@@ -217,6 +225,7 @@ var sharedInfo = struct {
 	projects                []projectInfo
 	mu                      sync.Mutex
 	muSleep                 sync.Mutex
+	encryptionAtRestEnabled bool
 	init                    bool
 }{
 	projects: []projectInfo{},
