feat: Adds support for service_account_for_atlas and status fields on mongodbatlas_cloud_provider_access_setup resource and data source (#3637)

* Add GCP cloud provider access to mongodbatlas_cloud_provider_access_setup

* Fix typo for function name

* Add GCP configuration for schema on data source

* Change optional field to computed as required per provider

* Refactor function to accomodate for Cloud Provider Access - GCP

* Add documentation for resource

* Add GCP Cloud provider documentation for data source

* Add GCP provider for data source validation

* Add resource and resouce acceptance test for GCP Cloud Provider Access setup

* Fix format

* Add changelog

* Fix issue where role ID was missing for Azure config

* Fix format

* Fix issues for refactor on GCP

* Address PR comments

* Address further PR comments

* Refactor setup function to handle different cloud providers, and return error if provider used is not correct

Add error handling for cloud provider access

* Refactor multiple if/else statements into switch in order to avoid lint errors

* Address nit comments

* Substitute cloud provider string names with constants

Author: marcabreracast

.changelog/3637.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_cloud_provider_access_setup: Adds support for GCP as a Cloud Provider.
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_cloud_provider_access_setup: Adds support for GCP as a Cloud Provider.
+```

docs/data-sources/cloud_provider_access_setup.md

@@ -1,6 +1,6 @@
 # Data Source: mongodbatlas_cloud_provider_access_setup
 
-`mongodbatlas_cloud_provider_access_setup` allows you to get a single role for a provider access role setup, currently only AWS and Azure are supported.
+`mongodbatlas_cloud_provider_access_setup` allows you to get a single role for a provider access role setup. Supported providers: AWS, AZURE and GCP.
 
 -> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation.
 
@@ -36,27 +36,43 @@ data "mongodbatlas_cloud_provider_access_setup" "single_setup" {
    role_id = mongodbatlas_cloud_provider_access_setup.test_role.role_id
 }
 ```
+
+## Example Usage with GCP
+
+```terraform
+resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
+   project_id    = "64259ee860c43338194b0f8e"
+   provider_name = "GCP"
+}
+
+data "mongodbatlas_cloud_provider_access_setup" "single_setup" {
+   project_id    = mongodbatlas_cloud_provider_access_setup.test_role.project_id
+   provider_name = mongodbatlas_cloud_provider_access_setup.test_role.provider_name
+   role_id       = mongodbatlas_cloud_provider_access_setup.test_role.role_id
+}
+```
+
 ## Argument Reference
 
 * `project_id` - (Required) The unique ID for the project to get all Cloud Provider Access 
-* `provider_name` - (Required) cloud provider name, currently only AWS is supported
-* `role_id` - (Required) unique role id among all the aws roles provided by mongodb atlas 
+* `provider_name` - (Required) cloud provider name. Supported values: `AWS`, `AZURE`, and `GCP`.
+* `role_id` - (Required) unique role id among all the roles provided by MongoDB Atlas. 
 
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
 * `id`              - Autogenerated Unique ID for this data source.
-* `aws`           - aws related role information
-    * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
-    * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
 * `aws_config`           - aws related role information
     * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
     * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
 * `azure_config` - azure related configurations 
    * `atlas_azure_app_id` - Azure Active Directory Application ID of Atlas.
    * `service_principal_id`- UUID string that identifies the Azure Service Principal.
    * `tenant_id`          - UUID String that identifies the Azure Active Directory Tenant ID.
+ * `gcp_config` - gcp related configurations
+   * `status` - The status of the GCP cloud provider access setup. See [MongoDB Atlas API](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-getgroupcloudprovideraccess#operation-getgroupcloudprovideraccess-200-body-application-vnd-atlas-2023-01-01-json-gcp-object-status).
+   * `service_account_for_atlas` - The GCP service account email that Atlas uses.
 * `created_date`  - Date on which this role was created.
 * `last_updated_date`                - Date and time when this Azure Service Principal was last updated. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
 

docs/resources/cloud_provider_access.md

@@ -44,10 +44,21 @@ resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
 
 ```
 
+## Example Usage with GCP
+
+```terraform
+
+resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
+   project_id = "64259ee860c43338194b0f8e"
+   provider_name = "GCP"
+}
+
+```
+
 ## Argument Reference
 
 * `project_id` - (Required) The unique ID for the project
-* `provider_name` - (Required) The cloud provider for which to create a new role. Currently only AWS and AZURE are supported. **WARNING** Changing the `provider_name` will result in destruction of the existing resource and the creation of a new resource.
+* `provider_name` - (Required) The cloud provider for which to create a new role. Currently, AWS, AZURE and GCP are supported. **WARNING** Changing the `provider_name` will result in destruction of the existing resource and the creation of a new resource.
 * `azure_config` - azure related configurations 
    * `atlas_azure_app_id` - Azure Active Directory Application ID of Atlas. This property is required when `provider_name = "AZURE".`
    * `service_principal_id`- UUID string that identifies the Azure Service Principal. This property is required when `provider_name = "AZURE".`
@@ -59,6 +70,9 @@ resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
 * `aws_config` - aws related arn roles 
    * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
    * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
+* `gcp_config` - gcp related configuration
+  * `status` - The status of the GCP cloud provider access setup. See [MongoDB Atlas API](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-getgroupcloudprovideraccess#operation-getgroupcloudprovideraccess-200-body-application-vnd-atlas-2023-01-01-json-gcp-object-status).
+  * `service_account_for_atlas` - The GCP service account email that Atlas uses.
 * `created_date`                   - Date on which this role was created.
 * `last_updated_date`                - Date and time when this Azure Service Principal was last updated. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
 * `role_id`                        - Unique ID of this role.

internal/service/cloudprovideraccess/data_source_cloud_provider_access_setup.go

@@ -7,7 +7,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/config"
 )
 
@@ -20,9 +19,8 @@ func DataSourceSetup() *schema.Resource {
 				Required: true,
 			},
 			"provider_name": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ValidateFunc: validation.StringInSlice([]string{"AWS", "AZURE"}, false),
+				Type:     schema.TypeString,
+				Required: true,
 			},
 			"role_id": {
 				Type:     schema.TypeString,
@@ -71,6 +69,22 @@ func DataSourceSetup() *schema.Resource {
 					},
 				},
 			},
+			"gcp_config": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"status": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"service_account_for_atlas": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
 			"created_date": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -93,7 +107,11 @@ func dataSourceMongoDBAtlasCloudProviderAccessSetupRead(ctx context.Context, d *
 		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
 	}
 
-	roleSchema := roleToSchemaSetup(role)
+	roleSchema, err := roleToSchemaSetup(role)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
+	}
+
 	for key, val := range roleSchema {
 		if err := d.Set(key, val); err != nil {
 			return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))

internal/service/cloudprovideraccess/resource_cloud_provider_access_setup.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/constant"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/validate"
@@ -46,10 +45,9 @@ func ResourceSetup() *schema.Resource {
 				Required: true,
 			},
 			"provider_name": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ValidateFunc: validation.StringInSlice([]string{constant.AWS, constant.AZURE}, false),
-				ForceNew:     true,
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
 			},
 			"aws_config": {
 				Type:     schema.TypeList,
@@ -87,6 +85,22 @@ func ResourceSetup() *schema.Resource {
 					},
 				},
 			},
+			"gcp_config": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"status": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"service_account_for_atlas": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
 			"created_date": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -119,7 +133,10 @@ func resourceCloudProviderAccessSetupRead(ctx context.Context, d *schema.Resourc
 		return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
 	}
 
-	roleSchema := roleToSchemaSetup(role)
+	roleSchema, err := roleToSchemaSetup(role)
+	if err != nil {
+		return diag.Errorf(errorCloudProviderAccessCreate, err)
+	}
 	for key, val := range roleSchema {
 		if err := d.Set(key, val); err != nil {
 			return diag.FromErr(fmt.Errorf(ErrorCloudProviderGetRead, err))
@@ -156,7 +173,10 @@ func resourceCloudProviderAccessSetupCreate(ctx context.Context, d *schema.Resou
 	}
 
 	// once multiple providers enable here do a switch, select for provider type
-	roleSchema := roleToSchemaSetup(role)
+	roleSchema, err := roleToSchemaSetup(role)
+	if err != nil {
+		return diag.Errorf(errorCloudProviderAccessCreate, err)
+	}
 
 	resourceID := role.GetRoleId()
 	if role.ProviderName == constant.AZURE {
@@ -197,39 +217,51 @@ func resourceCloudProviderAccessSetupDelete(ctx context.Context, d *schema.Resou
 		return diag.FromErr(fmt.Errorf(errorCloudProviderAccessDelete, err))
 	}
 
-	d.SetId("")
 	d.SetId("")
 	return nil
 }
 
-func roleToSchemaSetup(role *admin.CloudProviderAccessRole) map[string]any {
-	if role.ProviderName == "AWS" {
-		out := map[string]any{
+func roleToSchemaSetup(role *admin.CloudProviderAccessRole) (map[string]any, error) {
+	switch role.ProviderName {
+	case constant.AWS:
+		return map[string]any{
 			"provider_name": role.GetProviderName(),
 			"aws_config": []any{map[string]any{
 				"atlas_aws_account_arn":          role.GetAtlasAWSAccountArn(),
 				"atlas_assumed_role_external_id": role.GetAtlasAssumedRoleExternalId(),
 			}},
+			"gcp_config":   []any{map[string]any{}},
 			"created_date": conversion.TimeToString(role.GetCreatedDate()),
 			"role_id":      role.GetRoleId(),
-		}
-		return out
-	}
-
-	out := map[string]any{
-		"provider_name": role.ProviderName,
-		"azure_config": []any{map[string]any{
-			"atlas_azure_app_id":   role.GetAtlasAzureAppId(),
-			"service_principal_id": role.GetServicePrincipalId(),
-			"tenant_id":            role.GetTenantId(),
-		}},
-		"aws_config":        []any{map[string]any{}},
-		"created_date":      conversion.TimeToString(role.GetCreatedDate()),
-		"last_updated_date": conversion.TimeToString(role.GetLastUpdatedDate()),
-		"role_id":           role.GetId(),
+		}, nil
+	case constant.AZURE:
+		return map[string]any{
+			"provider_name": role.ProviderName,
+			"azure_config": []any{map[string]any{
+				"atlas_azure_app_id":   role.GetAtlasAzureAppId(),
+				"service_principal_id": role.GetServicePrincipalId(),
+				"tenant_id":            role.GetTenantId(),
+			}},
+			"aws_config":        []any{map[string]any{}},
+			"gcp_config":        []any{map[string]any{}},
+			"created_date":      conversion.TimeToString(role.GetCreatedDate()),
+			"last_updated_date": conversion.TimeToString(role.GetLastUpdatedDate()),
+			"role_id":           role.GetId(),
+		}, nil
+	case constant.GCP:
+		return map[string]any{
+			"provider_name": role.GetProviderName(),
+			"gcp_config": []any{map[string]any{
+				"status":                    role.GetStatus(),
+				"service_account_for_atlas": role.GetGcpServiceAccountForAtlas(),
+			}},
+			"aws_config":   []any{map[string]any{}},
+			"role_id":      role.GetId(),
+			"created_date": conversion.TimeToString(role.GetCreatedDate()),
+		}, nil
+	default:
+		return nil, fmt.Errorf("unsupported provider: %s", role.GetProviderName())
 	}
-
-	return out
 }
 
 func resourceCloudProviderAccessSetupImportState(ctx context.Context, d *schema.ResourceData, meta any) ([]*schema.ResourceData, error) {

internal/service/cloudprovideraccess/resource_cloud_provider_access_setup_test.go

@@ -62,6 +62,33 @@ func TestAccCloudProviderAccessSetupAzure_basic(t *testing.T) {
 	},
 	)
 }
+func TestAccCloudProviderAccessSetupGCP_basic(t *testing.T) {
+	acc.SkipTestForCI(t) // Code needs to support long running operations for successful test: CLOUDP-341440
+	var (
+		resourceName   = "mongodbatlas_cloud_provider_access_setup.test"
+		dataSourceName = "data.mongodbatlas_cloud_provider_access_setup.test"
+		projectID      = acc.ProjectIDExecution(t)
+	)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acc.PreCheckGCPEnv(t) },
+		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
+		Steps: []resource.TestStep{
+			{
+				Config: configSetupGCP(projectID),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrSet(resourceName, "role_id"),
+					resource.TestCheckResourceAttrSet(resourceName, "gcp_config.0.service_account_for_atlas"),
+					resource.TestCheckResourceAttr(resourceName, "gcp_config.0.status", "COMPLETE"),
+
+					resource.TestCheckResourceAttrSet(dataSourceName, "role_id"),
+					resource.TestCheckResourceAttrSet(dataSourceName, "gcp_config.0.service_account_for_atlas"),
+					resource.TestCheckResourceAttr(dataSourceName, "gcp_config.0.status", "COMPLETE"),
+				),
+			},
+		},
+	})
+}
 
 func basicSetupTestCase(tb testing.TB) *resource.TestCase {
 	tb.Helper()
@@ -113,6 +140,21 @@ func configSetupAWS(projectID string) string {
 	`, projectID)
 }
 
+func configSetupGCP(projectID string) string {
+	return fmt.Sprintf(`
+    resource "mongodbatlas_cloud_provider_access_setup" "test" {
+        project_id = %[1]q
+        provider_name = "GCP"
+    }
+
+    data "mongodbatlas_cloud_provider_access_setup" "test" {
+        project_id = mongodbatlas_cloud_provider_access_setup.test.project_id
+        provider_name = mongodbatlas_cloud_provider_access_setup.test.provider_name
+        role_id = mongodbatlas_cloud_provider_access_setup.test.role_id
+    }
+    `, projectID)
+}
+
 func checkExists(resourceName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[resourceName]

internal/service/encryptionatrest/resource_migration_test.go

@@ -119,7 +119,7 @@ func TestMigEncryptionAtRest_basicGCP(t *testing.T) {
 	)
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { mig.PreCheck(t); acc.PreCheckGPCEnv(t) },
+		PreCheck:     func() { mig.PreCheck(t); acc.PreCheckGCPEnv(t) },
 		CheckDestroy: acc.EARDestroy,
 		Steps: []resource.TestStep{
 			{

internal/service/encryptionatrest/resource_test.go

@@ -169,7 +169,7 @@ func TestAccEncryptionAtRest_basicGCP(t *testing.T) {
 	)
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:                 func() { acc.PreCheck(t); acc.PreCheckGPCEnv(t) },
+		PreCheck:                 func() { acc.PreCheck(t); acc.PreCheckGCPEnv(t) },
 		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
 		CheckDestroy:             acc.EARDestroy,
 		Steps: []resource.TestStep{

internal/testutil/acc/pre_check.go

@@ -148,7 +148,7 @@ func PreCheckPublicKey2(tb testing.TB) {
 	}
 }
 
-func PreCheckGPCEnv(tb testing.TB) {
+func PreCheckGCPEnv(tb testing.TB) {
 	tb.Helper()
 	if os.Getenv("GCP_SERVICE_ACCOUNT_KEY") == "" || os.Getenv("GCP_KEY_VERSION_RESOURCE_ID") == "" {
 		tb.Fatal("`GCP_SERVICE_ACCOUNT_KEY` and `GCP_KEY_VERSION_RESOURCE_ID` must be set for acceptance testing")