Remove https_ca_pem and add method

Author: LijieZhang1998

docs/data-sources/stream_connection.md

@@ -48,14 +48,14 @@ If `type` is of value `Https` the following additional attributes are defined:
 ### Authentication
 
 * `mechanism` - Style of authentication. Can be one of `PLAIN`, `SCRAM-256`, `SCRAM-512`, or `OAUTHBEARER`.
+* `method` - SASL OAUTHBEARER authentication method. Can only be `OIDC` currently.
 * `username` - Username of the account to connect to the Kafka cluster.
 * `password` - Password of the account to connect to the Kafka cluster.
 * `token_endpoint_url` -  OAUTH issuer(IdP provider) token endpoint HTTP(S) URI used to retrieve the token.
 * `client_id` - Public identifier for the Kafka client.
 * `client_secret` - Secret known only to the Kafka client and the authorization server.
 * `scope` - Kafka clients use this to specify the scope of the access request to the broker.
 * `sasl_oauthbearer_extensions` - Additional information to be provided to the Kafka broker.
-* `https_ca_pem` - The CA certificates as a PEM string.
 
 ### Security
 

docs/data-sources/stream_connections.md

@@ -59,14 +59,14 @@ If `type` is of value `Https` the following additional attributes are defined:
 ### Authentication
 
 * `mechanism` - Style of authentication. Can be one of `PLAIN`, `SCRAM-256`, `SCRAM-512`, or `OAUTHBEARER`.
+* `method` - SASL OAUTHBEARER authentication method. Can only be `OIDC` currently.
 * `username` - Username of the account to connect to the Kafka cluster.
 * `password` - Password of the account to connect to the Kafka cluster.
 * `token_endpoint_url` -  OAUTH issuer(IdP provider) token endpoint HTTP(S) URI used to retrieve the token.
 * `client_id` - Public identifier for the Kafka client. It must be unique across all clients that the authorization server handles.
 * `client_secret` - Secret known only to the Kafka client and the authorization server.
 * `scope` - Kafka clients use this to specify the scope of the access request to the broker.
 * `sasl_oauthbearer_extensions` - Additional information to be provided to the Kafka broker.
-* `https_ca_pem` - The CA certificates as a PEM string.
 
 ### Security
 

docs/resources/stream_connection.md

@@ -72,12 +72,12 @@ resource "mongodbatlas_stream_connection" "example-kafka-oauthbearer" {
     type            = "Kafka"
     authentication = {
         mechanism = "OAUTHBEARER"
+        method = "OIDC"
         token_endpoint_url = "https://example.com/oauth/token"
         client_id  = "auth0Client"
         client_secret  = var.kafka_client_secret
         scope = "read:messages write:messages"
         sasl_oauthbearer_extensions = "logicalCluster=lkc-kmom,identityPoolId=pool-lAr"
-        https_ca_pem = "pemtext"
     }
     bootstrap_servers = "localhost:9092,localhost:9092"
     config = {
@@ -180,12 +180,12 @@ If `type` is of value `Https` the following additional attributes are defined:
 * `mechanism` - Style of authentication. Can be one of `PLAIN`, `SCRAM-256`, or `SCRAM-512`.
 * `username` - Username of the account to connect to the Kafka cluster.
 * `password` - Password of the account to connect to the Kafka cluster.
+* `method` - SASL OAUTHBEARER authentication method. Can only be `OIDC` currently.
 * `token_endpoint_url` -  OAUTH issuer(IdP provider) token endpoint HTTP(S) URI used to retrieve the token.
 * `client_id` - Public identifier for the Kafka client.
 * `client_secret` - Secret known only to the Kafka client and the authorization server.
 * `scope` - Kafka clients use this to specify the scope of the access request to the broker.
 * `sasl_oauthbearer_extensions` - Additional information to be provided to the Kafka broker.
-* `https_ca_pem` - The CA certificates as a PEM string.
 
 ### Security
 

examples/mongodbatlas_stream_connection/main.tf

@@ -63,12 +63,12 @@ resource "mongodbatlas_stream_connection" "example-kafka-oauthbearer" {
   type            = "Kafka"
   authentication = {
     mechanism                   = "OAUTHBEARER"
+    method                      = "OIDC"
     token_endpoint_url          = "https://example.com/oauth/token"
     client_id                   = "auth0Client"
     client_secret               = var.kafka_client_secret
     scope                       = "read:messages write:messages"
     sasl_oauthbearer_extensions = "logicalCluster=lkc-kmom,identityPoolId=pool-lAr"
-    https_ca_pem                = "pemtext"
   }
   bootstrap_servers = "localhost:9092,localhost:9092"
   config = {

internal/service/streamconnection/model_stream_connection.go

@@ -28,14 +28,14 @@ func NewStreamConnectionReq(ctx context.Context, plan *TFStreamConnectionModel)
 		}
 		streamConnection.Authentication = &admin.StreamsKafkaAuthentication{
 			Mechanism:                 authenticationModel.Mechanism.ValueStringPointer(),
+			Method:                    authenticationModel.Method.ValueStringPointer(),
 			Password:                  authenticationModel.Password.ValueStringPointer(),
 			Username:                  authenticationModel.Username.ValueStringPointer(),
 			TokenEndpointUrl:          authenticationModel.TokenEndpointURL.ValueStringPointer(),
 			ClientId:                  authenticationModel.ClientID.ValueStringPointer(),
 			ClientSecret:              authenticationModel.ClientSecret.ValueStringPointer(),
 			Scope:                     authenticationModel.Scope.ValueStringPointer(),
 			SaslOauthbearerExtensions: authenticationModel.SaslOauthbearerExtensions.ValueStringPointer(),
-			HttpsCaPem:                authenticationModel.HTTPSCaPem.ValueStringPointer(),
 		}
 	}
 	if !plan.Security.IsNull() {
@@ -222,12 +222,12 @@ func newTFConnectionAuthenticationModel(ctx context.Context, currAuthConfig *typ
 	if authResp != nil {
 		resultAuthModel := TFConnectionAuthenticationModel{
 			Mechanism:                 types.StringPointerValue(authResp.Mechanism),
+			Method:                    types.StringPointerValue(authResp.Method),
 			Username:                  types.StringPointerValue(authResp.Username),
 			TokenEndpointURL:          types.StringPointerValue(authResp.TokenEndpointUrl),
 			ClientID:                  types.StringPointerValue(authResp.ClientId),
 			Scope:                     types.StringPointerValue(authResp.Scope),
 			SaslOauthbearerExtensions: types.StringPointerValue(authResp.SaslOauthbearerExtensions),
-			HTTPSCaPem:                types.StringPointerValue(authResp.HttpsCaPem),
 		}
 
 		if currAuthConfig != nil && !currAuthConfig.IsNull() { // if config is available (create & update of resource) password value is set in new state

internal/service/streamconnection/model_stream_connection_test.go

@@ -25,7 +25,7 @@ const (
 	tokenEndpointURL          = "https://your-domain.com/oauth2/token"
 	scope                     = "read:messages write:messages"
 	saslOauthbearerExtentions = "logicalCluster=cluster-kmo17m,identityPoolId=pool-l7Arl"
-	httpsCaPem                = "MHWER3343"
+	method                    = "OIDC"
 	securityProtocol          = "SASL_SSL"
 	bootstrapServers          = "localhost:9092,another.host:9092"
 	dbRole                    = "customRole"
@@ -58,7 +58,7 @@ type sdkToTFModelTestCase struct {
 
 func TestStreamConnectionSDKToTFModel(t *testing.T) {
 	var authConfigWithPasswordDefined = tfAuthenticationObject(t, authMechanism, authUsername, "raw password")
-	var authConfigWithOAuth = tfAuthenticationObjectForOAuth(t, authMechanismOAuth, clientID, clientSecret, tokenEndpointURL, scope, saslOauthbearerExtentions, httpsCaPem)
+	var authConfigWithOAuth = tfAuthenticationObjectForOAuth(t, authMechanismOAuth, clientID, clientSecret, tokenEndpointURL, scope, saslOauthbearerExtentions, method)
 
 	testCases := []sdkToTFModelTestCase{
 		{
@@ -162,11 +162,11 @@ func TestStreamConnectionSDKToTFModel(t *testing.T) {
 				Type: admin.PtrString("Kafka"),
 				Authentication: &admin.StreamsKafkaAuthentication{
 					Mechanism:                 admin.PtrString(authMechanismOAuth),
+					Method:                    admin.PtrString(method),
 					ClientId:                  admin.PtrString(clientID),
 					TokenEndpointUrl:          admin.PtrString(tokenEndpointURL),
 					Scope:                     admin.PtrString(scope),
 					SaslOauthbearerExtensions: admin.PtrString(saslOauthbearerExtentions),
-					HttpsCaPem:                admin.PtrString(httpsCaPem),
 				},
 				BootstrapServers: admin.PtrString(bootstrapServers),
 				Config:           &configMap,
@@ -183,7 +183,7 @@ func TestStreamConnectionSDKToTFModel(t *testing.T) {
 				InstanceName:     types.StringValue(instanceName),
 				ConnectionName:   types.StringValue(connectionName),
 				Type:             types.StringValue("Kafka"),
-				Authentication:   tfAuthenticationObjectForOAuth(t, authMechanismOAuth, clientID, clientSecret, tokenEndpointURL, scope, saslOauthbearerExtentions, httpsCaPem), // password value is obtained from config, not api resp.
+				Authentication:   tfAuthenticationObjectForOAuth(t, authMechanismOAuth, clientID, clientSecret, tokenEndpointURL, scope, saslOauthbearerExtentions, method), // password value is obtained from config, not api resp.
 				BootstrapServers: types.StringValue(bootstrapServers),
 				Config:           tfConfigMap(t, configMap),
 				Security:         tfSecurityObject(t, DummyCACert, securityProtocol),
@@ -643,16 +643,16 @@ func tfAuthenticationObject(t *testing.T, mechanism, username, password string)
 	return auth
 }
 
-func tfAuthenticationObjectForOAuth(t *testing.T, mechanism, clientID, clientSecret, tokenEndpointURL, scope, saslOauthbearerExtensions, httpsCaPem string) types.Object {
+func tfAuthenticationObjectForOAuth(t *testing.T, mechanism, clientID, clientSecret, tokenEndpointURL, scope, saslOauthbearerExtensions, method string) types.Object {
 	t.Helper()
 	auth, diags := types.ObjectValueFrom(t.Context(), streamconnection.ConnectionAuthenticationObjectType.AttrTypes, streamconnection.TFConnectionAuthenticationModel{
 		Mechanism:                 types.StringValue(mechanism),
+		Method:                    types.StringValue(method),
 		ClientID:                  types.StringValue(clientID),
 		ClientSecret:              types.StringValue(clientSecret),
 		TokenEndpointURL:          types.StringValue(tokenEndpointURL),
 		Scope:                     types.StringValue(scope),
 		SaslOauthbearerExtensions: types.StringValue(saslOauthbearerExtensions),
-		HTTPSCaPem:                types.StringValue(httpsCaPem),
 	})
 	if diags.HasError() {
 		t.Errorf("failed to create terraform data model: %s", diags.Errors()[0].Summary())

internal/service/streamconnection/resource_schema.go

@@ -75,6 +75,9 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 					"mechanism": schema.StringAttribute{
 						Optional: true,
 					},
+					"method": schema.StringAttribute{
+						Optional: true,
+					},
 					"password": schema.StringAttribute{
 						Optional:  true,
 						Sensitive: true,
@@ -98,9 +101,6 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 					"sasl_oauthbearer_extensions": schema.StringAttribute{
 						Optional: true,
 					},
-					"https_ca_pem": schema.StringAttribute{
-						Optional: true,
-					},
 				},
 			},
 			"bootstrap_servers": schema.StringAttribute{

internal/service/streamconnection/resource_stream_connection.go

@@ -57,24 +57,24 @@ type TFConnectionAuthenticationModel struct {
 	Mechanism                 types.String `tfsdk:"mechanism"`
 	Password                  types.String `tfsdk:"password"`
 	Username                  types.String `tfsdk:"username"`
+	Method                    types.String `tfsdk:"method"`
 	TokenEndpointURL          types.String `tfsdk:"token_endpoint_url"`
 	ClientID                  types.String `tfsdk:"client_id"`
 	ClientSecret              types.String `tfsdk:"client_secret"`
 	Scope                     types.String `tfsdk:"scope"`
 	SaslOauthbearerExtensions types.String `tfsdk:"sasl_oauthbearer_extensions"`
-	HTTPSCaPem                types.String `tfsdk:"https_ca_pem"`
 }
 
 var ConnectionAuthenticationObjectType = types.ObjectType{AttrTypes: map[string]attr.Type{
 	"mechanism":                   types.StringType,
+	"method":                      types.StringType,
 	"password":                    types.StringType,
 	"username":                    types.StringType,
 	"token_endpoint_url":          types.StringType,
 	"client_id":                   types.StringType,
 	"client_secret":               types.StringType,
 	"scope":                       types.StringType,
 	"sasl_oauthbearer_extensions": types.StringType,
-	"https_ca_pem":                types.StringType,
 }}
 
 type TFConnectionSecurityModel struct {

internal/service/streamconnection/resource_stream_connection_test.go

@@ -120,18 +120,18 @@ func TestAccStreamRSStreamConnection_kafkaOAuthBearer(t *testing.T) {
 		CheckDestroy:             CheckDestroyStreamConnection,
 		Steps: []resource.TestStep{
 			{
-				Config: dataSourcesConfig + configureKafka(projectID, instanceName, connectionName, getKafkaAuthenticationConfig("OAUTHBEARER", "", "", tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtentions, httpsCaPem), "localhost:9092,localhost:9092", "earliest", "", false),
+				Config: dataSourcesConfig + configureKafka(projectID, instanceName, connectionName, getKafkaAuthenticationConfig("OAUTHBEARER", "", "", tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtentions, method), "localhost:9092,localhost:9092", "earliest", "", false),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					checkKafkaOAuthAttributes(resourceName, instanceName, connectionName, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtentions, httpsCaPem, "localhost:9092,localhost:9092", "earliest", networkingTypePublic, false, true),
-					checkKafkaOAuthAttributes(dataSourceName, instanceName, connectionName, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtentions, httpsCaPem, "localhost:9092,localhost:9092", "earliest", networkingTypePublic, false, false),
+					checkKafkaOAuthAttributes(resourceName, instanceName, connectionName, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtentions, method, "localhost:9092,localhost:9092", "earliest", networkingTypePublic, false, true),
+					checkKafkaOAuthAttributes(dataSourceName, instanceName, connectionName, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtentions, method, "localhost:9092,localhost:9092", "earliest", networkingTypePublic, false, false),
 					streamConnectionsAttributeChecks(pluralDataSourceName, nil, nil),
 				),
 			},
 			{
-				Config: dataSourcesWithPagination + configureKafka(projectID, instanceName, connectionName, getKafkaAuthenticationConfig("OAUTHBEARER", "", "", tokenEndpointURL, "clientId2", "clientSecret", scope, saslOauthbearerExtentions, httpsCaPem), "localhost:9093", "latest", kafkaNetworkingPublic, false),
+				Config: dataSourcesWithPagination + configureKafka(projectID, instanceName, connectionName, getKafkaAuthenticationConfig("OAUTHBEARER", "", "", tokenEndpointURL, "clientId2", "clientSecret", scope, saslOauthbearerExtentions, method), "localhost:9093", "latest", kafkaNetworkingPublic, false),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					checkKafkaOAuthAttributes(resourceName, instanceName, connectionName, tokenEndpointURL, "clientId2", "clientSecret", scope, saslOauthbearerExtentions, httpsCaPem, "localhost:9093", "latest", networkingTypePublic, false, true),
-					checkKafkaOAuthAttributes(dataSourceName, instanceName, connectionName, tokenEndpointURL, "clientId2", "clientSecret", scope, saslOauthbearerExtentions, httpsCaPem, "localhost:9093", "latest", networkingTypePublic, false, false),
+					checkKafkaOAuthAttributes(resourceName, instanceName, connectionName, tokenEndpointURL, "clientId2", "clientSecret", scope, saslOauthbearerExtentions, method, "localhost:9093", "latest", networkingTypePublic, false, true),
+					checkKafkaOAuthAttributes(dataSourceName, instanceName, connectionName, tokenEndpointURL, "clientId2", "clientSecret", scope, saslOauthbearerExtentions, method, "localhost:9093", "latest", networkingTypePublic, false, false),
 					streamConnectionsAttributeChecks(pluralDataSourceName, conversion.Pointer(2), conversion.Pointer(1)),
 				),
 			},
@@ -400,7 +400,7 @@ func TestAccStreamRSStreamConnection_AWSLambda(t *testing.T) {
 	})
 }
 
-func getKafkaAuthenticationConfig(mechanism, username, password, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtensions, httpsCaPem string) string {
+func getKafkaAuthenticationConfig(mechanism, username, password, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtensions, method string) string {
 	if mechanism == "PLAIN" {
 		return fmt.Sprintf(`authentication = {
 			mechanism = %[1]q
@@ -410,13 +410,13 @@ func getKafkaAuthenticationConfig(mechanism, username, password, tokenEndpointUR
 	}
 	return fmt.Sprintf(`authentication = {
 			mechanism = %[1]q
-			token_endpoint_url = %[2]q
-			client_id = %[3]q
-			client_secret = %[4]q
-			scope = %[5]q
-			sasl_oauthbearer_extensions = %[6]q
-			https_ca_pem = %[7]q
-		}`, mechanism, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtensions, httpsCaPem)
+			method = %[2]q
+			token_endpoint_url = %[3]q
+			client_id = %[4]q
+			client_secret = %[5]q
+			scope = %[6]q
+			sasl_oauthbearer_extensions = %[7]q
+		}`, mechanism, method, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtensions)
 }
 
 func configureKafka(projectID, instanceName, connectionName, authenticationConfig, bootstrapServers, configValue, networkingConfig string, useSSL bool) string {
@@ -519,19 +519,19 @@ func checkKafkaAttributes(
 }
 
 func checkKafkaOAuthAttributes(
-	resourceName, instanceName, connectionName, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtensions, httpsCaPem, bootstrapServers, configValue, networkingType string, usesSSL, checkClientSecret bool) resource.TestCheckFunc {
+	resourceName, instanceName, connectionName, tokenEndpointURL, clientID, clientSecret, scope, saslOauthbearerExtensions, method, bootstrapServers, configValue, networkingType string, usesSSL, checkClientSecret bool) resource.TestCheckFunc {
 	resourceChecks := []resource.TestCheckFunc{
 		checkStreamConnectionExists(),
 		resource.TestCheckResourceAttrSet(resourceName, "project_id"),
 		resource.TestCheckResourceAttr(resourceName, "connection_name", connectionName),
 		resource.TestCheckResourceAttr(resourceName, "type", "Kafka"),
 		resource.TestCheckResourceAttr(resourceName, "instance_name", instanceName),
 		resource.TestCheckResourceAttr(resourceName, "authentication.mechanism", "OAUTHBEARER"),
+		resource.TestCheckResourceAttr(resourceName, "authentication.method", method),
 		resource.TestCheckResourceAttr(resourceName, "authentication.token_endpoint_url", tokenEndpointURL),
 		resource.TestCheckResourceAttr(resourceName, "authentication.client_id", clientID),
 		resource.TestCheckResourceAttr(resourceName, "authentication.scope", scope),
 		resource.TestCheckResourceAttr(resourceName, "authentication.sasl_oauthbearer_extensions", saslOauthbearerExtensions),
-		resource.TestCheckResourceAttr(resourceName, "authentication.https_ca_pem", httpsCaPem),
 		resource.TestCheckResourceAttr(resourceName, "bootstrap_servers", bootstrapServers),
 		resource.TestCheckResourceAttr(resourceName, "config.auto.offset.reset", configValue),
 	}