doc: Adds documentation for new encryption_at_rest_private_endpoint resource and data sources (#2547)

* adding documentation for encryption_at_rest_private_endpoint resource and data sources

* align generated docs

* minor typo fix

* Adjust description of project_id to make it more concise

* align note stating feature is available by request as defined in general docs

Author: AgustinBettati

.github/workflows/code-health.yml

@@ -70,11 +70,13 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - run: make tools # all resources with auto-generated doc must be specified below here 
       - name: Doc for control_plane_ip_addresses
-        run: export resource_name=control_plane_ip_addresses && make generate-doc
+        run: make generate-doc resource_name=control_plane_ip_addresses
       - name: Doc for push_based_log_export
-        run: export resource_name=push_based_log_export && make generate-doc
+        run: make generate-doc resource_name=push_based_log_export
       - name: Doc for search_deployment
-        run: export resource_name=search_deployment && make generate-doc
+        run: make generate-doc resource_name=search_deployment
+      - name: Doc for encryption_at_rest_private_endpoint
+        run: make generate-doc resource_name=encryption_at_rest_private_endpoint
       - name: Find mutations
         id: self_mutation
         run: |-

GNUmakefile

@@ -123,8 +123,10 @@ scaffold-schemas:
 
 
 .PHONY: generate-doc
-generate-doc: ## Generate the resource documentation via tfplugindocs
-	./scripts/generate-doc.sh ${resource_name}
+# e.g. run: make generate-doc resource_name=search_deployment
+# generate the resource documentation via tfplugindocs
+generate-doc: 
+	@scripts/generate-doc.sh ${resource_name}
 
 .PHONY: update-tf-compatibility-matrix
 update-tf-compatibility-matrix: ## Update Terraform Compatibility Matrix documentation

contributing/documentation.md

@@ -12,5 +12,5 @@ We autogenerate the documentation of our provider resources and data sources via
 - Add the resource/data source templates to the [templates](https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/templates) folder. See [README.md](https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/templates/README.md) for more info.
 - Run the Makefile command `generate-doc`
 ```bash
-export resource_name=search_deployment && make generate-doc
+make generate-doc resource_name=search_deployment
 ```

docs/data-sources/encryption_at_rest_private_endpoint.md

@@ -0,0 +1,37 @@
+# Data Source: mongodbatlas_encryption_at_rest_private_endpoint
+
+`mongodbatlas_encryption_at_rest_private_endpoint` describes a private endpoint used for encryption at rest using customer-managed keys.
+
+## Example Usages
+
+```terraform
+data "mongodbatlas_encryption_at_rest_private_endpoint" "single" {
+  project_id     = var.atlas_project_id
+  cloud_provider = "AZURE"
+  id             = mongodbatlas_encryption_at_rest_private_endpoint.endpoint.id
+}
+
+output "endpoint_connection_name" {
+  value = data.mongodbatlas_encryption_at_rest_private_endpoint.single.private_endpoint_connection_name
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cloud_provider` (String) Label that identifies the cloud provider of the private endpoint.
+- `id` (String) Unique 24-hexadecimal digit string that identifies the Private Endpoint Service.
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project.
+
+### Read-Only
+
+- `error_message` (String) Error message for failures associated with the Encryption At Rest private endpoint.
+- `private_endpoint_connection_name` (String) Connection name of the Azure Private Endpoint.
+- `region_name` (String) Cloud provider region in which the Encryption At Rest private endpoint is located.
+- `status` (String) State of the Encryption At Rest private endpoint.
+
+For more information see: 
+- [MongoDB Atlas API - Private Endpoint for Encryption at Rest Using Customer Key Management](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Encryption-at-Rest-using-Customer-Key-Management/operation/getEncryptionAtRestPrivateEndpoint) Documentation.
+- [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/).

docs/data-sources/encryption_at_rest_private_endpoints.md

@@ -0,0 +1,45 @@
+# Data Source: mongodbatlas_encryption_at_rest_private_endpoints
+
+`mongodbatlas_encryption_at_rest_private_endpoints` describes private endpoints of a particular cloud provider used for encryption at rest using customer-managed keys.
+
+## Example Usages
+
+```terraform
+data "mongodbatlas_encryption_at_rest_private_endpoints" "plural" {
+  project_id     = var.atlas_project_id
+  cloud_provider = "AZURE"
+}
+
+output "number_of_endpoints" {
+  value = length(data.mongodbatlas_encryption_at_rest_private_endpoints.plural.results)
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cloud_provider` (String) Human-readable label that identifies the cloud provider for the private endpoints to return.
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project.
+
+### Read-Only
+
+- `results` (Attributes List) List of returned documents that MongoDB Cloud providers when completing this request. (see [below for nested schema](#nestedatt--results))
+
+<a id="nestedatt--results"></a>
+### Nested Schema for `results`
+
+Read-Only:
+
+- `cloud_provider` (String) Label that identifies the cloud provider of the private endpoint.
+- `error_message` (String) Error message for failures associated with the Encryption At Rest private endpoint.
+- `id` (String) Unique 24-hexadecimal digit string that identifies the Private Endpoint Service.
+- `private_endpoint_connection_name` (String) Connection name of the Azure Private Endpoint.
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project.
+- `region_name` (String) Cloud provider region in which the Encryption At Rest private endpoint is located.
+- `status` (String) State of the Encryption At Rest private endpoint.
+
+For more information see: 
+- [MongoDB Atlas API - Private Endpoint for Encryption at Rest Using Customer Key Management](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Encryption-at-Rest-using-Customer-Key-Management/operation/getEncryptionAtRestPrivateEndpointsForCloudProvider) Documentation.
+- [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/).

docs/resources/encryption_at_rest_private_endpoint.md

@@ -0,0 +1,88 @@
+# Resource: mongodbatlas_encryption_at_rest_private_endpoint
+
+`mongodbatlas_encryption_at_rest_private_endpoint` provides a resource for managing a private endpoint used for encryption at rest with customer-managed keys. This ensures all traffic between Atlas and customer key management systems take place over private network interfaces.
+
+~> **IMPORTANT** The Encryption at Rest using Azure Key Vault over Private Endpoints feature is available by request. To request this functionality for you Atlas deployments, contact your Account Manager. 
+Additionally, you'll need to set the environment variable `MONGODB_ATLAS_ENABLE_PREVIEW=true` to use this resource. To learn more about existing limitations, see the [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
+
+-> **NOTE:** Only Azure Key Vault with Azure Private Link is supported at this time.
+
+## Example Usages
+
+### Configuring Atlas Encryption at Rest using Azure Key Vault with Azure Private Link
+
+```terraform
+resource "mongodbatlas_encryption_at_rest" "ear" {
+  project_id = var.atlas_project_id
+
+  azure_key_vault_config {
+    require_private_networking = true
+
+    enabled           = true
+    azure_environment = "AZURE"
+
+    tenant_id       = var.azure_tenant_id
+    subscription_id = var.azure_subscription_id
+    client_id       = var.azure_client_id
+    secret          = var.azure_client_secret
+
+    resource_group_name = var.azure_resource_group_name
+    key_vault_name      = var.azure_key_vault_name
+    key_identifier      = var.azure_key_identifier
+  }
+}
+
+# Creates private endpoint
+resource "mongodbatlas_encryption_at_rest_private_endpoint" "endpoint" {
+  project_id     = mongodbatlas_encryption_at_rest.ear.project_id
+  cloud_provider = "AZURE"
+  region_name    = var.azure_region_name
+}
+
+locals {
+  key_vault_resource_id = "/subscriptions/${var.azure_subscription_id}/resourceGroups/${var.azure_resource_group_name}/providers/Microsoft.KeyVault/vaults/${var.azure_key_vault_name}"
+}
+
+# Approves private endpoint connection from Azure Key Vault
+resource "azapi_update_resource" "approval" {
+  type      = "Microsoft.KeyVault/Vaults/PrivateEndpointConnections@2023-07-01"
+  name      = mongodbatlas_encryption_at_rest_private_endpoint.endpoint.private_endpoint_connection_name
+  parent_id = local.key_vault_resource_id
+
+  body = jsonencode({
+    properties = {
+      privateLinkServiceConnectionState = {
+        description = "Approved via Terraform"
+        status      = "Approved"
+      }
+    }
+  })
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cloud_provider` (String) Label that identifies the cloud provider for the Encryption At Rest private endpoint.
+- `project_id` (String) Unique 24-hexadecimal digit string that identifies your project.
+- `region_name` (String) Cloud provider region in which the Encryption At Rest private endpoint is located.
+
+### Read-Only
+
+- `error_message` (String) Error message for failures associated with the Encryption At Rest private endpoint.
+- `id` (String) Unique 24-hexadecimal digit string that identifies the Private Endpoint Service.
+- `private_endpoint_connection_name` (String) Connection name of the Azure Private Endpoint.
+- `status` (String) State of the Encryption At Rest private endpoint.
+
+# Import 
+Encryption At Rest Private Endpoint resource can be imported using the project ID, cloud provider, and private endpoint ID. The format must be `{project_id}-{cloud_provider}-{private_endpoint_id}` e.g.
+
+```
+$ terraform import mongodbatlas_encryption_at_rest_private_endpoint.test 650972848269185c55f40ca1-AZURE-650972848269185c55f40ca2
+```
+
+For more information see: 
+- [MongoDB Atlas API - Private Endpoint for Encryption at Rest Using Customer Key Management](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Encryption-at-Rest-using-Customer-Key-Management/operation/getEncryptionAtRestPrivateEndpoint) Documentation.
+- [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/).

examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/plural-data-source.tf

@@ -0,0 +1,8 @@
+data "mongodbatlas_encryption_at_rest_private_endpoints" "plural" {
+  project_id     = var.atlas_project_id
+  cloud_provider = "AZURE"
+}
+
+output "number_of_endpoints" {
+  value = length(data.mongodbatlas_encryption_at_rest_private_endpoints.plural.results)
+}

examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/singular-data-source.tf

@@ -0,0 +1,9 @@
+data "mongodbatlas_encryption_at_rest_private_endpoint" "single" {
+  project_id     = var.atlas_project_id
+  cloud_provider = "AZURE"
+  id             = mongodbatlas_encryption_at_rest_private_endpoint.endpoint.id
+}
+
+output "endpoint_connection_name" {
+  value = data.mongodbatlas_encryption_at_rest_private_endpoint.single.private_endpoint_connection_name
+}

internal/service/encryptionatrestprivateendpoint/data_source_schema.go

@@ -28,8 +28,8 @@ func DSAttributes(withArguments bool) map[string]schema.Attribute {
 		"project_id": schema.StringAttribute{
 			Required:            withArguments,
 			Computed:            !withArguments,
-			Description:         "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.",
-			MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.",
+			Description:         "Unique 24-hexadecimal digit string that identifies your project.",
+			MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.",
 		},
 		"id": schema.StringAttribute{
 			Required:            withArguments,

internal/service/encryptionatrestprivateendpoint/pural_data_source_schema.go

@@ -12,17 +12,17 @@ func PluralDataSourceSchema(ctx context.Context) schema.Schema {
 		Attributes: map[string]schema.Attribute{
 			"cloud_provider": schema.StringAttribute{
 				Required:            true,
-				Description:         "Human-readable label that identifies the cloud provider for the private endpoints to return.",
+				Description:         "Label that identifies the cloud provider for the private endpoints to return.",
 				MarkdownDescription: "Human-readable label that identifies the cloud provider for the private endpoints to return.",
 			},
 			"project_id": schema.StringAttribute{
 				Required:            true,
-				Description:         "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.",
-				MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.",
+				Description:         "Unique 24-hexadecimal digit string that identifies your project.",
+				MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.",
 			},
 			"results": schema.ListNestedAttribute{
 				NestedObject: schema.NestedAttributeObject{
-					Attributes: DSAttributes(true),
+					Attributes: DSAttributes(false),
 				},
 				Computed:            true,
 				Description:         "List of returned documents that MongoDB Cloud providers when completing this request.",

internal/service/encryptionatrestprivateendpoint/resource_schema.go

@@ -22,8 +22,8 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 			},
 			"project_id": schema.StringAttribute{
 				Required:            true,
-				Description:         "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.",
-				MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.\n\n**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.",
+				Description:         "Unique 24-hexadecimal digit string that identifies your project.",
+				MarkdownDescription: "Unique 24-hexadecimal digit string that identifies your project.",
 			},
 			"id": schema.StringAttribute{
 				Computed:            true,

scripts/generate-doc.sh

@@ -67,6 +67,9 @@ if [ ! -f "${TEMPLATE_FOLDER_PATH}/data-sources/${resource_name}s.md.tmpl" ]; th
     printf "Skipping this check: We assume that the resource does not have a plural data source.\n\n"
 fi
 
+# ensure preview resource and data sources are also included during generation
+export MONGODB_ATLAS_ENABLE_PREVIEW="true" 
+
 tfplugindocs generate --tf-version "${TF_VERSION}" --website-source-dir "${TEMPLATE_FOLDER_PATH}"  --rendered-website-dir "docs-out"
 
 if [ ! -f "docs-out/resources/${resource_name}.md" ]; then

templates/data-sources/encryption_at_rest_private_endpoint.md.tmpl

@@ -0,0 +1,13 @@
+# {{.Type}}: {{.Name}}
+
+`{{.Name}}` describes a private endpoint used for encryption at rest using customer-managed keys.
+
+## Example Usages
+
+{{ tffile (printf "examples/%s/azure/singular-data-source.tf" .Name )}}
+
+{{ .SchemaMarkdown | trimspace }}
+
+For more information see: 
+- [MongoDB Atlas API - Private Endpoint for Encryption at Rest Using Customer Key Management](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Encryption-at-Rest-using-Customer-Key-Management/operation/getEncryptionAtRestPrivateEndpoint) Documentation.
+- [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/).

templates/data-sources/encryption_at_rest_private_endpoints.md.tmpl

@@ -0,0 +1,13 @@
+# {{.Type}}: {{.Name}}
+
+`{{.Name}}` describes private endpoints of a particular cloud provider used for encryption at rest using customer-managed keys.
+
+## Example Usages
+
+{{ tffile ("examples/mongodbatlas_encryption_at_rest_private_endpoint/azure/plural-data-source.tf") }}
+
+{{ .SchemaMarkdown | trimspace }}
+
+For more information see: 
+- [MongoDB Atlas API - Private Endpoint for Encryption at Rest Using Customer Key Management](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Encryption-at-Rest-using-Customer-Key-Management/operation/getEncryptionAtRestPrivateEndpointsForCloudProvider) Documentation.
+- [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/).

templates/resources/encryption_at_rest_private_endpoint.md.tmpl

@@ -0,0 +1,27 @@
+# {{.Type}}: {{.Name}}
+
+`{{.Name}}` provides a resource for managing a private endpoint used for encryption at rest with customer-managed keys. This ensures all traffic between Atlas and customer key management systems take place over private network interfaces.
+
+~> **IMPORTANT** The Encryption at Rest using Azure Key Vault over Private Endpoints feature is available by request. To request this functionality for you Atlas deployments, contact your Account Manager. 
+Additionally, you'll need to set the environment variable `MONGODB_ATLAS_ENABLE_PREVIEW=true` to use this resource. To learn more about existing limitations, see the [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
+
+-> **NOTE:** Only Azure Key Vault with Azure Private Link is supported at this time.
+
+## Example Usages
+
+### Configuring Atlas Encryption at Rest using Azure Key Vault with Azure Private Link
+
+{{ tffile (printf "examples/%s/azure/main.tf" .Name )}}
+
+{{ .SchemaMarkdown | trimspace }}
+
+# Import 
+Encryption At Rest Private Endpoint resource can be imported using the project ID, cloud provider, and private endpoint ID. The format must be `{project_id}-{cloud_provider}-{private_endpoint_id}` e.g.
+
+```
+$ terraform import mongodbatlas_encryption_at_rest_private_endpoint.test 650972848269185c55f40ca1-AZURE-650972848269185c55f40ca2
+```
+
+For more information see: 
+- [MongoDB Atlas API - Private Endpoint for Encryption at Rest Using Customer Key Management](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Encryption-at-Rest-using-Customer-Key-Management/operation/getEncryptionAtRestPrivateEndpoint) Documentation.
+- [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/).