feat: Adds description field to mongodbatlas_database_user (#3280)

* feat: Adds description field to `mongodbatlas_database_user`

* test: Adds description test for database user

* test: Update unit tests

* refactor: Support not sending empty description on create

* update tests

* feat: Adds description field to data sources for `mongodbatlas_database_user`

* chore: Add changelog entry

* doc: Document new description field

* refactor: rename `TfDatabaseUserModel` variables

* rename to local diags

* move importID split to ImportState function

* fix: only switch back to state value when response is empty and state is null

Author: EspenAlbert

.changelog/3280.txt

@@ -0,0 +1,11 @@
+```release-note:enhancement
+resource/mongodbatlas_database_user: Adds `description` field
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_database_user: Adds `description` field
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_database_users: Adds `description` field
+```

docs/data-sources/database_user.md

@@ -75,6 +75,7 @@ Note: OIDC support is only avalible starting in [MongoDB 7.0](https://www.mongod
 In addition to all arguments above, the following attributes are exported:
 
 * `id` - Autogenerated Unique ID for this data source.
+* `description` - Description of this database user.
 * `roles` - List of user’s roles and the databases / collections on which the roles apply. A role allows the user to perform particular actions on the specified database. A role on the admin database can include privileges that apply to the other databases as well. See [Roles](#roles) below for more details.
 * `x509_type` - X.509 method by which the provided username is authenticated.
 * `aws_iam_type` - The new database user authenticates with AWS IAM credentials. Default is `NONE`, `USER` means user has AWS IAM user credentials, `ROLE` - means user has credentials associated with an AWS IAM role.

docs/data-sources/database_users.md

@@ -77,6 +77,7 @@ In addition to all arguments above, the following attributes are exported:
 
 * `project_id` - ID of the Atlas project the user belongs to.
 * `username` - Username for authenticating to MongoDB.
+* `description` - Description of this database user.
 * `roles` - List of user’s roles and the databases / collections on which the roles apply. A role allows the user to perform particular actions on the specified database. A role on the admin database can include privileges that apply to the other databases as well. See [Roles](#roles) below for more details.
 * `auth_database_name` - (Required) Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB.
 Possible values include:

docs/resources/database_user.md

@@ -125,6 +125,7 @@ Accepted values include:
 * `roles` - (Required) 	List of user’s roles and the databases / collections on which the roles apply. A role allows the user to perform particular actions on the specified database. A role on the admin database can include privileges that apply to the other databases as well. See [Roles](#roles) below for more details.
 * `username` - (Required) Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if `aws_iam_type` is USER or ROLE.
 * `password` - (Required) User's initial password. A value is required to create the database user, however the argument may be removed from your Terraform configuration after user creation without impacting the user, password or Terraform management. If you do change management of the password to outside of Terraform it is advised to remove the argument from the Terraform configuration. IMPORTANT --- Passwords may show up in Terraform related logs and it will be stored in the Terraform state file as plain-text. Password can be changed after creation using your preferred method, e.g. via the MongoDB Atlas UI, to ensure security.
+* `description` - (Optional) Description of this database user.
 
 * `x509_type` - (Optional) X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:
   * `NONE` -	The user does not use X.509 authentication.

internal/service/databaseuser/data_source_database_user.go

@@ -26,6 +26,7 @@ type TfDatabaseUserDSModel struct {
 	ProjectID        types.String   `tfsdk:"project_id"`
 	AuthDatabaseName types.String   `tfsdk:"auth_database_name"`
 	Username         types.String   `tfsdk:"username"`
+	Description      types.String   `tfsdk:"description"`
 	X509Type         types.String   `tfsdk:"x509_type"`
 	OIDCAuthType     types.String   `tfsdk:"oidc_auth_type"`
 	LDAPAuthType     types.String   `tfsdk:"ldap_auth_type"`
@@ -53,6 +54,9 @@ func (d *databaseUserDS) Schema(ctx context.Context, req datasource.SchemaReques
 			"username": schema.StringAttribute{
 				Required: true,
 			},
+			"description": schema.StringAttribute{
+				Computed: true,
+			},
 			"x509_type": schema.StringAttribute{
 				Computed: true,
 			},

internal/service/databaseuser/data_source_database_user_test.go

@@ -30,6 +30,7 @@ func TestAccConfigDSDatabaseUser_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(dataSourceName, "roles.0.role_name", roleName),
 					resource.TestCheckResourceAttr(dataSourceName, "roles.0.database_name", "admin"),
 					resource.TestCheckResourceAttr(dataSourceName, "labels.#", "2"),
+					resource.TestCheckNoResourceAttr(dataSourceName, "description"),
 				),
 			},
 		},

internal/service/databaseuser/data_source_database_users.go

@@ -60,6 +60,9 @@ func (d *DatabaseUsersDS) Schema(ctx context.Context, req datasource.SchemaReque
 						"username": schema.StringAttribute{
 							Computed: true,
 						},
+						"description": schema.StringAttribute{
+							Computed: true,
+						},
 						"x509_type": schema.StringAttribute{
 							Computed: true,
 						},

internal/service/databaseuser/data_source_database_users_test.go

@@ -27,9 +27,11 @@ func TestAccConfigDSDatabaseUsers_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet(dataSourcePluralName, "results.0.username"),
 					resource.TestCheckResourceAttrSet(dataSourcePluralName, "results.0.roles.#"),
 					resource.TestCheckResourceAttrSet(dataSourcePluralName, "results.0.labels.#"),
+					resource.TestCheckNoResourceAttr(dataSourcePluralName, "results.0.description"),
 					resource.TestCheckResourceAttrSet(dataSourcePluralName, "results.1.username"),
 					resource.TestCheckResourceAttrSet(dataSourcePluralName, "results.1.roles.#"),
 					resource.TestCheckResourceAttrSet(dataSourcePluralName, "results.1.labels.#"),
+					resource.TestCheckNoResourceAttr(dataSourcePluralName, "results.1.description"),
 				),
 			},
 		},

internal/service/databaseuser/model_database_user.go

@@ -11,47 +11,53 @@ import (
 	"go.mongodb.org/atlas-sdk/v20250312002/admin"
 )
 
-func NewMongoDBDatabaseUser(ctx context.Context, statePasswordValue types.String, dbUserModel *TfDatabaseUserModel) (*admin.CloudDatabaseUser, diag.Diagnostics) {
+func NewMongoDBDatabaseUser(ctx context.Context, statePasswordValue, stateDescriptionValue types.String, plan *TfDatabaseUserModel) (*admin.CloudDatabaseUser, diag.Diagnostics) {
 	var rolesModel []*TfRoleModel
 	var labelsModel []*TfLabelModel
 	var scopesModel []*TfScopeModel
 
-	diags := dbUserModel.Roles.ElementsAs(ctx, &rolesModel, false)
+	diags := plan.Roles.ElementsAs(ctx, &rolesModel, false)
 	if diags.HasError() {
 		return nil, diags
 	}
 
-	diags = dbUserModel.Labels.ElementsAs(ctx, &labelsModel, false)
+	diags = plan.Labels.ElementsAs(ctx, &labelsModel, false)
 	if diags.HasError() {
 		return nil, diags
 	}
 
-	diags = dbUserModel.Scopes.ElementsAs(ctx, &scopesModel, false)
+	diags = plan.Scopes.ElementsAs(ctx, &scopesModel, false)
 	if diags.HasError() {
 		return nil, diags
 	}
 
 	result := admin.CloudDatabaseUser{
-		GroupId:      dbUserModel.ProjectID.ValueString(),
-		Username:     dbUserModel.Username.ValueString(),
-		X509Type:     dbUserModel.X509Type.ValueStringPointer(),
-		AwsIAMType:   dbUserModel.AWSIAMType.ValueStringPointer(),
-		OidcAuthType: dbUserModel.OIDCAuthType.ValueStringPointer(),
-		LdapAuthType: dbUserModel.LDAPAuthType.ValueStringPointer(),
-		DatabaseName: dbUserModel.AuthDatabaseName.ValueString(),
+		GroupId:      plan.ProjectID.ValueString(),
+		Username:     plan.Username.ValueString(),
+		Description:  plan.Description.ValueStringPointer(),
+		X509Type:     plan.X509Type.ValueStringPointer(),
+		AwsIAMType:   plan.AWSIAMType.ValueStringPointer(),
+		OidcAuthType: plan.OIDCAuthType.ValueStringPointer(),
+		LdapAuthType: plan.LDAPAuthType.ValueStringPointer(),
+		DatabaseName: plan.AuthDatabaseName.ValueString(),
 		Roles:        NewMongoDBAtlasRoles(rolesModel),
 		Labels:       NewMongoDBAtlasLabels(labelsModel),
 		Scopes:       NewMongoDBAtlasScopes(scopesModel),
 	}
 
-	if statePasswordValue != dbUserModel.Password {
+	if statePasswordValue != plan.Password {
 		// Password value has been modified or no previous state was present. Password is only updated if changed in the terraform configuration CLOUDP-235738
-		result.Password = dbUserModel.Password.ValueStringPointer()
+		result.Password = plan.Password.ValueStringPointer()
+	}
+	if plan.Description.IsNull() && !stateDescriptionValue.Equal(plan.Description) {
+		// description is an optional attribute (i.e. null by default), if it is removed from the config during an update
+		// (i.e. user wants to remove the existing description from the database user), we send an empty string ("") as the value in API request for update (dumping null is not supported in the SDK)
+		result.Description = conversion.Pointer("")
 	}
 	return &result, nil
 }
 
-func NewTfDatabaseUserModel(ctx context.Context, model *TfDatabaseUserModel, dbUser *admin.CloudDatabaseUser) (*TfDatabaseUserModel, diag.Diagnostics) {
+func NewTfDatabaseUserModel(ctx context.Context, inModel *TfDatabaseUserModel, dbUser *admin.CloudDatabaseUser) (*TfDatabaseUserModel, diag.Diagnostics) {
 	rolesSet, diagnostic := types.SetValueFrom(ctx, RoleObjectType, NewTFRolesModel(dbUser.GetRoles()))
 	if diagnostic.HasError() {
 		return nil, diagnostic
@@ -73,11 +79,12 @@ func NewTfDatabaseUserModel(ctx context.Context, model *TfDatabaseUserModel, dbU
 		"username":           dbUser.Username,
 		"auth_database_name": dbUser.DatabaseName,
 	})
-	databaseUserModel := &TfDatabaseUserModel{
+	outModel := &TfDatabaseUserModel{
 		ID:               types.StringValue(encodedID),
 		ProjectID:        types.StringValue(dbUser.GroupId),
 		AuthDatabaseName: types.StringValue(dbUser.DatabaseName),
 		Username:         types.StringValue(dbUser.Username),
+		Description:      types.StringPointerValue(dbUser.Description),
 		X509Type:         types.StringValue(dbUser.GetX509Type()),
 		OIDCAuthType:     types.StringValue(dbUser.GetOidcAuthType()),
 		LDAPAuthType:     types.StringValue(dbUser.GetLdapAuthType()),
@@ -87,12 +94,15 @@ func NewTfDatabaseUserModel(ctx context.Context, model *TfDatabaseUserModel, dbU
 		Scopes:           scopesSet,
 	}
 
-	if model != nil && model.Password.ValueString() != "" {
+	if inModel != nil && inModel.Password.ValueString() != "" {
 		// The Password is not retuned from the endpoint so we use the one provided in the model
-		databaseUserModel.Password = model.Password
+		outModel.Password = inModel.Password
 	}
-
-	return databaseUserModel, nil
+	if inModel != nil && outModel.Description.Equal(types.StringValue("")) && inModel.Description.IsNull() {
+		// null != "" in TPF:  Error: Provider produced inconsistent result after apply. .description: was null, but now cty.StringVal("")
+		outModel.Description = types.StringNull()
+	}
+	return outModel, nil
 }
 
 func NewTFDatabaseDSUserModel(ctx context.Context, dbUser *admin.CloudDatabaseUser) (*TfDatabaseUserDSModel, diag.Diagnostics) {
@@ -102,6 +112,7 @@ func NewTFDatabaseDSUserModel(ctx context.Context, dbUser *admin.CloudDatabaseUs
 		ProjectID:        types.StringValue(dbUser.GroupId),
 		AuthDatabaseName: types.StringValue(dbUser.DatabaseName),
 		Username:         types.StringValue(dbUser.Username),
+		Description:      types.StringPointerValue(dbUser.Description),
 		X509Type:         types.StringValue(dbUser.GetX509Type()),
 		OIDCAuthType:     types.StringValue(dbUser.GetOidcAuthType()),
 		LDAPAuthType:     types.StringValue(dbUser.GetLdapAuthType()),

internal/service/databaseuser/model_database_user_test.go

@@ -65,6 +65,7 @@ var (
 		GroupId:      projectID,
 		DatabaseName: authDatabaseName,
 		Username:     username,
+		Description:  conversion.Pointer(""),
 		Password:     &password,
 		X509Type:     &x509Type,
 		OidcAuthType: &oidCAuthType,
@@ -77,6 +78,7 @@ var (
 	cloudDatabaseUserWithoutPassword = &admin.CloudDatabaseUser{
 		GroupId:      projectID,
 		DatabaseName: authDatabaseName,
+		Description:  conversion.Pointer(""),
 		Username:     username,
 		X509Type:     &x509Type,
 		OidcAuthType: &oidCAuthType,
@@ -143,7 +145,7 @@ func TestNewMongoDBDatabaseUser(t *testing.T) {
 
 	for i, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			resultModel, err := databaseuser.NewMongoDBDatabaseUser(t.Context(), tc.passwordStateValue, &testCases[i].tfDatabaseUserModel)
+			resultModel, err := databaseuser.NewMongoDBDatabaseUser(t.Context(), tc.passwordStateValue, types.StringValue(""), &testCases[i].tfDatabaseUserModel)
 
 			if (err != nil) != tc.expectedError {
 				t.Errorf("Case %s: Received unexpected error: %v", tc.name, err)
@@ -164,7 +166,7 @@ func TestNewTfDatabaseUserModel(t *testing.T) {
 		{
 			name:            "Success TfDatabaseUserModel",
 			sdkDatabaseUser: cloudDatabaseUser,
-			currentModel:    databaseuser.TfDatabaseUserModel{Password: types.StringValue(password)},
+			currentModel:    databaseuser.TfDatabaseUserModel{Password: types.StringValue(password), Description: types.StringValue("")},
 			expectedResult:  getDatabaseUserModel(rolesSet, labelsSet, scopesSet, types.StringValue(password)),
 			expectedError:   false,
 		},
@@ -355,6 +357,7 @@ func getDatabaseUserModel(roles, labels, scopes basetypes.SetValue, password typ
 		ProjectID:        types.StringValue(projectID),
 		AuthDatabaseName: types.StringValue(authDatabaseName),
 		Username:         types.StringValue(username),
+		Description:      types.StringValue(""),
 		Password:         password,
 		X509Type:         types.StringValue(x509Type),
 		OIDCAuthType:     types.StringValue(oidCAuthType),