doc: Add example & documentation for mongodbatlas_encryption_at_rest_private_endpoint to specify AWS usage (#2999)

Author: maastha

docs/data-sources/encryption_at_rest.md

@@ -101,7 +101,7 @@ output "is_azure_encryption_at_rest_valid" {
 }
 ```
 
--> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. Please review `mongodbatlas_encryption_at_rest_private_endpoint` resource for details.
+-> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Customer Managed Keys (Azure Key Vault or AWS KMS) over private network interfaces (Azure Private Link or AWS PrivateLink). This requires enabling the `azure_key_vault_config.require_private_networking` or the `aws_kms_config.require_private_networking` attribute, together with the configuration of the `mongodbatlas_encryption_at_rest_private_endpoint` resource. Please review the `mongodbatlas_encryption_at_rest_private_endpoint` resource for details.
 
 ### Configuring encryption at rest using customer key management in GCP
 ```terraform

docs/data-sources/encryption_at_rest_private_endpoint.md

@@ -2,12 +2,12 @@
 
 `mongodbatlas_encryption_at_rest_private_endpoint` describes a private endpoint used for encryption at rest using customer-managed keys.
 
-~> **IMPORTANT** The Encryption at Rest using Azure Key Vault over Private Endpoints feature is available by request. To request this functionality for your Atlas deployments, contact your Account Manager. 
-To learn more about existing limitations, see [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
-
 ## Example Usages
 
--> **NOTE:** Only Azure Key Vault with Azure Private Link is supported at this time.
+-> **NOTE:** Only Azure Key Vault with Azure Private Link and AWS KMS over AWS PrivateLink is supported at this time.
+
+### Encryption At Rest Azure Key Vault Private Endpoint
+To learn more, see [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
 
 ```terraform
 data "mongodbatlas_encryption_at_rest_private_endpoint" "single" {
@@ -21,6 +21,19 @@ output "endpoint_connection_name" {
 }
 ```
 
+### Encryption At Rest AWS KMS Private Endpoint
+```terraform
+data "mongodbatlas_encryption_at_rest_private_endpoint" "single" {
+  project_id     = var.atlas_project_id
+  cloud_provider = "AWS"
+  id             = mongodbatlas_encryption_at_rest_private_endpoint.endpoint.id
+}
+
+output "status" {
+  value = data.mongodbatlas_encryption_at_rest_private_endpoint.single.status
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

docs/data-sources/encryption_at_rest_private_endpoints.md

@@ -2,12 +2,12 @@
 
 `mongodbatlas_encryption_at_rest_private_endpoints` describes private endpoints of a particular cloud provider used for encryption at rest using customer-managed keys.
 
-~> **IMPORTANT** The Encryption at Rest using Azure Key Vault over Private Endpoints feature is available by request. To request this functionality for your Atlas deployments, contact your Account Manager. 
-To learn more about existing limitations, see [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
-
 ## Example Usages
 
--> **NOTE:** Only Azure Key Vault with Azure Private Link is supported at this time.
+-> **NOTE:** Only Azure Key Vault with Azure Private Link and AWS KMS over AWS PrivateLink is supported at this time.
+
+### Encryption At Rest Azure Key Vault Private Endpoint
+To learn more about existing limitations, see [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
 
 ```terraform
 data "mongodbatlas_encryption_at_rest_private_endpoints" "plural" {
@@ -20,6 +20,18 @@ output "number_of_endpoints" {
 }
 ```
 
+### Encryption At Rest AWS KMS Private Endpoint
+```terraform
+data "mongodbatlas_encryption_at_rest_private_endpoints" "plural" {
+  project_id     = var.atlas_project_id
+  cloud_provider = "AWS"
+}
+
+output "number_of_endpoints" {
+  value = length(data.mongodbatlas_encryption_at_rest_private_endpoints.plural.results)
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

docs/resources/encryption_at_rest.md

@@ -126,9 +126,9 @@ output "is_azure_encryption_at_rest_valid" {
 ```
 
 #### Manage Customer Keys with Azure Key Vault Over Private Endpoints
-It is possible to configure Atlas Encryption at Rest to communicate with Azure Key Vault using Azure Private Link, ensuring that all traffic between Atlas and Key Vault takes place over Azure’s private network interfaces. This requires enabling `azure_key_vault_config.require_private_networking` attribute, together with the configuration of `mongodbatlas_encryption_at_rest_private_endpoint` resource. 
+It is possible to configure Atlas Encryption at Rest to communicate with Customer Managed Keys (Azure Key Vault or AWS KMS) over private network interfaces (Azure Private Link or AWS PrivateLink). This requires enabling the `azure_key_vault_config.require_private_networking` or the `aws_kms_config.require_private_networking` attribute, together with the configuration of the `mongodbatlas_encryption_at_rest_private_endpoint` resource. 
 
-Please review [`mongodbatlas_encryption_at_rest_private_endpoint` resource documentation](encryption_at_rest_private_endpoint) and [complete example](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure) for details on this functionality.
+Please review the [`mongodbatlas_encryption_at_rest_private_endpoint` resource documentation](encryption_at_rest_private_endpoint) and [complete the example](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_encryption_at_rest_private_endpoint/) for details on this functionality.
 
 
 ### Configuring encryption at rest using customer key management in GCP

docs/resources/encryption_at_rest_private_endpoint.md

@@ -2,18 +2,16 @@
 
 `mongodbatlas_encryption_at_rest_private_endpoint` provides a resource for managing a private endpoint used for encryption at rest with customer-managed keys. This ensures all traffic between Atlas and customer key management systems take place over private network interfaces.
 
-~> **IMPORTANT** The Encryption at Rest using Azure Key Vault over Private Endpoints feature is available by request. To request this functionality for your Atlas deployments, contact your Account Manager. 
-To learn more about existing limitations, see [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
-
--> **NOTE:** As a prerequisite to configuring a private endpoint for Azure Key Vault, the corresponding [`mongodbatlas_encryption_at_rest`](encryption_at_rest) resource has to be adjust by configuring [`azure_key_vault_config.require_private_networking`](encryption_at_rest#require_private_networking) to true. This attribute should be updated in place, ensuring the customer-managed keys encryption is never disabled.
+-> **NOTE:** As a prerequisite to configuring a private endpoint for Azure Key Vault or AWS KMS, the corresponding [`mongodbatlas_encryption_at_rest`](encryption_at_rest) resource has to be adjusted by configuring to true [`azure_key_vault_config.require_private_networking`](encryption_at_rest#require_private_networking) or [`aws_kms_config.require_private_networking`](encryption_at_rest#require_private_networking), respectively. This attribute should be updated in place, ensuring the customer-managed keys encryption is never disabled.
 
 -> **NOTE:** This resource does not support update operations. To modify values of a private endpoint the existing resource must be deleted and a new one can be created with the modified values.
 
 ## Example Usages
 
--> **NOTE:** Only Azure Key Vault with Azure Private Link is supported at this time.
+-> **NOTE:** Only Azure Key Vault with Azure Private Link and AWS KMS over AWS PrivateLink is supported at this time.
 
 ### Configuring Atlas Encryption at Rest using Azure Key Vault with Azure Private Link
+To learn more about existing limitations, see [Manage Customer Keys with Azure Key Vault Over Private Endpoints](https://www.mongodb.com/docs/atlas/security/azure-kms-over-private-endpoint/#manage-customer-keys-with-azure-key-vault-over-private-endpoints).
 
 Make sure to reference the [complete example section](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_encryption_at_rest_private_endpoint/azure) for detailed steps and considerations.
 
@@ -66,6 +64,32 @@ resource "azapi_update_resource" "approval" {
 }
 ```
 
+### Configuring Atlas Encryption at Rest using AWS KMS with AWS PrivateLink
+
+Make sure to reference the [complete example section](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/mongodbatlas_encryption_at_rest_private_endpoint/aws) for detailed steps and considerations.
+
+```terraform
+resource "mongodbatlas_encryption_at_rest" "ear" {
+  project_id = var.atlas_project_id
+
+  aws_kms_config {
+    require_private_networking = true
+
+    enabled                = true
+    customer_master_key_id = var.aws_kms_key_id
+    region                 = var.atlas_aws_region
+    role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
+  }
+}
+
+# Creates private endpoint
+resource "mongodbatlas_encryption_at_rest_private_endpoint" "endpoint" {
+  project_id     = mongodbatlas_encryption_at_rest.ear.project_id
+  cloud_provider = "AWS"
+  region_name    = var.atlas_aws_region
+}
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
@@ -87,6 +111,7 @@ Encryption At Rest Private Endpoint resource can be imported using the project I
 
 ```
 $ terraform import mongodbatlas_encryption_at_rest_private_endpoint.test 650972848269185c55f40ca1-AZURE-650972848269185c55f40ca2
+$ terraform import mongodbatlas_encryption_at_rest_private_endpoint.test 650972848269185c55f40ca2-AWS-650972848269185c55f40ca3
 ```
 
 For more information see: 

examples/mongodbatlas_encryption_at_rest_private_endpoint/aws/README.md

@@ -0,0 +1,48 @@
+# MongoDB Atlas Provider - Encryption At Rest using Customer Key Management via Private Network Interfaces (AWS)
+This example shows how to configure encryption at rest using AWS with customer managed keys ensuring all communication with AWS Key Management Service (KMS) happens exclusively over AWS PrivateLink.
+
+## Dependencies
+
+* Terraform MongoDB Atlas Provider v1.27.0 minimum
+* A MongoDB Atlas account 
+* Terraform AWS provider
+* An AWS account
+
+## Usage
+
+**1\. Provide the appropriate values for the input variables.**
+
+- `atlas_public_key`: The public API key for MongoDB Atlas
+- `atlas_private_key`: The private API key for MongoDB Atlas
+- `atlas_project_id`: Atlas Project ID
+- `aws_kms_key_id`: ARN that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) to use to encrypt and decrypt
+- `atlas_aws_region`: Region in which the Encryption At Rest private endpoint is located
+
+**2\. Review the Terraform plan.**
+
+Execute the following command and ensure you are happy with the plan.
+
+``` bash
+$ terraform plan
+```
+This project will execute the following changes to acheive successful encryption at rest over AWS PrivateLink for customer managed keys:
+
+- Configure encryption at rest in an existing project using a custom AWS KMS Key. For successful private networking configuration, the `requires_private_networking` attribute in `mongodbatlas_encryption_at_rest.aws_kms_config` is set to `true`.
+- Create a private endpoint for the existing project under a certain AWS region using `mongodbatlas_encryption_at_rest_private_endpoint`. 
+
+**3\. Execute the Terraform apply.**
+
+Now execute the plan to provision the resources.
+
+``` bash
+$ terraform apply
+```
+
+**4\. Destroy the resources.**
+
+When you have finished your testing, ensure you destroy the resources to avoid unnecessary |service| charges.
+
+``` bash
+$ terraform destroy
+```
+

examples/mongodbatlas_encryption_at_rest_private_endpoint/aws/atlas-cloud-provider-access.tf

@@ -0,0 +1,13 @@
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+  project_id    = var.atlas_project_id
+  provider_name = "AWS"
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+  project_id = var.atlas_project_id
+  role_id    = mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+  aws {
+    iam_assumed_role_arn = aws_iam_role.test_role.arn
+  }
+}

examples/mongodbatlas_encryption_at_rest_private_endpoint/aws/aws-roles.tf

@@ -0,0 +1,47 @@
+resource "aws_iam_role_policy" "test_policy" {
+  name = "mongodb-atlas-kms-policy"
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "kms:Decrypt",
+          "kms:Encrypt",
+          "kms:DescribeKey"
+        ],
+        "Resource": [
+          "${var.aws_kms_key_id}"
+        ]
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "test_role" {
+  name = "mongodb-atlas-kms-role"
+
+  assume_role_policy = <<EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "AWS": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config[0].atlas_aws_account_arn}"
+        },
+        "Action": "sts:AssumeRole",
+        "Condition": {
+          "StringEquals": {
+            "sts:ExternalId": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws_config[0].atlas_assumed_role_external_id}"
+          }
+        }
+      }
+    ]
+  }
+  EOF
+}

examples/mongodbatlas_encryption_at_rest_private_endpoint/aws/main.tf

@@ -0,0 +1,19 @@
+resource "mongodbatlas_encryption_at_rest" "ear" {
+  project_id = var.atlas_project_id
+
+  aws_kms_config {
+    require_private_networking = true
+
+    enabled                = true
+    customer_master_key_id = var.aws_kms_key_id
+    region                 = var.atlas_aws_region
+    role_id                = mongodbatlas_cloud_provider_access_authorization.auth_role.role_id
+  }
+}
+
+# Creates private endpoint
+resource "mongodbatlas_encryption_at_rest_private_endpoint" "endpoint" {
+  project_id     = mongodbatlas_encryption_at_rest.ear.project_id
+  cloud_provider = "AWS"
+  region_name    = var.atlas_aws_region
+}

examples/mongodbatlas_encryption_at_rest_private_endpoint/aws/plural-data-source.tf

@@ -0,0 +1,8 @@
+data "mongodbatlas_encryption_at_rest_private_endpoints" "plural" {
+  project_id     = var.atlas_project_id
+  cloud_provider = "AWS"
+}
+
+output "number_of_endpoints" {
+  value = length(data.mongodbatlas_encryption_at_rest_private_endpoints.plural.results)
+}