mongodb · EspenAlbert · Aug 27, 2025 · Sep 3, 2025 · Sep 3, 2025 · Sep 3, 2025
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_encryption_at_rest: Supports role_id in google_cloud_kms_config
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_encryption_at_rest: Supports role_id in google_cloud_kms_config
+```
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/mongodbatlas_cloud_provider_access_setup: Adds support for GCP as a Cloud Provider.
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_cloud_provider_access_setup: Adds support for GCP as a Cloud Provider.
+```
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/mongodbatlas_cloud_provider_access_authorization: Supports GCP cloud provider
+```
@@ -55,7 +55,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
         with:
-          version: v2.3.1 # Also update GOLANGCI_VERSION variable in GNUmakefile when updating this version
+          version: v2.4.0 # Also update GOLANGCI_VERSION variable in GNUmakefile when updating this version
       - name: actionlint
         run: |
           make tools

@@ -17,7 +17,7 @@ jobs:
     permissions:
       pull-requests: write # Needed by sticky-pull-request-comment
     steps:
-      - uses: amannn/action-semantic-pull-request@7f33ba792281b034f64e96f4c0b5496782dd3b37
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50
         id: lint_pr_title
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.tool-versions b/.tool-versions
@@ -1 +1 @@
-terraform 1.13.0
+terraform 1.13.1
@@ -1,5 +1,13 @@
 ## (Unreleased)
 
+ENHANCEMENTS:
+
+* data-source/mongodbatlas_cloud_provider_access_setup: Adds support for GCP as a Cloud Provider. ([#3637](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/3637))
+* data-source/mongodbatlas_encryption_at_rest: Supports role_id in google_cloud_kms_config ([#3636](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/3636))
+* resource/mongodbatlas_cloud_provider_access_authorization: Supports GCP cloud provider ([#3639](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/3639))
+* resource/mongodbatlas_cloud_provider_access_setup: Adds support for GCP as a Cloud Provider. ([#3637](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/3637))
+* resource/mongodbatlas_encryption_at_rest: Supports role_id in google_cloud_kms_config ([#3636](https://github.com/mongodb/terraform-provider-mongodbatlas/pull/3636))
+
 ## 1.40.0 (August 21, 2025)
 
 ENHANCEMENTS:

@@ -16,7 +16,7 @@ GITTAG=$(shell git describe --always --tags)
 VERSION=$(GITTAG:v%=%)
 LINKER_FLAGS=-s -w -X 'github.com/mongodb/terraform-provider-mongodbatlas/version.ProviderVersion=${VERSION}'
 
-GOLANGCI_VERSION=v2.3.1 # Also update golangci-lint GH action in code-health.yml when updating this version
+GOLANGCI_VERSION=v2.4.0 # Also update golangci-lint GH action in code-health.yml when updating this version
 
 export PATH := $(shell go env GOPATH)/bin:$(PATH)
 export SHELL := env PATH=$(PATH) /bin/bash

@@ -1,6 +1,6 @@
 # Data Source: mongodbatlas_cloud_provider_access_setup
 
-`mongodbatlas_cloud_provider_access_setup` allows you to get a single role for a provider access role setup, currently only AWS and Azure are supported.
+`mongodbatlas_cloud_provider_access_setup` allows you to get a single role for a provider access role setup. Supported providers: AWS, AZURE and GCP.
 
 -> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation.
 
@@ -36,27 +36,43 @@ data "mongodbatlas_cloud_provider_access_setup" "single_setup" {
    role_id = mongodbatlas_cloud_provider_access_setup.test_role.role_id
 }
 ```
+
+## Example Usage with GCP
+
+```terraform
+resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
+   project_id    = "64259ee860c43338194b0f8e"
+   provider_name = "GCP"
+}
+
+data "mongodbatlas_cloud_provider_access_setup" "single_setup" {
+   project_id    = mongodbatlas_cloud_provider_access_setup.test_role.project_id
+   provider_name = mongodbatlas_cloud_provider_access_setup.test_role.provider_name
+   role_id       = mongodbatlas_cloud_provider_access_setup.test_role.role_id
+}
+```
+
 ## Argument Reference
 
 * `project_id` - (Required) The unique ID for the project to get all Cloud Provider Access 
-* `provider_name` - (Required) cloud provider name, currently only AWS is supported
-* `role_id` - (Required) unique role id among all the aws roles provided by mongodb atlas 
+* `provider_name` - (Required) cloud provider name. Supported values: `AWS`, `AZURE`, and `GCP`.
+* `role_id` - (Required) unique role id among all the roles provided by MongoDB Atlas. 
 
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
 * `id`              - Autogenerated Unique ID for this data source.
-* `aws`           - aws related role information
-    * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
-    * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
 * `aws_config`           - aws related role information
     * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
     * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
 * `azure_config` - azure related configurations 
    * `atlas_azure_app_id` - Azure Active Directory Application ID of Atlas.
    * `service_principal_id`- UUID string that identifies the Azure Service Principal.
    * `tenant_id`          - UUID String that identifies the Azure Active Directory Tenant ID.
+ * `gcp_config` - gcp related configurations
+   * `status` - The status of the GCP cloud provider access setup. See [MongoDB Atlas API](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-getgroupcloudprovideraccess#operation-getgroupcloudprovideraccess-200-body-application-vnd-atlas-2023-01-01-json-gcp-object-status).
+   * `service_account_for_atlas` - The GCP service account email that Atlas uses.
 * `created_date`  - Date on which this role was created.
 * `last_updated_date`                - Date and time when this Azure Service Principal was last updated. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
 

@@ -106,6 +106,8 @@ output "is_azure_encryption_at_rest_valid" {
 -> **NOTE:** It is possible to configure Atlas Encryption at Rest to communicate with Customer Managed Keys (Azure Key Vault or AWS KMS) over private network interfaces (Azure Private Link or AWS PrivateLink). This requires enabling the `azure_key_vault_config.require_private_networking` or the `aws_kms_config.require_private_networking` attribute, together with the configuration of the `mongodbatlas_encryption_at_rest_private_endpoint` resource. Please review the `mongodbatlas_encryption_at_rest_private_endpoint` resource for details.
 
 ### Configuring encryption at rest using customer key management in GCP
+For authentication, you must provide either serviceAccountKey (static credentials) or roleId (service-account–based authentication). Once roleId is configured, serviceAccountKey is no longer supported.
+
 ```terraform
 resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.atlas_project_id
@@ -181,6 +183,7 @@ Read-Only:
 
 - `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified  project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.
 - `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS.
+- `role_id` (String) Unique 24-hexadecimal digit string that identifies the Google Cloud Provider Access Role that MongoDB Cloud uses to access the Google Cloud KMS.
 - `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
 - `valid` (Boolean) Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
 

@@ -44,10 +44,21 @@ resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
 
 ```
 
+## Example Usage with GCP
+
+```terraform
+
+resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
+   project_id = "64259ee860c43338194b0f8e"
+   provider_name = "GCP"
+}
+
+```
+
 ## Argument Reference
 
 * `project_id` - (Required) The unique ID for the project
-* `provider_name` - (Required) The cloud provider for which to create a new role. Currently only AWS and AZURE are supported. **WARNING** Changing the `provider_name` will result in destruction of the existing resource and the creation of a new resource.
+* `provider_name` - (Required) The cloud provider for which to create a new role. Currently, AWS, AZURE and GCP are supported. **WARNING** Changing the `provider_name` will result in destruction of the existing resource and the creation of a new resource.
 * `azure_config` - azure related configurations 
    * `atlas_azure_app_id` - Azure Active Directory Application ID of Atlas. This property is required when `provider_name = "AZURE".`
    * `service_principal_id`- UUID string that identifies the Azure Service Principal. This property is required when `provider_name = "AZURE".`
@@ -59,6 +70,9 @@ resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
 * `aws_config` - aws related arn roles 
    * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
    * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
+* `gcp_config` - gcp related configuration
+  * `status` - The status of the GCP cloud provider access setup. See [MongoDB Atlas API](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-getgroupcloudprovideraccess#operation-getgroupcloudprovideraccess-200-body-application-vnd-atlas-2023-01-01-json-gcp-object-status).
+  * `service_account_for_atlas` - The GCP service account email that Atlas uses.
 * `created_date`                   - Date on which this role was created.
 * `last_updated_date`                - Date and time when this Azure Service Principal was last updated. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
 * `role_id`                        - Unique ID of this role.
@@ -135,13 +149,18 @@ resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
 Conditional 
 * `aws`
    * `iam_assumed_role_arn` - (Required) ARN of the IAM Role that Atlas assumes when accessing resources in your AWS account. This value is required after the creation (register of the role) as part of [Set Up Unified AWS Access](https://docs.atlas.mongodb.com/security/set-up-unified-aws-access/#set-up-unified-aws-access).
-
+* `azure`
+   * `atlas_azure_app_id` - (Required) Azure Active Directory Application ID of Atlas.
+   * `service_principal_id` - (Required) UUID string that identifies the Azure Service Principal.
+   * `tenant_id` - (Required) UUID String that identifies the Azure Active Directory Tenant ID.
 
 ## Attributes Reference
 
 * `id`               - Unique identifier used by terraform for internal management.
 * `authorized_date`  - Date on which this role was authorized.
 * `feature_usages`   - Atlas features this AWS IAM role is linked to.
+* `gcp`
+   * `service_account_for_atlas` - Email address for the Google Service Account created by Atlas.
 
 
 

@@ -134,6 +134,8 @@ Please review the [`mongodbatlas_encryption_at_rest_private_endpoint` resource d
 
 
 ### Configuring encryption at rest using customer key management in GCP
+For authentication, you must provide either serviceAccountKey (static credentials) or roleId (service-account–based authentication). Once roleId is configured, serviceAccountKey is no longer supported.
+
 ```terraform
 resource "mongodbatlas_encryption_at_rest" "test" {
   project_id = var.atlas_project_id
@@ -210,6 +212,7 @@ Optional:
 
 - `enabled` (Boolean) Flag that indicates whether someone enabled encryption at rest for the specified  project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of `false`.
 - `key_version_resource_id` (String, Sensitive) Resource path that displays the key version resource ID for your Google Cloud KMS.
+- `role_id` (String) Unique 24-hexadecimal digit string that identifies the Google Cloud Provider Access Role that MongoDB Cloud uses to access the Google Cloud KMS.
 - `service_account_key` (String, Sensitive) JavaScript Object Notation (JSON) object that contains the Google Cloud Key Management Service (KMS). Format the JSON as a string and not as an object.
 
 Read-Only:

@@ -51,7 +51,7 @@ resource "mongodbatlas_project" "test" {
 * `org_id` - (Required) The ID of the organization you want to create the project within.
 * `project_owner_id` - (Optional) Unique 24-hexadecimal digit string that identifies the Atlas user account to be granted the [Project Owner](https://docs.atlas.mongodb.com/reference/user-roles/#mongodb-authrole-Project-Owner) role on the specified project. If you set this parameter, it overrides the default value of the oldest [Organization Owner](https://docs.atlas.mongodb.com/reference/user-roles/#mongodb-authrole-Organization-Owner).
 * `tags` - (Optional) Map that contains key-value pairs between 1 to 255 characters in length for tagging and categorizing the project. See [below](#tags).
-* `with_default_alerts_settings` - (Optional) It allows users to disable the creation of the default alert settings. By default, this flag is set to true.
+* `with_default_alerts_settings` - (Optional) Flag that indicates whether to create the project with default alert settings. This setting cannot be updated after project creation. By default, this flag is set to true.
 * `is_collect_database_specifics_statistics_enabled` - (Optional) Flag that indicates whether to enable statistics in [cluster metrics](https://www.mongodb.com/docs/atlas/monitor-cluster-metrics/) collection for the project. By default, this flag is set to true.
 * `is_data_explorer_enabled` - (Optional) Flag that indicates whether to enable Data Explorer for the project. If enabled, you can query your database with an easy to use interface.  When Data Explorer is disabled, you cannot terminate slow operations from the [Real-Time Performance Panel](https://www.mongodb.com/docs/atlas/real-time-performance-panel/#std-label-real-time-metrics-status-tab) or create indexes from the [Performance Advisor](https://www.mongodb.com/docs/atlas/performance-advisor/#std-label-performance-advisor). You can still view Performance Advisor recommendations, but you must create those indexes from [mongosh](https://www.mongodb.com/docs/mongodb-shell/#mongodb-binary-bin.mongosh). By default, this flag is set to true.
 * `is_extended_storage_sizes_enabled` - (Optional) Flag that indicates whether to enable extended storage sizes for the specified project. Clusters with extended storage sizes must be on AWS or GCP, and cannot span multiple regions. When extending storage size, initial syncs and cross-project snapshot restores will be slow. This setting should only be used as a measure of temporary relief; consider sharding if more storage is required.