mongodb · filipcirtog · Dec 4, 2025 · Dec 4, 2025 · Dec 10, 2025 · Dec 11, 2025
@@ -0,0 +1,15 @@
+```release-note:enhancement
+resource/mongodbatlas_privatelink_endpoint_service: Adds `port_mapping_enabled` attribute
+```
+
+```release-note:enhancement
+resource/mongodbatlas_privatelink_endpoint: Adds `port_mapping_enabled` attribute
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_privatelink_endpoint_service: Adds `port_mapping_enabled` attribute
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_privatelink_endpoint: Adds `port_mapping_enabled` attribute
+```
@@ -58,5 +58,6 @@ In addition to all arguments above, the following attributes are exported:
 * `endpoint_group_names` - GCP network endpoint groups corresponding to the Private Service Connect endpoint service.
 * `region_name` - GCP region for the Private Service Connect endpoint service.
 * `service_attachment_names` - Unique alphanumeric and special character strings that identify the service attachments associated with the GCP Private Service Connect endpoint service.
+* `port_mapping_enabled` - Flag that indicates whether this endpoint service uses PSC port-mapping.
 
 See [MongoDB Atlas API](https://docs.atlas.mongodb.com/reference/api/private-endpoints-service-get-one/) Documentation for more information.
@@ -122,5 +122,6 @@ In addition to all arguments above, the following attributes are exported:
   * `endpoint_name` - Forwarding rule that corresponds to the endpoint you created in GCP.
   * `ip_address` - Private IP address of the network endpoint group you created in GCP.
   * `status` - Status of the endpoint. Atlas returns one of the [values shown above](https://docs.atlas.mongodb.com/reference/api/private-endpoints-endpoint-create-one/#std-label-ref-status-field).
+* `port_mapping_enabled` - Flag that indicates whether this endpoint service uses PSC port-mapping.
 
 See [MongoDB Atlas API](https://docs.atlas.mongodb.com/reference/api/private-endpoints-endpoint-get-one/) Documentation for more information.
@@ -37,7 +37,8 @@ resource "mongodbatlas_privatelink_endpoint" "test" {
 ### Further Examples
 - [AWS PrivateLink Endpoint](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/aws)
 - [Azure PrivateLink Endpoint](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/azure)
-- [GCP Private Service Connect Endpoint](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp)
+- [GCP Private Service Connect Endpoint (Legacy Architecture)](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp)
+- [GCP Private Service Connect Endpoint (Port-Based Architecture)](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp-port-based)
 
 ## Argument Reference
 
@@ -47,6 +48,7 @@ resource "mongodbatlas_privatelink_endpoint" "test" {
 Accepted values are: [AWS regions](https://docs.atlas.mongodb.com/reference/amazon-aws/#amazon-aws), [AZURE regions](https://docs.atlas.mongodb.com/reference/microsoft-azure/#microsoft-azure) and [GCP regions](https://docs.atlas.mongodb.com/reference/google-gcp/#std-label-google-gcp)
 * `timeouts`- (Optional) The duration of time to wait for Private Endpoint to be created or deleted. The timeout value is defined by a signed sequence of decimal numbers with a time unit suffix such as: `1h45m`, `300s`, `10m`, etc. The valid time units are:  `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. The default timeout for Private Endpoint create & delete is `1h`. Learn more about timeouts [here](https://www.terraform.io/plugin/sdkv2/resources/retries-and-customizable-timeouts).
 * `delete_on_create_timeout`- (Optional) Indicates whether to delete the resource being created if a timeout is reached when waiting for completion. When set to `true` and timeout occurs, it triggers the deletion and returns immediately without waiting for deletion to complete. When set to `false`, the timeout will not trigger resource deletion. If you suspect a transient error when the value is `true`, wait before retrying to allow resource deletion to finish. Default is `true`.
+* `port_mapping_enabled` - (Optional) Flag that indicates whether this endpoint service uses PSC port-mapping. When set to `true`, enables the new PSC port-based architecture for GCP, which requires only 1 endpoint instead of 50 endpoints required by the legacy architecture. Defaults to `false`. Only applicable for GCP provider.
 
 ## Attributes Reference
 

@@ -73,7 +73,7 @@ resource "mongodbatlas_privatelink_endpoint_service" "test" {
 }
 ```
 
-## Example with GCP
+## Example with GCP (Legacy Architecture)
 
 ```terraform
 resource "mongodbatlas_privatelink_endpoint" "test" {
@@ -97,7 +97,7 @@ resource "google_compute_subnetwork" "default" {
   network       = google_compute_network.default.id
 }
 
-# Create Google 50 Addresses
+# Create Google 50 Addresses (required for legacy architecture)
 resource "google_compute_address" "default" {
   count        = 50
   project      = google_compute_subnetwork.default.project
@@ -110,7 +110,7 @@ resource "google_compute_address" "default" {
   depends_on = [mongodbatlas_privatelink_endpoint.test]
 }
 
-# Create 50 Forwarding rules
+# Create 50 Forwarding rules (required for legacy architecture)
 resource "google_compute_forwarding_rule" "default" {
   count                 = 50
   target                = mongodbatlas_privatelink_endpoint.test.service_attachment_names[count.index]
@@ -144,20 +144,92 @@ resource "mongodbatlas_privatelink_endpoint_service" "test" {
 
 ```
 
+## Example with GCP (Port-Based Architecture)
+
+The new PSC port-based architecture simplifies setup by requiring only 1 endpoint instead of 50. Enable it by setting `port_mapping_enabled = true` on the endpoint resource.
+
+**Important:** For the new port-based architecture, the `endpoint_service_id` must match the `endpoint_name` in the `endpoints` block. Although the new API ignores the `endpoint_service_id` value, it is still required by the Terraform provider.
+
+```terraform
+resource "mongodbatlas_privatelink_endpoint" "test" {
+  project_id           = var.project_id
+  provider_name        = "GCP"
+  region               = var.gcp_region
+  port_mapping_enabled = true # Enable new PSC port-based architecture
+}
+
+# Create a Google Network
+resource "google_compute_network" "default" {
+  project = var.gcp_project
+  name    = "my-network"
+}
+
+# Create a Google Sub Network
+resource "google_compute_subnetwork" "default" {
+  project       = google_compute_network.default.project
+  name          = "my-subnet"
+  ip_cidr_range = "10.0.0.0/16"
+  region        = var.gcp_region
+  network       = google_compute_network.default.id
+}
+
+# Create Google Address (1 address for new PSC port-based architecture)
+resource "google_compute_address" "default" {
+  project      = google_compute_subnetwork.default.project
+  name         = "tf-test-psc-endpoint"
+  subnetwork   = google_compute_subnetwork.default.id
+  address_type = "INTERNAL"
+  address      = "10.0.42.1"
+  region       = google_compute_subnetwork.default.region
+
+  depends_on = [mongodbatlas_privatelink_endpoint.test]
+}
+
+# Create Forwarding Rule (1 rule for new PSC port-based architecture)
+resource "google_compute_forwarding_rule" "default" {
+  target                = mongodbatlas_privatelink_endpoint.test.service_attachment_names[0]
+  project               = google_compute_address.default.project
+  region                = google_compute_address.default.region
+  name                  = google_compute_address.default.name
+  ip_address            = google_compute_address.default.id
+  network               = google_compute_network.default.id
+  load_balancing_scheme = ""
+}
+
+resource "mongodbatlas_privatelink_endpoint_service" "test" {
+  project_id          = mongodbatlas_privatelink_endpoint.test.project_id
+  private_link_id     = mongodbatlas_privatelink_endpoint.test.private_link_id
+  provider_name       = "GCP"
+  # For port-based architecture, endpoint_service_id must match the endpoint_name
+  endpoint_service_id = google_compute_forwarding_rule.default.name
+  gcp_project_id      = var.gcp_project
+
+  # New PSC port-based architecture requires exactly 1 endpoint
+  endpoints {
+    ip_address    = google_compute_address.default.address
+    endpoint_name = google_compute_forwarding_rule.default.name
+  }
+
+  depends_on = [google_compute_forwarding_rule.default]
+}
+
+```
+
 ### Further Examples
 - [AWS PrivateLink Endpoint and Service](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/aws/cluster)
 - [Azure Private Link Endpoint and Service](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/azure)
-- [GCP Private Service Connect Endpoint and Service](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp)
+- [GCP Private Service Connect Endpoint and Service (Legacy Architecture)](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp)
+- [GCP Private Service Connect Endpoint and Service (Port-Based Architecture)](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp-port-based)
 
 ## Argument Reference
 
 * `project_id` - (Required) Unique identifier for the project.
 * `private_link_id` - (Required) Unique identifier of the `AWS` or `AZURE` PrivateLink connection which is created by `mongodbatlas_privatelink_endpoint` resource.
-* `endpoint_service_id` - (Required) Unique identifier of the interface endpoint you created in your VPC with the `AWS`, `AZURE` or `GCP` resource.
+* `endpoint_service_id` - (Required) Unique identifier of the interface endpoint you created in your VPC with the `AWS`, `AZURE` or `GCP` resource. **Note:** For GCP with the new port-based architecture (when `port_mapping_enabled = true` on the endpoint resource), this value must match the `endpoint_name` in the `endpoints` block. Although the new API ignores this value, it is still required by the Terraform provider.
 * `provider_name` - (Required) Cloud provider for which you want to create a private endpoint. Atlas accepts `AWS`, `AZURE` or `GCP`.
 * `private_endpoint_ip_address` - (Optional) Private IP address of the private endpoint network interface you created in your Azure VNet. Only for `AZURE`.
 * `gcp_project_id` - (Optional) Unique identifier of the GCP project in which you created your endpoints. Only for `GCP`.
-* `endpoints` - (Optional) Collection of individual private endpoints that comprise your endpoint group. Only for `GCP`. See below.
+* `endpoints` - (Optional) Collection of individual private endpoints that comprise your endpoint group. Only for `GCP`. See below. **Note:** For the legacy architecture, 50 endpoints are required. For the new port-based architecture (enabled with `port_mapping_enabled = true` on the endpoint resource), exactly 1 endpoint is required.
 * `timeouts`- (Optional) The duration of time to wait for Private Endpoint Service to be created or deleted. The timeout value is defined by a signed sequence of decimal numbers with a time unit suffix such as: `1h45m`, `300s`, `10m`, etc. The valid time units are:  `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. The default timeout for Private Endpoint create & delete is `2h`. Learn more about timeouts [here](https://www.terraform.io/plugin/sdkv2/resources/retries-and-customizable-timeouts).
 * `delete_on_create_timeout`- (Optional) Indicates whether to delete the resource being created if a timeout is reached when waiting for completion. When set to `true` and timeout occurs, it triggers the deletion and returns immediately without waiting for deletion to complete. When set to `false`, the timeout will not trigger resource deletion. If you suspect a transient error when the value is `true`, wait before retrying to allow resource deletion to finish. Default is `true`.
 
@@ -200,6 +272,7 @@ In addition to all arguments above, the following attributes are exported:
 * `endpoint_group_name` - (Optional) Unique identifier of the endpoint group. The endpoint group encompasses all of the endpoints that you created in GCP.
 * `endpoints` - Collection of individual private endpoints that comprise your network endpoint group.
   * `status` - Status of the endpoint. Atlas returns one of the [values shown above](https://docs.atlas.mongodb.com/reference/api/private-endpoints-endpoint-create-one/#std-label-ref-status-field).
+* `port_mapping_enabled` - Flag that indicates whether this endpoint service uses PSC port-mapping. This is a read-only attribute that reflects the architecture type. When `true`, the endpoint service uses the new PSC port-based architecture (requires 1 endpoint). When `false`, it uses the legacy architecture (requires 50 endpoints). Only applicable for GCP provider.
 
 ## Import
 Private Endpoint Link Connection can be imported using project ID and username, in the format `{project_id}--{private_link_id}--{endpoint_service_id}--{provider_name}`, e.g.

@@ -0,0 +1,100 @@
+# Example with GCP with Port-Based architecture and MongoDB Atlas Private Endpoint
+
+This project demonstrates the **new PSC port-based architecture** for setting up GCP Private Service Connect with MongoDB Atlas, which requires only 1 endpoint.
+
+## Architecture Comparison
+
+| Feature | Legacy Architecture | New Port-Based Architecture |
+|---------|-------------------|---------------------------|
+| Endpoints Required | 50 | 1 |
+| `port_mapping_enabled` | `false` (or omitted) | `true` |
+
+## Dependencies
+
+* Terraform v0.13+
+* Google Cloud account
+* MongoDB Atlas account
+
+```
+Terraform v0.13.0
++ provider registry.terraform.io/hashicorp/google
++ provider registry.terraform.io/terraform-providers/mongodbatlas
+```
+
+## Usage
+
+**1\. Ensure your Google credentials are set up.**
+
+1. Install the GCloud SDK by following the steps from the [official GCP documentation](https://cloud.google.com/sdk/docs/install).
+2. Run the command `gcloud init` and authenticate with GCP.
+3. Once authenticated you will need to select a project to use. After you select a project a success message will appear, see the example below. You are then ready to proceed.
+```
+⇒  gcloud init
+You are logged in as: [user@example.com].
+
+Pick cloud project to use:
+ [1] project1
+ [2] project2
+...
+
+Please enter numeric choice or text value (must exactly match list item): 1
+
+Your Google Cloud SDK is configured and ready to use!
+
+```
+**2\. TFVARS**
+
+Now create **terraform.tfvars** file with all the variable values and make sure **not to commit it**.
+
+An existing cluster on the project can optionally be linked via the `cluster_name` variable.
+If included, the gcp connection string to the cluster will be output.
+
+**3\. Review the Terraform plan.**
+
+Execute the below command and ensure you are happy with the plan.
+
+``` bash
+$ terraform plan
+```
+This project currently does the below deployments:
+
+- MongoDB Atlas GCP Private Endpoint (using new PSC port-based architecture with 1 endpoint)
+- Google resource Compute Network, SubNetwork, Address and Forwarding Rule
+- Google Private Service Connect (PSC)-MongoDB Private Link
+
+**4\. Execute the Terraform apply.**
+
+Now execute the plan to provision the GCP resources.
+
+``` bash
+$ terraform apply
+```
+
+**5\. Destroy the resources.**
+
+Once you are finished your testing, ensure you destroy the resources to avoid unnecessary GCP and Atlas charges.
+
+``` bash
+$ terraform destroy
+```
+
+## Key Differences from Legacy Architecture
+
+The main difference in this example is the `port_mapping_enabled = true` setting on the `mongodbatlas_privatelink_endpoint` resource:
+
+```hcl
+resource "mongodbatlas_privatelink_endpoint" "test" {
+  project_id           = var.project_id
+  provider_name        = "GCP"
+  region               = var.gcp_region
+  port_mapping_enabled = true  # This enables the new architecture
+  # ...
+}
+```
+
+With this setting:
+- Only **1 Google Compute Address** is needed (instead of 50)
+- Only **1 Google Compute Forwarding Rule** is needed (instead of 50)
+- The `endpoints` block in `mongodbatlas_privatelink_endpoint_service` contains exactly **1 endpoint**
+
+For the legacy architecture example (50 endpoints), see the [`gcp/`](../gcp/) directory example.