Skip to content

feat: Adds port_mapping_enabled attribute to privatelink_endpoint and privatelink_endpoint_service #4017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
filipcirtog wants to merge 32 commits into
base: CLOUDP-346617-dev-gcp-port-based
Choose a base branch
from
+641 −85
Open

feat: Adds port_mapping_enabled attribute to privatelink_endpoint and privatelink_endpoint_service #4017

Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
332be39
replace prod SDK with preview SDK for private endpoint/endpoint service
filipcirtog Dec 4, 2025
9175dce
nit: add missing comments
filipcirtog Dec 4, 2025
8a9562f
gcp port routing implementation
filipcirtog Dec 10, 2025
ca4cacf
remove default values
filipcirtog Dec 11, 2025
ed3e818
doc: update resource and data-source attributes
filipcirtog Dec 19, 2025
d6725b9
add test case for disabled new architecture
filipcirtog Dec 22, 2025
7545b99
q: consistency updates
filipcirtog Dec 22, 2025
3752b5a
Merge branch 'CLOUDP-346617-dev-gcp-port-based' into CLOUDP-363082-gc…
filipcirtog Dec 22, 2025
cfb1e0f
changelog
filipcirtog Dec 22, 2025
3a32c9f
q: consistency
filipcirtog Dec 22, 2025
df750a7
q: consistency
filipcirtog Dec 22, 2025
be386c1
add more test cases
filipcirtog Jan 8, 2026
0c9b674
add examples with new architecture
filipcirtog Jan 12, 2026
6d555dc
example updates
filipcirtog Jan 13, 2026
a719ede
update doc
filipcirtog Jan 13, 2026
07cfdb7
doc improvements
filipcirtog Jan 13, 2026
6484466
remove unused azure dependency from examples
filipcirtog Jan 13, 2026
f06647e
code improvements
filipcirtog Jan 22, 2026
5e36067
style fix
filipcirtog Jan 22, 2026
0397c6b
copilot suggestions
filipcirtog Jan 22, 2026
80e3fcb
resolve PR comments
filipcirtog Jan 22, 2026
5f5ef57
fmt fix
filipcirtog Jan 22, 2026
3ab8f39
update docs
filipcirtog Jan 22, 2026
48449c5
revert changes
filipcirtog Jan 22, 2026
4c79e7a
doc additions
filipcirtog Jan 23, 2026
e12b299
remove unnecessary dependson
filipcirtog Jan 23, 2026
993a4bb
PR improvements
filipcirtog Jan 23, 2026
0d3dca5
remove should wording
filipcirtog Jan 23, 2026
4857fe5
add depends on
filipcirtog Jan 23, 2026
7b2d7a7
Merge branch 'CLOUDP-346617-dev-gcp-port-based' into CLOUDP-363082-gc…
filipcirtog Jan 23, 2026
652d1d4
Merge branch 'CLOUDP-346617-dev-gcp-port-based' into CLOUDP-363082-gc…
filipcirtog Jan 23, 2026
75313b9
address pr comments
filipcirtog Jan 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .changelog/4017.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
```release-note:enhancement
resource/mongodbatlas_privatelink_endpoint_service: Adds `port_mapping_enabled` attribute
```

```release-note:enhancement
Copy link
Member

@lantoli lantoli Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the only other resource and ds in Private Endpoint Services group is https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/private_endpoint_regional_mode, can you confirm nothing changes there?

resource/mongodbatlas_privatelink_endpoint: Adds `port_mapping_enabled` attribute
```

```release-note:enhancement
data-source/mongodbatlas_privatelink_endpoint_service: Adds `port_mapping_enabled` attribute
```

```release-note:enhancement
data-source/mongodbatlas_privatelink_endpoint: Adds `port_mapping_enabled` attribute
```
1 change: 1 addition & 0 deletions docs/data-sources/privatelink_endpoint.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,5 +58,6 @@ In addition to all arguments above, the following attributes are exported:
* `endpoint_group_names` - GCP network endpoint groups corresponding to the Private Service Connect endpoint service.
* `region_name` - GCP region for the Private Service Connect endpoint service.
* `service_attachment_names` - Unique alphanumeric and special character strings that identify the service attachments associated with the GCP Private Service Connect endpoint service.
* `port_mapping_enabled` - Flag that indicates whether this endpoint service uses GCP port-mapping. When `true`, the endpoint service uses the new GCP port-based architecture (requires 1 endpoint). When `false`, it uses the legacy architecture. Only applicable for GCP provider.

See [MongoDB Atlas API](https://docs.atlas.mongodb.com/reference/api/private-endpoints-service-get-one/) Documentation for more information.
48 changes: 39 additions & 9 deletions docs/data-sources/privatelink_endpoint_service.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,10 @@ resource "mongodbatlas_privatelink_endpoint_service" "test" {
}

data "mongodbatlas_privatelink_endpoint_service" "test" {
project_id = mongodbatlas_privatelink_endpoint_service.test.project_id
private_link_id = mongodbatlas_privatelink_endpoint_service.test.private_link_id
interface_endpoint_id = mongodbatlas_privatelink_endpoint_service.test.interface_endpoint_id
project_id = mongodbatlas_privatelink_endpoint_service.test.project_id
private_link_id = mongodbatlas_privatelink_endpoint_service.test.private_link_id
endpoint_service_id = mongodbatlas_privatelink_endpoint_service.test.endpoint_service_id
provider_name = "AWS"
}
```

Expand Down Expand Up @@ -71,9 +72,36 @@ resource "mongodbatlas_privatelink_endpoint_service" "test" {
}

data "mongodbatlas_privatelink_endpoint_service" "test" {
project_id = mongodbatlas_privatelink_endpoint_service.test.project_id
private_link_id = mongodbatlas_privatelink_endpoint_service.test.private_link_id
interface_endpoint_id = mongodbatlas_privatelink_endpoint_service.test.interface_endpoint_id
project_id = mongodbatlas_privatelink_endpoint_service.test.project_id
private_link_id = mongodbatlas_privatelink_endpoint_service.test.private_link_id
endpoint_service_id = mongodbatlas_privatelink_endpoint_service.test.endpoint_service_id
provider_name = "AZURE"
}
```

## Example with GCP (Legacy Architecture)

```terraform
data "mongodbatlas_privatelink_endpoint_service" "test" {
project_id = mongodbatlas_privatelink_endpoint_service.test.project_id
private_link_id = mongodbatlas_privatelink_endpoint_service.test.private_link_id
endpoint_service_id = mongodbatlas_privatelink_endpoint_service.test.endpoint_service_id
provider_name = "GCP"
}
```

## Example with GCP (Port-Based Architecture)

The new GCP port-based architecture uses port mapping to reduce resource provisioning. Unlike the legacy architecture that requires dedicated resources for each Atlas node, the new design uses a single set of resources to support up to 1000 nodes through a port mapping network endpoint group (NEG), enabling direct targeting of specific nodes using only one customer IP address. Enable it by setting `port_mapping_enabled = true` on the endpoint resource.

**Important:** For the new port-based architecture, use `endpoint_service_id` (the forwarding rule name) and `private_endpoint_ip_address` (the IP address). The `endpoints` list is no longer used for the new architecture.

```terraform
data "mongodbatlas_privatelink_endpoint_service" "test" {
project_id = mongodbatlas_privatelink_endpoint_service.test.project_id
private_link_id = mongodbatlas_privatelink_endpoint_service.test.private_link_id
endpoint_service_id = mongodbatlas_privatelink_endpoint_service.test.endpoint_service_id
provider_name = "GCP"
}
```

Expand All @@ -84,8 +112,8 @@ data "mongodbatlas_privatelink_endpoint_service" "test" {

* `project_id` - (Required) Unique identifier for the project.
* `private_link_id` - (Required) Unique identifier of the private endpoint service for which you want to retrieve a private endpoint.
* `endpoint_service_id` - (Required) Unique identifier of the `AWS` or `AZURE` or `GCP` resource.
* `provider_name` - (Required) Cloud provider for which you want to create a private endpoint. Atlas accepts `AWS` or `AZURE` or `GCP`.
* `endpoint_service_id` - (Required) Unique identifier of the interface endpoint you created in your VPC with the `AWS`, `AZURE`, or `GCP` resource. For GCP legacy architecture, this can be any identifier string. For GCP port-based architecture (when `port_mapping_enabled = true` on the endpoint resource), this should be the forwarding rule name.
Copy link
Collaborator

@marcosuma marcosuma Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why should? do we need any confirmation to change the wording?

Copy link
Collaborator Author

@filipcirtog filipcirtog Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you! no, this must be the forwarding rule name, I will change the wording

Copy link
Collaborator Author

@filipcirtog filipcirtog Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated. thank you!

* `provider_name` - (Required) Cloud provider for which you want to retrieve a private endpoint. Atlas accepts `AWS`, `AZURE` or `GCP`.

## Attributes Reference

Expand Down Expand Up @@ -118,9 +146,11 @@ In addition to all arguments above, the following attributes are exported:
* `AVAILABLE` - Atlas approved the connection to your private endpoint.
* `FAILED` - Atlas failed to accept the connection your private endpoint.
* `DELETING` - Atlas is removing the connection to your private endpoint from the Private Link service.
* `endpoints` - Collection of individual private endpoints that comprise your network endpoint group.
* `gcp_endpoint_status` - Status of the individual GCP endpoint. Only populated for port-based architecture (when `port_mapping_enabled = true`on the endpoint resource). Returns one of the following values: `INITIATING`, `AVAILABLE`, `FAILED`, `DELETING`.
* `endpoints` - Collection of individual private endpoints that comprise your network endpoint group. Only populated for legacy GCP architecture.
* `endpoint_name` - Forwarding rule that corresponds to the endpoint you created in GCP.
* `ip_address` - Private IP address of the network endpoint group you created in GCP.
* `status` - Status of the endpoint. Atlas returns one of the [values shown above](https://docs.atlas.mongodb.com/reference/api/private-endpoints-endpoint-create-one/#std-label-ref-status-field).
* `port_mapping_enabled` - Flag that indicates whether this endpoint service uses GCP port-mapping. This is a read-only attribute that reflects the architecture type. When `true`, the endpoint service uses the new GCP port-based architecture (requires 1 endpoint). When `false`, it uses the legacy architecture. Only applicable for GCP provider.

See [MongoDB Atlas API](https://docs.atlas.mongodb.com/reference/api/private-endpoints-endpoint-get-one/) Documentation for more information.
6 changes: 4 additions & 2 deletions docs/resources/privatelink_endpoint.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,8 @@ resource "mongodbatlas_privatelink_endpoint" "test" {
### Further Examples
- [AWS PrivateLink Endpoint](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/aws)
- [Azure PrivateLink Endpoint](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/azure)
- [GCP Private Service Connect Endpoint](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp)
- [GCP Private Service Connect Endpoint (Legacy Architecture)](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp)
- [GCP Private Service Connect Endpoint (Port-Based Architecture)](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/v2.2.0/examples/mongodbatlas_privatelink_endpoint/gcp-port-based)

## Argument Reference

Expand All @@ -47,6 +48,7 @@ resource "mongodbatlas_privatelink_endpoint" "test" {
Accepted values are: [AWS regions](https://docs.atlas.mongodb.com/reference/amazon-aws/#amazon-aws), [AZURE regions](https://docs.atlas.mongodb.com/reference/microsoft-azure/#microsoft-azure) and [GCP regions](https://docs.atlas.mongodb.com/reference/google-gcp/#std-label-google-gcp)
* `timeouts`- (Optional) The duration of time to wait for Private Endpoint to be created or deleted. The timeout value is defined by a signed sequence of decimal numbers with a time unit suffix such as: `1h45m`, `300s`, `10m`, etc. The valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. The default timeout for Private Endpoint create & delete is `1h`. Learn more about timeouts [here](https://www.terraform.io/plugin/sdkv2/resources/retries-and-customizable-timeouts).
* `delete_on_create_timeout`- (Optional) Indicates whether to delete the resource being created if a timeout is reached when waiting for completion. When set to `true` and timeout occurs, it triggers the deletion and returns immediately without waiting for deletion to complete. When set to `false`, the timeout will not trigger resource deletion. If you suspect a transient error when the value is `true`, wait before retrying to allow resource deletion to finish. Default is `true`.
* `port_mapping_enabled` - (Optional) Flag that indicates whether this endpoint service uses GCP port-mapping. When set to `true`, enables the new GCP port-based architecture for GCP, which requires only 1 endpoint. Defaults to `false`. Only applicable for GCP provider.

## Attributes Reference

Expand All @@ -65,7 +67,7 @@ GCP:
* `endpoint_group_names` - GCP network endpoint groups corresponding to the Private Service Connect endpoint service.
* `region_name` - GCP region for the Private Service Connect endpoint service.
* `service_attachment_names` - Unique alphanumeric and special character strings that identify the service attachments associated with the GCP Private Service Connect endpoint service. Returns an empty list while Atlas creates the service attachments.
* `status` - Status of the AWS PrivateLink connection or Status of the Azure Private Link Service. Atlas returns one of the following values:
* `status` - Status of the AWS PrivateLink connection or Status of the Azure/GCP Private Link Service. Atlas returns one of the following values:
AWS:
* `AVAILABLE` Atlas is creating the network load balancer and VPC endpoint service.
* `WAITING_FOR_USER` The Atlas network load balancer and VPC endpoint service are created and ready to receive connection requests. When you receive this status, create an interface endpoint to continue configuring the AWS PrivateLink connection.
Expand Down
Loading
Loading