doc: Migration guide to move from API Keys (PAKs) to Service Accounts #4047
Conversation
filipcirtog
changed the base branch from
master
to
CLOUDP-352932-service-accounts-dev
filipcirtog
changed the title
manupedrozo
left a comment
manupedrozo
left a comment
There was a problem hiding this comment.
Good first draft!
Extra comments:
- Did you follow the guide yourself to verify it works as expected?
- It would be great to have supporting examples (for both org and project resources) like: migrate_atlas_user_and_atlas_users
- Note the v1/v2/v3 structure that matches this guide
- Then link to the examples guides from the tf docs
| page_title: "Migration Guide: Programmatic API Keys (PAKs) to Service Accounts (SAs)" | ||
| --- | ||
|
|
||
| **Note:** Migration to Service Accounts is **not required**. If you are currently using `mongodbatlas_api_key`, `mongodbatlas_api_key_project_assignment`, and `mongodbatlas_access_list_api_key` resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security, flexibility, or best practices, but existing PAK configurations will continue to work and are supported. |
There was a problem hiding this comment.
Not sure if flexibility is a pro of SAs vs PAKs.
| **Note:** Migration to Service Accounts is **not required**. If you are currently using `mongodbatlas_api_key`, `mongodbatlas_api_key_project_assignment`, and `mongodbatlas_access_list_api_key` resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security, flexibility, or best practices, but existing PAK configurations will continue to work and are supported. | |
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and are supported. |
|
|
||
| # Migration Guide: Programmatic API Keys (PAKs) to Service Accounts (SAs) | ||
|
|
||
| The goal of this guide is to help users transition from Programmatic API Keys (PAKs) to Service Accounts (SAs) in MongoDB Atlas. Service Accounts provide a more secure and flexible authentication method that eliminates the need to manage API key secrets in Terraform state. |
There was a problem hiding this comment.
"Service Accounts provide a more secure and flexible authentication method" - Not sure how SAs are more flexible
"Service Accounts provide a more secure and flexible authentication method that eliminates the need to manage API key secrets in Terraform state" - But we now have to manage SAs instead of PAKs, so wouldn't include this as an upside.
Take a look at the docs for the advantage of SAs over PAKs: Service accounts are the recommended method to manage authentication to the Atlas Administration API. Service accounts provide improved security over API keys by using the industry standard OAuth 2.0 protocol with the Client Credentials flow.
|
|
||
| | PAK Resource | Service Account Resource | Notes | | ||
| |--------------|-------------------------|-------| | ||
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level key/account | |
There was a problem hiding this comment.
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level key/account | | |
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | API key / Service Account | |
| resource "mongodbatlas_api_key_project_assignment" "example" { | ||
| project_id = var.project_id | ||
| api_key_id = mongodbatlas_api_key.example.api_key_id | ||
| roles = ["GROUP_OWNER", "GROUP_DATA_ACCESS_ADMIN"] |
There was a problem hiding this comment.
Just for clarity, wouldn't mix GROUP_OWNER with other roles since owner already contains other roles. Maybe go with ["GROUP_READ_ONLY", "GROUP_DATA_ACCESS_READ_ONLY"].
| resource "mongodbatlas_access_list_api_key" "example" { | ||
| org_id = var.org_id | ||
| api_key_id = mongodbatlas_api_key.example.api_key_id | ||
| cidr_block = "192.168.1.0/24" |
There was a problem hiding this comment.
Matching the alternative to avoid confusion (also in other occurrences)
| cidr_block = "192.168.1.0/24" | |
| cidr_block = "192.168.1.100/32" |
|
|
||
| ## Stage 2: Intermediate State (Both PAK and SA Resources) | ||
|
|
||
| In this stage, you'll add Service Account resources alongside your existing PAK resources. This allows both authentication methods to work simultaneously, enabling you to test Service Accounts before removing PAKs. |
There was a problem hiding this comment.
| In this stage, you'll add Service Account resources alongside your existing PAK resources. This allows both authentication methods to work simultaneously, enabling you to test Service Accounts before removing PAKs. | |
| In this stage, you will add Service Account resources alongside your existing PAK resources. This allows both authentication methods to work simultaneously, enabling you to test Service Accounts before removing PAKs. |
|
|
||
| 4. Run `terraform plan` to review the changes. | ||
| 5. Run `terraform apply` to create the Service Account resources. | ||
| 6. **Important**: Save the Service Account secret from the output. When a Service Account is created, a secret is automatically generated. The secret value is only returned once at creation time. |
There was a problem hiding this comment.
- The output block should be added together with the service account before running
applyin step 4 - I think we can remove the datasources
manupedrozo
left a comment
manupedrozo
left a comment
There was a problem hiding this comment.
Thanks for the iteration, I think its in much better shape now!
Left more comments - Its ready to share with the docs team as well.
| ## Overview | ||
|
|
||
| Service Accounts are the recommended method to manage authentication to the Atlas Administration API. Service Accounts provide improved security over API keys by using the industry standard OAuth 2.0 protocol with the Client Credentials flow. This guide covers migrating from Programmatic API Keys (PAKs) to Service Accounts (SAs) in MongoDB Atlas. | ||
|
|
||
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and are supported. | ||
|
|
There was a problem hiding this comment.
Suggesting the following. Would like to get docs team input here:
| ## Overview | |
| Service Accounts are the recommended method to manage authentication to the Atlas Administration API. Service Accounts provide improved security over API keys by using the industry standard OAuth 2.0 protocol with the Client Credentials flow. This guide covers migrating from Programmatic API Keys (PAKs) to Service Accounts (SAs) in MongoDB Atlas. | |
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and are supported. | |
| ## Overview | |
| This guide explains how to migrate from Programmatic API Key (PAK) resources to Service Account (SA) resources. | |
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and be supported. | |
There was a problem hiding this comment.
Updated. Thank you!
|
|
||
| | PAK Resource | Service Account Resource | Notes | | ||
| |--------------|-------------------------|-------| | ||
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level API key / Service Account | |
There was a problem hiding this comment.
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level API key / Service Account | | |
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | API key / Service Account | |
There was a problem hiding this comment.
Updated. Thank you!
|
|
||
| ### Step 1: Initial State - PAK Resources Only | ||
|
|
||
| This is your starting configuration with organization-level PAK resources (org PAK + assignment to project + access list entry): |
There was a problem hiding this comment.
| This is your starting configuration with organization-level PAK resources (org PAK + assignment to project + access list entry): | |
| Original configuration with organization-level PAK resources: |
There was a problem hiding this comment.
Updated. Thank you!
|
|
||
| For complete working examples, see the [organization-level migration example](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/migrate_pak_to_service_account/org_level). | ||
|
|
||
| ### Step 1: Initial State - PAK Resources Only |
There was a problem hiding this comment.
| ### Step 1: Initial State - PAK Resources Only | |
| ### Step 1: Initial Configuration - PAK Resources Only |
There was a problem hiding this comment.
Updated. Thank you!
| This is your starting configuration with organization-level PAK resources (org PAK + assignment to project + access list entry): | ||
|
|
||
| ```terraform | ||
| # Organization-level Programmatic API Key |
There was a problem hiding this comment.
I think we can avoid repeating "organization-level" so often. Should be clear since we are in the "Organization-Level API Keys to Service Accounts" section.
Changing the api key description to not say "for project access" may help.
There was a problem hiding this comment.
Updated. Thank you!
|
|
||
| --- | ||
|
|
||
| - **Important:** The Service Account secret is only returned once at creation time. Make sure to save it securely before proceeding. |
There was a problem hiding this comment.
Bit out of place, I think you can remove
There was a problem hiding this comment.
Updated! Thank you!
| <details> | ||
| <summary><span style="font-size:1.4em; font-weight:bold;">Project-Level Migration</span></summary> | ||
|
|
||
| ## Project-Level API Keys to Service Accounts |
There was a problem hiding this comment.
Assume same comments as for Org-level steps
There was a problem hiding this comment.
Updated! Thank you!
| @@ -0,0 +1,9 @@ | |||
| terraform { | |||
| required_version = ">= 1.7.0" | |||
There was a problem hiding this comment.
Updated! Thank you!
| description = "The secret value of the first secret created with the service account. Only available after initial creation." | ||
| value = try(mongodbatlas_service_account.example.secrets[0].secret, null) | ||
| sensitive = true | ||
| } No newline at end of file |
There was a problem hiding this comment.
Updated! Thank you!
| @@ -0,0 +1,19 @@ | |||
| # Combined Example: Organization-Level PAK → Service Account | |||
There was a problem hiding this comment.
Given that we don't have readmes with instructions in the subfolders, I suggest following this style of readme here instead: examples/migrate_atlas_user_and_atlas_users/README.md
|
APIx bot: a message has been sent to Docs Slack channel |
There was a problem hiding this comment.
Pull request overview
This PR adds a comprehensive migration guide to help users transition from Personal Access Keys (PAKs) to Service Accounts (SAs). The guide provides step-by-step instructions with working code examples demonstrating the migration path.
Changes:
- Added migration guide documentation explaining the PAK to SA transition process
- Created organization-level migration examples showing three states: PAK only, PAK+SA coexistence, and SA only
- Created project-level migration examples with the same three-state approach
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/guides/migrate-pak-to-service-account.md | Main migration guide with detailed instructions and code examples for both org-level and project-level migrations |
| examples/migrate_pak_to_service_account/org_level/README.md | Documentation for organization-level migration example |
| examples/migrate_pak_to_service_account/org_level/v1/* | Initial state example showing PAK resources only at org level |
| examples/migrate_pak_to_service_account/org_level/v2/* | Intermediate state showing PAK and SA resources coexisting at org level |
| examples/migrate_pak_to_service_account/org_level/v3/* | Final state showing SA resources only at org level |
| examples/migrate_pak_to_service_account/project_level/README.md | Documentation for project-level migration example |
| examples/migrate_pak_to_service_account/project_level/v1/* | Initial state example showing PAK resources only at project level |
| examples/migrate_pak_to_service_account/project_level/v2/* | Intermediate state showing PAK and SA resources coexisting at project level |
| examples/migrate_pak_to_service_account/project_level/v3/* | Final state showing SA resources only at project level |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 29 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| ## Overview | ||
|
|
||
| This guide explains how to migrate from Programmatic API Key (PAK) resources to Service Account (SA) resources. |
There was a problem hiding this comment.
nit: i'd add a clarification like to use them as authentication mechanism, see more info in: https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/guides/provider-configuration
|
|
||
| This guide explains how to migrate from Programmatic API Key (PAK) resources to Service Account (SA) resources. | ||
|
|
||
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and be supported. |
There was a problem hiding this comment.
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and be supported. | |
| **Note:** Migration to Service Accounts is recommended but **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and be supported. |
There was a problem hiding this comment.
updated! thank you!
| <details> | ||
| <summary><span style="font-size:1.4em; font-weight:bold;">Organization-Level Migration</span></summary> | ||
|
|
||
| ## Organization-Level API Keys to Service Accounts |
There was a problem hiding this comment.
[nit] Would it make sense to use L3 headings for everything within this section? (Right sub headings are all L2)
There was a problem hiding this comment.
updated! thank you!
erabil-mdb
left a comment
erabil-mdb
left a comment
There was a problem hiding this comment.
LGTM! (+ small suggestion)
|
|
||
| - **Backup your Terraform state file** before making any changes. | ||
| - **Test the process in a non-production environment** if possible. | ||
| - **Secrets handling** - Managing Service Accounts with Terraform will expose sensitive organizational secrets in Terraform's state. We suggest following [Terraform's best practices](https://developer.hashicorp.com/terraform/language/state/sensitive-data). |
There was a problem hiding this comment.
Just a suggestion for smoother reading:
| - **Secrets handling** - Managing Service Accounts with Terraform will expose sensitive organizational secrets in Terraform's state. We suggest following [Terraform's best practices](https://developer.hashicorp.com/terraform/language/state/sensitive-data). | |
| - Managing Service Accounts with Terraform **exposes sensitive organizational secrets** in Terraform's state. We suggest following [Terraform's best practices](https://developer.hashicorp.com/terraform/language/state/sensitive-data). |
There was a problem hiding this comment.
updated! thank you!
There was a problem hiding this comment.
I think you missed the removal of **Secrets handling** - .
Can you also update this in the secrets rotation guide to keep consistency? Ty!
There was a problem hiding this comment.
updated. thank you! will update that guide in the next doc PR (soon) as I would need to rebase this one and it is not worth the effort.
manupedrozo
left a comment
manupedrozo
left a comment
There was a problem hiding this comment.
Great work! Thanks for iterating and addressing comments.
Good on my side, still a few comments from others.
|
|
||
| ### Step 2: Intermediate State - Add Service Account Resources Alongside Existing PAK Resources | ||
|
|
||
| Add the Service Account resources to your configuration while keeping the existing PAK resources. This allows both authentication methods to work simultaneously, enabling you to test Service Accounts before removing PAKs. |
There was a problem hiding this comment.
I think the statement "allows both authentication methods to work simultaneously" is not true, both SA and PAK exist simultaneously, but are not used simultaneously.
There was a problem hiding this comment.
I was thinking on the case of using SA/PAKs as the authentication method for the MongoDB Atlas Terraform Provider, but in the cases of other applications/tools, the statement can be true. Feel free to ignore the previous comment
| terraform output -raw service_account_first_secret | ||
| ``` | ||
|
|
||
| 4. Test your Service Account in your applications and verify that both PAK and SA authentication methods work correctly. |
There was a problem hiding this comment.
should we explain how that would look like in the case of switching the auth method of the TF provider from PAK to SA? something similar to https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/guides/provider-configuration#programmatic-access-key warning block where we say Update your provider attributes or environment variables to use SA credentials instead of PAK credentials, then run terraform plan to verify everything works correctly.
I say this because the guide is generic in terms of the application that uses the PAK/SA, but I think the main use case we want to enable is the TF provider authentication
There was a problem hiding this comment.
A previous iteration mentioned this. I suggested to remove it to avoid confusion and mention only "your applications".
For example: If the user were to change the provider credentials in this same config, they would not have permissions to re-apply as the SA has only ORG_MEMBER role.
I think it makes sense for the credentials used for provider authentication in a particular configuration to be managed outside of that same configuration.
There was a problem hiding this comment.
I think we should cover the end to end case of using the new SA resource sand switching from PAK to SA as the auth method, since it's the main problem we are trying to solve by implementing these resources in TF
There was a problem hiding this comment.
I am on board on including a link to the SA authentication registry page to reference how it is used but I would be careful to add it as a step here given the previous comment:
I think it makes sense for the credentials used for provider authentication in a particular configuration to be managed outside of that same configuration.
Do we know of PAK users authenticating with a PAK that is managed within the same configuration? I don't think we should be recommending this approach (can lock yourself out).
There was a problem hiding this comment.
I am not saying to recommend the approach of using PAKs created in a configuration as the auth mechanism within the same configuration, but I would like to have in this guide the case of switching from PAK to SA as the auth mechanism of the TF provider, which is the main use case we want to enable, even if the SA/PAK is created in one configuration and used as auth in another. Hope that makes sense
There was a problem hiding this comment.
Yes that makes sense. @filipcirtog can you mention this in the guide and include a link to the provider configuration guide with SA?
https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/guides/provider-configuration
There was a problem hiding this comment.
Thank you for the suggestions. I have added some notes on this. Please let me know WDY.
| This guide explains how to migrate from Programmatic API Key (PAK) resources to Service Account (SA) resources. | ||
| This guide explains how to migrate from Programmatic API Key (PAK) resources to Service Account (SA) resources managed by Terraform. | ||
|
|
||
| **Important:** The steps in this guide are for migrating Terraform-managed PAK and SA resources (e.g., `mongodbatlas_api_key`, `mongodbatlas_service_account`). This guide does **not** cover switching the Terraform provider authentication method from PAK to SA. For information on configuring the provider to authenticate using Service Accounts instead of Programmatic Access Keys, see the [Provider Configuration guide](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/guides/provider-configuration). |
There was a problem hiding this comment.
Its a bit confusing that we mention here that This guide does **not** cover switching the Terraform provider authentication method but then we have a ## Switching Terraform Provider Authentication section.
I think we can remove this or change the wording to something like: "If you are looking to change the provider authentication method, refer to ..."
There was a problem hiding this comment.
updated. thanks!
|
|
||
| --- | ||
|
|
||
| ## Switching Terraform Provider Authentication |
There was a problem hiding this comment.
| ## Switching Terraform Provider Authentication | |
| ## Switching the Provider Authentication Method |
There was a problem hiding this comment.
updated. thanks!
|
|
||
| For detailed instructions on configuring Service Account authentication for the provider, see the [Provider Configuration guide](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/guides/provider-configuration). | ||
|
|
||
| **Note:** The Service Account used for provider authentication can be created in a separate Terraform configuration or managed outside of Terraform. It's recommended to manage provider authentication credentials separately from the resources they manage to avoid potential lockout scenarios. |
There was a problem hiding this comment.
| **Note:** The Service Account used for provider authentication can be created in a separate Terraform configuration or managed outside of Terraform. It's recommended to manage provider authentication credentials separately from the resources they manage to avoid potential lockout scenarios. | |
| **Note:** The Service Account used for provider authentication should be created in a separate Terraform configuration or managed outside of Terraform. It is recommended to manage provider authentication credentials separately from the resources they manage to avoid potential lockout scenarios. |
There was a problem hiding this comment.
updated. thanks!
|
|
||
| ## Switching Terraform Provider Authentication | ||
|
|
||
| After migrating your Terraform-managed resources from PAK to SA, you may also want to switch the Terraform provider authentication method from PAK to SA. This is a common use case for migrating to Service Accounts. |
There was a problem hiding this comment.
| After migrating your Terraform-managed resources from PAK to SA, you may also want to switch the Terraform provider authentication method from PAK to SA. This is a common use case for migrating to Service Accounts. | |
| After migrating your Terraform-managed resources from PAK to SA, you may also want to switch the Terraform provider authentication method. |
There was a problem hiding this comment.
updated. thanks!
…ev' into CLOUDP-352932-service-accounts-dev-migration-guide
…service-accounts-dev-migration-guide
|
Thanks for addressing the comments! LGTM |
| service_account_name = "example-service-account" | ||
| secret_expires_after_hours = 2160 # 90 days |
There was a problem hiding this comment.
| service_account_name = "example-service-account" | |
| secret_expires_after_hours = 2160 # 90 days | |
| service_account_name = "example-service-account" | |
| secret_expires_after_hours = 2160 # 90 days |
There was a problem hiding this comment.
updated! thanks!
| ```terraform | ||
| project_service_account_name = "example-project-service-account" | ||
| secret_expires_after_hours = 2160 # 90 days | ||
| ``` |
There was a problem hiding this comment.
| ```terraform | |
| project_service_account_name = "example-project-service-account" | |
| secret_expires_after_hours = 2160 # 90 days | |
| ``` | |
| ```terraform | |
| project_service_account_name = "example-project-service-account" | |
| secret_expires_after_hours = 2160 # 90 days |
There was a problem hiding this comment.
updated! thanks!
…service-accounts-dev-migration-guide
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 38 out of 38 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
filipcirtog
merged commit 88668b5
into
CLOUDP-352932-service-accounts-dev
filipcirtog
deleted the
CLOUDP-352932-service-accounts-dev-migration-guide
branch
* feat: Adds the mongodbatlas_service_account resource and data-source/s (#4018) * Add mongodbatlas_service_account_secret resource and datasource (#4027) * feat: Add mongodbatlas_service_account_project_assignment resource and datasources (#4030) * Add service_account_project_assignment test with multiple assignments (#4032) * Add service_account_access_list_entry resource and datasources (#4037) * Add project_service_account resource and datasources (#4038) * doc: Add service_account resource and datasources docs (#4039) * Add service_account_project_assignment resource and datasources docs (#4040) * feat: Add project_service_account_secret resource and datasource (#4041) * Service Account secret rotation guide (#4050) * doc: Add service_account_secret & project_service_account_secret resource and datasource docs (#4051) * feat: Add `project_service_account_access_list_entry` resource and datasources (#4060) * project_service_account_access_list_entry resource, data source and plural data source implementation * add changelog and CI tests * fix test * address PR comments * Bump sdk in dev branch (#4069) * doc: Add Documentation for `mongodbatlas_service_account_access_list_entry` and `mongodbatlas_project_service_account_access_list_entry` resources, singular data-sources, and plural data-sources (#4071) * doc additions * ensure consistency across docs * improve prerequisites wording * ensure format consistency * fix mutation fail * fix ci * fix fmt * fix mutation fail * docs improvements * fix examples fmt * fix mutation fail * feedback improvements * doc: Add `project_service_account` resource and datasources docs (#4066) * doc additions * docs improvements * group important notes togather * docs improvements * feedback improvements * wording improvements * doc: Migration guide to move from API Keys (PAKs) to Service Accounts (#4047) * add migration guide * refactoring + examples * remove boilerplate text * nit: ensure consistency between the org and project guides * address PR comments * ensure EOL consistency * address PR comment * address copilot consistency comments * ensure spacing consistency * consistency fixes * implement PR suggestions * nit * addition of terraform auth note * feedback improvements * update secret handling guide with working improvement * format improvements * consistency improvements * fix: Ensure consistency between `service_account_secret` and `project_service_account_secret` resources and DSs (#4081) * consistency improvements * feedback improvements * chore: Add flag to overwrite lists state in autogen unmarshalling (#4086) * Test runner reorder --------- Co-authored-by: Filip Cirtog <filip.cirtog@mongodb.com> Co-authored-by: svc-apix-bot <svc-api-experience-integrations-escalation@mongodb.com>
* feat: Adds the mongodbatlas_service_account resource and data-source/s (#4018) * Add mongodbatlas_service_account_secret resource and datasource (#4027) * feat: Add mongodbatlas_service_account_project_assignment resource and datasources (#4030) * Add service_account_project_assignment test with multiple assignments (#4032) * Add service_account_access_list_entry resource and datasources (#4037) * Add project_service_account resource and datasources (#4038) * doc: Add service_account resource and datasources docs (#4039) * Add service_account_project_assignment resource and datasources docs (#4040) * feat: Add project_service_account_secret resource and datasource (#4041) * Service Account secret rotation guide (#4050) * doc: Add service_account_secret & project_service_account_secret resource and datasource docs (#4051) * feat: Add `project_service_account_access_list_entry` resource and datasources (#4060) * project_service_account_access_list_entry resource, data source and plural data source implementation * add changelog and CI tests * fix test * address PR comments * Bump sdk in dev branch (#4069) * doc: Add Documentation for `mongodbatlas_service_account_access_list_entry` and `mongodbatlas_project_service_account_access_list_entry` resources, singular data-sources, and plural data-sources (#4071) * doc additions * ensure consistency across docs * improve prerequisites wording * ensure format consistency * fix mutation fail * fix ci * fix fmt * fix mutation fail * docs improvements * fix examples fmt * fix mutation fail * feedback improvements * doc: Add `project_service_account` resource and datasources docs (#4066) * doc additions * docs improvements * group important notes togather * docs improvements * feedback improvements * wording improvements * doc: Migration guide to move from API Keys (PAKs) to Service Accounts (#4047) * add migration guide * refactoring + examples * remove boilerplate text * nit: ensure consistency between the org and project guides * address PR comments * ensure EOL consistency * address PR comment * address copilot consistency comments * ensure spacing consistency * consistency fixes * implement PR suggestions * nit * addition of terraform auth note * feedback improvements * update secret handling guide with working improvement * format improvements * consistency improvements * fix: Ensure consistency between `service_account_secret` and `project_service_account_secret` resources and DSs (#4081) * consistency improvements * feedback improvements * chore: Add flag to overwrite lists state in autogen unmarshalling (#4086) * Test runner reorder --------- Co-authored-by: Filip Cirtog <filip.cirtog@mongodb.com> Co-authored-by: svc-apix-bot <svc-api-experience-integrations-escalation@mongodb.com>
Description
This PR adds a migration guide to help users transition from Personal Access Keys (PAKs) to Service Accounts (SAs). The guide includes:
This guide includes:
Furthermore, examples are provided in
examples/migrate_pak_to_service_account/:Organization-level examples (
org_level/):v1/: Initial PAK configurationv2/: Intermediate state with both PAK and SA resourcesv3/: Final state with SA resources onlyREADME.md: Usage instructions and prerequisitesProject-level examples (
project_level/):v1/: Initial PAK configurationv2/: Intermediate state with both PAK and SA resourcesv3/: Final state with SA resources onlyREADME.md: Usage instructions and prerequisitesNote: The PR build currently fails due to a missing resource still under development. This will be then tested to confirm that everything works as expected.
We are seeking feedback on the guide content itself, specifically its clarity Thank you!
Link to any related issue(s): CLOUDP-369989
Type of change:
Required Checklist:
Further comments