fix: Encryption at rest return inconsistent plan when setting secret access key

[andreaangiolillo]

Description

Ticket: INTMDB-1202
Help Ticket: HELP-50897

The encryption at rest resource returns inconsistent results after apply when the secret access key is provided

--
2023-10-16T16:05:09.424+0100 [ERROR] vertex "mongodbatlas_encryption_at_rest.mongoencrypt" error: Provider produced inconsistent result after apply
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to mongodbatlas_encryption_at_rest.mongoencrypt, provider "provider[\"registry.terraform.io/mongodb/mongodbatlas\"]" produced an unexpected new value: .aws_kms_config[0].secret_access_key: inconsistent
│ values for sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

This PR updates the logic to use the secret_access_key from the state file instead from the API response since the field is not returned.

NOTE

Credentials based authentication is no longer supported by the API, if users try to pass accessKeyID and secretAccessKey for the encryption at rest resource for a new project, they will get the following error

{
    "detail": "Credentials based authentication is no longer supported for AWS KMS.",
    "error": 400,
    "errorCode": "AWS_KMS_CREDENTIALS_AUTH_DEPRECATED",
    "parameters": [],
    "reason": "Bad Request"
}

The Atlas team made the decision to allow customers to keep providing these credentials if the project was already using them to allow them to migrate to the new IAM role-based. As a result, if the user was already providing those credentials, they will still be able to do so. New projects will get the error instead. This is why there are no acceptance tests defined and the terraform documentation does not include a test about it. (code mms/NDSUISvc.java

    // Prevent credentials in a request when creds are not currently
    // in use.  Allow users with creds to keep using them until they switch
    if (!hasExistingCreds && hasCredentialsInRequest) {
      throw new SvcException(NDSErrorCode.AWS_KMS_CREDENTIALS_AUTH_DEPRECATED);
    }

Unfortunately, we cannot deprecate the fields as long as they are supported in the API.

How did I reproduce the issue

I ran Atlas locally and removed the validation in mms/NDSUISvc.java

Type of change:

• Bug fix (non-breaking change which fixes an issue). Please, add the "bug" label to the PR.
• New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR.
• Breaking change (fix or feature that would cause existing functionality to not work as expected). Please, add the "breaking change" label to the PR.
• This change requires a documentation update
• Documentation fix/enhancement

Required Checklist:

• I have signed the MongoDB CLA
• I have read the contribution guidelines
• I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
• I have added any necessary documentation (if appropriate)
• I have run make fmt and formatted my code
• If changes include deprecations or removals, I defined an isolated PR with a relevant title as it will be used in the auto-generated changelog.

Further comments

Next Steps

• I am reaching out to the team owning the API to see if they plan to deprecate the fields for the API

[github-actions]

Package	Line Rate	Health
github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas	2%	❌
github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas/framework/validator	68%	➖
github.com/mongodb/terraform-provider-mongodbatlas/mongodbatlas/util	12%	❌
Summary	3% (271 / 10291)	❌

[AgustinBettati]

Great investigation, LGTM. Would update our terraform migration issues document with this case.