feat: Adds atlas Organization New Parameters Support

examples/mongodbatlas_organization/organization-step-1/main.tf

@@ -1,8 +1,11 @@
 resource "mongodbatlas_organization" "test" {
-  org_owner_id = var.org_owner_id
-  name         = "testCreateORG"
-  description  = "test API key from Org Creation Test"
-  role_names   = ["ORG_OWNER"]
+  org_owner_id               = var.org_owner_id
+  name                       = "testCreateORG"
+  description                = "test API key from Org Creation Test"
+  role_names                 = ["ORG_OWNER"]
+  multi_factor_auth_required = true
+  restrict_employee_access   = true
+  api_access_list_required   = false
 }
 
 output "org_id" {

internal/common/constant/access_level.go

@@ -0,0 +1,5 @@
+package constant
+
+const (
+	OrgOwner = "ORG_OWNER"
+)

internal/service/organization/data_source_organization.go

@@ -42,6 +42,18 @@ func DataSource() *schema.Resource {
 					},
 				},
 			},
+			"api_access_list_required": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"multi_factor_auth_required": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"restrict_employee_access": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -69,6 +81,20 @@ func dataSourceMongoDBAtlasOrganizationRead(ctx context.Context, d *schema.Resou
 		return diag.FromErr(fmt.Errorf("error setting `is_deleted`: %s", err))
 	}
 
+	settings, _, err := conn.OrganizationsApi.GetOrganizationSettings(ctx, orgID).Execute()
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error getting organization settings: %s", err))
+	}
+	if err := d.Set("api_access_list_required", settings.ApiAccessListRequired); err != nil {
+		return diag.Errorf("error setting `api_access_list_required` for organization (%s): %s", orgID, err)
+	}
+	if err := d.Set("multi_factor_auth_required", settings.MultiFactorAuthRequired); err != nil {
+		return diag.Errorf("error setting `multi_factor_auth_required` for organization (%s): %s", orgID, err)
+	}
+	if err := d.Set("restrict_employee_access", settings.RestrictEmployeeAccess); err != nil {
+		return diag.Errorf("error setting `restrict_employee_access` for organization (%s): %s", orgID, err)
+	}
+
 	d.SetId(organization.GetId())
 
 	return nil

internal/service/organization/data_source_organization_test.go

@@ -6,21 +6,26 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/testutil/acc"
 )
 
 func TestAccConfigDSOrganization_basic(t *testing.T) {
 	var (
-		orgID = os.Getenv("MONGODB_ATLAS_ORG_ID")
+		orgID          = os.Getenv("MONGODB_ATLAS_ORG_ID")
+		datasourceName = "data.mongodbatlas_organization.test"
 	)
 	resource.ParallelTest(t, resource.TestCase{
 		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
 		Steps: []resource.TestStep{
 			{
 				Config: testAccMongoDBAtlasOrganizationConfigWithDS(orgID),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttrSet("data.mongodbatlas_organization.test", "name"),
-					resource.TestCheckResourceAttrSet("data.mongodbatlas_organization.test", "id"),
+					resource.TestCheckResourceAttrSet(datasourceName, "name"),
+					resource.TestCheckResourceAttrSet(datasourceName, "id"),
+					resource.TestCheckResourceAttrSet(datasourceName, "restrict_employee_access"),
+					resource.TestCheckResourceAttrSet(datasourceName, "multi_factor_auth_required"),
+					resource.TestCheckResourceAttrSet(datasourceName, "api_access_list_required"),
 				),
 			},
 		},

internal/service/organization/data_source_organizations.go

@@ -3,6 +3,7 @@ package organization
 import (
 	"context"
 	"fmt"
+	"log"
 
 	"go.mongodb.org/atlas-sdk/v20231115003/admin"
 
@@ -26,7 +27,7 @@ func PluralDataSource() *schema.Resource {
 			"include_deleted_orgs": {
 				Type:       schema.TypeBool,
 				Optional:   true,
-				Deprecated: fmt.Sprintf(constant.DeprecationParamByDate, "January 2025"),
+				Deprecated: fmt.Sprintf(constant.DeprecationParamByVersion, "1.16.0"),
 			},
 			"page_num": {
 				Type:     schema.TypeInt,
@@ -69,6 +70,18 @@ func PluralDataSource() *schema.Resource {
 								},
 							},
 						},
+						"api_access_list_required": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"multi_factor_auth_required": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"restrict_employee_access": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
 					},
 				},
 			},
@@ -96,7 +109,7 @@ func dataSourceMongoDBAtlasOrganizationsRead(ctx context.Context, d *schema.Reso
 		return diag.FromErr(fmt.Errorf("error getting organization information: %s", err))
 	}
 
-	if err := d.Set("results", flattenOrganizations(organizations.GetResults())); err != nil {
+	if err := d.Set("results", flattenOrganizations(ctx, conn, organizations.GetResults())); err != nil {
 		return diag.FromErr(fmt.Errorf("error setting `results`: %s", err))
 	}
 
@@ -123,7 +136,7 @@ func flattenOrganizationLinks(links []admin.Link) []map[string]any {
 	return linksList
 }
 
-func flattenOrganizations(organizations []admin.AtlasOrganization) []map[string]any {
+func flattenOrganizations(ctx context.Context, conn *admin.APIClient, organizations []admin.AtlasOrganization) []map[string]any {
 	var results []map[string]any
 
 	if len(organizations) == 0 {
@@ -133,11 +146,19 @@ func flattenOrganizations(organizations []admin.AtlasOrganization) []map[string]
 	results = make([]map[string]any, len(organizations))
 
 	for k, organization := range organizations {
+		settings, _, err := conn.OrganizationsApi.GetOrganizationSettings(ctx, *organization.Id).Execute()
+		if err != nil {
+			log.Printf("[WARN] Error getting organization settings (organization ID: %s): %s", *organization.Id, err)
+		}
+
 		results[k] = map[string]any{
-			"id":         organization.Id,
-			"name":       organization.Name,
-			"is_deleted": organization.IsDeleted,
-			"links":      flattenOrganizationLinks(organization.GetLinks()),
+			"id":                         organization.Id,
+			"name":                       organization.Name,
+			"is_deleted":                 organization.IsDeleted,
+			"links":                      flattenOrganizationLinks(organization.GetLinks()),
+			"api_access_list_required":   settings.ApiAccessListRequired,
+			"multi_factor_auth_required": settings.MultiFactorAuthRequired,
+			"restrict_employee_access":   settings.RestrictEmployeeAccess,
 		}
 	}
 

internal/service/organization/data_source_organizations_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/testutil/acc"
 )
 
@@ -21,6 +22,9 @@ func TestAccConfigDSOrganizations_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet(datasourceName, "results.#"),
 					resource.TestCheckResourceAttrSet(datasourceName, "results.0.name"),
 					resource.TestCheckResourceAttrSet(datasourceName, "results.0.id"),
+					resource.TestCheckResourceAttrSet(datasourceName, "results.0.restrict_employee_access"),
+					resource.TestCheckResourceAttrSet(datasourceName, "results.0.multi_factor_auth_required"),
+					resource.TestCheckResourceAttrSet(datasourceName, "results.0.api_access_list_required"),
 				),
 			},
 		},

internal/service/organization/resource_organization.go

@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/mwielbut/pointy"
 
+	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/constant"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/common/conversion"
 	"github.com/mongodb/terraform-provider-mongodbatlas/internal/config"
 )
@@ -61,11 +62,30 @@ func Resource() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"api_access_list_required": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
+			"multi_factor_auth_required": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
+			"restrict_employee_access": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
 		},
 	}
 }
 
 func resourceMongoDBAtlasOrganizationCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	if err := ValidateAPIKeyIsOrgOwner(conversion.ExpandStringList(d.Get("role_names").(*schema.Set).List())); err != nil {
+		return diag.FromErr(err)
+	}
+
 	conn := meta.(*config.MongoDBClient).AtlasV2
 	organization, resp, err := conn.OrganizationsApi.CreateOrganization(ctx, newCreateOrganizationRequest(d)).Execute()
 	if err != nil {
@@ -74,7 +94,30 @@ func resourceMongoDBAtlasOrganizationCreate(ctx context.Context, d *schema.Resou
 			return nil
 		}
 
-		return diag.FromErr(fmt.Errorf("error create Organization: %s", err))
+		return diag.FromErr(fmt.Errorf("error creating Organization: %s", err))
+	}
+
+	orgID := organization.Organization.GetId()
+
+	// update settings using new keys for this created organization because
+	// the provider/requesting API keys are not applicable for performing updates/delete for this new organization
+	cfg := config.Config{
+		PublicKey:  *organization.ApiKey.PublicKey,
+		PrivateKey: *organization.ApiKey.PrivateKey,
+		BaseURL:    meta.(*config.MongoDBClient).Config.BaseURL,
+	}
+
+	clients, _ := cfg.NewClient(ctx)
+	conn = clients.(*config.MongoDBClient).AtlasV2
+
+	_, _, errUpdate := conn.OrganizationsApi.UpdateOrganizationSettings(ctx, orgID, newOrganizationSettings(d)).Execute()
+	if errUpdate != nil {
+		if _, _, err := conn.OrganizationsApi.DeleteOrganization(ctx, orgID).Execute(); err != nil {
+			d.SetId("")
+			return diag.FromErr(fmt.Errorf("an error occurred when updating Organization settings: %s.\n Unable to delete organization, there may be dangling resources: %s", errUpdate.Error(), err.Error()))
+		}
+		d.SetId("")
+		return diag.FromErr(fmt.Errorf("an error occurred when updating Organization settings: %s", err))
 	}
 
 	if err := d.Set("private_key", organization.ApiKey.GetPrivateKey()); err != nil {
@@ -119,6 +162,26 @@ func resourceMongoDBAtlasOrganizationRead(ctx context.Context, d *schema.Resourc
 		}
 		return diag.FromErr(fmt.Errorf("error reading organization information: %s", err))
 	}
+
+	if err := d.Set("name", organization.Name); err != nil {
+		return diag.Errorf("error setting `name` for organization (%s): %s", *organization.Id, err)
+	}
+
+	settings, _, err := conn.OrganizationsApi.GetOrganizationSettings(ctx, orgID).Execute()
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("error reading organization settings: %s", err))
+	}
+
+	if err := d.Set("api_access_list_required", settings.ApiAccessListRequired); err != nil {
+		return diag.Errorf("error setting `api_access_list_required` for organization (%s): %s", orgID, err)
+	}
+	if err := d.Set("multi_factor_auth_required", settings.MultiFactorAuthRequired); err != nil {
+		return diag.Errorf("error setting `multi_factor_auth_required` for organization (%s): %s", orgID, err)
+	}
+	if err := d.Set("restrict_employee_access", settings.RestrictEmployeeAccess); err != nil {
+		return diag.Errorf("error setting `restrict_employee_access` for organization (%s): %s", orgID, err)
+	}
+
 	d.SetId(conversion.EncodeStateID(map[string]string{
 		"org_id": organization.GetId(),
 	}))
@@ -143,9 +206,16 @@ func resourceMongoDBAtlasOrganizationUpdate(ctx context.Context, d *schema.Resou
 		updateRequest.Name = d.Get("name").(string)
 		_, _, err := conn.OrganizationsApi.RenameOrganization(ctx, orgID, updateRequest).Execute()
 		if err != nil {
-			return diag.FromErr(fmt.Errorf("error updating Organization: %s", err))
+			return diag.FromErr(fmt.Errorf("error updating Organization name: %s", err))
+		}
+	}
+
+	if d.HasChange("api_access_list_required") || d.HasChange("multi_factor_auth_required") || d.HasChange("restrict_employee_access") {
+		if _, _, err := conn.OrganizationsApi.UpdateOrganizationSettings(ctx, orgID, newOrganizationSettings(d)).Execute(); err != nil {
+			return diag.FromErr(fmt.Errorf("error updating Organization settings: %s", err))
 		}
 	}
+
 	return resourceMongoDBAtlasOrganizationRead(ctx, d, meta)
 }
 
@@ -163,7 +233,7 @@ func resourceMongoDBAtlasOrganizationDelete(ctx context.Context, d *schema.Resou
 	orgID := ids["org_id"]
 
 	if _, _, err := conn.OrganizationsApi.DeleteOrganization(ctx, orgID).Execute(); err != nil {
-		return diag.FromErr(fmt.Errorf("error Organization: %s", err))
+		return diag.FromErr(fmt.Errorf("error deleting Organization: %s", err))
 	}
 	return nil
 }
@@ -185,3 +255,21 @@ func newCreateOrganizationRequest(d *schema.ResourceData) *admin.CreateOrganizat
 
 	return createRequest
 }
+
+func newOrganizationSettings(d *schema.ResourceData) *admin.OrganizationSettings {
+	return &admin.OrganizationSettings{
+		ApiAccessListRequired:   pointy.Bool(d.Get("api_access_list_required").(bool)),
+		MultiFactorAuthRequired: pointy.Bool(d.Get("multi_factor_auth_required").(bool)),
+		RestrictEmployeeAccess:  pointy.Bool(d.Get("restrict_employee_access").(bool)),
+	}
+}
+
+func ValidateAPIKeyIsOrgOwner(roles []string) error {
+	for _, role := range roles {
+		if role == constant.OrgOwner {
+			return nil
+		}
+	}
+
+	return fmt.Errorf("`role_names` for new API Key must have the ORG_OWNER role to use this resource")
+}