doc: Adds mongodbatlas_api_key_project_assignment documentation, examples and migration guide

[oarbusi]

Description

Adds mongodbatlas_api_key_project_assignment documentation, examples and migration guide.
Also removed the examples that were using the old patterns for API key assignment to projects to avoid customers from referencing those.
This corresponds to the documentation necessary for #3461

Link to any related issue(s): CLOUDP-215112

Type of change:

• Bug fix (non-breaking change which fixes an issue). Please, add the "bug" label to the PR.
• New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR. A migration guide must be created or updated if the new feature will go in a major version.
• Breaking change (fix or feature that would cause existing functionality to not work as expected). Please, add the "breaking change" label to the PR. A migration guide must be created or updated.
• This change requires a documentation update
• Documentation fix/enhancement

Required Checklist:

• I have signed the MongoDB CLA
• I have read the contributing guides
• I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
• I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
• I have added any necessary documentation (if appropriate)
• I have run make fmt and formatted my code
• If changes include deprecations or removals I have added appropriate changelog entries.
• If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Further comments

[github-actions]

APIx bot: a message has been sent to Docs Slack channel

[EspenAlbert]

[nit] I would remove this

[maastha]

i think this can be a common section that can be referred in every migration doc, instead of "Review your current usage** of mongodbatlas_project_api_key" we can rephrase this to be more generic like "Review your current usage** of deprecate resource or something"

[EspenAlbert]

Can we also support / instead of - to be more consistent?

[EspenAlbert]

Is this a use-case for import and removed block?

[marcosuma]

I was thinking the same

[oarbusi]

yes, I have clarified that removed block can be used

[EspenAlbert]

Do we have any examples of this?

[marcosuma]

good point

[oarbusi]

I think there's no need, for_each count are terraform features. I added links to the official documentation for this features

[EspenAlbert]

I am not sure if we want duplicate main.tf content here

[oarbusi]

I think it doesn't hurt to have it here IMO

[marcosuma]

Remember the "Does this work for modules"? And I think this doesn't, right?

[marcosuma]

in any case we need an example specific for modules

[oarbusi]

Because the old resource corresponds to 2 resources, moved block is not possible and this wouldn't work for modules because import is needed. Will add a "Does this work for modules" section

[oarbusi]

Have added migration path for modules and example for modules in 0a856bd and b40d686
let me know what you think

[marcosuma]

question: shouldn't we still have these examples but just migrated to the new approach?

[oarbusi]

I think having the old pattern examples will be confusing and can lead to customers referencing those even if we now recommend the new pattern. Removing them and only having a single (new example) is better

[marcosuma]

got it, but aren't we removing the examples on how to use mongodbatlas_access_list_api_key ?

[oarbusi]

good point, I have added that back to the api_key example in 669bb50

[marcosuma]

Thanks for the section, but I would remove it from here and put this text into "## Migration using Modules"

[oarbusi]

Makes sense, done in dc0790b

[AgustinBettati]

nit: This table is hard to read when using https://registry.terraform.io/tools/doc-preview, might be worthing just putting as sub titles

[oarbusi]

changed in e0ba552

[AgustinBettati]

just curious is this something we can fix in api_key import?

[oarbusi]

I think we could but not sure if it would be considered as a breaking change or not. To fix it we would need to change the behavior of the Read. If you see the import of the api_key resource, the encoded Id attribute is set, and then on the Read, more attributes are set but not org_id, so when the terraform apply after the import is done, a change is detected. e.g.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # module.api_key_assignment.mongodbatlas_api_key.this will be updated in-place ~ resource "mongodbatlas_api_key" "this" { ~ description = "Legacy module-managed API Key" -> "Module-managed API Key" id = "YXBpX2tleV9pZA==:Njg2N2E1ODg2YTdlOGQ0M2Q2ZTdlODFl-b3JnX2lk:NjBkZGY1NWMyN2E1YTIwOTU1YTcwN2Q3" + org_id = "60ddf55c27a5a20955a707d7" # (3 unchanged attributes hidden) } Plan: 0 to add, 1 to change, 0 to destroy. 

open to discuss if this change is worth doing now

[maastha]

if org_id will be set every time in Read() then this would be a breaking change as it would result in non-empty plans right?

[marcosuma]

Some customers who have platform and app teams have very distinct responsibilities. App teams, who would be the ones having to run this comment, don't have access to import capabilities. I think this should be converted into adding the import block in the configuration rather than as a command. I believe that should work

[marcosuma]

I am also very worried that this is the only suggestion we can make. Imagine a very big customer with hundreds of app teams, each team is expected to do that if they want to migrate to our recommended approach. That's never going to happen.

is the project_assignment an idempotent type of resource? What I mean is: if mongodbatlas_api_key_project_assignment is being created in TF but that assignment already exists, will it fail? or simply succeed? if that's the case we could recommend a moved from project_api_key to api_key and then the mongodbatlas_api_key_project_assignment would be defined as "new" resources

[oarbusi]

added explicit mention of import block throughout the doc in ec95e5f.

[davidhou17]

LGTM % nits

[maastha]

Suggested change

	page_title: "Migration Guide: Project API Key to API Key + Assignment"
	page_title: "Migration Guide: Project API Key to API Key + Project Assignment"

[maastha]

i think this can be a common section that can be referred in every migration doc, instead of "Review your current usage** of mongodbatlas_project_api_key" we can rephrase this to be more generic like "Review your current usage** of deprecate resource or something"

[maastha]

if org_id will be set every time in Read() then this would be a breaking change as it would result in non-empty plans right?