feat: Add Stream PrivateLink Endpoint (#1547)

Co-authored-by: Rakhul S Prakash <rakhul.s.prakash@peerislands.io>

Author: rakhul-mongo

.github/workflows/contract-testing.yaml

@@ -35,6 +35,7 @@ jobs:
      search-index: ${{ steps.filter.outputs.search-index }}
      stream-connection: ${{ steps.filter.outputs.stream-connection }}
      stream-instance: ${{ steps.filter.outputs.stream-instance }}
+     stream-privatelink-endpoint: ${{ steps.filter.outputs.stream-privatelink-endpoint }}
      stream-processor: ${{ steps.filter.outputs.stream-processor }}
      stream-workspace: ${{ steps.filter.outputs.stream-workspace }}
      third-party-integration: ${{ steps.filter.outputs.third-party-integration }}
@@ -93,6 +94,8 @@ jobs:
           - 'cfn-resources/stream-connection/**'
         stream-instance:
           - 'cfn-resources/stream-instance/**'
+        stream-privatelink-endpoint:
+          - 'cfn-resources/stream-privatelink-endpoint/**'
         stream-processor:
           - 'cfn-resources/stream-processor/**'
         stream-workspace:
@@ -1081,6 +1084,46 @@ jobs:
           pushd cfn-resources/stream-instance
           make create-test-resources
           cat inputs/inputs_1_create.json
+          make run-contract-testing
+          make delete-test-resources
+  stream-privatelink-endpoint:
+    needs: change-detection
+    if: ${{ needs.change-detection.outputs.stream-privatelink-endpoint == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5
+        with:
+          go-version-file: 'cfn-resources/go.mod'
+      - name: setup Atlas CLI
+        uses: mongodb/atlas-github-action@e3c9e0204659bafbb3b65e1eb1ee745cca0e9f3b
+      - uses: aws-actions/setup-sam@c2a20b1822cc4a6bc594ff7f1dbb658758e383c3
+        with:
+          use-installer: true
+      - uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ENV }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ENV }}
+          aws-region: eu-west-1
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
+        with:
+          python-version: '3.9'
+          cache: 'pip' # caching pip dependencies
+      - run: pip install cloudformation-cli cloudformation-cli-go-plugin
+      - name: Run the Contract test
+        shell: bash
+        env:
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${{ secrets.CLOUD_DEV_PUBLIC_KEY }}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${{ secrets.CLOUD_DEV_PRIVATE_KEY }}
+          MONGODB_ATLAS_ORG_ID: ${{ secrets.CLOUD_DEV_ORG_ID }}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.MONGODB_ATLAS_BASE_URL }}
+          MONGODB_ATLAS_PROFILE: cfn-cloud-dev-github-action
+        run: |
+          pushd cfn-resources/stream-privatelink-endpoint
+          make create-test-resources
+
+          cat inputs/*
+
           make run-contract-testing
           make delete-test-resources
   stream-processor:

cfn-resources/stream-privatelink-endpoint/.rpdk-config

@@ -0,0 +1,27 @@
+{
+    "artifact_type": "RESOURCE",
+    "typeName": "MongoDB::Atlas::StreamPrivatelinkEndpoint",
+    "language": "go",
+    "runtime": "provided.al2",
+    "entrypoint": "bootstrap",
+    "testEntrypoint": "bootstrap",
+    "settings": {
+        "version": false,
+        "subparser_name": null,
+        "verbose": 0,
+        "force": false,
+        "type_name": null,
+        "artifact_type": null,
+        "endpoint_url": null,
+        "region": null,
+        "target_schemas": [],
+        "profile": null,
+        "import_path": "github.com/mongodb/mongodbatlas-cloudformation-resources/stream-privatelink-endpoint",
+        "protocolVersion": "2.0.0"
+    },
+    "canarySettings": {
+        "contract_test_file_names": [
+            "inputs_1.json"
+        ]
+    }
+}

cfn-resources/stream-privatelink-endpoint/Makefile

@@ -0,0 +1,37 @@
+.PHONY: build debug clean create-test-resources delete-test-resources run-contract-testing
+tags=logging callback metrics scheduler
+cgo=0
+goos=linux
+goarch=amd64
+CFNREP_GIT_SHA?=$(shell git rev-parse HEAD)
+ldXflags=-s -w -X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=info -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+ldXflagsD=-X github.com/mongodb/mongodbatlas-cloudformation-resources/util.defaultLogLevel=debug -X github.com/mongodb/mongodbatlas-cloudformation-resources/version.Version=${CFNREP_GIT_SHA}
+
+build:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflags)" -tags="$(tags)" -o bin/bootstrap cmd/main.go
+
+debug:
+	cfn generate
+	env GOOS=$(goos) CGO_ENABLED=$(cgo) GOARCH=$(goarch) go build -ldflags="$(ldXflagsD)" -tags="$(tags)" -o bin/debug cmd/main.go
+
+clean:
+	rm -rf bin
+
+submit: clean build
+	@echo "==> Submitting to private registry for testing"
+	 cfn submit --set-default --region us-east-1
+
+create-test-resources:
+	@echo "==> Creating test files and resources for contract testing"
+	./test/contract-testing/cfn-test-create.sh
+
+delete-test-resources:
+	@echo "==> Delete test resources used for contract testing"
+	./test/contract-testing/cfn-test-delete.sh
+
+run-contract-testing:
+	@echo "==> Run contract testing"
+	make build
+	sam local start-lambda &
+	cfn test --function-name TestEntrypoint --verbose

cfn-resources/stream-privatelink-endpoint/README.md

@@ -0,0 +1,65 @@
+# MongoDB::Atlas::StreamPrivatelinkEndpoint
+
+## Description
+
+Resource for creating and managing [Stream Processing Private Link Endpoints](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-createprivatelinkconnection). This resource enables secure, private connectivity between Atlas Stream Processing and streaming services (AWS MSK, Confluent Cloud, or AWS S3) over AWS PrivateLink. This resource supports AWS only.
+
+## Requirements
+
+Set up an AWS profile to securely give CloudFormation access to your Atlas credentials.
+For instructions on setting up a profile, [see here](/README.md#mongodb-atlas-api-keys-credential-management).
+
+## Attributes and Parameters
+
+See the [resource docs](docs/README.md). Also refer [AWS security best practices for CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds) to manage credentials.
+
+## CloudFormation Examples
+
+See the example [CFN Template](/examples/atlas-streams/stream-privatelink-endpoint/stream-privatelink-endpoint-s3.json) for example resource.
+
+## Deployment
+
+### Prerequisites
+
+- **Atlas Project**: You must have an existing MongoDB Atlas project.
+- **AWS Account**: An AWS account with appropriate permissions for PrivateLink and VPC endpoint creation.
+- **Atlas Credentials**: Set up an AWS profile to securely give CloudFormation access to your Atlas credentials. For instructions, see [MongoDB Atlas API Keys Credential Management](/README.md#mongodb-atlas-api-keys-credential-management).
+- **AWS Credentials**: Configure AWS credentials with permissions to create VPC endpoints and manage PrivateLink connections.
+
+### Basic Deployment
+
+```bash
+aws cloudformation deploy \
+  --template-file examples/atlas-streams/stream-privatelink-endpoint/stream-privatelink-endpoint-s3.json \
+  --stack-name atlas-stream-privatelink-endpoint-s3 \
+  --parameter-overrides \
+    ProjectId=<YOUR_PROJECT_ID> \
+    Region=eu-west-1 \
+    ServiceEndpointId=com.amazonaws.eu-west-1.s3 \
+    Profile=default \
+  --capabilities CAPABILITY_IAM \
+  --region eu-west-1
+```
+
+## Verification
+
+### Using Atlas CLI
+
+After deployment, verify the Private Link Endpoint was created:
+
+```bash
+# List all Private Link Endpoints for the project
+atlas streams privatelink list --projectId <PROJECT_ID>
+
+# Describe a specific Private Link Endpoint
+atlas streams privatelink describe <ENDPOINT_ID> --projectId <PROJECT_ID>
+```
+
+### Using Atlas UI
+
+1. Navigate to your Atlas project
+2. Go to **Network Access** → **Stream Processing Private Link Endpoints**
+3. Verify the endpoint appears with:
+   - Vendor type: "S3", "MSK", or "CONFLUENT"
+   - State: "AVAILABLE" (may take a few minutes to transition)
+   - Correct region and service endpoint ID

cfn-resources/stream-privatelink-endpoint/cmd/main.go

@@ -0,0 +1,100 @@
+// Copyright 2026 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package resource
+
+import (
+	"context"
+
+	"go.mongodb.org/atlas-sdk/v20250312013/admin"
+
+	"github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
+
+	"github.com/mongodb/mongodbatlas-cloudformation-resources/util"
+	"github.com/mongodb/mongodbatlas-cloudformation-resources/util/constants"
+)
+
+const (
+	stateDone            = "DONE"
+	stateFailed          = "FAILED"
+	stateDeleteRequested = "DELETE_REQUESTED"
+	stateDeleting        = "DELETING"
+	stateDeleted         = "DELETED"
+
+	callbackDelaySeconds = 3
+	callbackKey          = "callbackStreamPrivatelinkEndpoint"
+)
+
+var callbackContext = map[string]any{callbackKey: true}
+
+func isCallback(req *handler.Request) bool {
+	_, found := req.CallbackContext[callbackKey]
+	return found
+}
+
+func validateProgress(client *util.MongoDBClient, model *Model, isDelete bool) handler.ProgressEvent {
+	ctx := context.Background()
+	projectID := util.SafeString(model.ProjectId)
+	connectionID := util.SafeString(model.Id)
+
+	streamsPrivateLinkConnection, apiResp, err := client.AtlasSDK.StreamsApi.GetPrivateLinkConnection(ctx, projectID, connectionID).Execute()
+	notFound := util.StatusNotFound(apiResp)
+
+	if err != nil && !notFound {
+		return handleError(apiResp, constants.READ, err)
+	}
+
+	state := stateDeleted
+	if streamsPrivateLinkConnection != nil {
+		state = streamsPrivateLinkConnection.GetState()
+	}
+
+	targetState := stateDone
+	if isDelete {
+		targetState = stateDeleted
+	}
+
+	if state == stateFailed {
+		return handleFailedState(streamsPrivateLinkConnection)
+	}
+
+	if state != targetState {
+		return inProgressEvent(model, streamsPrivateLinkConnection)
+	}
+
+	if isDelete {
+		return handler.ProgressEvent{
+			OperationStatus: handler.Success,
+			Message:         constants.Complete,
+		}
+	}
+
+	UpdateModel(model, streamsPrivateLinkConnection)
+	return handler.ProgressEvent{
+		OperationStatus: handler.Success,
+		Message:         constants.Complete,
+		ResourceModel:   model,
+	}
+}
+
+func inProgressEvent(model *Model, apiResp *admin.StreamsPrivateLinkConnection) handler.ProgressEvent {
+	UpdateModel(model, apiResp)
+	return handler.ProgressEvent{
+		OperationStatus:      handler.InProgress,
+		Message:              constants.Pending,
+		ResourceModel:        model,
+		CallbackDelaySeconds: callbackDelaySeconds,
+		CallbackContext:      callbackContext,
+	}
+}