feat: Update Stream Connection Resource by sivaram-mongodb · Pull Request #1524 · mongodb/mongodbatlas-cloudformation-resources

sivaram-mongodb · 2026-01-08T08:05:35Z

Proposed changes

Updated existing resource Stream Connection with significant enhancements:

Added support for two new connection types: AWSLambda and Https
Implemented OAuth (OAUTHBEARER) authentication mechanism for Kafka connections with full OAuth 2.0 flow
Upgraded Atlas SDK from v20231115014 to v20250312010 for latest API features
Added comprehensive unit test coverage with mock-based testing
Created 4 new CloudFormation example templates showcasing new features
Improved model mapping logic with proper handling of write-only sensitive fields
Enhanced test infrastructure with 6 complete test input sets for all connection types

cfn testing:

Published to AWS private registry

stack testing for cluster connection type :

stack testing for Sample connection type:

stack testing for http connection type:

stack testing for aws lamda connection type:

stack testing for kafka (basic) connection type:

stack testing for kafka (OAuth ) connection type:

Jira ticket: CLOUDP-369806

Please include a summary of the fix/feature/change, including any relevant motivation and context.

Link to any related issue(s):

Type of change:

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as
expected)
This change requires a documentation update
If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Manual QA performed:

cfn invoke for each of CRUDL/cfn test
Updated resource in example
Published to AWS private registry
Used the template in example to create and update a stack in AWS
Deleted stack to ensure resources are deleted
Created multiple resources in same stack
Validated in Atlas UI
Included screenshots

Required Checklist:

I have signed the MongoDB CLA
I have added tests that prove my fix is effective or that my feature works
I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
I have added any necessary documentation (if appropriate)
I have run make fmt and formatted my code
For CFN Resources: I have released by changes in the private registry and proved by change
works in Atlas

Further comments

EspenAlbert · 2026-01-08T10:00:29Z

-	if _, apiResp, err := conn.StreamsApi.DeleteStreamConnection(ctx, *projectID, *instanceName, *connectionName).Execute(); err != nil {
-		return handleError(apiResp, constants.DELETE, err)
+	resp, err := conn.StreamsApi.DeleteStreamConnection(ctx, *projectID, *workspaceOrInstanceName, *connectionName).Execute()
+	if err != nil {


What is the reason for this refactoring? Removing the call to handleError?

I guess this is handled by the @sivaram-mongodb . We have the handleError method.

EspenAlbert · 2026-01-08T10:03:27Z

 		model := GetStreamConnectionModel(&accumulatedStreamConns[i], nil)
 		model.ProjectId = currentModel.ProjectId
-		model.InstanceName = currentModel.InstanceName
+		if currentModel.WorkspaceName != nil {


What is the logic behind this conditional, should't we always set it for both WorkspaceName and InstanceName?

We are setting it for both Workspace and InstanceName as suggested.

I think it would be simpler to use the workspaceOrInstanceName variable directly:

model.WorkspaceName = workspaceOrInstanceName model.InstanceName = workspaceOrInstanceName

…dformation-resources into CLOUDP-369806-stream-connection

…nnection tests; remove resource unit tests

maastha · 2026-01-16T22:55:17Z

    "InstanceName": {
      "type": "string",
-      "description": "Human-readable label that identifies the stream instance."
+      "description": "Human-readable label that identifies the stream instance. Deprecated: Use WorkspaceName instead."


can we emphasize the warning here, similar to TF messaging & referencing other CFN deprecated attributes:

"WARNING: This field is deprecated and will be removed in the next major release. Please use WorkspaceName instead" ...... "

Updated InstanceName description with stronger deprecation warning: "WARNING: This field is deprecated and will be removed in the next major release. Please use WorkspaceName instead."

maastha · 2026-01-16T22:55:49Z

    "/properties/ProjectId",
    "/properties/ConnectionName",
-    "/properties/InstanceName",
+    "/properties/WorkspaceName",


InstanceName would still qualify as the primaryIdentifier no?

maastha · 2026-01-16T23:02:39Z

+  "ConnectionName": "ConnectionNameAWSLambda",
+  "Type": "AWSLambda",
+  "Aws": {
+    "RoleArn": "arn:aws:iam::263641576157:role/mongodb-atlas-streams-lambda-new"


remove roleArn here and from other test input files

Removed hardcoded RoleArn placeholders

maastha · 2026-01-16T23:02:43Z

+  "ConnectionName": "ConnectionNameAWSLambda",
+  "Type": "AWSLambda",
+  "Aws": {
+    "RoleArn": "arn:aws:iam::263641576157:role/mongodb-atlas-streams-lambda-new-updated"


remove roleArn here and from other test input files

Removed hardcoded RoleArn placeholders

maastha · 2026-01-16T23:12:51Z

+iamRoleNameUpdate="mongodb-atlas-streams-lambda-$(date +%s)-${RANDOM}-updated"
+policyName="atlas-lambda-invoke-policy"
+
+echo "Creating IAM roles: ${iamRoleNameCreate} and ${iamRoleNameUpdate}"


Why do we need different roles here?
For reference https://github.com/mongodb/terraform-provider-mongodbatlas/blob/master/internal/service/streamconnection/resource_stream_connection_test.go#L935 this is how we have stream connection tests setup in Terraform

I think we should be able to simplify the setup here.

Can you explain why we need all the roles and policies in this script?

Simplified IAM setup to use single role for both CREATE/UPDATE tests (removed duplicate role and Lambda permissions policy) to align with Terraform's pattern - kept only trust policy.

oarbusi · 2026-01-19T08:52:45Z

 		return nil, errEvent
 	}

+	normalizeWorkspaceName(currentModel)


nit: why not use getWorkspaceOrInstanceName here instead? it does mostly the same as normalizeWorkspaceName but IMO it would be clearer/more explicit what is happening

oarbusi · 2026-01-19T08:55:04Z

+		return *peErr, nil
+	}
+
+	workspaceOrInstanceName, peErr := getWorkspaceOrInstanceName(currentModel)


workspace name will always be set here because InitEnvWithLatestClient has been called. Could use it directly instead of calling getWorkspaceOrInstanceName

I think you could simplify it by using directly workspace name here or not call normalizeWorkspaceName in InitEnvWithLatestClient. WDYT?
my overall feeling is that getWorkspaceOrInstanceName and normalizeWorkspaceName do very similar things and we could unify

Agreed.

I’ve removed getWorkspaceOrInstanceName and unified the logic into normalizeWorkspaceName. After InitEnvWithLatestClient, WorkspaceName is guaranteed to be set, so all handlers now use currentModel.WorkspaceName directly. ( keeps backward compatibility with InstanceName )

oarbusi

Thanks for addressing the comments, LGTM

…dformation-resources into CLOUDP-369806-stream-connection

sivaram-mongodb requested a review from a team as a code owner January 8, 2026 08:05

sivaram-mongodb force-pushed the CLOUDP-369806-stream-connection branch from 8d19d2f to 070e1be Compare January 8, 2026 08:36