[Bug]: mongodbatlas_project_api_key inconsistent plan

[megrehnsf]

Is there an existing issue for this?

• [X] I have searched the existing issues

Provider Version

v1.20.0

Terraform Version

v1.9.3

Terraform Edition

Terraform Cloud

Current Behavior

A mongodbatlas_project_api_key resource does not properly evaluate existing project_assignment in the plan.

The provider attempts to recreate existing project access and fails on the atlas api with:

╷
│ Error: error assigning api_keys into the project(66f1): https://cloud.mongodb.com/api/atlas/v2/groups/*/apiKeys/* POST: HTTP 400 Bad Request (Error code: "API_KEY_ALREADY_IN_GROUP") Detail: API key is already in the group. Reason: Bad Request. Params: []
│ 
│   with mongodbatlas_project_api_key.project,
│   on main.tf line 116, in resource "mongodbatlas_project_api_key" "project":
│  116: resource "mongodbatlas_project_api_key" "project" {
│ 
╵
Operation failed: failed running terraform apply (exit 1)

---

State show for resource

terraform state show mongodbatlas_project_api_key.project

resource "mongodbatlas_project_api_key" "project" {
api_key_id  = "*"
description = "API Key for project-name"
id          = "*"
private_key = (sensitive value)
public_key  = "*"

project_assignment {
    project_id = "*"
    role_names = [
        "GROUP_OWNER",
    ]
}

}

Plan result

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place

Terraform will perform the following actions:

mongodbatlas_project_api_key.project will be updated in-place

~ resource "mongodbatlas_project_api_key" "project" { id = "*"

(4 unchanged attributes hidden)

  + project_assignment {
      + project_id = "*"
      + role_names = [
          + "GROUP_OWNER",
        ]
    }
}

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform v1.9.3 on linux_amd64

• provider registry.terraform.io/mongodb/mongodbatlas v1.20.0

Terraform configuration to reproduce the issue

resource "mongodbatlas_project" "atlas_project" {
  org_id           = <org id string>
  project_owner_id = <owner id string>
  name             = "project-name"

  is_collect_database_specifics_statistics_enabled = true
  is_data_explorer_enabled                         = true
  is_performance_advisor_enabled                   = true
  is_realtime_performance_panel_enabled            = true
  is_schema_advisor_enabled                        = true
  with_default_alerts_settings                     = false
}

resource "mongodbatlas_project_api_key" "project" {
  description = "API Key for project-name"

  project_assignment {
    project_id = mongodbatlas_project.atlas_project.id
    role_names = ["GROUP_OWNER"]
  }
}

Steps To Reproduce

1. Add mongodbatlas_project and mongodbatlas_project_api_key in the same terraform
2. Plan
3. Apply, resources created
4. Plan, project_access change proposed
5. Apply, Atlas api error returned: API_KEY_ALREADY_IN_GROUP

Logs

No response

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[github-actions[bot]]

Thanks for opening this issue! Please make sure you've followed our guidelines when opening the issue. In short, to help us reproduce the issue we need:

• Terraform configuration file used to reproduce the issue
• Terraform log files from the run where the issue occurred
• Terraform Atlas provider version used to reproduce the issue
• Terraform version used to reproduce the issue
• Confirmation if Terraform OSS, Terraform Cloud, or Terraform Enterprise deployment

The ticket CLOUDP-276228 was created for internal tracking.