feat: Add AzureBlobStorage connection type support for stream connections

[jwongmongodb]

Description

Adds support for AzureBlobStorage as a new stream connection type in mongodbatlas_stream_connection resource and data sources.

Link to any related issue(s): CLOUDP-383606

Type of change:

• New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR. A migration guide must be created or updated if the new feature will go in a major version.
• This change requires a documentation update

Required Checklist:

• I have signed the MongoDB CLA
• I have read the contributing guides
• I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
• I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
• I have added any necessary documentation (if appropriate)
• I have run make fix and verified my code
• If changes include deprecations or removals I have added appropriate changelog entries.
• If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

[Copilot]

Pull request overview

Adds AzureBlobStorage as a supported stream connection type for the mongodbatlas_stream_connection Terraform resource and related data sources, including schema/model mapping, acceptance tests, and documentation/examples updates.

Changes:

• Extend stream connection schemas/models (codegen + provider) to include an azure configuration block and AzureBlobStorage type handling.
• Update request/response mapping to support Azure-specific fields and publicPrivateNetworking mapping for networking.
• Add acceptance tests, docs, examples, and changelog entries for the new connection type.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
tools/codegen/models/stream_connection_api.yaml	Adds AzureBlobStorage type + azure fields and allows networking for the new type in codegen model.
internal/testutil/acc/pre_check.go	Adds acceptance test pre-check for Azure Blob Storage env vars.
internal/serviceapi/streamconnectionapi/resource_schema.go	Generated schema updated to include azure and allow it for AzureBlobStorage.
internal/service/streamconnection/resource_stream_connection.go	Adds connection-type constants and Azure object model/type definitions.
internal/service/streamconnection/resource_schema.go	Adds AzureBlobStorage schema block and expands type validation list.
internal/service/streamconnection/model_stream_connection.go	Maps Azure fields to/from SDK and routes networking to PublicPrivateNetworking for Azure.
internal/service/streamconnection/resource_stream_connection_test.go	Adds AzureBlobStorage acceptance test and helpers.
internal/service/streamconnection/model_stream_connection_test.go	Adds unit test coverage for Azure SDK<->TF mapping and TF->SDK request creation.
examples/mongodbatlas_stream_connection/*	Adds example configuration and variables for Azure Blob Storage connection.
docs/resources/stream_connection.md	Adds Azure example and documents Azure arguments/type.
docs/data-sources/stream_connections.md	Documents Azure in stream connections data source.
docs/data-sources/stream_connection.md	Documents Azure in stream connection data source.
.changelog/4356.txt	Adds release notes for AzureBlobStorage support and PRIVATE_LINK networking.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

APIx bot: a message has been sent to Docs Slack channel

[augmentcode]

🤖 Augment PR Summary

Summary: Adds first-class support for AzureBlobStorage as a stream connection type in the Terraform provider.

Changes:

• Extends the stream connection resource/data source docs to include Azure Blob Storage and its attributes
• Adds an azure nested block to the framework-based mongodbatlas_stream_connection schema and maps it to Atlas SDK request/response models
• Updates networking handling to support PUBLIC/PRIVATE_LINK for Azure Blob Storage via the API’s public/private networking field
• Adds type validation for the stream connection type attribute
• Adds unit test coverage for AzureBlobStorage model conversions and an acceptance test for the new connection type
• Updates acceptance-test runner workflow to pass required Azure environment variables
• Adds changelog entries documenting the new connection type and networking access support

Technical Notes: Azure networking uses the public/private networking API shape while still exposing a consistent Terraform networking block in the framework resource.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

[lizo-mdb]

LGTM with a few small suggestions!

[maastha]

Suggested change

	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"

[maastha]

do we need a UseStateForUnknown plan modifier? How does the plan show if anything is changed in this object?

[christineschen]

since region is computed each time the storage account changes, UseStateForUnknown may cause errors if the planned value doesn't match what the API returns

[maastha]

why is this optional/computed?

[christineschen]

it's in the API spec as optional, so it's computed if users don't supply a value. In the UI there's not even a field for users to add it so it would only be something that the api/sdk/tf supports

[marcosuma]

one nit but I think right now we're never erroring, right? no matter what's the type we assume is StreamsKafkaNetworking

[christineschen]

right that's the existing behavior, and PublicPrivateNetworking was introduced in the last SDK update (so as of yet will only be used for Azure blob storage and GCP pubsub)

[EspenAlbert]

What format is used? The atlas US_EAST_1 or azure style eastus1?

[christineschen]

azure style eastus1

[EspenAlbert]

Can you add that example to the docs? (Common source of confusion)

[EspenAlbert]

Looks quite good. Would maybe consider an example to demonstrate the privatelink functionality.
Main uncertainty I have is about the stream_connection not using role_id, seems weird to specify the service_principal_id twice

[EspenAlbert]

This setup confuses me a bit.
Why is the azure not referencing the mongodbatlas_cloud_provider_access_setup.azure_setup.role_id?

Seems a bit inconsistent that the atlas resource require azure service_principal_id?

[christineschen]

the way the API is set up, the input is service_principal_id and then role_id is computed

[EspenAlbert]

IMO: This is a bad experience. role_id is what should be configured, but understand it is a big ask to change the API :/

[christineschen]

I think it has to do with the way the UI is set up, where users will configure their Azure integration and get a service principal ID, and then on the streams connection manager page they choose between their service principal IDs (since there may be multiple), and role ID is abstracted away

[lantoli]

looks like some types were missing that are not related to this PR change, consider either doing it in a different PR or at least mention it in this PR description. same for the other files

[christineschen]

removed from this PR

[lantoli]

new 3 attrs should be in Azure section instead of AWS section

[lantoli]

Suggested change

	If `type` is `AzureBlobStorage` the the configuration defines the following additional attributes:
	If `type` is `AzureBlobStorage` the configuration defines the following additional attributes:

[lantoli]

we're in TPF so no need to check customer-provided values, only useful to check Computed attributes

[lantoli]

nit: i guess it's because of the Atlas API, there is a naming inconsistency, prefixing with AWS/Azure sometimes (e.g., AWSKinesisDataStreams, AWSLambda, AzureBlobStorage) but not with S3

[christineschen]

yeah we had a discussion about this on the streams team since S3 can be used by other non-AWS providers too

[christineschen]

@EspenAlbert the private link support is done in a separate PR that I just put up for review here: #4366

I can remove the line from the changelog in this PR if that makes it confusing

[EspenAlbert]

notice how

terraform-provider-mongodbatlas/internal/serviceapi/logintegration/resource_test.go

Lines 691 to 692 in 12d6a4e

	func azureStorageContainerConfig(projectID string, config *azureConfig) string {
	return fmt.Sprintf(`

uses the exact same storage account setup.
Can we refactor into acc package? see code/provider/internal/testutil/acc/stream_instance.go for existing example

[EspenAlbert]

Thank you for addressing the comments!

[EspenAlbert]

@EspenAlbert the private link support is done in a separate PR that I just put up for review here: #4366

I can remove the line from the changelog in this PR if that makes it confusing

Yes, that would be great 👍

[lantoli]

thanks, LGTM once all comments are addressed and new acceptance test passes in PR checks