feat(kafka_instance): support multiple security groups (#101)

* feat(kafka_instance): support multiple security groups

* test(kafka_instance): add test cases for compute_specs security_groups

Author: Gezi-lzq

client/model_kafka_instance.go

@@ -19,7 +19,7 @@ type SpecificationParam struct {
 	NodeConfig               *NodeConfigParam           `json:"nodeConfig,omitempty"`
 	Networks                 []InstanceNetworkParam     `json:"networks,omitempty"`
 	KubernetesNodeGroups     []KubernetesNodeGroupParam `json:"kubernetesNodeGroups,omitempty"`
-	SecurityGroup            *string                    `json:"securityGroup,omitempty"`
+	SecurityGroups           []string                   `json:"securityGroups,omitempty"`
 	Template                 *string                    `json:"template,omitempty"`
 	FileSystem               *FileSystemParam           `json:"fileSystemForFsWal,omitempty"`
 	DeployType               *string                    `json:"deployType,omitempty"`
@@ -223,6 +223,7 @@ type SpecificationVO struct {
 	BucketProfiles           []BucketProfileSummaryVO `json:"bucketProfiles,omitempty"`
 	DataBuckets              []BucketProfileVO        `json:"dataBuckets,omitempty"`
 	SecurityGroupId          *string                  `json:"securityGroupId,omitempty"`
+	SecurityGroups           []string                 `json:"securityGroups,omitempty"`
 	FileSystem               *FileSystemVO            `json:"fileSystemForFsWal,omitempty"`
 	Provider                 *string                  `json:"provider,omitempty"`
 	Region                   *string                  `json:"region,omitempty"`
@@ -365,7 +366,7 @@ type InstanceConfigParam struct {
 type SpecificationUpdateParam struct {
 	ReservedAku              *int32                     `json:"reservedAku,omitempty"`
 	NodeConfig               *NodeConfigParam           `json:"nodeConfig,omitempty"`
-	SecurityGroup            *string                    `json:"securityGroup,omitempty"`
+	SecurityGroups           []string                   `json:"securityGroups,omitempty"`
 	Template                 *string                    `json:"template,omitempty"`
 	Networks                 []InstanceNetworkParam     `json:"networks,omitempty"`
 	KubernetesNodeGroups     []KubernetesNodeGroupParam `json:"kubernetesNodeGroups,omitempty"`

docs/data-sources/kafka_instance.md

@@ -71,6 +71,7 @@ Read-Only:
 - `kubernetes_service_account` (String)
 - `networks` (Attributes List) To configure the network settings for an instance, you need to specify the availability zone(s) and subnet information. Currently, you can set either one availability zone or three availability zones. (see [below for nested schema](#nestedatt--compute_specs--networks))
 - `reserved_aku` (Number) AutoMQ defines AKU (AutoMQ Kafka Unit) to measure the scale of the cluster. Each AKU provides 20 MiB/s of read/write throughput. For more details on AKU, please refer to the [documentation](https://docs.automq.com/automq-cloud/subscriptions-and-billings/byoc-env-billings/billing-instructions-for-byoc#indicator-constraints). The currently supported AKU specifications are 6, 8, 10, 12, 14, 16, 18, 20, 22, and 24. If an invalid AKU value is set, the instance cannot be created.
+- `security_groups` (List of String) Security groups for the instance
 
 <a id="nestedatt--compute_specs--data_buckets"></a>
 ### Nested Schema for `compute_specs.data_buckets`

docs/resources/kafka_instance.md

@@ -40,6 +40,8 @@ resource "automq_kafka_instance" "example" {
         bucket_name = "automq-data-bucket"
       }
     ]
+
+    # security_groups = ["sg-example123"] # Optional. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.
   }
 
   features = {
@@ -155,6 +157,7 @@ Optional:
 - `kubernetes_namespace` (String)
 - `kubernetes_node_groups` (Attributes List) Node groups (or node pools) are units for unified configuration management of physical nodes in Kubernetes. Different Kubernetes providers may use different terms for node groups. Select target node groups that must be created in advance and configured for either single-AZ or three-AZ deployment. The instance node type must meet the requirements specified in the documentation. If you select a single-AZ node group, the AutoMQ instance will be deployed in a single availability zone; if you select a three-AZ node group, the instance will be deployed across three availability zones. (see [below for nested schema](#nestedatt--compute_specs--kubernetes_node_groups))
 - `kubernetes_service_account` (String)
+- `security_groups` (List of String) Security groups for the instance. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.
 
 <a id="nestedatt--compute_specs--networks"></a>
 ### Nested Schema for `compute_specs.networks`

examples/resources/automq_kafka_instance/resource.tf

@@ -20,6 +20,8 @@ resource "automq_kafka_instance" "example" {
         bucket_name = "automq-data-bucket"
       }
     ]
+
+    # security_groups = ["sg-example123"] # Optional. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.
   }
 
   features = {

internal/models/kafka_instance.go

@@ -77,6 +77,7 @@ type ComputeSpecsModel struct {
 	KubernetesServiceAcct types.String          `tfsdk:"kubernetes_service_account"`
 	InstanceRole          types.String          `tfsdk:"instance_role"`
 	DataBuckets           types.List            `tfsdk:"data_buckets"`
+	SecurityGroups        types.List            `tfsdk:"security_groups"`
 	FileSystemParam       *FileSystemParamModel `tfsdk:"file_system_param"`
 }
 
@@ -316,6 +317,16 @@ func ExpandKafkaInstanceResource(ctx context.Context, instance KafkaInstanceReso
 			request.Spec.DataBuckets = dataBuckets
 		}
 
+		// Security Groups for compute specs
+		if !instance.ComputeSpecs.SecurityGroups.IsNull() &&
+			!instance.ComputeSpecs.SecurityGroups.IsUnknown() {
+			var securityGroups []string
+			diags := instance.ComputeSpecs.SecurityGroups.ElementsAs(ctx, &securityGroups, false)
+			if !diags.HasError() && len(securityGroups) > 0 {
+				request.Spec.SecurityGroups = securityGroups
+			}
+		}
+
 		// File System Parameters for FSWAL
 		if instance.ComputeSpecs.FileSystemParam != nil {
 			fileSystemParam := &client.FileSystemParam{
@@ -654,6 +665,7 @@ func FlattenKafkaInstanceModel(ctx context.Context, instance *client.InstanceVO,
 				Networks:              []NetworkModel{},
 				KubernetesNodeGroups:  []NodeGroupModel{},
 				DataBuckets:           types.ListNull(DataBucketObjectType),
+				SecurityGroups:        types.ListNull(types.StringType),
 				DeployType:            types.StringNull(),
 				DnsZone:               types.StringNull(),
 				KubernetesClusterID:   types.StringNull(),
@@ -742,6 +754,18 @@ func FlattenKafkaInstanceModel(ctx context.Context, instance *client.InstanceVO,
 			resource.ComputeSpecs.DataBuckets = types.ListNull(DataBucketObjectType)
 		}
 
+		// Security Groups for compute specs
+		if len(instance.Spec.SecurityGroups) > 0 {
+			securityGroupsList, sgDiags := types.ListValueFrom(ctx, types.StringType, instance.Spec.SecurityGroups)
+			if !sgDiags.HasError() {
+				resource.ComputeSpecs.SecurityGroups = securityGroupsList
+			}
+		} else if previousSpecs != nil && !previousSpecs.SecurityGroups.IsNull() {
+			resource.ComputeSpecs.SecurityGroups = previousSpecs.SecurityGroups
+		} else {
+			resource.ComputeSpecs.SecurityGroups = types.ListNull(types.StringType)
+		}
+
 		// File System Parameters for FSWAL
 		var previousFileSystemParam *FileSystemParamModel
 		if previousSpecs != nil {

internal/models/kafka_instance_test.go

@@ -259,6 +259,58 @@ func TestExpandKafkaInstanceResource(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Configuration with compute_specs security_groups",
+			input: KafkaInstanceResourceModel{
+				Name:    types.StringValue("instance-with-sg"),
+				Version: types.StringValue("1.0.0"),
+				ComputeSpecs: &ComputeSpecsModel{
+					ReservedAku:    types.Int64Value(4),
+					SecurityGroups: types.ListValueMust(types.StringType, []attr.Value{types.StringValue("sg-abc123"), types.StringValue("sg-def456")}),
+				},
+				Features: &FeaturesModel{
+					WalMode: types.StringValue("EBSWAL"),
+				},
+			},
+			expected: client.InstanceCreateParam{
+				Name:    "instance-with-sg",
+				Version: "1.0.0",
+				Spec: client.SpecificationParam{
+					ReservedAku:    4,
+					NodeConfig:     &client.NodeConfigParam{},
+					SecurityGroups: []string{"sg-abc123", "sg-def456"},
+				},
+				Features: &client.InstanceFeatureParam{
+					WalMode: stringPtr("EBSWAL"),
+				},
+			},
+		},
+		{
+			name: "Configuration with null compute_specs security_groups",
+			input: KafkaInstanceResourceModel{
+				Name:    types.StringValue("instance-no-sg"),
+				Version: types.StringValue("1.0.0"),
+				ComputeSpecs: &ComputeSpecsModel{
+					ReservedAku:    types.Int64Value(4),
+					SecurityGroups: types.ListNull(types.StringType),
+				},
+				Features: &FeaturesModel{
+					WalMode: types.StringValue("EBSWAL"),
+				},
+			},
+			expected: client.InstanceCreateParam{
+				Name:    "instance-no-sg",
+				Version: "1.0.0",
+				Spec: client.SpecificationParam{
+					ReservedAku:    4,
+					NodeConfig:     &client.NodeConfigParam{},
+					SecurityGroups: nil, // Should not be included when null
+				},
+				Features: &client.InstanceFeatureParam{
+					WalMode: stringPtr("EBSWAL"),
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -635,3 +687,132 @@ func timePtr(s string) *time.Time {
 	t, _ := time.Parse(time.RFC3339, s)
 	return &t
 }
+
+func TestFlattenKafkaInstanceModel_ComputeSpecsSecurityGroups(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    *client.InstanceVO
+		expected *KafkaInstanceResourceModel
+	}{
+		{
+			name: "Instance with compute_specs security_groups",
+			input: &client.InstanceVO{
+				InstanceId:  strPtr("instance-with-sg"),
+				Name:        strPtr("test-with-sg"),
+				Description: strPtr("Instance with security groups"),
+				Version:     strPtr("1.0.0"),
+				State:       strPtr("Running"),
+				Spec: &client.SpecificationVO{
+					ReservedAku:    int32Ptr(4),
+					SecurityGroups: []string{"sg-abc123", "sg-def456"},
+				},
+				Features: &client.InstanceFeatureVO{
+					WalMode: strPtr("EBSWAL"),
+				},
+			},
+			expected: &KafkaInstanceResourceModel{
+				InstanceID:     types.StringValue("instance-with-sg"),
+				Name:           types.StringValue("test-with-sg"),
+				Description:    types.StringValue("Instance with security groups"),
+				Version:        types.StringValue("1.0.0"),
+				InstanceStatus: types.StringValue("Running"),
+				ComputeSpecs: &ComputeSpecsModel{
+					ReservedAku:    types.Int64Value(4),
+					SecurityGroups: types.ListValueMust(types.StringType, []attr.Value{types.StringValue("sg-abc123"), types.StringValue("sg-def456")}),
+				},
+				Features: &FeaturesModel{
+					WalMode: types.StringValue("EBSWAL"),
+				},
+			},
+		},
+		{
+			name: "Instance without compute_specs security_groups",
+			input: &client.InstanceVO{
+				InstanceId:  strPtr("instance-no-sg"),
+				Name:        strPtr("test-no-sg"),
+				Description: strPtr("Instance without security groups"),
+				Version:     strPtr("1.0.0"),
+				State:       strPtr("Running"),
+				Spec: &client.SpecificationVO{
+					ReservedAku:    int32Ptr(4),
+					SecurityGroups: nil,
+				},
+				Features: &client.InstanceFeatureVO{
+					WalMode: strPtr("EBSWAL"),
+				},
+			},
+			expected: &KafkaInstanceResourceModel{
+				InstanceID:     types.StringValue("instance-no-sg"),
+				Name:           types.StringValue("test-no-sg"),
+				Description:    types.StringValue("Instance without security groups"),
+				Version:        types.StringValue("1.0.0"),
+				InstanceStatus: types.StringValue("Running"),
+				ComputeSpecs: &ComputeSpecsModel{
+					ReservedAku:    types.Int64Value(4),
+					SecurityGroups: types.ListNull(types.StringType),
+				},
+				Features: &FeaturesModel{
+					WalMode: types.StringValue("EBSWAL"),
+				},
+			},
+		},
+		{
+			name: "Instance with single security group",
+			input: &client.InstanceVO{
+				InstanceId:  strPtr("instance-single-sg"),
+				Name:        strPtr("test-single-sg"),
+				Description: strPtr("Instance with single security group"),
+				Version:     strPtr("1.0.0"),
+				State:       strPtr("Running"),
+				Spec: &client.SpecificationVO{
+					ReservedAku:    int32Ptr(6),
+					SecurityGroups: []string{"sg-only-one"},
+				},
+				Features: &client.InstanceFeatureVO{
+					WalMode: strPtr("S3WAL"),
+				},
+			},
+			expected: &KafkaInstanceResourceModel{
+				InstanceID:     types.StringValue("instance-single-sg"),
+				Name:           types.StringValue("test-single-sg"),
+				Description:    types.StringValue("Instance with single security group"),
+				Version:        types.StringValue("1.0.0"),
+				InstanceStatus: types.StringValue("Running"),
+				ComputeSpecs: &ComputeSpecsModel{
+					ReservedAku:    types.Int64Value(6),
+					SecurityGroups: types.ListValueMust(types.StringType, []attr.Value{types.StringValue("sg-only-one")}),
+				},
+				Features: &FeaturesModel{
+					WalMode: types.StringValue("S3WAL"),
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resource := &KafkaInstanceResourceModel{}
+			diags := FlattenKafkaInstanceModel(context.Background(), tt.input, resource)
+
+			assert.False(t, diags.HasError(), "FlattenKafkaInstanceModel should not return errors")
+
+			// Check basic fields
+			assert.Equal(t, tt.expected.InstanceID, resource.InstanceID)
+			assert.Equal(t, tt.expected.Name, resource.Name)
+			assert.Equal(t, tt.expected.Description, resource.Description)
+			assert.Equal(t, tt.expected.Version, resource.Version)
+			assert.Equal(t, tt.expected.InstanceStatus, resource.InstanceStatus)
+
+			// Check compute specs
+			assert.NotNil(t, resource.ComputeSpecs)
+			assert.Equal(t, tt.expected.ComputeSpecs.ReservedAku, resource.ComputeSpecs.ReservedAku)
+
+			// Check security groups
+			assert.Equal(t, tt.expected.ComputeSpecs.SecurityGroups, resource.ComputeSpecs.SecurityGroups)
+
+			// Check features
+			assert.NotNil(t, resource.Features)
+			assert.Equal(t, tt.expected.Features.WalMode, resource.Features.WalMode)
+		})
+	}
+}

internal/provider/datasource_instance.go

@@ -112,6 +112,11 @@ func (r *KafkaInstanceDataSource) Schema(_ context.Context, _ datasource.SchemaR
 							},
 						},
 					},
+					"security_groups": schema.ListAttribute{
+						ElementType: types.StringType,
+						Computed:    true,
+						Description: "Security groups for the instance",
+					},
 					"file_system_param": schema.SingleNestedAttribute{
 						Computed:    true,
 						Description: "File system configuration for FSWAL mode",

internal/provider/resource_instance.go

@@ -255,6 +255,19 @@ func (r *KafkaInstanceResource) Schema(ctx context.Context, req resource.SchemaR
 							stringplanmodifier.UseStateForUnknown(),
 						},
 					},
+					"security_groups": schema.ListAttribute{
+						ElementType: types.StringType,
+						Optional:    true,
+						Computed:    true,
+						Description: "Security groups for the instance. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.",
+						PlanModifiers: []planmodifier.List{
+							listplanmodifier.RequiresReplace(),
+							listplanmodifier.UseStateForUnknown(),
+						},
+						Validators: []validator.List{
+							listvalidator.SizeAtLeast(1),
+						},
+					},
 					"file_system_param": schema.SingleNestedAttribute{
 						Optional:    true,
 						Description: "File system configuration for FSWAL mode",