feat(kafka_instance): support multiple security groups

Author: Gezi-lzq

client/model_kafka_instance.go

@@ -19,7 +19,7 @@ type SpecificationParam struct {
 	NodeConfig               *NodeConfigParam           `json:"nodeConfig,omitempty"`
 	Networks                 []InstanceNetworkParam     `json:"networks,omitempty"`
 	KubernetesNodeGroups     []KubernetesNodeGroupParam `json:"kubernetesNodeGroups,omitempty"`
-	SecurityGroup            *string                    `json:"securityGroup,omitempty"`
+	SecurityGroups           []string                   `json:"securityGroups,omitempty"`
 	Template                 *string                    `json:"template,omitempty"`
 	FileSystem               *FileSystemParam           `json:"fileSystemForFsWal,omitempty"`
 	DeployType               *string                    `json:"deployType,omitempty"`
@@ -223,6 +223,7 @@ type SpecificationVO struct {
 	BucketProfiles           []BucketProfileSummaryVO `json:"bucketProfiles,omitempty"`
 	DataBuckets              []BucketProfileVO        `json:"dataBuckets,omitempty"`
 	SecurityGroupId          *string                  `json:"securityGroupId,omitempty"`
+	SecurityGroups           []string                 `json:"securityGroups,omitempty"`
 	FileSystem               *FileSystemVO            `json:"fileSystemForFsWal,omitempty"`
 	Provider                 *string                  `json:"provider,omitempty"`
 	Region                   *string                  `json:"region,omitempty"`
@@ -365,7 +366,7 @@ type InstanceConfigParam struct {
 type SpecificationUpdateParam struct {
 	ReservedAku              *int32                     `json:"reservedAku,omitempty"`
 	NodeConfig               *NodeConfigParam           `json:"nodeConfig,omitempty"`
-	SecurityGroup            *string                    `json:"securityGroup,omitempty"`
+	SecurityGroups           []string                   `json:"securityGroups,omitempty"`
 	Template                 *string                    `json:"template,omitempty"`
 	Networks                 []InstanceNetworkParam     `json:"networks,omitempty"`
 	KubernetesNodeGroups     []KubernetesNodeGroupParam `json:"kubernetesNodeGroups,omitempty"`

docs/data-sources/kafka_instance.md

@@ -71,6 +71,7 @@ Read-Only:
 - `kubernetes_service_account` (String)
 - `networks` (Attributes List) To configure the network settings for an instance, you need to specify the availability zone(s) and subnet information. Currently, you can set either one availability zone or three availability zones. (see [below for nested schema](#nestedatt--compute_specs--networks))
 - `reserved_aku` (Number) AutoMQ defines AKU (AutoMQ Kafka Unit) to measure the scale of the cluster. Each AKU provides 20 MiB/s of read/write throughput. For more details on AKU, please refer to the [documentation](https://docs.automq.com/automq-cloud/subscriptions-and-billings/byoc-env-billings/billing-instructions-for-byoc#indicator-constraints). The currently supported AKU specifications are 6, 8, 10, 12, 14, 16, 18, 20, 22, and 24. If an invalid AKU value is set, the instance cannot be created.
+- `security_groups` (List of String) Security groups for the instance
 
 <a id="nestedatt--compute_specs--data_buckets"></a>
 ### Nested Schema for `compute_specs.data_buckets`

docs/resources/kafka_instance.md

@@ -40,6 +40,8 @@ resource "automq_kafka_instance" "example" {
         bucket_name = "automq-data-bucket"
       }
     ]
+
+    # security_groups = ["sg-example123"] # Optional. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.
   }
 
   features = {
@@ -155,6 +157,7 @@ Optional:
 - `kubernetes_namespace` (String)
 - `kubernetes_node_groups` (Attributes List) Node groups (or node pools) are units for unified configuration management of physical nodes in Kubernetes. Different Kubernetes providers may use different terms for node groups. Select target node groups that must be created in advance and configured for either single-AZ or three-AZ deployment. The instance node type must meet the requirements specified in the documentation. If you select a single-AZ node group, the AutoMQ instance will be deployed in a single availability zone; if you select a three-AZ node group, the instance will be deployed across three availability zones. (see [below for nested schema](#nestedatt--compute_specs--kubernetes_node_groups))
 - `kubernetes_service_account` (String)
+- `security_groups` (List of String) Security groups for the instance. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.
 
 <a id="nestedatt--compute_specs--networks"></a>
 ### Nested Schema for `compute_specs.networks`

examples/resources/automq_kafka_instance/resource.tf

@@ -20,6 +20,8 @@ resource "automq_kafka_instance" "example" {
         bucket_name = "automq-data-bucket"
       }
     ]
+
+    # security_groups = ["sg-example123"] # Optional. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.
   }
 
   features = {

internal/models/kafka_instance.go

@@ -77,6 +77,7 @@ type ComputeSpecsModel struct {
 	KubernetesServiceAcct types.String          `tfsdk:"kubernetes_service_account"`
 	InstanceRole          types.String          `tfsdk:"instance_role"`
 	DataBuckets           types.List            `tfsdk:"data_buckets"`
+	SecurityGroups        types.List            `tfsdk:"security_groups"`
 	FileSystemParam       *FileSystemParamModel `tfsdk:"file_system_param"`
 }
 
@@ -316,6 +317,16 @@ func ExpandKafkaInstanceResource(ctx context.Context, instance KafkaInstanceReso
 			request.Spec.DataBuckets = dataBuckets
 		}
 
+		// Security Groups for compute specs
+		if !instance.ComputeSpecs.SecurityGroups.IsNull() &&
+			!instance.ComputeSpecs.SecurityGroups.IsUnknown() {
+			var securityGroups []string
+			diags := instance.ComputeSpecs.SecurityGroups.ElementsAs(ctx, &securityGroups, false)
+			if !diags.HasError() && len(securityGroups) > 0 {
+				request.Spec.SecurityGroups = securityGroups
+			}
+		}
+
 		// File System Parameters for FSWAL
 		if instance.ComputeSpecs.FileSystemParam != nil {
 			fileSystemParam := &client.FileSystemParam{
@@ -654,6 +665,7 @@ func FlattenKafkaInstanceModel(ctx context.Context, instance *client.InstanceVO,
 				Networks:              []NetworkModel{},
 				KubernetesNodeGroups:  []NodeGroupModel{},
 				DataBuckets:           types.ListNull(DataBucketObjectType),
+				SecurityGroups:        types.ListNull(types.StringType),
 				DeployType:            types.StringNull(),
 				DnsZone:               types.StringNull(),
 				KubernetesClusterID:   types.StringNull(),
@@ -742,6 +754,18 @@ func FlattenKafkaInstanceModel(ctx context.Context, instance *client.InstanceVO,
 			resource.ComputeSpecs.DataBuckets = types.ListNull(DataBucketObjectType)
 		}
 
+		// Security Groups for compute specs
+		if len(instance.Spec.SecurityGroups) > 0 {
+			securityGroupsList, sgDiags := types.ListValueFrom(ctx, types.StringType, instance.Spec.SecurityGroups)
+			if !sgDiags.HasError() {
+				resource.ComputeSpecs.SecurityGroups = securityGroupsList
+			}
+		} else if previousSpecs != nil && !previousSpecs.SecurityGroups.IsNull() {
+			resource.ComputeSpecs.SecurityGroups = previousSpecs.SecurityGroups
+		} else {
+			resource.ComputeSpecs.SecurityGroups = types.ListNull(types.StringType)
+		}
+
 		// File System Parameters for FSWAL
 		var previousFileSystemParam *FileSystemParamModel
 		if previousSpecs != nil {

internal/provider/datasource_instance.go

@@ -112,6 +112,11 @@ func (r *KafkaInstanceDataSource) Schema(_ context.Context, _ datasource.SchemaR
 							},
 						},
 					},
+					"security_groups": schema.ListAttribute{
+						ElementType: types.StringType,
+						Computed:    true,
+						Description: "Security groups for the instance",
+					},
 					"file_system_param": schema.SingleNestedAttribute{
 						Computed:    true,
 						Description: "File system configuration for FSWAL mode",

internal/provider/resource_instance.go

@@ -255,6 +255,19 @@ func (r *KafkaInstanceResource) Schema(ctx context.Context, req resource.SchemaR
 							stringplanmodifier.UseStateForUnknown(),
 						},
 					},
+					"security_groups": schema.ListAttribute{
+						ElementType: types.StringType,
+						Optional:    true,
+						Computed:    true,
+						Description: "Security groups for the instance. Omit this field entirely to let backend auto-generate. If specified, must contain at least one security group.",
+						PlanModifiers: []planmodifier.List{
+							listplanmodifier.RequiresReplace(),
+							listplanmodifier.UseStateForUnknown(),
+						},
+						Validators: []validator.List{
+							listvalidator.SizeAtLeast(1),
+						},
+					},
 					"file_system_param": schema.SingleNestedAttribute{
 						Optional:    true,
 						Description: "File system configuration for FSWAL mode",

internal/provider/resource_instance_validation_test.go

@@ -757,3 +757,73 @@ func TestValidateKafkaInstanceConfiguration_FSWALWithUnknownSecurityGroups(t *te
 		t.Fatalf("unexpected diagnostics for FSWAL with unknown security_groups: %v", diags)
 	}
 }
+
+// TestComputeSpecsSecurityGroupsValidator tests the compute_specs.security_groups schema validator
+func TestComputeSpecsSecurityGroupsValidator(t *testing.T) {
+	s := getKafkaInstanceResourceSchema(t)
+	computeAttrRaw, ok := s.Attributes["compute_specs"].(schema.SingleNestedAttribute)
+	if !ok {
+		t.Fatalf("compute_specs attribute has unexpected type %T", s.Attributes["compute_specs"])
+	}
+	computeAttr := computeAttrRaw
+
+	// Test security_groups attribute properties
+	securityGroupsAttrRaw, ok := computeAttr.Attributes["security_groups"].(schema.ListAttribute)
+	if !ok {
+		t.Fatalf("security_groups attribute has unexpected type %T", computeAttr.Attributes["security_groups"])
+	}
+	securityGroupsAttr := securityGroupsAttrRaw
+	if !securityGroupsAttr.Optional {
+		t.Fatalf("security_groups should be optional")
+	}
+	if !securityGroupsAttr.Computed {
+		t.Fatalf("security_groups should be computed")
+	}
+	if len(securityGroupsAttr.PlanModifiers) == 0 {
+		t.Fatalf("security_groups plan modifiers missing")
+	}
+	if !hasListRequiresReplace(securityGroupsAttr.PlanModifiers) {
+		t.Fatalf("expected security_groups to require replacement, modifiers: %v", securityGroupsAttr.PlanModifiers)
+	}
+	if len(securityGroupsAttr.Validators) == 0 {
+		t.Fatalf("security_groups validators missing")
+	}
+
+	// Test that empty list is rejected
+	req := validator.ListRequest{
+		ConfigValue: types.ListValueMust(types.StringType, []attr.Value{}),
+		Path:        path.Root("compute_specs").AtName("security_groups"),
+	}
+	resp := validator.ListResponse{}
+	securityGroupsAttr.Validators[0].ValidateList(context.Background(), req, &resp)
+	if !resp.Diagnostics.HasError() {
+		t.Fatalf("expected validator error for empty security_groups list")
+	}
+
+	// Test that list with one element is accepted
+	reqValid := validator.ListRequest{
+		ConfigValue: types.ListValueMust(types.StringType, []attr.Value{
+			types.StringValue("sg-12345"),
+		}),
+		Path: path.Root("compute_specs").AtName("security_groups"),
+	}
+	respValid := validator.ListResponse{}
+	securityGroupsAttr.Validators[0].ValidateList(context.Background(), reqValid, &respValid)
+	if respValid.Diagnostics.HasError() {
+		t.Fatalf("validator should accept non-empty security_groups list: %v", respValid.Diagnostics)
+	}
+
+	// Test that list with multiple elements is accepted
+	reqMultiple := validator.ListRequest{
+		ConfigValue: types.ListValueMust(types.StringType, []attr.Value{
+			types.StringValue("sg-12345"),
+			types.StringValue("sg-67890"),
+		}),
+		Path: path.Root("compute_specs").AtName("security_groups"),
+	}
+	respMultiple := validator.ListResponse{}
+	securityGroupsAttr.Validators[0].ValidateList(context.Background(), reqMultiple, &respMultiple)
+	if respMultiple.Diagnostics.HasError() {
+		t.Fatalf("validator should accept multiple security_groups: %v", respMultiple.Diagnostics)
+	}
+}