
Egress PNI support for TF#941

Open
Daniel Ayaz (danielayaz) wants to merge 1 commit into master from pni-egress-tf

Conversation


@danielayaz Daniel Ayaz (danielayaz) commented Feb 11, 2026

Release Notes

New Features

  • Added routes attribute to aws_private_network_interface block in confluent_access_point resource and data source, enabling configuration of egress CIDR routes for bidirectional PNI traffic.

Bug Fixes

  • [Briefly describe any bugs fixed in this PR].

Examples

  • [Briefly describe any Terraform configuration example updates in this PR].

Checklist

  • I can successfully build and use a custom Terraform provider binary for Confluent.
  • I have verified my PR with real Confluent Cloud resources in a pre-prod or production environment, or both.
  • I have attached manual Terraform verification results or screenshots in the Test & Review section below.
  • I have included appropriate Terraform acceptance or unit tests for any new resource, data source, or functionality.
  • I have included appropriate Terraform live testing for any new resource, data source, or functionality.
  • I have included a testing thread with main.tf file in #terraform-provider-development-testing.
  • I have included rate limit/load testing results.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have updated the corresponding documentation and include relevant examples for this PR.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Check this box if the feature is enabled for certain organizations only

What

Adds support for egress routes on AWS Private Network Interface (PNI) Access Points.

Changes:

  • Added routes field (maps to API egress_routes) to aws_private_network_interface schema
  • Supports create, read, and in-place update operations
  • Field is optional, computed, max 10 items (backend enforced)
  • Updated resource and data source documentation

Note: Uses internal SDK (ccloud-sdk-go-v2-internal/networking-access-point@v0.11.0) via replace directive until egress_routes is promoted to public SDK.
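As an added illustration (not code from this PR or the provider), a hypothetical plan-time validator for the routes list, written the way a provider could check the value before it is sent to the API: the limit of 10 items comes from the description above, and rejecting the default route is a policy choice assumed here.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// maxEgressRoutes mirrors the backend-enforced limit stated in the PR description.
// Checking it client-side turns an apply-time API error into a plan-time error.
const maxEgressRoutes = 10

// validateEgressRoutes is a hypothetical helper (not part of the PR) for the
// routes attribute of aws_private_network_interface. Each entry must be a valid
// CIDR written as a network (no host bits set), entries must be unique, the
// default route is refused (assumed policy: it would widen egress to everything),
// and the list must not exceed maxEgressRoutes.
func validateEgressRoutes(routes []string) error {
	if len(routes) > maxEgressRoutes {
		return fmt.Errorf("routes: %d entries exceed the maximum of %d", len(routes), maxEgressRoutes)
	}
	seen := make(map[string]struct{}, len(routes))
	for i, r := range routes {
		ip, ipNet, err := net.ParseCIDR(strings.TrimSpace(r))
		if err != nil {
			return fmt.Errorf("routes[%d]: %q is not a valid CIDR: %w", i, r, err)
		}
		// Reject host addresses such as 10.0.0.5/24: the route must name the network.
		if !ip.Equal(ipNet.IP) {
			return fmt.Errorf("routes[%d]: %q has host bits set; use %s", i, r, ipNet.String())
		}
		if ones, _ := ipNet.Mask.Size(); ones == 0 {
			return fmt.Errorf("routes[%d]: default route %q is not allowed", i, r)
		}
		key := ipNet.String()
		if _, dup := seen[key]; dup {
			return fmt.Errorf("routes[%d]: duplicate route %s", i, key)
		}
		seen[key] = struct{}{}
	}
	return nil
}

func main() {
	// Constructed samples; the first matches the CIDRs used in the PR's acceptance test.
	fmt.Println(validateEgressRoutes([]string{"172.31.0.0/16", "10.108.16.0/21"})) // <nil>
	fmt.Println(validateEgressRoutes([]string{"10.0.0.5/24"}))                     // host bits error
}
```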

Blast Radius

Low: Only affects customers using confluent_access_point with aws_private_network_interface configuration

References

https://confluentinc.atlassian.net/browse/APIE-778

Test & Review

https://confluent.slack.com/archives/C08H9NWM0TG/p1770821914183479

Copilot AI review requested due to automatic review settings February 11, 2026 14:57
@danielayaz Daniel Ayaz (danielayaz) requested a review from a team as a code owner February 11, 2026 14:57

Copilot AI left a comment


Pull request overview

Adds Terraform support for configuring AWS PNI (Private Network Interface) egress CIDR routes on confluent_access_point resources/data sources, including schema, CRUD wiring, docs, and test fixtures.

Changes:

  • Add routes attribute to aws_private_network_interface for the confluent_access_point resource and data source.
  • Map routes ↔ API egress_routes on create/read, and support in-place update logic.
  • Update docs, wiremock test fixtures, and Go module replacement for the internal networking-access-point SDK.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 2 comments.

Summary per file:

  • internal/provider/resource_access_point.go: Adds routes to schema; wires routes into create/read/update logic for AWS PNI access points.
  • internal/provider/data_source_access_point.go: Exposes computed routes attribute for the access point data source AWS PNI block.
  • internal/provider/resource_access_point_test.go: Extends acceptance test assertions and test config to include routes.
  • internal/provider/data_source_access_point_test.go: Extends data source acceptance test assertions to include routes.
  • internal/testdata/network_access_point/create_aws_private_network_interface_ap.json: Adds egress_routes to mocked create response payload.
  • internal/testdata/network_access_point/read_created_aws_private_network_interface_ap.json: Adds egress_routes to mocked read response payload.
  • internal/testdata/network_access_point/update_aws_private_network_interface_ap.json: Adds egress_routes to mocked update response payload.
  • docs/resources/confluent_access_point.md: Documents the new routes argument/attribute and provides example usage.
  • docs/data-sources/confluent_access_point.md: Documents the exported routes attribute on the data source.
  • go.mod: Updates Go version and adds a replace to use internal networking-access-point SDK.
  • go.sum: Adds checksums for the internal networking-access-point SDK module.


(d.HasChange(fmt.Sprintf("%s.0.%s", paramAwsPrivateNetworkInterface, paramNetworkInterfaces)) ||
d.HasChange(fmt.Sprintf("%s.0.%s", paramAwsPrivateNetworkInterface, paramRoutes))) {
updatedConfig := netap.NetworkingV1AwsPrivateNetworkInterface{
Kind: paramAwsPrivateNetworkInterface,
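Review bot: because routes is declared Optional and Computed (per the description), removing the attribute from configuration does not register in d.HasChange on the paramRoutes key, so a user cannot clear the egress routes through Terraform once they are set; either document that limitation or make the attribute Optional only so that an omitted or empty list is sent as an explicit empty egress_routes on update. Also, since this condition fires when only one of network_interfaces or routes changes, make sure updatedConfig always carries both fields from state so the PATCH does not drop the unchanged one.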

Copilot AI Feb 11, 2026


In accessPointUpdate, the config discriminator Kind is set to paramAwsPrivateNetworkInterface ("aws_private_network_interface"), while accessPointCreate uses awsPrivateNetworkInterface ("AwsPrivateNetworkInterface"). Using the schema/block name here is inconsistent and may cause the API discriminator to be incorrect during PATCH updates. Align Kind to the same value used on create (the SDK/API kind string).

Suggested change
Kind: paramAwsPrivateNetworkInterface,
Kind: awsPrivateNetworkInterface,

Comment on lines 328 to +352
@@ -344,6 +347,9 @@ func TestAccAccessPointAwsPrivateNetworkInterface(t *testing.T) {
resource.TestCheckResourceAttr(accessPointResourceLabel, "aws_private_network_interface.0.network_interfaces.0", "eni-00000000000000000"),
resource.TestCheckResourceAttr(accessPointResourceLabel, "aws_private_network_interface.0.network_interfaces.1", "eni-00000000000000001"),
resource.TestCheckResourceAttr(accessPointResourceLabel, "aws_private_network_interface.0.account", "000000000000"),
resource.TestCheckResourceAttr(accessPointResourceLabel, "aws_private_network_interface.0.routes.#", "2"),
resource.TestCheckResourceAttr(accessPointResourceLabel, "aws_private_network_interface.0.routes.0", "172.31.0.0/16"),
resource.TestCheckResourceAttr(accessPointResourceLabel, "aws_private_network_interface.0.routes.1", "10.108.16.0/21"),
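Review bot: these assertions check routes.0 and routes.1 by position, which only holds if the attribute is a list and the API echoes egress_routes in the order they were sent; if the backend normalises or reorders the CIDRs, a list-typed attribute produces a perpetual diff on every plan. Either confirm ordering is preserved or model routes as a set and assert with TestCheckTypeSetElemAttr instead. The update fixture (update_aws_private_network_interface_ap.json) is already in this PR, so the same routes assertions should also run after the update step against that payload.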

Copilot AI Feb 11, 2026


The acceptance test covers reading routes from state, but it never performs an update that changes aws_private_network_interface.routes to exercise the new in-place update behavior. Add a test step that modifies routes (e.g., add/remove a CIDR) and assert the updated state to ensure the update code path is validated.
