mongodb · marcabreracast · Nov 14, 2025 · Nov 17, 2025 · Nov 17, 2025 · Nov 17, 2025
@@ -0,0 +1,11 @@
+```release-note:enhancement
+resource/mongodbatlas_advanced_cluster: Adds the `custom_openssl_cipher_config_tls13` attribute
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_advanced_cluster: Adds the `custom_openssl_cipher_config_tls13` attribute
+```
+
+```release-note:enhancement
+data-source/mongodbatlas_advanced_clusters: Adds the `custom_openssl_cipher_config_tls13` attribute
+```
@@ -241,6 +241,7 @@ Key-value pairs that categorize the cluster. Each key and value has a maximum le
 * `change_stream_options_pre_and_post_images_expire_after_seconds` - (Optional) The minimum pre- and post-image retention time in seconds This parameter is only supported for MongoDB version 6.0 and above. Defaults to `-1`(off).
 * `tls_cipher_config_mode` - The TLS cipher suite configuration mode. Valid values include `CUSTOM` or `DEFAULT`. The `DEFAULT` mode uses the default cipher suites. The `CUSTOM` mode allows you to specify custom cipher suites for both TLS 1.2 and TLS 1.3.
 * `custom_openssl_cipher_config_tls12` - The custom OpenSSL cipher suite list for TLS 1.2. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.
+* `custom_openssl_cipher_config_tls13` - The custom OpenSSL cipher suite list for TLS 1.3. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.
 
 ### pinned_fcv
 

@@ -237,6 +237,7 @@ Key-value pairs that categorize the cluster. Each key and value has a maximum le
 * `change_stream_options_pre_and_post_images_expire_after_seconds` - (Optional) The minimum pre- and post-image retention time in seconds. This parameter is only supported for MongoDB version 6.0 and above. Defaults to `-1`(off).
 * `tls_cipher_config_mode` - The TLS cipher suite configuration mode. Valid values include `CUSTOM` or `DEFAULT`. The `DEFAULT` mode uses the default cipher suites. The `CUSTOM` mode allows you to specify custom cipher suites for both TLS 1.2 and TLS 1.3. 
 * `custom_openssl_cipher_config_tls12` - The custom OpenSSL cipher suite list for TLS 1.2. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.
+* `custom_openssl_cipher_config_tls13` - The custom OpenSSL cipher suite list for TLS 1.3. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.
 
 ### pinned_fcv
 

@@ -570,6 +570,7 @@ Include **desired options** within advanced_configuration:
 * `default_max_time_ms` - (Optional) Default time limit in milliseconds for individual read operations to complete. This option corresponds to the [defaultMaxTimeMS](https://www.mongodb.com/docs/upcoming/reference/cluster-parameters/defaultMaxTimeMS/) cluster parameter. This parameter is supported only for MongoDB version 8.0 and above.
 * `tls_cipher_config_mode` - (Optional) The TLS cipher suite configuration mode. Valid values include `CUSTOM` or `DEFAULT`. The `DEFAULT` mode uses the default cipher suites. The `CUSTOM` mode allows you to specify custom cipher suites for both TLS 1.2 and TLS 1.3. To unset, this should be set back to `DEFAULT`.
 * `custom_openssl_cipher_config_tls12` - (Optional) The custom OpenSSL cipher suite list for TLS 1.2. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.
+* `custom_openssl_cipher_config_tls13` - (Optional) The custom OpenSSL cipher suite list for TLS 1.3. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.
 
 
 ### tags

@@ -13,7 +13,8 @@ import (
 
 func AddAdvancedConfig(ctx context.Context, tfModel *TFModel, input *ProcessArgs, diags *diag.Diagnostics) {
 	var advancedConfig TFAdvancedConfigurationModel
-	var customCipherConfig *[]string
+	var customCipherConfigTLS12 *[]string
+	var customCipherConfigTLS13 *[]string
 
 	if input.ArgsDefault != nil {
 		// Using the new API as source of Truth, only use `inputLegacy` for fields not in `input`
@@ -37,9 +38,11 @@ func AddAdvancedConfig(ctx context.Context, tfModel *TFModel, input *ProcessArgs
 			MinimumEnabledTlsProtocol:        types.StringValue(conversion.SafeValue(input.ArgsDefault.MinimumEnabledTlsProtocol)),
 			TlsCipherConfigMode:              types.StringValue(conversion.SafeValue(input.ArgsDefault.TlsCipherConfigMode)),
 		}
-		customCipherConfig = input.ArgsDefault.CustomOpensslCipherConfigTls12
+		customCipherConfigTLS12 = input.ArgsDefault.CustomOpensslCipherConfigTls12
+		customCipherConfigTLS13 = input.ArgsDefault.CustomOpensslCipherConfigTls13
 	}
-	advancedConfig.CustomOpensslCipherConfigTls12 = customOpensslCipherConfigTLS12(ctx, diags, customCipherConfig)
+	advancedConfig.CustomOpensslCipherConfigTls12 = customOpensslCipherConfig(ctx, diags, customCipherConfigTLS12)
+	advancedConfig.CustomOpensslCipherConfigTls13 = customOpensslCipherConfig(ctx, diags, customCipherConfigTLS13)
 
 	overrideTLSIfClusterAdvancedConfigPresent(ctx, diags, &advancedConfig, input.ClusterAdvancedConfig)
 
@@ -54,14 +57,15 @@ func overrideTLSIfClusterAdvancedConfigPresent(ctx context.Context, diags *diag.
 	}
 	tfAdvConfig.MinimumEnabledTlsProtocol = types.StringValue(conversion.SafeValue(conf.MinimumEnabledTlsProtocol))
 	tfAdvConfig.TlsCipherConfigMode = types.StringValue(conversion.SafeValue(conf.TlsCipherConfigMode))
-	tfAdvConfig.CustomOpensslCipherConfigTls12 = customOpensslCipherConfigTLS12(ctx, diags, conf.CustomOpensslCipherConfigTls12)
+	tfAdvConfig.CustomOpensslCipherConfigTls12 = customOpensslCipherConfig(ctx, diags, conf.CustomOpensslCipherConfigTls12)
+	tfAdvConfig.CustomOpensslCipherConfigTls13 = customOpensslCipherConfig(ctx, diags, conf.CustomOpensslCipherConfigTls13)
 }
 
-func customOpensslCipherConfigTLS12(ctx context.Context, diags *diag.Diagnostics, customOpensslCipherConfigTLS12 *[]string) types.Set {
-	if customOpensslCipherConfigTLS12 == nil {
+func customOpensslCipherConfig(ctx context.Context, diags *diag.Diagnostics, customOpensslCipherConfig *[]string) types.Set {
+	if customOpensslCipherConfig == nil {
 		return types.SetNull(types.StringType)
 	}
-	val, d := types.SetValueFrom(ctx, types.StringType, customOpensslCipherConfigTLS12)
+	val, d := types.SetValueFrom(ctx, types.StringType, customOpensslCipherConfig)
 	diags.Append(d...)
 	return val
 }
@@ -61,10 +61,16 @@ func newClusterAdvancedConfiguration(ctx context.Context, objInput *types.Object
 		return nil
 	}
 
+	var customCipherConfigTLS13 *[]string
+	if !inputAdvConfig.CustomOpensslCipherConfigTls13.IsNull() && !inputAdvConfig.CustomOpensslCipherConfigTls13.IsUnknown() {
+		customCipherConfigTLS13 = conversion.Pointer(conversion.TypesSetToString(ctx, inputAdvConfig.CustomOpensslCipherConfigTls13))
+	}
+
 	return &admin.ApiAtlasClusterAdvancedConfiguration{
 		MinimumEnabledTlsProtocol:      conversion.NilForUnknown(inputAdvConfig.MinimumEnabledTlsProtocol, inputAdvConfig.MinimumEnabledTlsProtocol.ValueStringPointer()),
 		TlsCipherConfigMode:            conversion.NilForUnknown(inputAdvConfig.TlsCipherConfigMode, inputAdvConfig.TlsCipherConfigMode.ValueStringPointer()),
 		CustomOpensslCipherConfigTls12: conversion.Pointer(conversion.TypesSetToString(ctx, inputAdvConfig.CustomOpensslCipherConfigTls12)),
+		CustomOpensslCipherConfigTls13: customCipherConfigTLS13,
 	}
 }
 

@@ -15,7 +15,7 @@ var (
 	// Change mappings uses `attribute_name`, it doesn't care about the nested level.
 	attributeRootChangeMapping = map[string][]string{
 		"replication_specs":      {},
-		"tls_cipher_config_mode": {"custom_openssl_cipher_config_tls12"},
+		"tls_cipher_config_mode": {"custom_openssl_cipher_config_tls12", "custom_openssl_cipher_config_tls13"},
 		"cluster_type":           {"config_server_management_mode", "config_server_type"}, // computed values of config server change when REPLICA_SET changes to SHARDED
 	}
 	attributeReplicationSpecChangeMapping = map[string][]string{

@@ -1919,6 +1919,9 @@ func configAdvanced(t *testing.T, projectID, clusterName, mongoDBMajorVersion st
 		if p.CustomOpensslCipherConfigTls12 != nil && len(*p.CustomOpensslCipherConfigTls12) > 0 {
 			advancedConfig += fmt.Sprintf("custom_openssl_cipher_config_tls12 = [%s]\n", acc.JoinQuotedStrings(*p.CustomOpensslCipherConfigTls12))
 		}
+		if p.CustomOpensslCipherConfigTls13 != nil && len(*p.CustomOpensslCipherConfigTls13) > 0 {
+			advancedConfig += fmt.Sprintf("custom_openssl_cipher_config_tls13 = [%s]\n", acc.JoinQuotedStrings(*p.CustomOpensslCipherConfigTls13))
+		}
 	}
 	if p.MinimumEnabledTlsProtocol != nil {
 		advancedConfig += fmt.Sprintf("minimum_enabled_tls_protocol = %[1]q\n", *p.MinimumEnabledTlsProtocol)
@@ -1973,9 +1976,14 @@ func checkAdvanced(name, tls string, processArgs *admin.ClusterDescriptionProces
 		advancedConfig["advanced_configuration.default_max_time_ms"] = strconv.Itoa(*processArgs.DefaultMaxTimeMS)
 	}
 
-	if processArgs.TlsCipherConfigMode != nil && processArgs.CustomOpensslCipherConfigTls12 != nil {
+	if processArgs.TlsCipherConfigMode != nil && (processArgs.CustomOpensslCipherConfigTls12 != nil || processArgs.CustomOpensslCipherConfigTls13 != nil) {
 		advancedConfig["advanced_configuration.tls_cipher_config_mode"] = "CUSTOM"
-		advancedConfig["advanced_configuration.custom_openssl_cipher_config_tls12.#"] = strconv.Itoa(len(*processArgs.CustomOpensslCipherConfigTls12))
+		if processArgs.CustomOpensslCipherConfigTls12 != nil {
+			advancedConfig["advanced_configuration.custom_openssl_cipher_config_tls12.#"] = strconv.Itoa(len(*processArgs.CustomOpensslCipherConfigTls12))
+		}
+		if processArgs.CustomOpensslCipherConfigTls13 != nil {
+			advancedConfig["advanced_configuration.custom_openssl_cipher_config_tls13.#"] = strconv.Itoa(len(*processArgs.CustomOpensslCipherConfigTls13))
+		}
 	} else {
 		advancedConfig["advanced_configuration.tls_cipher_config_mode"] = "DEFAULT"
 	}
@@ -2051,6 +2059,41 @@ func checkAdvancedDefaultWrite(name, writeConcern, tls string) resource.TestChec
 		pluralChecks...)
 }
 
+func TestAccAdvancedCluster_tls13CustomCiphers(t *testing.T) {
+	var (
+		projectID, clusterName = acc.ProjectIDExecutionWithCluster(t, 4)
+		resourceName           = "mongodbatlas_advanced_cluster.test"
+		processArgs            = &admin.ClusterDescriptionProcessArgs20240805{
+			TlsCipherConfigMode:            conversion.StringPtr("CUSTOM"),
+			CustomOpensslCipherConfigTls13: conversion.Pointer([]string{"TLS_AES_128_GCM_SHA256"}),
+			MinimumEnabledTlsProtocol:      conversion.StringPtr("TLS1_3"),
+		}
+	)
+
+	advancedConfig := configAdvanced(t, projectID, clusterName, "", processArgs)
+	check := resource.ComposeAggregateTestCheckFunc(
+		resource.TestCheckResourceAttr(resourceName, "project_id", projectID),
+		resource.TestCheckResourceAttr(resourceName, "name", clusterName),
+		resource.TestCheckResourceAttr(resourceName, "advanced_configuration.tls_cipher_config_mode", "CUSTOM"),
+		resource.TestCheckResourceAttr(resourceName, "advanced_configuration.custom_openssl_cipher_config_tls13.#", "1"),
+
+		resource.TestCheckResourceAttr(dataSourceName, "advanced_configuration.tls_cipher_config_mode", "CUSTOM"),
+		resource.TestCheckResourceAttr(dataSourceName, "advanced_configuration.custom_openssl_cipher_config_tls13.#", "1"),
+
+		resource.TestCheckResourceAttr(dataSourcePluralName, "results.0.advanced_configuration.tls_cipher_config_mode", "CUSTOM"),
+		resource.TestCheckResourceAttr(dataSourcePluralName, "results.0.advanced_configuration.custom_openssl_cipher_config_tls13.#", "1"),
+	)
+
+	resource.ParallelTest(t, resource.TestCase{
+		ProtoV6ProviderFactories: acc.TestAccProviderV6Factories,
+		Steps: []resource.TestStep{
+			{
+				Config: advancedConfig,
+				Check:  check,
+			},
+		},
+	})
+}
 func configReplicationSpecsAutoScaling(t *testing.T, projectID, clusterName string, autoScalingSettings *admin.AdvancedAutoScalingSettings, elecInstanceSize string, elecDiskSizeGB, analyticsNodeCount int) string {
 	t.Helper()
 	lifecycleIgnoreChanges := ""

@@ -490,6 +490,12 @@ func AdvancedConfigurationSchema(ctx context.Context) schema.SingleNestedAttribu
 				ElementType:         types.StringType,
 				MarkdownDescription: "The custom OpenSSL cipher suite list for TLS 1.2. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.",
 			},
+			"custom_openssl_cipher_config_tls13": schema.SetAttribute{
+				Computed:            true,
+				Optional:            true,
+				ElementType:         types.StringType,
+				MarkdownDescription: "The custom OpenSSL cipher suite list for TLS 1.3. This field is only valid when `tls_cipher_config_mode` is set to `CUSTOM`.",
+			},
 			"tls_cipher_config_mode": schema.StringAttribute{
 				Optional:            true,
 				Computed:            true,
@@ -699,6 +705,7 @@ var SpecsObjType = types.ObjectType{AttrTypes: map[string]attr.Type{
 type TFAdvancedConfigurationModel struct {
 	OplogMinRetentionHours                                types.Float64 `tfsdk:"oplog_min_retention_hours"`
 	CustomOpensslCipherConfigTls12                        types.Set     `tfsdk:"custom_openssl_cipher_config_tls12"`
+	CustomOpensslCipherConfigTls13                        types.Set     `tfsdk:"custom_openssl_cipher_config_tls13"`
 	MinimumEnabledTlsProtocol                             types.String  `tfsdk:"minimum_enabled_tls_protocol"`
 	DefaultWriteConcern                                   types.String  `tfsdk:"default_write_concern"`
 	TlsCipherConfigMode                                   types.String  `tfsdk:"tls_cipher_config_mode"`
@@ -726,6 +733,7 @@ var AdvancedConfigurationObjType = types.ObjectType{AttrTypes: map[string]attr.T
 	"default_max_time_ms":                  types.Int64Type,
 	"tls_cipher_config_mode":               types.StringType,
 	"custom_openssl_cipher_config_tls12":   types.SetType{ElemType: types.StringType},
+	"custom_openssl_cipher_config_tls13":   types.SetType{ElemType: types.StringType},
 }}
 
 type TFPinnedFCVModel struct {