Use new private endpoint connections API

[carloruiz]

Previously, the private_endpoint_connection resource only supported AWS
private link connections. This commit updates the provider code to use
the new CC API Private Endpoint Connections methods. These cloud-neutral
methods will work for all cloud providers and cluster types, except
Serverless clusters on Azure as that configuration is not yet
supported.

Commit checklist

• Changelog
• Doc gen (make generate)
• Integration test(s)
• Acceptance test(s)
• Example(s)

[fantapop]

These changes look good to me. I'm slightly confused about the state of the example here:
https://github.com/cockroachdb/terraform-provider-cockroach/blob/main/examples/resources/cockroach_aws_private_endpoint_connection/cockroach_aws_private_endpoint_connection.tf

I actually have an outstanding PR to rename it anyways but perhaps the contents should be update as part of this to reflect the correct usage.

Along similar lines, I'm wondering if there is any necessary migration as part of this or period where we need to keep a deprecated resource name around?

[carloruiz]

perhaps the contents should be update as part of this to reflect the correct usage.

ack. will update

Along similar lines, I'm wondering if there is any necessary migration as part of this or period where we need to keep a deprecated resource name around?

Fortunately, we're not deprecating any TF fields as part of this change.

[carloruiz]

Acceptance test: had do manually change some code to make this work. There's no straight-forward way to automatically test Private endpoint connection creation bc the client needs to create the endpoint out of band before calling the API. I created the endpoint manually and hardcoded the endpoint id into the test.

COCKROACH_API_KEY=<KEY> COCKROACH_SERVER=https://management-staging.crdb.io TF_ACC=1 make test
go test ./... -run TestAccServerlessPrivateEndpointConnectionResource -v  -timeout 20m
?   	github.com/cockroachdb/terraform-provider-cockroach	[no test files]
?   	github.com/cockroachdb/terraform-provider-cockroach/mock	[no test files]
=== RUN   TestAccServerlessPrivateEndpointConnectionResource
=== PAUSE TestAccServerlessPrivateEndpointConnectionResource
=== CONT  TestAccServerlessPrivateEndpointConnectionResource
--- PASS: TestAccServerlessPrivateEndpointConnectionResource (68.70s)
PASS
ok  	github.com/cockroachdb/terraform-provider-cockroach/internal/provider	69.241s

[carloruiz]

Actually I was able to add a fixture for the serverless test so it runs with the acceptance tests. It will reuse the real, existing endpoint id.

[fantapop]

Hey, I had a few concerns. Left some comments in there.

[fantapop]

This feels a little fragile to me. Do we have anything protecting it from being removed? Many teams won't have the perms to fix it if it breaks.

[carloruiz]

I can't think of a way to make it "unfragile", except actually allocating an AWS account for TF testing, creating an AWS service account, creating an API key for the account, using the AWS SDK to create and delete the private endpoint connection on each test run, running the tests with the AWS API key. We'd also need to figure out a way to store AWS API Key so all engineers have access. Maybe vault, but then the TF tests would have a vault dep. I don't think it's a viable approach atm, too much hassle.

I know it's janky but I think the approach in this PR could get us working acceptance tests for a year since the staging Host clusters will prob not be re-created any time soon. It will break eventually and it be annoying to fix but IMO the future pain is worth having coverage. If you feel differently, I can leave the acceptance test as skipped and punt on this.

[carloruiz]

Hmm actually I'm going to leave this test as skipped since the endpointId only works for staging. Any acceptance test ran against any other env will fail.

[fantapop]

Is there a way to make it conditional on the env? Or maybe we can add instructions for running the test in staging?

[fantapop]

rather than hard coding this id everywhere, is it possible to use a datasource to fetch the endpoint using something else like name?

[carloruiz]

is it possible to use a datasource to fetch the endpoint using something else like name?

To fetch from AWS? We'd need AWS creds and we'd need to figure out a way to share the AWS API key across CC eng. Also, the endpoint is only uniquely identified by ID, so we'd still need to store the endpointId somewhere.

[fantapop]

LGTM