provider: Add jwt_issuer resource

Aligning to the CC API changes, this PR deprecates the `api_oidc_config`
resource in favor of the `jwt_issuer` resource.
As the existing TF resource was not in use, the team decided to make
the changes in-place.
Refined and added exhaustive acceptance tests.

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Updated to version 2.0.1 of cockroach-cloud-sdk-go
 
+## Added
+
+- Replaced `api_oidc_config` with `jwt_issuer` resource
+
 ## [1.7.7] - 2024-06-20
 
 - Added warning about using private endpoints with old versions.

docs/resources/jwt_issuer.md

@@ -0,0 +1,64 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "cockroach_jwt_issuer Resource - terraform-provider-cockroach"
+subcategory: ""
+description: |-
+  Configuration to manage external JWT Issuers to access CockroachDB Cloud API via JWT.
+---
+
+# cockroach_jwt_issuer (Resource)
+
+Configuration to manage external JWT Issuers to access CockroachDB Cloud API via JWT.
+
+## Example Usage
+
+```terraform
+resource "cockroach_jwt_issuer" "example" {
+  issuer_url = "https://accounts.google.com"
+  audience   = "test_audience"
+  jwks       = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"kid\":\"test_kid1\",\"kty\":\"RSA\",\"n\":\"09lq1lCEuteonwDJOhGTDak11ThplZuC9JEWQNdBnBSQwlkJQIE7A7nTBO0xTibcsh2HwYkC-N_Gs1jP4iwN3dRqnu5FwG2ct5mY8KLwJiHzToFC0MKenSFQCy0FviNtOnpiObcUlDvR2NDeNtMl_6SPzcQEt7GUTBBYZgoAxPmOgevki6ZNO6Y86xFqx3y6v8EPwW010AiC60r4AHGCTBhYF4uqmq5JH2UU4dDh9Udc-9LZxlSqPwJvnKDG2GjcnD8TsU3wjfEM_nRmx3dnXsrZUXYfNGtdv5dlHywf5AhkJmTavqcsJkgrNA-PNBghFMcCR816_kCIkCYWLWC5vQ\"}]}"
+  claim      = "email"
+  identity_map = [
+    {
+      token_identity = "token_identity"
+      cc_identity    = "cc_identity"
+      is_regex       = false
+    },
+    {
+      token_identity = "(.*)"
+      cc_identity    = "\\[email protected]"
+      is_regex       = true
+    },
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `audience` (String) The intended audience for consuming the JWT.
+- `issuer_url` (String) The URL of the server issuing JWTs.
+
+### Optional
+
+- `claim` (String) Used to identify the user from the external Identity Provider. Defaults to "sub".
+- `identity_map` (Attributes List) A list of mappings to map the external token identity into CockroachDB Cloud. (see [below for nested schema](#nestedatt--identity_map))
+- `jwks` (String) A set of public keys (JWKS) used to verify the JWT.
+
+### Read-Only
+
+- `id` (String) The unique identifier of the JWT Issuer resource.
+
+<a id="nestedatt--identity_map"></a>
+### Nested Schema for `identity_map`
+
+Required:
+
+- `cc_identity` (String) Specifies how to map the fetched token identity into CockroachDB Cloud.
+- `token_identity` (String) Specifies how to fetch external identity from the token claim.
+
+Optional:
+
+- `is_regex` (Boolean) Specifies whether the token_identity and cc_identity configurations are in regex format.

examples/resources/cockroach_jwt_issuer/resource.tf

@@ -0,0 +1,18 @@
+resource "cockroach_jwt_issuer" "example" {
+  issuer_url = "https://accounts.google.com"
+  audience   = "test_audience"
+  jwks       = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"kid\":\"test_kid1\",\"kty\":\"RSA\",\"n\":\"09lq1lCEuteonwDJOhGTDak11ThplZuC9JEWQNdBnBSQwlkJQIE7A7nTBO0xTibcsh2HwYkC-N_Gs1jP4iwN3dRqnu5FwG2ct5mY8KLwJiHzToFC0MKenSFQCy0FviNtOnpiObcUlDvR2NDeNtMl_6SPzcQEt7GUTBBYZgoAxPmOgevki6ZNO6Y86xFqx3y6v8EPwW010AiC60r4AHGCTBhYF4uqmq5JH2UU4dDh9Udc-9LZxlSqPwJvnKDG2GjcnD8TsU3wjfEM_nRmx3dnXsrZUXYfNGtdv5dlHywf5AhkJmTavqcsJkgrNA-PNBghFMcCR816_kCIkCYWLWC5vQ\"}]}"
+  claim      = "email"
+  identity_map = [
+    {
+      token_identity = "token_identity"
+      cc_identity    = "cc_identity"
+      is_regex       = false
+    },
+    {
+      token_identity = "(.*)"
+      cc_identity    = "\\[email protected]"
+      is_regex       = true
+    },
+  ]
+}