provider: Add jwt_issuer resource

Aligning to the CC API changes, this PR deprecates the `api_oidc_config`
resource in favor of the `jwt_issuer` resource.
As the existing TF resource was not in use, the team decided to make
the changes in-place.
Refined and added exhaustive acceptance tests.
Removed is_regex field from the TF Provider.

CHANGELOG.md

@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Clarify cluster.private_network_visibility attribute documentation.
 
+## Changed
+
+- Replaced `api_oidc_config` with `jwt_issuer` resource
+
 ## [1.8.0] - 2024-09-18
 
 ### Added

docs/resources/jwt_issuer.md

@@ -0,0 +1,58 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "cockroach_jwt_issuer Resource - terraform-provider-cockroach"
+subcategory: ""
+description: |-
+  Configuration to manage external JSON Web Token (JWT) Issuers for authentication to the CockroachDB Cloud API.
+---
+
+# cockroach_jwt_issuer (Resource)
+
+Configuration to manage external JSON Web Token (JWT) Issuers for authentication to the CockroachDB Cloud API.
+
+## Example Usage
+
+```terraform
+resource "cockroach_jwt_issuer" "example" {
+  issuer_url = "https://accounts.google.com"
+  audience   = "test_audience"
+  jwks       = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"kid\":\"test_kid1\",\"kty\":\"RSA\",\"n\":\"09lq1lCEuteonwDJOhGTDak11ThplZuC9JEWQNdBnBSQwlkJQIE7A7nTBO0xTibcsh2HwYkC-N_Gs1jP4iwN3dRqnu5FwG2ct5mY8KLwJiHzToFC0MKenSFQCy0FviNtOnpiObcUlDvR2NDeNtMl_6SPzcQEt7GUTBBYZgoAxPmOgevki6ZNO6Y86xFqx3y6v8EPwW010AiC60r4AHGCTBhYF4uqmq5JH2UU4dDh9Udc-9LZxlSqPwJvnKDG2GjcnD8TsU3wjfEM_nRmx3dnXsrZUXYfNGtdv5dlHywf5AhkJmTavqcsJkgrNA-PNBghFMcCR816_kCIkCYWLWC5vQ\"}]}"
+  claim      = "email"
+  identity_map = [
+    {
+      token_identity = "test_user"
+      cc_identity    = "[email protected]"
+    },
+    {
+      token_identity = "/^sso_(.*)$"
+      cc_identity    = "\\[email protected]"
+    },
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `audience` (String) The intended audience for consuming the JWT.
+- `issuer_url` (String) The URL of the server issuing JWTs.
+
+### Optional
+
+- `claim` (String) Used to identify the user from the external Identity Provider. Defaults to "sub".
+- `identity_map` (Attributes List) A list of mappings to map the external token identity into CockroachDB Cloud. (see [below for nested schema](#nestedatt--identity_map))
+- `jwks` (String) A set of public keys (JWKS) used to verify the JWT.
+
+### Read-Only
+
+- `id` (String) The unique identifier of the JWT Issuer resource.
+
+<a id="nestedatt--identity_map"></a>
+### Nested Schema for `identity_map`
+
+Required:
+
+- `cc_identity` (String) Specifies how to map the fetched token identity to an identity in CockroachDB Cloud. In case of a regular expression for token_identity, this must contain a \1 placeholder for the matched content. Note that you will need to escape the backslash in the string as in the example usage (\\\1).
+- `token_identity` (String) Specifies how to fetch external identity from the token claim. A regular expression must start with a forward slash. The regular expression must be in RE2 compatible syntax. For further details, please see https://github.com/google/re2/wiki/Syntax.

examples/resources/cockroach_jwt_issuer/resource.tf

@@ -0,0 +1,16 @@
+resource "cockroach_jwt_issuer" "example" {
+  issuer_url = "https://accounts.google.com"
+  audience   = "test_audience"
+  jwks       = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"kid\":\"test_kid1\",\"kty\":\"RSA\",\"n\":\"09lq1lCEuteonwDJOhGTDak11ThplZuC9JEWQNdBnBSQwlkJQIE7A7nTBO0xTibcsh2HwYkC-N_Gs1jP4iwN3dRqnu5FwG2ct5mY8KLwJiHzToFC0MKenSFQCy0FviNtOnpiObcUlDvR2NDeNtMl_6SPzcQEt7GUTBBYZgoAxPmOgevki6ZNO6Y86xFqx3y6v8EPwW010AiC60r4AHGCTBhYF4uqmq5JH2UU4dDh9Udc-9LZxlSqPwJvnKDG2GjcnD8TsU3wjfEM_nRmx3dnXsrZUXYfNGtdv5dlHywf5AhkJmTavqcsJkgrNA-PNBghFMcCR816_kCIkCYWLWC5vQ\"}]}"
+  claim      = "email"
+  identity_map = [
+    {
+      token_identity = "test_user"
+      cc_identity    = "[email protected]"
+    },
+    {
+      token_identity = "/^sso_(.*)$"
+      cc_identity    = "\\[email protected]"
+    },
+  ]
+}