

@tobio tobio commented Aug 21, 2025

Fixes #693

I started off creating an independent resource for cross cluster keys, but there's a lot of duplication and it's not clear what benefit there is in splitting them apart.

@tobio tobio requested review from dimuon and nick-benoit August 21, 2025 11:03
@tobio tobio self-assigned this Aug 21, 2025

nick-benoit commented Sep 2, 2025

@tobio It seems that updating the key access:

  # elasticstack_elasticsearch_security_api_key.cross_cluster_key will be updated in-place
  ~ resource "elasticstack_elasticsearch_security_api_key" "cross_cluster_key" {
      ~ access               = {
          ~ replication = [
              ~ {
                  ~ names = [
                      ~ "archive-*" -> "archive-test-*",
                    ]
                },
            ]
        }
        id                   = "SgYidikGTeuWQ-qWz5pU_w/z2PdC5kBKm2x_cQXbsR7"
        name                 = "My Cross-Cluster API Key"
        # (8 unchanged attributes hidden)
    }

The role descriptions are also updated which results in this error:

elasticstack_elasticsearch_security_api_key.cross_cluster_key: Modifying... [id=SgYidikGTeuWQ-qWz5pU_w/z2PdC5kBKm2x_cQXbsR7]
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to elasticstack_elasticsearch_security_api_key.cross_cluster_key, provider "provider[\"registry.terraform.io/elastic/elasticstack\"]" produced an unexpected
│ new value: .role_descriptors: was
│ cty.StringVal("{\"cross_cluster\":{\"cluster\":[\"cross_cluster_replication\"],\"indices\":[{\"names\":[\"archive-*\"],\"privileges\":[\"cross_cluster_replication\",\"cross_cluster_replication_internal\"],\"allow_restricted_indices\":false}]}}"),
│ but now
│ cty.StringVal("{\"cross_cluster\":{\"cluster\":[\"cross_cluster_replication\"],\"indices\":[{\"names\":[\"archive-test-*\"],\"privileges\":[\"cross_cluster_replication\",\"cross_cluster_replication_internal\"],\"allow_restricted_indices\":false}]}}").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

I wonder if we should get rid of UseStateForUnknown for the role_descriptors field? It seems like this field is not updatable in the cross cluster api (docs). Perhaps this is a good argument for a different resource like you mentioned in the PR description?

IMPORTANT: If you don't specify role_descriptors in the request, a call to this API might still change the API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified.

link

It looks like this field is a bit sticky for non-cross cluster api key updates as well.

name = "%s"
type = "cross_cluster"
access = {
Contributor

Does it make sense to have this acceptance test update something in access to get some IT style acceptance test coverage of SetUnknownIfAccessHasChanges?

Member Author

Yea, it does exactly that.
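
The failure discussed in this thread, as an added Go example that is not the provider's code: it models a computed role_descriptors value derived from access, and compares always keeping the state value (the UseStateForUnknown behaviour) with marking it unknown when access changes. The function names, the derivation, and the conditional logic are assumptions for illustration; only the JSON shape and the index names come from the output quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// index mirrors one entry of cross_cluster.indices in the error output above.
type index struct {
	Names                  []string `json:"names"`
	Privileges             []string `json:"privileges"`
	AllowRestrictedIndices bool     `json:"allow_restricted_indices"`
}

// deriveRoleDescriptors is an assumed model of how the computed
// role_descriptors string follows from the access.replication names.
func deriveRoleDescriptors(names []string) string {
	privs := []string{"cross_cluster_replication", "cross_cluster_replication_internal"}
	b, _ := json.Marshal(map[string]interface{}{"cross_cluster": map[string]interface{}{
		"cluster": []string{"cross_cluster_replication"},
		"indices": []index{{Names: names, Privileges: privs}},
	}})
	return string(b)
}

// planRoleDescriptors returns the planned value and whether it is known.
// alwaysKeepState models an unconditional UseStateForUnknown; otherwise the
// state value is kept only when access is unchanged (hypothetical logic).
func planRoleDescriptors(stateNames, planNames []string, stateRD string, alwaysKeepState bool) (string, bool) {
	if alwaysKeepState || reflect.DeepEqual(stateNames, planNames) {
		return stateRD, true
	}
	return "", false // unknown until apply, because access changed
}

// consistentAfterApply models Terraform's rule that a known planned value
// must equal the value the provider returns after apply.
func consistentAfterApply(planned string, known bool, applied string) bool {
	return !known || planned == applied
}

func main() {
	oldNames, newNames := []string{"archive-*"}, []string{"archive-test-*"} // constructed from the plan above
	stateRD, applied := deriveRoleDescriptors(oldNames), deriveRoleDescriptors(newNames)
	for _, keep := range []bool{true, false} {
		planned, known := planRoleDescriptors(oldNames, newNames, stateRD, keep)
		fmt.Printf("alwaysKeepState=%v known=%v consistent=%v\n", keep, known, consistentAfterApply(planned, known, applied))
	}
}
```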

@tobio tobio merged commit 61a23dc into main Sep 5, 2025
70 of 71 checks passed
@tobio tobio deleted the api-key-with-cross-cluster branch September 5, 2025 03:54

Successfully merging this pull request may close these issues.

[Feature] Add Cross Cluster API keys management
