PSA update

[okrause]

Small update to private-service-access (PSA) module.

The problem it solves:
google_service_networking_connection doesn't delete peerings if there are still resources like cloud router are still attached to it. But some services delete such resources lazily (not immediately after they got deleted), e.g. Cloud SQL and NetApp Volumes.

Since deleting such peerings will fail, the authors of google_service_networking_connection added the option to abandon peerings.

But abandoning peerings introduces a new problem: Creating a new peering with a different psaRange fails, since servicenetworking still tracks the old peering. This even happens if the user deletes the peered VPC and re-creates it with the same name. Creating the peering still fails.

To fix this, the "existing shadow peering" (it is not visible when deleting and re-creating the VPC) needs to be updated instead of created. The google_service_networking_connection resource supports this through the update_on_creation_fail parameter.

This PR changes the PSA module to set update_on_creation_fail = true if deletion_policy == ABANDON.

I used that approach to be minimal invasive to non-GCNV deployments, but believe there is no harm in setting update_on_creation_fail always to true for all connections. I like the reviewer to weigh in on that design decision.

I ran deploy->delete->re-deploy->delete tests for "servicenetworking.googleapis.com" type connections and for "netapp.servicenetworking.goog" + "deletion_policy == ABANDON" connections. All worked as expected.

[okrause]

@bytetwin Please have a look. This fix is required to make automated test for GCNV work.

[bytetwin]

I don't see any harm in this. @cboneti, wdyt ?

I think the PR description is not right. The deletion_policy=ABANDON is set on the PSA (google_service_networking_connection) and not the on the VPC. This means the PSA exists but TF stops tracking it.

So adding this param means the dangling peering connection is reused but the add peering range goes through a forced update

[okrause]

@bytetwin I think you are right. I always thought about the PSA connection being a child resource of the VPC which is supposed to be cleaned up with it's parent resource (the VPC). But as you pointed out, it is not a child resource. Should I change the wording of the PR?

[bytetwin]

@bytetwin I think you are right. I always thought about the PSA connection being a child resource of the VPC which is supposed to be cleaned up with it's parent resource (the VPC). But as you pointed out, it is not a child resource. Should I change the wording of the PR?

yes please.

[bytetwin]

/gcbrun

[okrause]

I changed the PR description.

[okrause]

Thank you for your help.