tailscale / terraform-provider-tailscale

Terraform provider for Tailscale
https://registry.terraform.io/providers/tailscale/tailscale
MIT License

resource_tailnet_key: handle 404 and discard invalid keys #287

Closed clstokes closed 11 months ago

clstokes commented 11 months ago

What this PR does / why we need it:

  1. Changes the handling of 404 errors on Read / terraform refresh operations to treat all 404 errors as a deleted key. Previously only one-time keys (e.g. not reusable) were treated as deleted and a 404 would fail the terraform operation with an error.
  2. Removes tailnet key from state during Read operation if invalid key property is true.

Which issue this PR fixes:

Fixes #144

Special notes for your reviewer:

~Any concerns with using the time of the machine that is running Terraform to compare with expires_at returned by the Tailscale API?~

clstokes commented 11 months ago

Local testing...

main.tf

variable "expiry" {
  default = 30
}

resource "tailscale_tailnet_key" "instance" {
  expiry   = var.expiry
  reusable = false
  tags     = ["tag:demo-exit-node"]
}

output "key_id" {
  value = tailscale_tailnet_key.instance.id
}

output "expiry" {
  value = var.expiry
}

test steps / output

# TF_CLI_CONFIG_FILE=.terraformrc terraform apply -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - tailscale/tailscale in /Users/cameron/.terraform.d/plugins/github.com/tailscale/tailscale/0.1/darwin_arm64
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # tailscale_tailnet_key.instance will be created
  + resource "tailscale_tailnet_key" "instance" {
      + created_at = (known after apply)
      + expires_at = (known after apply)
      + expiry     = 30
      + id         = (known after apply)
      + key        = (sensitive value)
      + reusable   = false
      + tags       = [
          + "tag:demo-exit-node",
        ]
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ key_id = "kxqFHN3CNTRL" -> (known after apply)
tailscale_tailnet_key.instance: Creating...
tailscale_tailnet_key.instance: Creation complete after 0s [id=key1]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

expiry = 30
key_id = "key1"
#  
#  
# 
# TF_CLI_CONFIG_FILE=.terraformrc terraform refresh            
tailscale_tailnet_key.instance: Refreshing state... [id=key1]

Outputs:

expiry = 30
key_id = "key1"
#  
#  
# 
# TF_CLI_CONFIG_FILE=.terraformrc terraform refresh
tailscale_tailnet_key.instance: Refreshing state... [id=key1]

Outputs:

expiry = 30
key_id = "key1"
#  
#  
# 
# TF_CLI_CONFIG_FILE=.terraformrc terraform apply -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - tailscale/tailscale in /Users/cameron/.terraform.d/plugins/github.com/tailscale/tailscale/0.1/darwin_arm64
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tailscale_tailnet_key.instance: Refreshing state... [id=key1]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

expiry = 30
key_id = "key1"
#  
#  
# 
# sleep $(terraform output expiry)                 
#  
#  
# 
# TF_CLI_CONFIG_FILE=.terraformrc terraform apply -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - tailscale/tailscale in /Users/cameron/.terraform.d/plugins/github.com/tailscale/tailscale/0.1/darwin_arm64
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published
│ releases.
╵
tailscale_tailnet_key.instance: Refreshing state... [id=key1]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # tailscale_tailnet_key.instance has been deleted
  - resource "tailscale_tailnet_key" "instance" {
      - id         = "key1" -> null
        tags       = [
            "tag:demo-exit-node",
        ]
        # (6 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to
undo or respond to these changes.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # tailscale_tailnet_key.instance will be created
  + resource "tailscale_tailnet_key" "instance" {
      + created_at = (known after apply)
      + expires_at = (known after apply)
      + expiry     = 30
      + id         = (known after apply)
      + key        = (sensitive value)
      + reusable   = false
      + tags       = [
          + "tag:demo-exit-node",
        ]
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ key_id = "key1" -> (known after apply)
tailscale_tailnet_key.instance: Creating...
tailscale_tailnet_key.instance: Creation complete after 0s [id=key2]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

expiry = 30
key_id = "key2"
#  
#  
# 
# TF_CLI_CONFIG_FILE=.terraformrc terraform destroy -auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - tailscale/tailscale in /Users/cameron/.terraform.d/plugins/github.com/tailscale/tailscale/0.1/darwin_arm64
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published
│ releases.
╵
tailscale_tailnet_key.instance: Refreshing state... [id=key2]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tailscale_tailnet_key.instance will be destroyed
  - resource "tailscale_tailnet_key" "instance" {
      - created_at = "2023-09-12T17:49:38Z" -> null
      - ephemeral  = false -> null
      - expires_at = "2023-09-12T17:50:08Z" -> null
      - expiry     = 30 -> null
      - id         = "key2" -> null
      - key        = (sensitive value) -> null
      - reusable   = false -> null
      - tags       = [
          - "tag:demo-exit-node",
        ] -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Changes to Outputs:
  - expiry = 30 -> null
  - key_id = "key2" -> null
tailscale_tailnet_key.instance: Destroying... [id=key2]
tailscale_tailnet_key.instance: Destruction complete after 2s

Destroy complete! Resources: 1 destroyed.
# 
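As an added illustration (not the PR's diff or the provider's own code) of the Read semantics described in the PR description and exercised in the test session above: a 404 for any key, reusable or not (the expired key1 case), and a key the API flags as invalid both drop the resource from state so the next apply recreates it, while any other API error still fails the read. The Key, APIError and keyGetter types are assumed stand-ins for the tailscale-client-go types, not the library's real definitions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Key stands in for the tailnet key returned by the Tailscale API
// (assumed shape; field names are illustrative, not the client library's).
type Key struct {
	ID       string
	Reusable bool
	Invalid  bool // set by the API once the key can no longer be used
}

// APIError carries the HTTP status of a failed API call (assumed shape).
type APIError struct{ Status int }

func (e *APIError) Error() string { return fmt.Sprintf("api error: status %d", e.Status) }

// isNotFound reports whether err is a 404 from the API.
func isNotFound(err error) bool {
	var apiErr *APIError
	return errors.As(err, &apiErr) && apiErr.Status == http.StatusNotFound
}

// keyGetter is the one client call the Read step needs (hypothetical interface).
type keyGetter interface {
	GetKey(id string) (*Key, error)
}

// readKey implements the Read semantics from the PR: a 404 for any key,
// reusable or not, and a key flagged invalid both mean "drop it from state"
// (keep=false, no error); every other error is surfaced so terraform fails.
func readKey(c keyGetter, id string) (key *Key, keep bool, err error) {
	key, err = c.GetKey(id)
	if isNotFound(err) {
		return nil, false, nil // deleted or expired upstream: remove from state
	}
	if err != nil {
		return nil, false, err // transient or auth failure: do not touch state
	}
	if key.Invalid {
		return nil, false, nil // still exists but unusable: recreate on next apply
	}
	return key, true, nil
}
```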
clstokes commented 11 months ago

After internal discussion we're going to go a slightly different direction here that will require changes to the Tailscale API and https://github.com/tailscale/tailscale-client-go. I made this PR a draft and will come back to this once the upstream changes are ready.

clstokes commented 11 months ago

Updated to use invalid key property per https://github.com/tailscale/tailscale-client-go/pull/59.

go.mod will need to be updated once more once tailscale-client-go is released.