@boxofrad
Contributor

Fixes #40654, #51555, and #56910 by deprecating and replacing teleport_bot with a new teleport_bot_v2 resource.

Background

Our current Terraform resource for managing bots is hand-rolled, doesn't follow the same conventions as our other resources, deletes and recreates the user and role whenever the bot is modified, and doesn't support importing bots.

This PR replaces it with a new resource generated from its protobuf definition by protoc-gen-terraform.

I went with teleport_bot_v2 because this seems to be the established convention for versioning Terraform resources, and we don't typically tie the version suffix to the Teleport resource type version (which you provide as an attribute on the resource itself).

I wasn't sure whether to add the suffix to the data source for symmetry, or to omit it because there is no v1, so went for the latter.

The migration path for existing users would be roughly:

# Import the bot as a new resource
$ terraform import teleport_bot_v2.default my-awesome-bot

# Remove the old resource from state
$ terraform state rm teleport_bot.default

Using the new resource type will require upgrading the auth server first, because the generated Terraform code relies on the resource's revision changing to detect when writes have been propagated to the cache, which we previously weren't setting on bots.

changelog: Terraform: Add teleport_bot_v2 resource and teleport_bot datasource

@public-teleport-github-review-bot

@boxofrad - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

@github-actions github-actions bot requested a review from zmb3 October 16, 2025 11:24
@github-actions

github-actions bot commented Oct 16, 2025

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
| --- | --- | --- | --- | --- | --- |
| boxofrad/bot-resource-terraform | 73ff976 | 3 | ✅SUCCEED | boxofrad-bot-resource-terraform | 2025-10-16 15:50:34 |

Contributor

@strideynet strideynet left a comment

I do slightly worry that teleport_bot_v2 could be setting ourselves up for pain if we were to ever introduce BotV2 in Teleport itself. I'd be curious what Hugo and/or the rest of the team thinks.

@strideynet
Contributor

> Using the new resource type will require upgrading the auth server first, because the generated Terraform code relies on the resource's revision changing to detect when writes have been propagated to the cache

What happens if they haven't upgraded the auth server first?

@boxofrad
Contributor Author

> I do slightly worry that teleport_bot_v2 could be setting ourselves up for pain if we were to ever introduce BotV2 in Teleport itself.

It's certainly awkward. In that case, you'd likely need to write:

resource "teleport_bot_v2" "bot" {
  version = "v2"

  # ...
}

> What happens if they haven't upgraded the auth server first?

The provider will exit with this error when you update a bot:

Error reading Bot (tried 12 times) - state outdated, please import resource

Because it'll just sit in a retry loop reading the bot and checking if its revision has changed. One alternative would be to mark the resource with HasStaticID which would opt-out of this "read after write" check, which is closer to the old resource's behaviour.
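
The read-after-write check described in the comment above, as an added example that is not part of the thread or of the Teleport provider's code. It is a simplified model: `authServer`, `updateAndWait` and the `rev-N` revision strings are constructed for illustration, and only the attempt count and error text come from the message quoted in the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrStateOutdated mirrors the error text quoted in the thread.
var ErrStateOutdated = errors.New("state outdated, please import resource")

const maxTries = 12 // attempt count taken from the quoted error message

// authServer is a constructed stand-in, not Teleport's API.
type authServer struct {
	revision     string
	roles        []string
	writes       int
	setsRevision bool // false models an auth server that predates the change
}

func (a *authServer) update(roles []string) {
	a.roles = roles
	if a.setsRevision {
		a.writes++
		a.revision = fmt.Sprintf("rev-%d", a.writes)
	}
}

// updateAndWait writes, then re-reads until the revision differs from the
// one seen before the write. It returns the number of reads performed.
func updateAndWait(a *authServer, roles []string) (int, error) {
	before := a.revision
	a.update(roles)
	for try := 1; try <= maxTries; try++ {
		if a.revision != before {
			return try, nil
		}
		// A real client would sleep or back off between reads.
	}
	return maxTries, fmt.Errorf("Error reading Bot (tried %d times) - %w", maxTries, ErrStateOutdated)
}

func main() {
	for _, upgraded := range []bool{true, false} {
		tries, err := updateAndWait(&authServer{setsRevision: upgraded}, []string{"access"})
		fmt.Printf("setsRevision=%v tries=%d err=%v\n", upgraded, tries, err)
	}
}
```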

@boxofrad boxofrad force-pushed the boxofrad/bot-resource-terraform branch from 1acfb75 to 3bff1cd Compare October 16, 2025 13:25
@boxofrad boxofrad force-pushed the boxofrad/bot-resource-terraform branch from 3bff1cd to 73ff976 Compare October 16, 2025 15:48
@marcoandredinis marcoandredinis removed their request for review October 17, 2025 10:50
Development

Successfully merging this pull request may close these issues.

Machine ID: Introduce new Bot resource to Terraform