[ENG-2684] Fix Terraform provider aws-regions serialization breaking frontend (#3963)

## Summary

- The Terraform provider serialized `aws-regions` as a comma-separated
string, but the frontend Zod schema expects a JSON array, causing
"Invalid source data" in the UI for Terraform-created sources.
- Fixed Create, Update, and Read paths in the provider to use proper
array serialization via `structpb.ListValue`.
- Intentionally omitted legacy CSV fallback in Read — existing sources
will self-heal on the next `terraform apply`.

## Linear Ticket

- **Ticket**:
[ENG-2684](https://linear.app/overmind/issue/ENG-2684/fix-terraform-provider-aws-regions-serialization-breaking-frontend)
— Fix Terraform provider aws-regions serialization breaking frontend
- **Project**: Terraform Module for AWS Source Setup

## Changes

**`aws-source/module/provider/resource_aws_source.go`** (core fix):

- **Create & Update**: Replaced `strings.Join(regions, ",")` with
`toAnySlice(regions)` so `structpb.NewStruct` produces a `ListValue`
instead of a `StringValue`.
- **Read**: Replaced string-based parsing with
`regionsFromStructValue()` which only reads from `ListValue`. No legacy
CSV fallback — this forces Terraform to detect drift on existing sources
with the old format. Returns an empty slice (not nil) when the value
isn't a list, so `ListValueFrom` produces a non-null empty list —
correct for a `Required` schema attribute.
- **Helpers**: Added `toAnySlice` (converts `[]string` to `[]any`) and
`regionsFromStructValue` (extracts regions from protobuf `ListValue`).
Removed unused `splitNonEmpty` and `strings` import.

**`aws-source/module/provider/.github/workflows/release.yml`**: Minor
release pipeline improvement.

**`deploy/.terraform.lock.hcl`**: Updated lock file with new overmind
provider hash.

**`aws-source/README.md`** and
**`aws-source/module/terraform/README.md`**: Documented `api_key`
provider-block attribute for authentication.

All existing provider tests pass without modification.

## Deviations from Approved Plan

The plan in ENG-2684 described four changes, all scoped to
`resource_aws_source.go`. The implementation includes those four items
plus:

1. **Empty slice instead of nil on parse failure** — not in the plan.
`regionsFromStructValue` returns `[]string{}` instead of `nil` when the
stored value isn't a `ListValue`. This prevents `ListValueFrom` from
producing a null list for a `Required` attribute, which could break
refresh in future Terraform framework versions. Drift-based self-healing
is preserved since an empty list still differs from the configured
regions.
2. **`release.yml` pipeline tweak** — not in the plan. Minor CI change
to the provider release workflow (1 line). Low risk, bundled for
convenience.
3. **`deploy/.terraform.lock.hcl` update** — not in the plan. Updates
the lock file to include the new provider version hash. Required for
`deploy/` to use the updated provider.
4. **Documentation updates to `aws-source/README.md` and
`aws-source/module/terraform/README.md`** — not in the plan. Adds
documentation for the `api_key` provider-block attribute. Docs-only, no
behavioral change.

No planned items were omitted or modified. The core fix (items 1–4 in
the plan) matches the approved approach exactly.

GitOrigin-RevId: 67c7387e75d8b85bc14095b51d90215ba042da1f

Author: DavidS-ovm

aws-source/module/provider/.github/workflows/release.yml

@@ -10,7 +10,7 @@ permissions:
 
 jobs:
   release:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-24.04-8
     steps:
       - name: Checkout
         uses: actions/checkout@v6

aws-source/module/provider/resource_aws_source.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	"connectrpc.com/connect"
 	"github.com/google/uuid"
@@ -130,7 +129,7 @@ func (r *awsSourceResource) Create(ctx context.Context, req resource.CreateReque
 		"aws-access-strategy": "external-id",
 		"aws-external-id":     externalID,
 		"aws-target-role-arn": plan.AWSRoleARN.ValueString(),
-		"aws-regions":         strings.Join(regions, ","),
+		"aws-regions":         toAnySlice(regions),
 	})
 	if err != nil {
 		resp.Diagnostics.AddError("Failed to build source config", err.Error())
@@ -216,8 +215,7 @@ func (r *awsSourceResource) Read(ctx context.Context, req resource.ReadRequest,
 			state.AWSRoleARN = types.StringValue(v.GetStringValue())
 		}
 		if v, ok := fields["aws-regions"]; ok {
-			regionStr := v.GetStringValue()
-			regionVals := splitNonEmpty(regionStr, ",")
+			regionVals := regionsFromStructValue(v)
 			listVal, diags := types.ListValueFrom(ctx, types.StringType, regionVals)
 			resp.Diagnostics.Append(diags...)
 			state.AWSRegions = listVal
@@ -271,7 +269,7 @@ func (r *awsSourceResource) Update(ctx context.Context, req resource.UpdateReque
 		"aws-access-strategy": "external-id",
 		"aws-external-id":     externalID,
 		"aws-target-role-arn": plan.AWSRoleARN.ValueString(),
-		"aws-regions":         strings.Join(regions, ","),
+		"aws-regions":         toAnySlice(regions),
 	})
 	if err != nil {
 		resp.Diagnostics.AddError("Failed to build source config", err.Error())
@@ -361,14 +359,25 @@ func regionsFromList(ctx context.Context, list types.List) ([]string, diag.Diagn
 	return regions, diags
 }
 
-func splitNonEmpty(s, sep string) []string {
-	parts := strings.Split(s, sep)
-	result := make([]string, 0, len(parts))
-	for _, p := range parts {
-		trimmed := strings.TrimSpace(p)
-		if trimmed != "" {
-			result = append(result, trimmed)
+func toAnySlice(ss []string) []any {
+	out := make([]any, len(ss))
+	for i, s := range ss {
+		out[i] = s
+	}
+	return out
+}
+
+func regionsFromStructValue(v *structpb.Value) []string {
+	lv := v.GetListValue()
+	if lv == nil {
+		return []string{}
+	}
+	vals := lv.GetValues()
+	out := make([]string, 0, len(vals))
+	for _, item := range vals {
+		if s := item.GetStringValue(); s != "" {
+			out = append(out, s)
 		}
 	}
-	return result
+	return out
 }

aws-source/module/terraform/README.md

@@ -98,9 +98,16 @@ your HCL.
 
 ## Authentication
 
-The Overmind provider reads `OVERMIND_API_KEY` from the environment. The API key
+The Overmind provider accepts an API key via the `api_key` attribute or the
+`OVERMIND_API_KEY` environment variable. The attribute takes precedence. The key
 must have `sources:write` scope.
 
+```hcl
+provider "overmind" {
+  api_key = var.overmind_api_key
+}
+```
+
 The AWS provider must have permissions to create IAM roles and policies in the
 target account.