feat(resource,datasource): restore, read replicas, data sources, timeouts (Phase 5)

Resource:
- read_replica_of (RequiresReplace, ConflictsWith restore/password): Create
  calls CreatePostgresReadReplica.
- restore_to_point_in_time {source_id, restore_target} (RequiresReplace,
  ConflictsWith read_replica_of): Create calls RestorePostgres. Restored
  instance name = top-level name.
- Three-path Create switch (replica / restore / standard), shared wait+sync.
- timeouts {} block (create+update) wired into the create + update waits.

Data sources (alpha-gated via pkg/datasource/register_{stable,debug}.go;
provider.DataSources delegates to GetDataSourceFactories):
- clickhouse_postgres_service (by id), clickhouse_postgres_services (list),
  clickhouse_postgres_service_ca_certificates (PEM).

API: GetPostgresCaCertificates now routes through doRequest (gains
retry/User-Agent/logging); the separate doRawRequest is unnecessary since
doRequest returns bytes verbatim and formatLogBody tolerates non-JSON.

Dependent-replica: e2e confirmed the server returns 200 (not 409) when
deleting a primary with a replica, so the previously-removed fail-fast
heuristic correctly stays removed.

Helper-level unit tests for the request builders; live e2e validated read
replica (psql), all 3 data sources, CA cert, timeouts, and dependent-replica
delete behavior.

Author: amogiska

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/hashicorp/terraform-plugin-docs v0.25.0
 	github.com/hashicorp/terraform-plugin-framework v1.19.0
+	github.com/hashicorp/terraform-plugin-framework-timeouts v0.7.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.19.0
 	github.com/hashicorp/terraform-plugin-go v0.31.0
 	github.com/hashicorp/terraform-plugin-log v0.10.0

go.sum

@@ -101,6 +101,8 @@ github.com/hashicorp/terraform-plugin-docs v0.25.0 h1:qHs1V257NxVe8tv6HS4UQfNqja
 github.com/hashicorp/terraform-plugin-docs v0.25.0/go.mod h1:MQggCmY8zgP7R7E/cC0b0cmTvA9hSj3ZKyrrsDjRbLo=
 github.com/hashicorp/terraform-plugin-framework v1.19.0 h1:q0bwyhxAOR3vfdgbk9iplv3MlTv/dhBHTXjQOtQDoBA=
 github.com/hashicorp/terraform-plugin-framework v1.19.0/go.mod h1:YRXOBu0jvs7xp4AThBbX4mAzYaMJ1JgtFH//oGKxwLc=
+github.com/hashicorp/terraform-plugin-framework-timeouts v0.7.0 h1:jblRy1PkLfPm5hb5XeMa3tezusnMRziUGqtT5epSYoI=
+github.com/hashicorp/terraform-plugin-framework-timeouts v0.7.0/go.mod h1:5jm2XK8uqrdiSRfD5O47OoxyGMCnwTcl8eoiDgSa+tc=
 github.com/hashicorp/terraform-plugin-framework-validators v0.19.0 h1:Zz3iGgzxe/1XBkooZCewS0nJAaCFPFPHdNJd8FgE4Ow=
 github.com/hashicorp/terraform-plugin-framework-validators v0.19.0/go.mod h1:GBKTNGbGVJohU03dZ7U8wHqc2zYnMUawgCN+gC0itLc=
 github.com/hashicorp/terraform-plugin-go v0.31.0 h1:0Fz2r9DQ+kNNl6bx8HRxFd1TfMKUvnrOtvJPmp3Z0q8=

pkg/datasource/descriptions/postgres_service.md

@@ -0,0 +1,24 @@
+> **Alpha data source.** Exposed only in alpha builds of the provider
+> (`-tags alpha`). The backing ClickHouse Cloud Managed Postgres API is
+> `beta` server-side. Expect breaking changes between alpha releases.
+
+Fetches a single [ClickHouse Cloud Managed Postgres](https://clickhouse.com/cloud/postgres)
+service by ID, including its current `pg_config` / `pgbouncer_config`.
+
+Returns the same attributes as the `clickhouse_postgres_service` resource
+**except `password`** (the server never echoes it on read). The
+`connection_string` (which embeds the password) is returned and marked
+sensitive. `tags`, `pg_config`, and `pgbouncer_config` are exposed as
+read-only string maps. Server-reserved `chc_`-prefixed tags are filtered out.
+
+## Example
+
+```hcl
+data "clickhouse_postgres_service" "example" {
+  id = "5f1a3d9d-3d8e-8ed0-8d25-545aec9d5e3b"
+}
+
+output "host" {
+  value = data.clickhouse_postgres_service.example.hostname
+}
+```

pkg/datasource/descriptions/postgres_service_ca_certificates.md

@@ -0,0 +1,22 @@
+> **Alpha data source.** Exposed only in alpha builds of the provider
+> (`-tags alpha`). The backing ClickHouse Cloud Managed Postgres API is
+> `beta` server-side. Expect breaking changes between alpha releases.
+
+Fetches the PEM-encoded CA certificate chain for a
+[ClickHouse Cloud Managed Postgres](https://clickhouse.com/cloud/postgres)
+service. Use it to pin the CA when connecting with `sslmode=verify-full`.
+
+Input `service_id`; output `certificate` (the PEM chain).
+
+## Example
+
+```hcl
+data "clickhouse_postgres_service_ca_certificates" "example" {
+  service_id = clickhouse_postgres_service.example.id
+}
+
+resource "local_file" "ca" {
+  content  = data.clickhouse_postgres_service_ca_certificates.example.certificate
+  filename = "${path.module}/pg-ca.pem"
+}
+```

pkg/datasource/descriptions/postgres_services.md

@@ -0,0 +1,22 @@
+> **Alpha data source.** Exposed only in alpha builds of the provider
+> (`-tags alpha`). The backing ClickHouse Cloud Managed Postgres API is
+> `beta` server-side. Expect breaking changes between alpha releases.
+
+Lists all [ClickHouse Cloud Managed Postgres](https://clickhouse.com/cloud/postgres)
+services in the organization. Returns a `services` list of summary objects
+(`id`, `name`, `cloud_provider`, `region`, `postgres_version`, `size`,
+`ha_type`, `state`, `created_at`, `is_primary`).
+
+The list endpoint does not return `connection_string`, `password`, or
+`pg_config`; use the `clickhouse_postgres_service` data source (by ID) for the
+full set of attributes. Useful for `for_each` over existing services.
+
+## Example
+
+```hcl
+data "clickhouse_postgres_services" "all" {}
+
+output "service_names" {
+  value = [for s in data.clickhouse_postgres_services.all.services : s.name]
+}
+```

pkg/datasource/postgres_service.go

@@ -0,0 +1,201 @@
+//go:build alpha
+
+package datasource
+
+import (
+	"context"
+	_ "embed"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
+	"github.com/ClickHouse/terraform-provider-clickhouse/pkg/internal/api"
+)
+
+//go:embed descriptions/postgres_service.md
+var postgresServiceDataSourceDescription string
+
+// postgresReservedTagPrefix mirrors the resource's chc_ reservation; system
+// tags are filtered out of data-source output the same way.
+const postgresReservedTagPrefix = "chc_"
+
+// postgresDefaultPort mirrors the resource's hardcoded listening port.
+const postgresDefaultPort int64 = 5432
+
+var _ datasource.DataSource = &postgresServiceDataSource{}
+
+// NewPostgresServiceDataSource fetches a single Managed Postgres service by ID.
+func NewPostgresServiceDataSource() datasource.DataSource {
+	return &postgresServiceDataSource{}
+}
+
+type postgresServiceDataSource struct {
+	client api.Client
+}
+
+type postgresServiceDataSourceModel struct {
+	ID               types.String `tfsdk:"id"`
+	Name             types.String `tfsdk:"name"`
+	CloudProvider    types.String `tfsdk:"cloud_provider"`
+	Region           types.String `tfsdk:"region"`
+	PostgresVersion  types.String `tfsdk:"postgres_version"`
+	Size             types.String `tfsdk:"size"`
+	HaType           types.String `tfsdk:"ha_type"`
+	State            types.String `tfsdk:"state"`
+	CreatedAt        types.String `tfsdk:"created_at"`
+	IsPrimary        types.Bool   `tfsdk:"is_primary"`
+	Hostname         types.String `tfsdk:"hostname"`
+	Port             types.Int64  `tfsdk:"port"`
+	Username         types.String `tfsdk:"username"`
+	ConnectionString types.String `tfsdk:"connection_string"`
+	Tags             types.Map    `tfsdk:"tags"`
+	PgConfig         types.Map    `tfsdk:"pg_config"`
+	PgBouncerConfig  types.Map    `tfsdk:"pgbouncer_config"`
+}
+
+func (d *postgresServiceDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+	client, ok := req.ProviderData.(api.Client)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			"Expected api.Client, got something else. Please report this issue to the provider developers.",
+		)
+		return
+	}
+	d.client = client
+}
+
+func (d *postgresServiceDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_postgres_service"
+}
+
+func (d *postgresServiceDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		MarkdownDescription: postgresServiceDataSourceDescription,
+		Attributes: map[string]schema.Attribute{
+			"id":                schema.StringAttribute{Description: "Unique identifier of the Postgres service to look up.", Required: true},
+			"name":              schema.StringAttribute{Description: "Human-readable name.", Computed: true},
+			"cloud_provider":    schema.StringAttribute{Description: "Cloud provider hosting the instance.", Computed: true},
+			"region":            schema.StringAttribute{Description: "Cloud region.", Computed: true},
+			"postgres_version":  schema.StringAttribute{Description: "Major Postgres version.", Computed: true},
+			"size":              schema.StringAttribute{Description: "Instance size (VM SKU).", Computed: true},
+			"ha_type":           schema.StringAttribute{Description: "High-availability mode ('none', 'async', 'sync').", Computed: true},
+			"state":             schema.StringAttribute{Description: "Server-reported state.", Computed: true},
+			"created_at":        schema.StringAttribute{Description: "RFC3339 creation timestamp.", Computed: true},
+			"is_primary":        schema.BoolAttribute{Description: "True for a primary; false for a read replica.", Computed: true},
+			"hostname":          schema.StringAttribute{Description: "Network hostname for client connections.", Computed: true},
+			"port":              schema.Int64Attribute{Description: "TCP port for client connections.", Computed: true},
+			"username":          schema.StringAttribute{Description: "Default superuser name.", Computed: true},
+			"connection_string": schema.StringAttribute{Description: "Full connection URI (embeds the password). Sensitive.", Computed: true, Sensitive: true},
+			"tags": schema.MapAttribute{
+				Description: "User tags (server-reserved 'chc_' tags are filtered out). Read-only; represented as a map.",
+				Computed:    true,
+				ElementType: types.StringType,
+			},
+			"pg_config": schema.MapAttribute{
+				Description: "Postgres server parameters currently set on the instance. Read-only; represented as a map.",
+				Computed:    true,
+				ElementType: types.StringType,
+			},
+			"pgbouncer_config": schema.MapAttribute{
+				Description: "PgBouncer parameters currently set on the instance. Read-only; represented as a map.",
+				Computed:    true,
+				ElementType: types.StringType,
+			},
+		},
+	}
+}
+
+func (d *postgresServiceDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
+	var data postgresServiceDataSourceModel
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	pg, err := d.client.GetPostgres(ctx, data.ID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("Error reading Postgres service", "Could not read Postgres service "+data.ID.ValueString()+": "+err.Error())
+		return
+	}
+	cfg, err := d.client.GetPostgresConfig(ctx, data.ID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError("Error reading Postgres configuration", "Could not read config for Postgres service "+data.ID.ValueString()+": "+err.Error())
+		return
+	}
+
+	data.ID = types.StringValue(pg.Id)
+	data.Name = types.StringValue(pg.Name)
+	data.CloudProvider = types.StringValue(pg.Provider)
+	data.Region = types.StringValue(pg.Region)
+	data.PostgresVersion = types.StringValue(pg.PostgresVersion)
+	data.Size = types.StringValue(pg.Size)
+	if pg.HaType != "" {
+		data.HaType = types.StringValue(pg.HaType)
+	} else {
+		data.HaType = types.StringValue("none")
+	}
+	data.State = types.StringValue(pg.State)
+	data.CreatedAt = types.StringValue(pg.CreatedAt)
+	if pg.IsPrimary != nil {
+		data.IsPrimary = types.BoolValue(*pg.IsPrimary)
+	} else {
+		data.IsPrimary = types.BoolValue(true)
+	}
+	data.Hostname = stringOrNull(pg.Hostname)
+	data.Port = types.Int64Value(postgresDefaultPort)
+	data.Username = stringOrNull(pg.Username)
+	data.ConnectionString = stringOrNull(pg.ConnectionString)
+
+	tags, diags := apiTagsToMap(pg.Tags)
+	resp.Diagnostics.Append(diags...)
+	pgCfg, diags := configToMap(cfg.PgConfig)
+	resp.Diagnostics.Append(diags...)
+	pbCfg, diags := configToMap(cfg.PgBouncerConfig)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+	data.Tags = tags
+	data.PgConfig = pgCfg
+	data.PgBouncerConfig = pbCfg
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
+
+// --- shared helpers (datasource package, alpha) ---------------------------
+
+func stringOrNull(s *string) types.String {
+	if s == nil {
+		return types.StringNull()
+	}
+	return types.StringValue(*s)
+}
+
+// apiTagsToMap converts api tags to a string map, dropping chc_-prefixed
+// (server-reserved) tags. An empty value becomes an empty string.
+func apiTagsToMap(tags []api.Tag) (types.Map, diag.Diagnostics) {
+	m := make(map[string]attr.Value, len(tags))
+	for _, t := range tags {
+		if strings.HasPrefix(t.Key, postgresReservedTagPrefix) {
+			continue
+		}
+		m[t.Key] = types.StringValue(t.Value)
+	}
+	return types.MapValue(types.StringType, m)
+}
+
+func configToMap(c api.PgConfigMap) (types.Map, diag.Diagnostics) {
+	m := make(map[string]attr.Value, len(c))
+	for k, v := range c {
+		m[k] = types.StringValue(v)
+	}
+	return types.MapValue(types.StringType, m)
+}

pkg/datasource/postgres_service_ca_certificates.go

@@ -0,0 +1,89 @@
+//go:build alpha
+
+package datasource
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
+	"github.com/ClickHouse/terraform-provider-clickhouse/pkg/internal/api"
+)
+
+//go:embed descriptions/postgres_service_ca_certificates.md
+var postgresCaCertsDataSourceDescription string
+
+var _ datasource.DataSource = &postgresCaCertificatesDataSource{}
+
+// NewPostgresServiceCaCertificatesDataSource fetches the PEM-encoded CA chain
+// for a Managed Postgres service (for clients that pin the CA).
+func NewPostgresServiceCaCertificatesDataSource() datasource.DataSource {
+	return &postgresCaCertificatesDataSource{}
+}
+
+type postgresCaCertificatesDataSource struct {
+	client api.Client
+}
+
+type postgresCaCertificatesDataSourceModel struct {
+	ServiceID   types.String `tfsdk:"service_id"`
+	Certificate types.String `tfsdk:"certificate"`
+}
+
+func (d *postgresCaCertificatesDataSource) Configure(_ context.Context, req datasource.ConfigureRequest, resp *datasource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+	client, ok := req.ProviderData.(api.Client)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			"Expected api.Client, got something else. Please report this issue to the provider developers.",
+		)
+		return
+	}
+	d.client = client
+}
+
+func (d *postgresCaCertificatesDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_postgres_service_ca_certificates"
+}
+
+func (d *postgresCaCertificatesDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		MarkdownDescription: postgresCaCertsDataSourceDescription,
+		Attributes: map[string]schema.Attribute{
+			"service_id": schema.StringAttribute{
+				Description: "ID of the Postgres service whose CA certificate chain to fetch.",
+				Required:    true,
+			},
+			"certificate": schema.StringAttribute{
+				Description: "PEM-encoded CA certificate chain.",
+				Computed:    true,
+			},
+		},
+	}
+}
+
+func (d *postgresCaCertificatesDataSource) Read(ctx context.Context, req datasource.ReadRequest, resp *datasource.ReadResponse) {
+	var data postgresCaCertificatesDataSourceModel
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	pem, err := d.client.GetPostgresCaCertificates(ctx, data.ServiceID.ValueString())
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error reading Postgres CA certificates",
+			"Could not fetch CA certificates for Postgres service "+data.ServiceID.ValueString()+": "+err.Error(),
+		)
+		return
+	}
+
+	data.Certificate = types.StringValue(string(pem))
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}