fix: Avoids sending database user password in update request if the value has not changed

[AgustinBettati]

Description

Link to any related issue(s): CLOUDP-235738

This change aligns with our behaviour prior to version 1.12.0.
Additionally a warning is included to bring visibility on the suggested course of action after a database user is created:

mongodbatlas_database_user.static_user: Creation complete after 7s [id=YXV0aF9kYXRhYmFzZV9uYW1l:YWRtaW4=-cHJvamVjdF9pZA==:NjUyNTE0NDZhZTVmM2Y2ZWM3OTY4YjEz-dXNlcm5hbWU=:dXNlci10aGF0LWNhbi1iZS1kZWxldGVkLTM=]
╷
│ Warning: If the password value will be managed externally it is advised to remove the attribute
│ 
│   with mongodbatlas_database_user.static_user,
│   on main.tf line 72, in resource "mongodbatlas_database_user" "static_user":
│   72: resource "mongodbatlas_database_user" "static_user" {
│ 
│ More details can be found in resource documentation under the 'password' attribute

Manual verification that PATCH request is being generated correctly

Generated patch request when updating a labels value but password remains the same, password is not sent:

PATCH /api/atlas/v2/groups/65251446ae5f3f6ec7968b13/databaseUsers/admin/user-that-can-be-deleted-2 HTTP/1.1
{
 "awsIAMType": "NONE",
 "databaseName": "admin",
 "groupId": "65251446ae5f3f6ec7968b13",
 "labels": [
  {
   "key": "My Key2",
   "value": "My Value"
  }
 ],
 "ldapAuthType": "NONE",
 "oidcAuthType": "NONE",
 "roles": [
  {
   "databaseName": "admin",
   "roleName": "readAnyDatabase"
  }
 ],
 "scopes": [],
 "username": "user-that-can-be-deleted-2",
 "x509Type": "NONE"
}

Generated patch request when updating password value, password is sent:

PATCH /api/atlas/v2/groups/65251446ae5f3f6ec7968b13/databaseUsers/admin/user-that-can-be-deleted-2 HTTP/1.1
{
 "awsIAMType": "NONE",
 "databaseName": "admin",
 "groupId": "65251446ae5f3f6ec7968b13",
 "labels": [
  {
   "key": "My Key3",
   "value": "My Value"
  }
 ],
 "ldapAuthType": "NONE",
 "oidcAuthType": "NONE",
 "password": "udpatedpassword",
 "roles": [
  {
   "databaseName": "admin",
   "roleName": "readAnyDatabase"
  }
 ],
 "scopes": [],
 "username": "user-that-can-be-deleted-2",
 "x509Type": "NONE"
}

Type of change:

• Bug fix (non-breaking change which fixes an issue). Please, add the "bug" label to the PR.
• New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR.
• Breaking change (fix or feature that would cause existing functionality to not work as expected). Please, add the "breaking change" label to the PR.
• This change requires a documentation update
• Documentation fix/enhancement

Required Checklist:

• I have signed the MongoDB CLA
• I have read the contribution guidelines
• I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
• I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
• I have added any necessary documentation (if appropriate)
• I have run make fmt and formatted my code
• If changes include deprecations or removals, I defined an isolated PR with a relevant title as it will be used in the auto-generated changelog.
• If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Further comments

[lantoli]

i guess this also covers if the password attribute is deleted, then we set nil so it's not sent

[AgustinBettati]

correct, added an additional unit test to cover this case as well, thanks

[lantoli]

is this warning shown always or it has some condition?

[AgustinBettati]

will always be shown, not really any particular condition we can use because password will always be defined for create operation (fails in API otherwise)

[andreaangiolillo]

LGTM

[andreaangiolillo]

Should we add a warning at the top of this page to make sure that this warning message is not missed?

[AgustinBettati]

makes sense, included.