@octo octo commented Jul 31, 2025

Description

This PR adds a new data source vault_kv_secret_v2_metadata that allows retrieving metadata from a KV-V2 secret without exposing the secret content itself.

The primary use case is to obtain non-ephemeral version information that can be used with write-only version arguments in downstream resources, solving a common issue when working with ephemeral secrets. This enables proper change tracking for Vault secrets while maintaining security by keeping the actual secret content ephemeral.

The new data source complements the existing vault_kv_secret_v2 ephemeral data source by providing just the metadata (particularly the version number) without storing sensitive data in the Terraform state.

Closes #2537

Checklist

  • Added CHANGELOG entry
  • Acceptance tests were run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestDataSourceKVV2SecretMetadata,TestDataSourceKVV2SecretMetadata_deletedSecret'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run=TestDataSourceKVV2SecretMetadata,TestDataSourceKVV2SecretMetadata_deletedSecret -timeout 30m ./...
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
ok      github.com/hashicorp/terraform-provider-vault/codegen   0.493s [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/consts   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/base   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/client [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/errutil        [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/framework/model  [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/framework/validators     0.583s [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/internal/identity/entity  0.873s [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/group   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/mfa     [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/pki      [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/provider 0.835s [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/internal/provider/fwprovider      [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/providertest     [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/rotation [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/sync     [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/vault/secrets/ephemeral  0.666s [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/internal/vault/sys        1.221s [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
ok      github.com/hashicorp/terraform-provider-vault/testutil  1.722s [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/util      1.457s [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/util/mountutil    0.751s [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/vault     1.499s [no tests to run]

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
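The wiring the description refers to, shown as an added example that is not part of this PR or the provider's documentation. Assumed names: the new data source's `mount`/`name` arguments and `version` attribute, and the placeholder `example_db` resource type with a `password_wo`/`password_wo_version` pair (the Terraform write-only argument naming convention).

```hcl
# Added illustration of the pattern this PR enables; not code from the PR.
# Assumed: the data source accepts `mount` and `name` and exposes `version`;
# `example_db` is a placeholder for any resource with a write-only argument.

# Ephemeral read: the secret value exists only during plan/apply and is never
# written to the state file or the saved plan.
ephemeral "vault_kv_secret_v2" "db" {
  mount = "secret"
  name  = "prod/db"
}

# Non-ephemeral metadata read: only the version number reaches state, giving
# Terraform a stable value to diff against. The ephemeral resource's own
# outputs cannot be used here, because ephemeral values are only allowed in
# ephemeral contexts (write-only arguments, provider blocks, etc.).
data "vault_kv_secret_v2_metadata" "db" {
  mount = "secret"
  name  = "prod/db"
}

resource "example_db" "main" {
  # Write-only argument: sent to the API on apply, never persisted in state.
  password_wo = ephemeral.vault_kv_secret_v2.db.data["password"]

  # Write-only version: when a new secret version is written in Vault this
  # value changes, which makes Terraform re-send password_wo on the next apply.
  # An unchanged version leaves the resource untouched, so rotations propagate
  # without the secret ever being stored.
  password_wo_version = data.vault_kv_secret_v2_metadata.db.version
}
```

The state file ends up holding the Vault path and an integer version, which is exactly the information needed to detect drift and nothing more.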

@octo octo requested a review from a team as a code owner July 31, 2025 11:33
@octo octo requested a review from lursu July 31, 2025 11:33

hashicorp-cla-app bot commented Jul 31, 2025

CLA assistant check
All committers have signed the CLA.


octo commented Jul 31, 2025

There is a corporate Contributor License Agreement between GitLab and HashiCorp, dated 2021. I have contacted our legal team to be added to the list of contributors.

@octo octo force-pushed the kv_secret_metadata branch from 97f92ec to ea7250c July 31, 2025 13:07
@octo octo changed the title [New Data Source]: vault_kv_secret_metadata [New Data Source]: vault_kv_secret_v2_metadata Jul 31, 2025
octo commented Aug 18, 2025

There is a corporate Contributor License Agreement between GitLab and HashiCorp, dated 2021. I have contacted our legal team to be added to the list of contributors.

✅ Our legal team has informed me that I have been added to a list of authorized contributors. The CLA bot is happy now.

octo added 6 commits September 6, 2025 09:31
…secret metadata.

This is primarily useful for accessing a secret's version in a non-ephemeral
way, without also loading the secret itself. The non-ephemeral version can then
be used as a write-only version argument, controlling upgrade behavior without
storing the secret in the state.

Issue: hashicorp#2537
@octo octo force-pushed the kv_secret_metadata branch from ea7250c to 7e8e9b8 September 6, 2025 07:31
octo commented Sep 6, 2025

Removed the ChangeLog entry which caused merge conflicts and rebased onto main.

@lursu This PR is ready for review. If you need anything from me to proceed with the review, please let me know.
