cli: re-introduce iam upgrade check

[3u13r]

Context

We still maintain the function in which we manually add the CSP if we did changes that require an constellation iam upgrade, though the function wasn't used for some time. Either we drop this safety check completely (as it also only applies to the cli and not the terraform) and is one less manual step when changing code and releasing, or we use it.

I'm currently of the opinion to drop this, but wanted to show what the full feature looked like.

Proposed change(s)

• re-introduce iam upgrade check

Checklist

• Add labels (e.g., for changelog category)

upgrade to this branch: (gcp-snp, 1:1) https://github.com/edgelesssys/constellation/actions/runs/13679706679
nop e2e gcp-snp: https://github.com/edgelesssys/constellation/actions/runs/13679730897

[netlify]

✅ Deploy Preview for constellation-docs canceled.

Name	Link
🔨 Latest commit	f08eb35
🔍 Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/67c86f5fed5f79000830e614

[github-actions]

Coverage report

Package	Old	New	Trend
cli/internal/cmd	58.10%	57.90%	↘️

[elchead]

Good catch. What is your proposed way of telling users that they need to upgrade the IAM setup for this upgrade?
Is it the release notes? IMO we can drop this warning in the CLI then

[3u13r]

What is your proposed way of telling users that they need to upgrade the IAM setup for this upgrade?

To be honest I'm a bit on the fence about it. I think that both the migration page (https://docs.edgeless.systems/constellation/reference/migration) and the UpgradeRequiresIAMMigration change require the dev to "just know" on an IAM change to add a disclaimer. Since the code is a bit awkward to pass the yes flag though those layers, I'm a bit more inclined to just document it in the docs. On the other hand, the warning in the cli is a bit more present for the user than reading patchnotes and migration guides. But again, if a user is using our Terraform module and has downloaded the module, then we should inform them too.
Open to opinions here.

[daniel-weisse]

IMO we should make this as obvious as possible for the user.
While documenting it in just one place is simpler for the devs, I see no harm in additionally keeping the check in the CLI.
Since these IAM upgrades are somewhat of a "breaking" change we should document they should ideally be mentioned in the release notes, have a small entry in the migration page, and have this additional check during upgrades with the CLI

We can't easily supply something similar for Terraform, but here people should pay a bit more attention to the release notes anyways.

[elchead]

I don't have a strong opinion either, but I agree that the dev effort for maintaining the warning is also limited. Let's merge then