Allow cross region PrivateLink connections

[bobbyiliev]

Motivation

Tips for reviewer

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

[pH14]

seems like we could tighten this up to be more precise. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids has more details on the structure

the most legit solution would be to automatically pull every AZ ID from the partition we're operating in during our Pulumi run and then plumbing it 20 layers deep to here... in practice I think just ensuring we're following the structure in the doc above is sufficient

[pH14]

(and if we pull out some logic to validate the ids, we should add a quick unit test)

[alex-hunt-materialize]

It worries me a bit injecting a pattern when we don't know what rules AWS uses internally for naming these, but this is probably as good as we can do without injecting the complete list.

[ParkMyCar]

The code itself looks good to me, not super familiar though with cross region PrivateLink so would defer to Cloud folks on that

[bobbyiliev]

Looking into this further I think that this PR might not even be necessary! Still validating this but will keep the threat updated.

[bobbyiliev]

Closing this PR in favor ofhttps://github.com/MaterializeInc/cloud/pull/10617

No changes will be needed on the database side nor the AZ id validation on the controller side.

AWS handles all this on their end. All that we would need to do to support this is to just pass the service_region to the create request. We are extracting that information from the service name itself as it contains the region already.

You must now select the VPC and subnets you want to create the VPC endpoint in. Cross-region connectivity does not require any AZ alignment, unlike in-region PrivateLink where the consumer can only create an endpoint in the AZs supported by the service provider. You can choose as many AZs as your resiliency posture requires and choose the subnets that best fit your needs.

I will open just a follow-up docs PR for this clarification.