[K9VULN-12163] feat(agentless-gcp): introduce agentless setup metadata

[mohamed-challal]

Summary

This PR reworks the GCP Agentless Scanning Cloud Shell setup script to better support additive deployments, users can run the script multiple times to add new scanner regions or projects to scan without destroying existing infrastructure.

Previously, re-running the script with a different region would cause Terraform to lose track of the previous region's provider, resulting in Error: Provider configuration not present errors and requiring a full destroy/redeploy cycle.

Changes

Deployment metadata (metadata.py — new)

• Introduces a config.json metadata file stored in the GCS state bucket alongside the Terraform state.
• Tracks: scanner project, all deployed regions, all projects to scan, created_at / modified_at timestamps.
• On each deploy, reads existing metadata and merges current inputs with previously deployed state (union of regions and projects).
• Uses GCS object generation preconditions (compare-and-swap) for safe concurrent writes.
• Metadata is written only after a successful terraform apply.

Deploy flow (main.py)

• Reads existing metadata before generating Terraform config.
• Merges current run inputs with existing deployment state via Config.with_merged().
• Generates Terraform config covering all regions and projects (existing + new).
• Prints a clear diff showing which regions/projects are new vs. existing.
• If Terraform state exists but metadata does not (old deployment), exits with an explicit message asking the user to destroy first.

Destroy flow (destroy.py)

• Reads metadata from GCS to discover all deployed regions and projects (no longer requires SCANNER_REGIONS / PROJECTS_TO_SCAN env vars when metadata exists).
• Falls back to environment variables if metadata is absent.
• Deletes metadata file after successful terraform destroy.

Region validation (preflight.py)

• Validates region IDs against the actual GCP Compute API (gcloud compute regions describe).
• Runs validation concurrently using ThreadPoolExecutor for all regions in parallel.

Resource naming (terraform.py)

• Abbreviates long region names in VPC names to stay within GCP's 63-character resource name limit (e.g., northamerica-northeast1 → na-ne1 in vpc_name).
• Renamed Terraform module prefix from datadog_agentless_scanner_ to datadog_agentless_.
• Renamed GCS backend prefix from agentless-scanner to datadog-agentless.
• Updated unit tests.

How it works

	Run 1	Run 2
Input regions	us-east1	europe-west1
Input projects to cover	project-a	project-a, project-b
Merged regions	us-east1	us-east1, europe-west1
Merged projects to cover	project-a	project-a, project-b
What Terraform does	Creates scanner infra in us-east1, IAM for project-a	Adds europe-west1 infra + project-b IAM bindings (us-east1 untouched)
Metadata after	regions: [us-east1], projects: [project-a]	regions: [europe-west1, us-east1], projects: [project-a, project-b]

{
  "version": 1,
  "scanner_project": "project-a",
  "regions": [
    "europe-west1",
    "us-east1"
  ],
  "projects_to_scan": [
    "project-a",
    "project-b"
  ],
  "created_at": "2026-03-05T17:13:47.909771+00:00",
  "modified_at": "2026-03-05T17:22:25.225663+00:00"
}