[CI] Pin Terraform and tfplugindocs versions in check-docs job

[Supam]

Motivation

The linter-checks job in .github/workflows/test.yml runs make check-docs, which invokes tfplugindocs generate. Two non-hermetic dependencies make this job's outcome depend on the runner image:

1. No terraform setup step: tfplugindocs uses whatever terraform is on PATH (or downloads "latest" via checkpoint). Write-only argument rendering requires Terraform ≥ 1.11. If the runner image (or a contributor's laptop) has an older binary, the regenerated docs silently drop [Write-only] badges and > **NOTE**: callouts.
2. tfplugindocs@latest in tools/tools.go: each run pulled the newest release, so an upstream rendering change could flip docs output without any repo change.

This combination is what caused PR #3800 — a contributor regenerated docs locally with Terraform 1.5.2 (no write-only support), the regen stripped annotations, and CI then failed in the opposite direction. Pinning both versions makes the docs output deterministic across laptops and CI runners.

Changes

• Pin Terraform CLI in CI: add hashicorp/setup-terraform (pinned by SHA, terraform_version: 1.13.1, terraform_wrapper: false) before the Check Docs Are Up To Date step in the linter-checks job.
• Pin tfplugindocs via a go.mod tool directive (Go 1.24+): drop tools/tools.go and the //go:generate go install ...@latest indirection. The binary is now declared as tool github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs in go.mod, locked in go.sum, and invoked via go tool tfplugindocs generate in scripts/generate-docs.sh. Bumped from v0.16.0 to v0.25.0.
• Surface the active Terraform version at the start of scripts/generate-docs.sh so the binary used for docs generation is always visible in logs.
• Extend the check-docs failure message in GNUmakefile with a hint pointing at the Terraform version requirement when the diff looks like missing [Write-only] annotations or > **NOTE**: callouts.
• Update LICENSE-3rdparty.csv with the new transitive dependencies pulled in by tfplugindocs v0.25.0 (Kunde21/markdownfmt/v3, bmatcuk/doublestar/v4, hashicorp/cli, yuin/goldmark-meta, go.abhg.dev/goldmark/frontmatter).
• Update DEVELOPMENT.md to reflect the new go tool invocation.

Testing

Ran locally with Terraform 1.13.1 and the new tfplugindocs pin:

make check-docs output (success path)

$ make check-docs
go tool tfplugindocs generate --provider-name datadog --rendered-provider-name "terraform-provider-datadog"
Active terraform: Terraform v1.13.1
rendering website for provider "datadog" (as "terraform-provider-datadog")
…
rendering "resources/workflow_automation.md.tmpl"
Success: No generated documentation changes detected

license-check passes after CSV update

$ bash scripts/license-check.sh
Ensuring all dependencies are present in LICENSE-3rdparty.csv ...
LICENSE-3rdparty.csv is up to date

Failure-path message preview

Uncommitted changes were detected in the autogenerated docs folder. Please run 'make docs' to autogenerate the docs, and commit the changes
M docs/resources/integration_fastly_account.md

HINT: 'tfplugindocs' uses the 'terraform' binary on your PATH to introspect the provider schema.
      If the diff shows missing [Write-only] annotations or '> **NOTE**:' callouts, your local
      Terraform is likely older than 1.11 (write-only argument support was added in 1.11).
      Active terraform: Terraform v1.13.1

[Supam]

• [CI] Pin Terraform and tfplugindocs versions in check-docs job #3804 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.