Update documentation for ephemeral resources: remove broken examples,…

… add notes, misc fixes (#12448)

mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_access_token.html.markdown

@@ -35,10 +35,6 @@ In the example below, `google_project` will run as `service_B`.
 provider "google" {
 }
 
-data "google_client_config" "default" {
-  provider = google
-}
-
 ephemeral "google_service_account_access_token" "default" {
   provider               = google
   target_service_account = "[email protected]"

mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_id_token.html.markdown

@@ -12,6 +12,9 @@ For more information see
 [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).
 
 ## Example Usage - ServiceAccount JSON credential file.
+
+-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_id_token.oidc in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_id_token could be used to set field values when creating managed resources.
+
   `google_service_account_id_token` will use the configured [provider credentials](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#credentials-1)
 
   ```hcl
@@ -21,7 +24,10 @@ For more information see
   ```
 
 ## Example Usage - Service Account Impersonation.
-  `google_service_account_access_token` will use background impersonated credentials provided by [google_service_account_access_token](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account_access_token).
+
+-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_id_token.oidc in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_id_token could be used to set field values when creating managed resources.
+
+  Ephemeral resource `google_service_account_id_token` will use background impersonated credentials provided by [google_service_account_access_token](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account_access_token).
 
   Note: to use the following, you must grant `target_service_account` the
   `roles/iam.serviceAccountTokenCreator` role on itself.
@@ -50,29 +56,6 @@ For more information see
 
   ```
 
-## Example Usage - Invoking Cloud Run Endpoint
-
-  The following configuration will invoke [Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service) endpoint where the service account for Terraform has been granted `roles/run.invoker` role previously.
-
-```hcl
-
-ephemeral "google_service_account_id_token" "oidc" {
-  target_audience = "https://your.cloud.run.app/"
-}
-
-data "http" "cloudrun" {
-  url = "https://your.cloud.run.app/"
-  request_headers  = {
-    Authorization = "Bearer ${ephemeral.google_service_account_id_token.oidc.id_token}"
-  }
-}
-
-
-output "cloud_run_response" {
-  value = data.http.cloudrun.body
-}
-```
-
 ## Argument Reference
 
 The following arguments are supported:

mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_jwt.html.markdown

@@ -10,6 +10,8 @@ This ephemeral resource provides a [self-signed JWT](https://cloud.google.com/ia
 
 ## Example Usage
 
+-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_jwt.foo in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_jwt could be used to set field values when creating managed resources.
+
 Note: in order to use the following, the caller must have _at least_ `roles/iam.serviceAccountTokenCreator` on the `target_service_account`.
 
 ```hcl

mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_key.html.markdown

@@ -10,6 +10,9 @@ Get an ephemeral service account public key. For more information, see [the offi
 
 ## Example Usage
 
+-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_key.mykey in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_key could be used to set field values when creating managed resources.
+
+
 ```hcl
 resource "google_service_account" "myaccount" {
   account_id = "dev-foo-account"