Fix OpenTofu acceptance jobs (expired hc-install signing key)

[msinhore]

What

The OpenTofu matrix jobs install tofu but the acceptance-test framework (terraform-plugin-testing / hc-install) doesn't know about it, so it tries to download Terraform CLI — which currently fails with openpgp: key expired (stale HashiCorp release-signing key bundled in hc-install v0.6.3). Every PR fails the whole OpenTofu matrix before any test runs (see PRs #1–#4).

This points TF_ACC_TERRAFORM_PATH at the installed tofu binary (plus TF_ACC_PROVIDER_HOST=registry.opentofu.org), so the jobs actually exercise OpenTofu and never hit the broken download path. tofu_wrapper: false is set so which tofu resolves the real binary.

Alternative considered

Bumping terraform-plugin-testing/hc-install (new signing key) would also unbreak the download — but then the "OpenTofu" jobs would keep silently testing with Terraform latest, which is not what the matrix claims.

🤖 Generated with Claude Code

[msinhore]

Please review/merge this first. The OpenTofu acceptance matrix is currently red on every PR in this repo (including #1–#4) due to a pre-existing CI bug — the bundled hc-install (v0.6.3) tries to download Terraform CLI and fails with openpgp: key expired. This PR fixes that by pointing the OpenTofu jobs at the installed tofu binary. With the fix in place this PR's own matrix is fully green (29/29). Once merged, re-running the other PRs clears their OpenTofu failures.

[msinhore]

TL;DR for reviewers — please merge #5 first.

All open PRs in this repo (#1–#4) currently show a red OpenTofu acceptance matrix. This is not caused by those changes — it's a pre-existing CI bug: the bundled hc-install (v0.6.3) tries to download the Terraform CLI and fails with openpgp: key expired (HashiCorp's release-signing key bundled in that version has expired). It breaks the OpenTofu jobs on every PR before any test runs.

#5 fixes this by pointing the OpenTofu jobs at the installed tofu binary (TF_ACC_TERRAFORM_PATH) instead of downloading Terraform. With the fix, #5's own matrix is fully green (29/29).

Suggested order:

Merge #5 (CI-only fix; green).
Re-run the checks on #2 (cloudstack_internal_loadbalancer), #3 (autoscale import support) and #4 (network-rule import support) — their OpenTofu jobs go green (build, RAT and the Terraform matrix already pass).
Merge #2 / #3 / #4.
#1 (cloudstack_instance_group) is a separate case — its failures are real (not the CI bug): the simulator's listInstanceGroups doesn't return an empty group, so the post-create Read clears the ID. I'd suggest holding it (draft) and revisiting with an acceptance test that deploys a VM into the group.