Currently we create the AWS clients when registering the reconciler with the manager. With the addition of Shared VPC support, this has a dependency on the HCP resource. Creating the clients at this point makes it so that the clients are set for the life of the CPO and will not respond to changes in the HCP (which is fine as long as shared VPC roles are immutable).

Fixing it so that we create the clients during reconcile, impacts deletion cleanup because we need to ensure that the HCP is available during AWSEndpointService cleanup. Currently the HCP is deleted before the AWSEndpointService is deleted, which means that on deletion the AWSEndpointService reconciler is not able to construct a valid AWS client since it no longer has the HCP to do that.

One possible fix for this would be for the AWSEndpointService reconciler to add its own finalizer to the HCP and cleanup the VPC endpoint on HCP deletion instead of AWSEndpointService deletion.