add dynamodb database access #18843

Merged
GavinFrazar merged 52 commits into master from
gavinfrazar/add-dynamodb-database-access
Dec 30, 2022

@GavinFrazar GavinFrazar commented Nov 29, 2022

This PR adds DynamoDB support to database access #17842

DAX, dynamodb, and dynamodb streams are all supported.

Why

We want to bring DynamoDB into database access for consistency and to enable some things not possible via app access.
This change will enable the use of NoSQLWorkbench GUI client for DynamoDB.

How

Configure one Teleport database for each AWS region you want in your cluster.

  • This is what enables NoSQL Workbench via "local" connections, because otherwise it sends requests to the non-existent "local" AWS region, and I cannot find a way to get it to respect HTTPS_PROXY env variable.

Example Configuration

  databases:
    - name: "home-dynamodb"
      protocol: "dynamodb"
      # optional uri, if uri is set then AWS region can be extracted from that
      # or if AWS region is already set then the regions must match.
      # uri: "dynamodb.us-west-2.amazonaws.com:443"
      static_labels:
        env: "dev"
      aws:
        region: "us-west-2"
        account_id: "278576220453"

RBAC

  • --db-name is not supported.
  • --db-user should be an AWS role, either "role/SomeRole" or "SomeRole" is fine. The full ARN is constructed using configured AWS account ID and the AWS partition (determined by region).

tsh

  • DynamoDB has no "shell-session" type of cli that I can find, which is unique among the db protocols we support. Therefore tsh db connect prints a user message telling them to use tsh proxy db --tunnel instead.
  • "The connect command" in tsh db ls -v is instead tsh proxy db --tunnel as well.
  • For now we require the --tunnel flag. I may add non-tunnel later, but it will only work with the aws cli, not NoSQLWorkbench, since NoSQLWorkbench does not have a way to configure a trusted CA bundle.

Example usage:

  1. Set up local proxy tunnel: $ tsh proxy db --tunnel --port 8000 --db-user=GavinDynamoDBRole home-dynamodb
  2. (optionally) use aws cli: $ aws dynamodb list-tables --endpoint-url=http://localhost:8000
  3. (optionally) use NoSQLWorkbench:
     • click "Launch" Amazon DynamoDB > "Operation builder" > "Add connection" > "DynamoDB local" tab.
     • Name the connection as you want and match the local proxy port setting, then click "connect".
     • All operations thereon will be in the configured AWS region.
  4. (optionally) use AWS sdk for your apps, for example python w/ boto3:
$ python3
Python 3.10.4 (main, Mar 31 2022, 03:37:37) [Clang 12.0.0 ] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> clt = boto3.client('dynamodb', endpoint_url='http://localhost:8000')
>>> res = clt.list_tables()
>>> print(res)
{'TableNames': *snip output*}
>>> 

This PR is stacked against the app access PR #19387 for merge.

TODO: update webapps repo to recognize the DynamoDB db access request event codes.
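
The region and RBAC rules in the PR description above, written out as an added Go example (not code from this PR or from Teleport): the region is taken from the uri or must match aws.region, and --db-user is expanded to a full role ARN. The function names, the three-partition mapping and the sample role and account ID are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// partitionForRegion covers the standard, China and GovCloud partitions only.
func partitionForRegion(region string) string {
	switch {
	case strings.HasPrefix(region, "cn-"):
		return "aws-cn"
	case strings.HasPrefix(region, "us-gov-"):
		return "aws-us-gov"
	}
	return "aws"
}

// resolveRegion prefers the URI's region and rejects a mismatching aws.region.
func resolveRegion(uri, configured string) (string, error) {
	if uri == "" && configured != "" {
		return configured, nil
	}
	host, _, _ := strings.Cut(uri, ":") // drop the optional :port
	labels := strings.Split(host, ".")
	for i := 1; i < len(labels); i++ {
		if labels[i] == "amazonaws" && strings.Contains(labels[i-1], "-") {
			if configured != "" && configured != labels[i-1] {
				return "", fmt.Errorf("aws.region %q does not match uri region %q", configured, labels[i-1])
			}
			return labels[i-1], nil
		}
	}
	return "", fmt.Errorf("cannot determine AWS region from uri %q", uri)
}

// roleARN accepts "SomeRole" or "role/SomeRole" and returns the full ARN.
func roleARN(dbUser, accountID, region string) (string, error) {
	name := strings.TrimPrefix(dbUser, "role/")
	if name == "" || strings.ContainsAny(name, ": ") || len(accountID) != 12 {
		return "", fmt.Errorf("invalid db user %q or account ID %q", dbUser, accountID)
	}
	return fmt.Sprintf("arn:%s:iam::%s:role/%s", partitionForRegion(region), accountID, name), nil
}

func main() { // constructed sample values
	region, _ := resolveRegion("dynamodb.us-west-2.amazonaws.com:443", "us-west-2")
	fmt.Println(roleARN("role/ExampleRole", "123456789012", region))
}
```

Rejecting a region mismatch at configuration time keeps a database entry from assuming roles in a partition other than the one its endpoint belongs to.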

Base automatically changed from gavinfrazar/add-dynamodb-database-access-protos to master December 1, 2022 05:13
@GavinFrazar GavinFrazar force-pushed the gavinfrazar/add-dynamodb-database-access branch from 021f223 to 36f9e07 Compare December 16, 2022 00:46
@GavinFrazar GavinFrazar changed the base branch from master to gavinfrazar/refactor-app-access-middleware December 16, 2022 00:49
@GavinFrazar
Contributor Author

@smallinsky this is ready I just need to finish the writeup before I mark it ready for review by others, but since you are already familiar with what this PR accomplishes you can take a look if you want

@GavinFrazar GavinFrazar force-pushed the gavinfrazar/add-dynamodb-database-access branch from 72c80f4 to 9539b09 Compare December 16, 2022 08:12
@GavinFrazar GavinFrazar marked this pull request as ready for review December 16, 2022 08:12
@github-actions github-actions Bot added database-access Database access related issues and PRs size/lg tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Dec 16, 2022
Comment thread api/go.mod Outdated
Comment thread api/types/database.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/test.go Outdated
Comment thread lib/srv/db/dynamodb/test.go Outdated
Comment thread lib/srv/db/dynamodb/test.go Outdated
@github-actions
Contributor

@GavinFrazar - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread api/types/database.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Contributor

@greedy52 greedy52 left a comment

First pass!

Comment thread api/types/database.go Outdated
Comment thread api/utils/aws/endpoint.go Outdated
Comment thread api/utils/aws/endpoint.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread tool/tsh/db.go Outdated
Comment thread tool/tsh/proxy.go Outdated
@GavinFrazar GavinFrazar force-pushed the gavinfrazar/add-dynamodb-database-access branch from f4aeffb to 0dc5ffe Compare December 21, 2022 03:02
Contributor

@greedy52 greedy52 left a comment

Looks good to me. Also tested it out today and worked great!

One note: I believe the dax support we have here today is only for dax APIs.

I doubt there are any customers who need dax endpoints access from Teleport (as we can access dynamodb directly). If so, we may consider doing dax endpoints support separately, where we use the AWS API for discovery and a dax client for the engine. I can create a ticket for this.

Comment thread lib/events/codes.go Outdated
Comment thread tool/tsh/db.go Outdated
Base automatically changed from gavinfrazar/refactor-app-access-middleware to master December 23, 2022 18:05
GavinFrazar and others added 8 commits December 23, 2022 16:34
* add more comments
* revert changes that were not necessary
* copy http requests like we do elsewhere
* delete unused file
* fix typos
* misc code cleanup
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
@GavinFrazar GavinFrazar enabled auto-merge (squash) December 28, 2022 18:01
@GavinFrazar GavinFrazar disabled auto-merge December 28, 2022 18:01
@GavinFrazar GavinFrazar enabled auto-merge (squash) December 28, 2022 18:03
Comment thread lib/srv/db/dynamodb/engine.go Outdated
Comment thread lib/srv/db/dynamodb/engine.go Outdated
@GavinFrazar GavinFrazar force-pushed the gavinfrazar/add-dynamodb-database-access branch from cf5a353 to 3b51733 Compare December 29, 2022 18:47
@GavinFrazar
Contributor Author

Due to PR size this requires admin approval to merge - who can do that? @r0mant @smallinsky

@smallinsky
Contributor

smallinsky commented Dec 30, 2022

Due to PR size this requires admin approval to merge - who can do that?

I think that we need to ask @r0mant or @zmb3 for approval.

Collaborator

@r0mant r0mant left a comment

Bot.

@github-actions github-actions Bot removed the request for review from avatus December 30, 2022 16:37
@GavinFrazar GavinFrazar merged commit 5bb0ef1 into master Dec 30, 2022
@GavinFrazar GavinFrazar deleted the gavinfrazar/add-dynamodb-database-access branch December 30, 2022 20:43
GavinFrazar added a commit that referenced this pull request Jan 31, 2023
GavinFrazar added a commit that referenced this pull request Jan 31, 2023
GavinFrazar added a commit that referenced this pull request Feb 3, 2023
GavinFrazar added a commit that referenced this pull request Feb 3, 2023