
feat: Add an escape hatch for non-FIPS DynamoDB on FIPS binaries#51883

Closed
codingllama wants to merge 1 commit into master from codingllama/aws-dynamo-fips

Conversation

@codingllama
Contributor

Add the "TELEPORT_UNSTABLE_DISABLE_DYNAMODB_FIPS" environment variable as an escape hatch for FIPS binaries that want to use non-FIPS DynamoDB endpoints.

FIPS DynamoDB is not available in all AWS regions. Nevertheless, this may be acceptable for certain use-cases.

Without the env variable:

$ teleport start --fips
> 2025-02-05T13:55:48.665-03:00 INFO [DYNAMODB]  resolved endpoint for aws service service.id:DynamoDB service.api_version:2012-08-10 uri:https://dynamodb-fips.sa-east-1.amazonaws.com endpoint/resolver.go:71
>
> ERROR REPORT:
> User Message: initialization failed
> 	operation error DynamoDB: DescribeTable, https response error StatusCode: 0, RequestID: , request send failed, Post "https://dynamodb-fips.sa-east-1.amazonaws.com/": dial tcp: lookup dynamodb-fips.sa-east-1.amazonaws.com on 127.0.0.53:53: no such host

Using the env variable:

$ TELEPORT_UNSTABLE_DISABLE_DYNAMODB_FIPS=yes teleport start --fips
# backend
> 2025-02-05T14:05:51.828-03:00 INFO [DYNAMODB]  resolved endpoint for aws service service.id:DynamoDB service.api_version:2012-08-10 uri:https://dynamodb.sa-east-1.amazonaws.com endpoint/resolver.go:71
> 2025-02-05T14:05:51.996-03:00 INFO [DYNAMODB]  resolved endpoint for aws service service.id:DynamoDB Streams service.api_version:2012-08-10 uri:https://streams.dynamodb.sa-east-1.amazonaws.com endpoint/resolver.go:71
# events
> 2025-02-05T14:05:52.238-03:00 INFO [DYNAMODB]  resolved endpoint for aws service service.id:DynamoDB service.api_version:2012-08-10 uri:https://dynamodb.sa-east-1.amazonaws.com endpoint/resolver.go:71

Partially retracts #34170 via the added env variable.
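The decision the escape hatch implements, as an added Go example that is not Teleport's code: a binary started with --fips resolves the dynamodb-fips host unless the variable is set, a non-FIPS binary ignores the variable entirely, and the fallback on a FIPS binary is reported so an operator can see it in the logs. The function names and the rule for which values count as "set" are assumptions; the host patterns come from the PR's log output.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Env var name from the PR. Which values count as "set" is an assumption here.
const disableDynamoFIPSEnv = "TELEPORT_UNSTABLE_DISABLE_DYNAMODB_FIPS"

// escapeHatchSet reports whether the variable's value disables FIPS endpoints.
// Assumption: the usual truthy spellings count ("yes" is what the PR used).
func escapeHatchSet(value string) bool {
	switch strings.ToLower(strings.TrimSpace(value)) {
	case "1", "yes", "true", "on":
		return true
	}
	return false
}

// resolveDynamoDBHost picks the DynamoDB endpoint for a region. The FIPS host
// is used only when the binary runs with --fips and the hatch is not set.
// relaxed is true when a FIPS binary deliberately falls back to the non-FIPS
// host, so the caller can log that decision. Host patterns follow the PR's
// log lines for sa-east-1.
func resolveDynamoDBHost(region string, fipsMode bool, envValue string) (host string, relaxed bool) {
	if fipsMode && !escapeHatchSet(envValue) {
		return fmt.Sprintf("https://dynamodb-fips.%s.amazonaws.com", region), false
	}
	return fmt.Sprintf("https://dynamodb.%s.amazonaws.com", region), fipsMode
}

func main() {
	// Mirrors the two runs in the PR description on a FIPS binary.
	for _, env := range []string{"", "yes"} {
		host, relaxed := resolveDynamoDBHost("sa-east-1", true, env)
		fmt.Printf("%s=%q -> %s", disableDynamoFIPSEnv, env, host)
		if relaxed {
			fmt.Print("  (WARN: FIPS binary using non-FIPS DynamoDB endpoint)")
		}
		fmt.Println()
	}
	// Reading the real environment, as the binary would.
	host, relaxed := resolveDynamoDBHost("sa-east-1", true, os.Getenv(disableDynamoFIPSEnv))
	fmt.Println("from environment:", host, "relaxed:", relaxed)
}
```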

@codingllama codingllama added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v15 backport/branch/v17 labels Feb 5, 2025
@github-actions github-actions Bot added audit-log Issues related to Teleports Audit Log size/md labels Feb 5, 2025
Comment thread lib/events/dynamoevents/dynamoevents.go
@codingllama
Contributor Author

@zmb3 this is all that is needed to support DynamoDB. #34170 touches lines that I didn't touch here, but I also didn't want to lower requirements more than we absolutely have to.

I'm skipping the changelog, as I'm unsure whether we want an _UNSTABLE variable documented that way. (Tim suggested an _UNSTABLE variable, happy to change if you prefer.)

Finally, let me know how far this should be backported. (I've added all active releases.)

Let me know what you think.

@codingllama
Contributor Author

It looks like we should consider both S3 and STS in here as well, so let me move this to draft while I chase those. Will ping everyone once we are ready to go again.

@codingllama codingllama marked this pull request as draft February 6, 2025 14:08
@codingllama
Contributor Author

Re S3:

S3 obeys the teleport start --fips flag - if the flag is set it attempts to use FIPS S3, otherwise it does not (it doesn't matter if the binary is "boring"). S3 can also be controlled via its URL: setting "region" or "use_fips_endpoint" will override the Teleport config and --fips flag.

TL;DR: S3 is already configurable through other means and needs no additional escape hatch flag.

@codingllama codingllama force-pushed the codingllama/aws-dynamo-fips branch from ab6639d to 8354aa6 Compare February 6, 2025 15:02
@codingllama
Contributor Author

Closing in favor of #51924.

@codingllama codingllama deleted the codingllama/aws-dynamo-fips branch February 10, 2025 17:36

Labels

audit-log Issues related to Teleports Audit Log backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/md
