EC2 auto discovery: allow usage of pre-defined AWS-RunShellScript SSM Document

[marcoandredinis]

tldr: if you set the EC2 Discover SSM Document to AWS-RunShellScript you don't need to create a custom SSM Document (per account/per region).

EC2 Auto Discovery uses AWS SSM to install teleport into the EC2 target instances.
It calls ssm.SendCommand to execute an SSM Document which installs, configures and runs teleport.
The teleport instance running on the target instances will join the cluster afterwards.

In order to call ssm.SendCommand we need to pass an SSM Document.

So far, we asked users to create a specific SSM Document
Whether using the docs EC2 Discover guide:
https://goteleport.com/docs/enroll-resources/auto-discovery/servers/ec2-discovery/ec2-discovery-manual/#step-37-create-ssm-documents

Or the WebUI:

This requires a moving piece which is really not necessary.
SSM Documents are per-region, which makes this an even worse problem, eg, #48532

This PR changes the discovery flow to ensure it knows about AWS-RunShellScript SSM document.
This document is managed by AWS and exists in all accounts and regions, thus we don't need to create a custom SSM document.

This change also brings the EC2 server discovery implementation closer to the one used for
Azure:

teleport/lib/srv/server/azure_installer.go

Line 111 in 5d28371

script := fmt.Sprintf("curl -s -L %s| bash -s $@ #%x", installerURL, nonce)

GCP:

teleport/lib/srv/server/gcp_installer.go

Line 84 in 5d28371

script := fmt.Sprintf("curl -s -L https://%s/v1/webapi/scripts/installer/%s | bash -s %s",

In the future, the default SSM Document will be changed but for now users must set it in the matcher's SSM Document field.

Backwards compat:
Users which have an explicit SSM Document will see no change.
Users which have no explicit SSM Document (we default to TeleportDiscoveryInstaller) will see not change.

Only users that explicitly set the matcher's SSM Document to AWS-RunShellScript will get the new flow.

Docs will be updated with note explaining this change and marking the custom SSM Document creation step as optional.

WebUI flow should be updated afterwards to:

• set the SSM Document to AWS-RunShellScript in the DiscoveryConfig Matcher
• change one-off to not create the SSM Document

changelog: Adapts EC2 Server auto discovery to send the correct parameters when using the AWS-RunShellScript pre-defined SSM Document.

[juliaogris]

LGTM, with some minor suggestions and questions.

I'm not really across this feature in depth, so this is a fairly superficial, code-only review.

[marcoandredinis]

@smallinsky Can you please take a look at this when you get a chance?

[marcoandredinis]

@r0mant Flaky Tests Detector fails to complete in time because I've added a new required field to the DiscoveryService Config struct, and the detector is now running a ton of tests.

I ran them locally with a higher timeout and they completed successfully:

SUBJECT='-timeout 30m -run "^TestProcessPublicProxyAddr$$|^TestConfigCheckAndSetDefaults$$|
^TestDiscoveryServerEKS$$|^TestDiscoveryServer$$|^TestDiscoveryServerConcurrency$$|^TestDiscoveryKubeServices$$|^TestDiscoveryInCloudKube$$|^TestDiscoveryServer_New$$|^Tes
tDiscoveryDatabase$$|^TestDiscoveryDatabaseRemovingDiscoveryConfigs$$|^TestAzureVMDiscovery$$|^TestGCPVMDiscovery$$|^TestEmitUsageEvents$$|^TestDiscoveryKubeIntegrationEKS
$$|^TestSSMRunCommandParameters$$|^TestEC2Watcher$$|^TestMatchersToEC2InstanceFetchers$$" ./lib/service ./lib/srv/discovery ./lib/srv/server' ADDFLAGS='-count 100' make te
st-go-unit
\
                cargo build -p rdp-client  --release --locked --target=aarch64-apple-darwin
    Finished `release` profile [optimized + debuginfo] target(s) in 0.16s
CGO_ENABLED=1 CGO_CFLAGS=-mmacosx-version-min=12.0 go test -json -tags " desktop_access_rdp   libfido2  pivtest  "  -timeout 30m -run "^TestProcessPublicProxyAddr$|^TestConfigCheckAndSetDefaults$|^TestDiscoveryServerEKS$|^TestDiscoveryServer$|^TestDiscoveryServerConcurrency$|^TestDiscoveryKubeServices$|^TestDiscoveryInCloudKube$|^TestDiscoveryServer_New$|^TestDiscoveryDatabase$|^TestDiscoveryDatabaseRemovingDiscoveryConfigs$|^TestAzureVMDiscovery$|^TestGCPVMDiscovery$|^TestEmitUsageEvents$|^TestDiscoveryKubeIntegrationEKS$|^TestSSMRunCommandParameters$|^TestEC2Watcher$|^TestMatchersToEC2InstanceFetchers$" ./lib/service ./lib/srv/discovery ./lib/srv/server -race -shuffle on -count 100 \
                | tee /Users/marcodinis/src/teleport/test-logs/unit.json \
                | go tool gotestsum --raw-command -- cat
✓  lib/srv/server (2.9s)
✓  lib/service (8.194s)
✓  lib/srv/discovery (23m7.579s)

DONE 9100 tests in 1387.569s

Can I please get a waiver on the check?

[r0mant]

/excludeflake *

[backport-bot-workflows]

@marcoandredinis See the table below for backport results.

Branch	Result
branch/v18	Create PR