EC2 Auto-Discovery: EICE support
Add support for EICE mode in EC2 Auto-Discovery
If an Integration is being used, then default to EICE mode.
Every time the Discovery Service finds EC2 instances, it upserts them with an expiration of now+90m. This behaves much like the heartbeat that exists for Teleport SSH Nodes. Labels are always kept in sync (lagging by at most one Discovery Service poll interval), and when an EC2 instance is removed, or the Matcher no longer matches the instance, the Node is removed (lagging by up to 90 minutes, as per the expiration).
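To make the heartbeat-like semantics above concrete, here is an added Go example that is not part of this PR or of Teleport's code base. It models a node inventory where every discovery pass re-upserts matched instances with a fresh now+90m expiry, updates their labels, and lets unmatched instances age out. The `Inventory`, `Upsert`, `Prune` and `Live` names and the constructed instance IDs are assumptions for illustration only.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// nodeTTL mirrors the "now+90m" expiration applied on every upsert.
const nodeTTL = 90 * time.Minute

// DiscoveredInstance is a constructed stand-in for what the EC2 matcher returns.
type DiscoveredInstance struct {
	InstanceID string
	Labels     map[string]string
}

// Node is a constructed stand-in for a Teleport SSH node record.
type Node struct {
	InstanceID string
	Labels     map[string]string
	Expires    time.Time
}

// Inventory holds nodes keyed by instance ID (hypothetical helper type).
type Inventory struct {
	nodes map[string]Node
}

func NewInventory() *Inventory { return &Inventory{nodes: map[string]Node{}} }

// Upsert records every matched instance with labels taken from this pass and
// an expiry of now+nodeTTL. Re-upserting an existing node refreshes its expiry,
// which is what makes each discovery pass act as a heartbeat.
func (inv *Inventory) Upsert(now time.Time, found []DiscoveredInstance) {
	for _, d := range found {
		labels := make(map[string]string, len(d.Labels))
		for k, v := range d.Labels {
			labels[k] = v
		}
		inv.nodes[d.InstanceID] = Node{InstanceID: d.InstanceID, Labels: labels, Expires: now.Add(nodeTTL)}
	}
}

// Prune removes nodes whose expiry has passed (no discovery pass refreshed them
// within nodeTTL) and returns their IDs in sorted order.
func (inv *Inventory) Prune(now time.Time) []string {
	var removed []string
	for id, n := range inv.nodes {
		if !now.Before(n.Expires) {
			removed = append(removed, id)
			delete(inv.nodes, id)
		}
	}
	sort.Strings(removed)
	return removed
}

// Live returns the IDs of nodes that have not yet expired, in sorted order.
func (inv *Inventory) Live(now time.Time) []string {
	var ids []string
	for id, n := range inv.nodes {
		if now.Before(n.Expires) {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// Get looks up a node by instance ID.
func (inv *Inventory) Get(id string) (Node, bool) {
	n, ok := inv.nodes[id]
	return n, ok
}

func main() {
	t0 := time.Date(2024, 1, 10, 17, 0, 0, 0, time.UTC)
	inv := NewInventory()
	// Constructed sample: two instances matched on the first pass.
	inv.Upsert(t0, []DiscoveredInstance{
		{InstanceID: "i-aaaa", Labels: map[string]string{"env": "prod"}},
		{InstanceID: "i-bbbb", Labels: map[string]string{"env": "prod"}},
	})
	// Second pass 30 minutes later: only i-aaaa still matches, with a changed label.
	inv.Upsert(t0.Add(30*time.Minute), []DiscoveredInstance{
		{InstanceID: "i-aaaa", Labels: map[string]string{"env": "staging"}},
	})
	fmt.Println("live at t0+95m:", inv.Live(t0.Add(95*time.Minute)))
	fmt.Println("pruned at t0+95m:", inv.Prune(t0.Add(95*time.Minute)))
	fmt.Println("pruned at t0+125m:", inv.Prune(t0.Add(125*time.Minute)))
}
```

The removal lag in the description follows directly from this model: an instance that stops matching at t0+30m is still listed until its last refresh expires at t0+90m, so the worst case is one full TTL.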
Pre-req: create an Integration and add your first EC2 instance through it (this ensures your permissions are correct and that the EC2 Instance Connect Endpoint is created for that VPC). Then start a DiscoveryService (not needed if you are on cloud/dev) and create the following DiscoveryConfig:
```yaml
kind: discovery_config
version: v1
metadata:
  name: dc001
spec:
  discovery_group: "prod-resources"
  aws:
  - types: ["ec2"]
    regions: ["eu-west-2"]
    tags:
      "*": "*"
    integration: teleportdev
```
Ensure the discovery_group matches the one configured on the running DiscoveryService (for cloud that is going to be cloud-discovery-group).
You should see the newly created Nodes (it can take up to five minutes).
Demo
2024-01-10T17:32:04Z DEBU [DISCOVERY] EC2 instances discovered (AccountID: 278576220453, Instances: [i-05723b41571a653e9]), starting installation pid:1137334.1 discovery/discovery.go:950
Fixes #34291
@Joerger Can you please take a look when you get a chance?
@r0mant Can you please take another look?