Create DiscoverEC2 User Tasks when Auto Discover fails on EC2 instances

[marcoandredinis]

This PR changes the DiscoveryService to start creating and updating
Discover EC2 User Tasks.

So, what are Discover EC2 User Tasks?
When users set up Auto Discover for EC2 Instances, they don't have a
good way of checking for issues on their configured matchers.

We created User Tasks as a way to warn Users that something's wrong.
Each User Task should describe an issue that happened and a way to fix
it.
This has potential to be used to report unexpected events trough the
whole system, which are not errors per se, but something the user should
take action in order to improve the situation.
In this case, we are creating a sub type of those tasks: DiscoverEC2.

From now on, when the DiscoveryService fails to auto-enroll an instance,
it will create a DiscoverEC2 User Task grouping all the failed instances
by the following props:

• integration
• issue type
• account id
• region

A follow up PR will also create notifications so that the user can
actually be notified on those User Tasks and take action.

Demo:

$ tctl get user_tasks
kind: user_task
metadata:
  expires:
    nanos: 542005000
    seconds: 1727976384
  name: 52c33845-a413-5b2e-bfa3-1afc5d79236a
  revision: 663ed34b-6c65-4976-9052-af5898b295e1
spec:
  discover_ec2:
    account_id: "123456789012"
    instances:
      i-123:
        discovery_config: dc001
        discovery_group: aws-prod
        instance_id: i-123
        invocation_url: https://eu-west-2.console.aws.amazon.com/systems-manager/run-command/5041ad35-deab-4be7-8bfb-cd64f1cc2a24/i-123
        sync_time:
          nanos: 525000000
          seconds: 1727976024
    region: eu-west-2
  integration: teleportdev
  issue_type: ec2-ssm-script-failure
  state: OPEN
  task_type: discover-ec2
version: v1
---
kind: user_task
metadata:
  expires:
    nanos: 540832000
    seconds: 1727976378
  name: 7da201b0-57d1-503b-856e-de8ca5acd1e1
  revision: 9f803bb5-7ef6-4bd6-a2e5-fbbf8119248a
spec:
  discover_ec2:
    account_id: "123456789012"
    instances:
      i-1234:
        discovery_config: dc001
        discovery_group: aws-prod
        instance_id: i-1234
        sync_time:
          nanos: 379000000
          seconds: 1727976018
    region: eu-west-2
  integration: teleportdev
  issue_type: ec2-ssm-unsupported-os
  state: OPEN
  task_type: discover-ec2
version: v1
---
kind: user_task
metadata:
  expires:
    nanos: 782998000
    seconds: 1727976378
  name: b64397ac-764d-5d9d-af09-30d4775f7a78
  revision: 30ac5a71-a314-43de-a190-ee7db6cfa36a
spec:
  discover_ec2:
    account_id: "123456789012"
    instances:
      i-12345:
        discovery_config: dc001
        discovery_group: aws-prod
        instance_id: i-12345
        sync_time:
          nanos: 631000000
          seconds: 1727976018
    region: eu-west-2
  integration: teleportdev
  issue_type: ec2-ssm-agent-connection-lost
  state: OPEN
  task_type: discover-ec2
version: v1
---
kind: user_task
metadata:
  expires:
    nanos: 291505000
    seconds: 1727976378
  name: dcdca1c5-d489-58bd-8f01-6477ad9756d1
  revision: 176e6527-5cf7-43a2-b1b5-39cdff720f96
spec:
  discover_ec2:
    account_id: "123456789012"
    instances:
      i-123456:
        discovery_config: dc001
        discovery_group: aws-prod
        instance_id: i-123456
        sync_time:
          nanos: 887000000
          seconds: 1727976017
      i-1234567:
        discovery_config: dc001
        discovery_group: aws-prod
        instance_id: i-1234567
        sync_time:
          nanos: 134000000
          seconds: 1727976018
    region: eu-west-2
  integration: teleportdev
  issue_type: ec2-ssm-agent-not-registered
  state: OPEN
  task_type: discover-ec2
version: v1

[marcoandredinis]

(i'm working on the flaky test but this should be reviewable already 👍 )

[marcoandredinis]

@fheinecke @timothyb89 Can you please take a look when you get a chance?

[r0mant]

Left some questions and suggestions.

[r0mant]

I'm having a bit of a hard time parsing this logic. Are we trying to merge instances from this discovery service into existing tasks object? Can it be simplified or refactored somehow to make this more clear? Right now it's a big method that does several things so it's a bit hard to follow.

[marcoandredinis]

Yes, that's correct.
It brings the existing task from the cluster's backend and merges it into the existing in-memory state.
And then updates it.

I've moved the merge part into its own method.
Let me know what you think.

[r0mant]

Nit: groupPending is a pretty confusing name tbh. What is the "group" and why is it "pending"? Can we pick a more descriptive name?

[marcoandredinis]

We have 4 fields that we use to group instances into a task: integration, issue type, region and account id.
So, the group is the unique key for this resource.
What do you think about groupsToSync or taskKeysToSync?
Changing to the latter, but please let me know if that's clearer?

[r0mant]

What's the difference between this invocation and the one in discovery.go above? Just trying to understand what errors will be captured by this function vs the other one cause they seem to be both processing results of SSM runs?

[marcoandredinis]

We have 3 places where we generate tasks:
A) we describe the Instance's SSM Agent state and if there's an error (eg, ssm not installed, ssm not online, os not supported)
B) sending the command (ssm:SendCommand) fails (wrong permissions, document params issues, ...)
C) after starting the execution, we check the execution result for each instance

A and C are reported using the ReportEC2SSMInstallationResult
B is reported in discovery.go

teleport/lib/srv/discovery/discovery.go

Line 963 in aeefe42

if err := s.ec2Installer.Run(s.ctx, req); err != nil {

[public-teleport-github-review-bot]

@marcoandredinis See the table below for backport results.

Branch	Result
branch/v16	Create PR