
Commit aa627cb

[v18] identity activity center: Backport EKS audit logs (#61651)
* [v18] proto/accessgraph: Add RPC for sending k8s audit logs to Access Graph

  Add a `KubeAuditLogsStream()` rpc to the `AccessGraphService` for streaming Kubernetes apiserver audit logs from the Teleport discovery service to access graph. This is intended for EKS audit logs which are made available via CloudWatch, but can accommodate other k8s services. The audit log messages are represented as a `google.protobuf.Struct` so as to not depend on the k8s.io .proto files, but also as k8s typically uses protos internally only - the expectation is that we'll receive the apiserver audit logs as json-encoded strings. This encodes easily as a `google.protobuf.Struct`.

* [v18] proto: Generate protos for accessgraph

  Generate proto and grpc code for changes to accessgraph/v1alpha1:

    make grpc/host

  These changes add the `KubeAuditLogsStream()` rpc and associated types.

* [v18] proto/types: Add AccessGraphAWSSyncEKSAuditLogs message

  Add the `AccessGraphAWSSyncEKSAuditLogs` message used by the new field in `AccessGraphAWSSync` for specifying which EKS clusters should have apiserver audit logs fetched and sent to Access Graph.

* [v18] proto: Regenerate protos for types

  Generate proto code for `AccessGraphAWSSyncEKSAuditLogs` message:

    make grpc/host
    make derive

* [v18] lib/config: Add static config for AccessGraph EKS audit logs

  Extend the static config for Access Graph discovery to be able to specify the EKS cluster for which apiserver audit logs should be fetched and sent to Access Graph.

* [v18] discovery: Add AWS EKS audit log fetching for Access Graph

  Add a watcher to start fetchers for all access graph EKS clusters that are configured to have Kubernetes apiserver audit logs fetched and send them to access graph. It receives the set of clusters to fetch audit logs for from the AWS resource syncer as it discovers EKS clusters. Those clusters are reconciled against the current set of log fetchers, with no-longer-needed fetchers stopped and new fetchers started as needed.

  This commit requires go.mod be updated with:

    go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@latest

  It is left out of this commit for now as it makes rebasing/merging master easier.

* [v18] Add github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs to go.mod

  Run:

    go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@latest
    make go-mod-tidy-all
    # Manually move the go.mod line back to the first section!?!?

  This commit is kept separate for easier merging/rebasing.

* [v18] discovery: Refactor eks audit log fetching for testing

  Refactor the eksAuditLog{Watcher,Fetcher} and the aws_sync.Fetcher cloudwatchlogs to be more testable:

  * factor away eksAuditLogFetcher from eksAuditLogWatcher. The watcher just needs a factory function to create a fetcher, and all the watcher needs from that fetcher is a `Run()` method. Lift the cancel func out of the watcher and store it directly in the watcher, as only the watcher uses it.
  * factor away aws_sync.Fetcher from eksAuditLogFetcher. All it needs from the sync fetcher it calls is one method to fetch cloudwatch logs. Make that an interface and use just that. This allows a fake source of cloudwatch logs to be provided for testing. While here, use protobuf getters rather than accessing fields directly.
  * Use protobuf getters in aws_sync.Fetcher cloudwatchlogs instead of accessing fields directly. In future, we could pass in an interface with those getters to make the code more testable.

* [v18] discovery: Add eks audit log tests

  Add tests for `eksAuditLogWatcher` and `eksAuditLogFetcher`. Copy the grpc stream testing util from the access graph repo into teleport as it is useful for the bidirectional streaming methods used by access graph, and makes it easier to test on the client side.

* [v18] accessgraph sync: Add AWS IAM role for EKS audit logs

  Update the `teleport configure integration acces-graph aws-iam` command to add a permission to access EKS audit logs via CloudWatch Logs if the `--eks-audit-logs` flag is passed.

  This is necessary so that an integration can pull the EKS audit logs if so configured in a discovery access graph matcher.

* [v18] web: Add web eksAuditLogs to integration configure endpoint

  Extend the web endpoint for the webscript for integrations configure access-graph-cloud-sync-iam.sh to add the `eksAuditLogs` query param to configure with EKS audit logs enabled. Add tests for this endpoint as there were none.

* [v18] Regenerate AWS regions.go file

  Run `make go-generate` to update the `lib/utils/aws/region/regions.go` file as something in the backport of EKS audit logs for Identity Activity Center has changed what would be generated.
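The reconcile step the commit message describes (stop fetchers for clusters that are no longer configured, start fetchers for newly discovered ones, each with its own cancel func held by the watcher), as an added Go sketch that is not Teleport's code. The names `auditLogWatcher`, `fetcher`, `newWatcher` and `fakeFetcher` are assumptions for this example; the real fetcher would read CloudWatch Logs.

```go
package main

import (
	"context"
	"sort"
)

// fetcher is all the watcher needs from a fetcher: a Run method that returns
// once its context is cancelled (hypothetical interface for this example).
type fetcher interface{ Run(ctx context.Context) }

// auditLogWatcher keeps one running fetcher per cluster. newF lets a test inject
// a fake; each fetcher's cancel func is stored here, as only the watcher uses it.
type auditLogWatcher struct {
	newF    func(cluster string) fetcher
	running map[string]context.CancelFunc
}

func newWatcher(f func(string) fetcher) *auditLogWatcher {
	return &auditLogWatcher{newF: f, running: map[string]context.CancelFunc{}}
}

// Reconcile stops fetchers for clusters no longer desired and starts fetchers for
// newly desired ones; returns sorted names started/stopped. Single caller assumed.
func (w *auditLogWatcher) Reconcile(ctx context.Context, desired []string) (started, stopped []string) {
	want := map[string]bool{}
	for _, c := range desired {
		want[c] = true
	}
	for c, cancel := range w.running {
		if !want[c] {
			cancel() // the fetcher's Run sees ctx.Done() and exits
			delete(w.running, c)
			stopped = append(stopped, c)
		}
	}
	for c := range want {
		if _, ok := w.running[c]; !ok {
			fctx, cancel := context.WithCancel(ctx)
			w.running[c] = cancel
			go w.newF(c).Run(fctx)
			started = append(started, c)
		}
	}
	sort.Strings(started)
	sort.Strings(stopped)
	return started, stopped
}
// fakeFetcher is a constructed stand-in for the real CloudWatch Logs fetcher.
type fakeFetcher struct{}
func (fakeFetcher) Run(ctx context.Context) { <-ctx.Done() }
```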
1 parent 0362fcd commit aa627cb


34 files changed, +3565 −1004 lines


api/proto/teleport/legacy/types/types.proto

Lines changed: 12 additions & 0 deletions
@@ -9235,6 +9235,17 @@ message AccessGraphAWSSyncCloudTrailLogs {
92359235
string SQSQueue = 2 [(gogoproto.jsontag) = "sqs_queue,omitempty"];
92369236
}
92379237

9238+
// AccessGraphAWSSyncEKSAuditLogs defines the settings for ingesting Kubernetes apiserver
9239+
// audit logs from EKS clusters.
9240+
message AccessGraphAWSSyncEKSAuditLogs {
9241+
// The tags of EKS clusters for which apiserver audit logs should be fetched.
9242+
wrappers.LabelValues Tags = 1 [
9243+
(gogoproto.nullable) = false,
9244+
(gogoproto.jsontag) = "tags,omitempty",
9245+
(gogoproto.customtype) = "Labels"
9246+
];
9247+
}
9248+
92389249
// AccessGraphAWSSync is a configuration for AWS Access Graph service poll service.
92399250
message AccessGraphAWSSync {
92409251
// Regions are AWS regions to import resources from.
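Review bot: the comment on `Tags` at line 9241 should state the matching semantics and what an empty value means; because the field is `(gogoproto.nullable) = false` it always exists, so a zero-value `Labels` could be read either as "no clusters" or as "all clusters", and the commit message only says it specifies "which EKS clusters should have apiserver audit logs fetched". Suggest expanding the comment to something like `// Tags of the EKS clusters for which apiserver audit logs should be fetched. A cluster matches when its tags satisfy every listed label value; an empty value matches no clusters.`, adjusted to whatever the fetcher actually implements, so operators cannot enable log collection for more clusters than they intended.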
@@ -9245,6 +9256,7 @@ message AccessGraphAWSSync {
92459256
string Integration = 4 [(gogoproto.jsontag) = "integration,omitempty"];
92469257
// Configuration settings for collecting AWS CloudTrail logs via an SQS queue.
92479258
AccessGraphAWSSyncCloudTrailLogs cloud_trail_logs = 5 [(gogoproto.jsontag) = "cloud_trail_logs,omitempty"];
9259+
AccessGraphAWSSyncEKSAuditLogs eks_audit_logs = 6 [(gogoproto.jsontag) = "eks_audit_logs,omitempty"];
92489260
}
92499261

92509262
// AccessGraphAzureSync is a configuration for Azure Access Graph service poll service.
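Review bot: the new `eks_audit_logs = 6` field at line 9259 has no doc comment, while the neighbouring `cloud_trail_logs` at line 9258 does. Add one in the same style, e.g. `// Configuration settings for collecting Kubernetes apiserver audit logs from EKS clusters via CloudWatch Logs.`, and say explicitly that leaving the field unset (nil) disables EKS audit log collection, if that is the intended behaviour, since this message is also the schema for the static config the commit adds.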

api/types/discoveryconfig/derived.gen.go

Lines changed: 9 additions & 1 deletion

api/types/types.pb.go

Lines changed: 939 additions & 704 deletions

0 commit comments
