[DO NOT MERGE, WIP]Add support to fetch cacertfiles from Amazon S3

[BeichenZhang-BCZ]

In collaboration with Sunfinite - thanks for kicking off first commit

Proposed Changes

Please describe the big picture of your changes here to communicate to the RabbitMQ team why we should accept this pull request.
If it fixes a bug or resolves a feature request, be sure to link to that issue.

When rabbitmq user configures or operates rabbitmq, user may want to configure rabbitmq to access information such as private CA certs/credentials etc, in AWS service rather than passing those information as local file or plain-text configuration to improve security and usability. For example, if user intends to configure LDAP for authentication and authorization, user as of today needs to define a local certs file and inform rabbitmq with config or environment variable .

With this AWS Resource Fetcher feature, user can pass in Amazon Resource Name(ARN) of the certs through new configuration schema eg: aws.arns.auth_ldap.ssl_options.cacertfile. The fetcher will fetch the relevant cert files from AWS S3 from user's account and assign it to the appropriate LDAP plugin application environment.

For corner case handling:

0. Change is backward compatible if user doesn't configure any new ARN based attributes.
1. If the user configurates both arn attribute and normal attribute for the same content, the value fetched according to arn attribute will prevail.
2. If the fetcher failed to fetch from user resource, an unique error message will be thrown and rabbitmq start-up will fail.

This PR is working in progress to solicit early feedbacks. We are working on to add more functionalities such as allowing customer to configure Secret Manager arn for rabbitmq to retrieve credentials.

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

• Bug fix (non-breaking change which fixes issue #NNNN)
• [ x ] New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause an observable behavior change in existing systems)
• Documentation improvements (corrections, new content, etc)
• Cosmetic change (whitespace, formatting, etc)
• Build system and/or CI

Checklist

Put an x in the boxes that apply.
You can also fill these out after creating the PR.
This is simply a reminder of what we are going to look for before merging your code.

• [ x ] Mandatory: I (or my employer/client) have have signed the CA (see https://github.com/rabbitmq/cla)
• [ x ] I have read the CONTRIBUTING.md document
• I have added tests that prove my fix is effective or that my feature works
• All tests pass locally with my changes
• If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website
• If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution
you did and what alternatives you considered, etc.

[lukebakken]

Let's chat about cacerts.

[lukebakken]

There is no need to write these files to the filesystem if we use the cacerts configuration option. Please see this discussion for more information:

#14426

[lukebakken]

It would be better to be specific about which functions are exported for tests.

[lukebakken]

Suggested change

	?LOG_INFO("Attempting to resolve ARN: ~p", [Arn]),
	?LOG_DEBUG("aws arn: resolving: ~p", [Arn]),

[lukebakken]

Suggested change

	?LOG_ERROR("Failed to resolve ARN ~p: ~p", [Arn, Reason])
	?LOG_ERROR("aws arn: failed to resolve ~p: ~p", [Arn, Reason])

[lukebakken]

Suggested change

	?LOG_INFO("Fetched ARN ~p and stored to ~p", [Arn, FilePath]);
	?LOG_INFO("aws arn: fetched ~p and stored to ~p", [Arn, FilePath]);

[lukebakken]

Suggested change

	?LOG_ERROR("Unsupported service: ~p", [Service]),
	?LOG_ERROR("aws arn: unsupported service: ~p", [Service]),

[lukebakken]

Suggested change

	?LOG_ERROR("Failed to parse ARN ~p: ~p", [Arn, Error]),
	?LOG_ERROR("aws arn: failed to parse ~p: ~p", [Arn, Error]),

[lukebakken]

Why are we doing conversions to lists here?

[BeichenZhang-BCZ]

+1 I also noted the conversion here. The input from {mapping, "aws.arns.auth_ldap.ssl_options.cacertfile", "rabbit.aws_arns", [{datatype, string}]}. is a binary.Can we just use binary:split ? @sunfinite

[BeichenZhang-BCZ]

If the reason of using list is because you need to use string:tokens against the output, considering using string:lexemes which takes in either list or binary

[lukebakken]

An alternative to using aws arn: to differentiate log messages would be to have an AWS-plugin specific logging domain - https://www.erlang.org/doc/apps/kernel/logger.html#t:metadata/0 cc @SimonUnge @the-mikedavis

[michaelklishin]

v4.2.x and v4.1.x now have separate logging domains for all, or at least most, major plugins.

[BeichenZhang-BCZ]

This code applies if the configuration value is of type list. However, for many config, they are just a tuple. For example, when you run

rabbitmqctl eval "application:get_all_env(rabbitmq_auth_backend_ldap)."

assuming you have configured the ldap, you will get:

[...
{ssl_options,[{verify,verify_none}]},
 {user_dn_pattern,"${username}"},
..
]

some fields are array while others are just tuple.

In next rev, I will create modify the code to call different functions based on the nature of the configuration