User Tasks: add discover-ec2 task type

This PR adds more business logic into the User Tasks, in particular into
the `discover-ec2` task type.

One of the key features of the DiscoverEC2 User Tasks is that we must
have a single task per:
- integration
- region
- account id
- issue type

This allows user to have a detailed view of the issues their are facing
but still grouping EC2 instances.

To do this, we had to move the region and account id up one level.
Previously they were at the instance level, and it would require
iterating over them to actually create the group (uniq key) we want.

This also adds well known errors as issue types to ensure we validate
them.

A later PR will come where we actually start creating/updating
DiscoverEC2 User Tasks from the DiscoveryService.

api/proto/teleport/usertasks/v1/user_tasks.proto

@@ -63,6 +63,10 @@ message UserTaskSpec {
 message DiscoverEC2 {
   // Instances maps an instance id to the result of enrolling that instance into teleport.
   map<string, DiscoverEC2Instance> instances = 1;
+  // AccountID is the AWS Account ID for the instances.
+  string account_id = 2;
+  // Region is the AWS Region where this issue is happening.
+  string region = 3;
 }
 
 // DiscoverEC2Instance contains the result of enrolling an AWS EC2 Instance.
@@ -72,10 +76,6 @@ message DiscoverEC2Instance {
   // Name is the instance Name.
   // Might be empty, if the instance doesn't have the Name tag.
   string name = 2;
-  // AccountID is the AWS Account ID for this instance.
-  string account_id = 3;
-  // Region is the AWS Region where this issue is happening.
-  string region = 4;
   // InvocationURL is the URL that points to the invocation.
   // Empty if there was an error before installing the
   string invocation_url = 5;
@@ -85,4 +85,8 @@ message DiscoverEC2Instance {
   string discovery_group = 7;
   // SyncTime is the timestamp when the error was produced.
   google.protobuf.Timestamp sync_time = 8;
+
+  // AccountID and Region were moved into the DiscoverEC2 message.
+  reserved 3, 4;
+  reserved "account_id", "region";
 }

api/types/autodiscover.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2024 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+// List of Auto Discover EC2 issues identifiers.
+// This value is used to populate the UserTasks.Spec.IssueType for Discover EC2 tasks.
+// The Web UI will then use those identifiers to show detailed instructions on how to fix the issue.
+const (
+	// AutoDiscoverEC2IssueEICEFailedToCreateNode is used when the EICE flow fails to create a node.
+	// This can happen when the Node does not have a valid PrivateIPAddress.
+	// This is very unlekly and should only happen if the AWS API returns an unexpected response.
+	AutoDiscoverEC2IssueEICEFailedToCreateNode = "ec2-eice-create-node"
+
+	// AutoDiscoverEC2IssueEICEFailedToUpsertNode is used when the EICE flow fails to upsert a node into the cluster.
+	// This is very unlekly and should only happen
+	// - if the Discovery system role was changed
+	// - if the Node resource validation was changed on the Auth and not on the DiscoveryService
+	// - or because of a network error
+	AutoDiscoverEC2IssueEICEFailedToUpsertNode = "ec2-eice-upsert-node"
+
+	// AutoDiscoverEC2IssueScriptInstanceNotRegistered is used to identify instances that failed to auto-enroll
+	// because they are not present in Amazon Systems Manager.
+	// This usually means that the Instance does not have the SSM Agent running,
+	// or that the instance's IAM Profile does not allow have the managed IAM Policy AmazonSSMManagedInstanceCore assigned to it.
+	AutoDiscoverEC2IssueScriptInstanceNotRegistered = "ec2-ssm-agent-not-registered"
+
+	// AutoDiscoverEC2IssueScriptInstanceConnectionLost is used to identify instances that failed to auto-enroll
+	// because the agent lost connection to Amazon Systems Manager.
+	// This can happen if the user changed some setting in the instance's network or IAM profile.
+	AutoDiscoverEC2IssueScriptInstanceConnectionLost = "ec2-ssm-agent-connection-lost"
+
+	// AutoDiscoverEC2IssueScriptInstanceUnsupportedOS is used to identify instances that failed to auto-enroll
+	// because its OS is not supported by teleport.
+	// This can happen if the instance is running Windows.
+	AutoDiscoverEC2IssueScriptInstanceUnsupportedOS = "ec2-ssm-unsupported-os"
+
+	// AutoDiscoverEC2IssueScriptFailure is used to identify instances that failed to auto-enroll
+	// because the installation script failed.
+	// The invocation url must be included in the report, so that users can see what was wrong.
+	AutoDiscoverEC2IssueScriptFailure = "ec2-ssm-script-failure"
+
+	// AutoDiscoverEC2IssueInvocationFailure is used to identify instances that failed to auto-enroll
+	// because the SSM Script Run (also known as Invocation) failed.
+	// This happens when there's a failure with permissions or an invalid configuration (eg, invalid document name).
+	AutoDiscoverEC2IssueInvocationFailure = "ec2-ssm-invocation-failure"
+)