Add option to take a snapshot of a managed service source cluster

[mikaylathompson]

Description

We discovered that our existing CDK is not sufficient for taking a snapshot of a managed service source cluster. A specific snapshot role must be created, and there needs to be a trust relationship between the console task role and this snapshot role that allows it to be passed.

With this PR, if managedServiceSourceSnapshotEnabled is added to the cdk.context as true, it sets up these roles and relationships.

In this PR, it does not handle adding the relevant role arn to the services.yaml and passing it through automatically. That would be an excellent follow-up, but in this case I'm trying to focus on unblocking the particularly time-confusing and messy parts instead of making this a fully supported experience.

One of the caveats is that, to pass in the snapshot role, the source cluster must use sigv4 auth. I added a check for this in the CDK.

Manually tested:

Before:

(.venv) bash-5.2# console snapshot create
2024-09-28 03:23:13,956 INFO o.o.m.u.ProcessHelpers [main] getNodeInstanceName()=ip-10-0-5-198.us-east-2.compute.internal
2024-09-28 03:23:14,679 INFO o.o.m.CreateSnapshot [main] Running CreateSnapshot with --snapshot-name rfs-snapshot --source-host https://vpc-cisco-or1-j5nojtdsafdmocqgnzmpjpcbwe.us-east-2.es.amazonaws.com --source-username admin --source-password Admin123! --otel-collector-endpoint http://localhost:4317 --s3-repo-uri s3://migration-artifacts-293444901541-new-cdk-us-east-2/rfs-snapshot-repo --s3-region us-east-2 --no-wait
2024-09-28 03:23:15,144 INFO o.o.m.b.w.SnapshotRunner [main] Attempting to initiate the snapshot...
2024-09-28 03:23:16,573 ERROR o.o.m.b.c.OpenSearchClient [reactor-http-nio-2] Could not register snapshot repo: _snapshot/migration_assistant_repo. Response Code: 401, Response Message: Unauthorized, Response Body: {"Message":"settings.role_arn is needed for snapshot registration."}

With this enabled:

(.venv) bash-5.2# console snapshot create --s3-role-arn arn:aws:iam::293444901541:role/OSMigrations-new-cdk-us-east-2-SnapshotRole53D7C789-18fLjvR4jHRc
2024-09-28 19:34:29,439 INFO o.o.m.u.ProcessHelpers [main] getNodeInstanceName()=ip-10-0-5-155.us-east-2.compute.internal
2024-09-28 19:34:30,381 INFO o.o.m.CreateSnapshot [main] Running CreateSnapshot with --snapshot-name rfs-snapshot --source-host https://vpc-demo-target-cluster-3v7rbwdjxvf6xaxmdxcswmrjgm.us-east-2.es.amazonaws.com --source-aws-service-signing-name es --source-aws-region us-east-2 --otel-collector-endpoint http://localhost:4317 --s3-repo-uri s3://migration-artifacts-293444901541-new-cdk-us-east-2/rfs-snapshot-repo --s3-region us-east-2 --no-wait --s3-role-arn arn:aws:iam::293444901541:role/OSMigrations-new-cdk-us-east-2-SnapshotRole53D7C789-18fLjvR4jHRc
2024-09-28 19:34:30,871 INFO o.o.m.b.w.SnapshotRunner [main] Attempting to initiate the snapshot...
2024-09-28 19:34:32,953 INFO o.o.m.b.c.SnapshotCreator [main] Snapshot repo registration successful
2024-09-28 19:34:33,040 INFO o.o.m.b.c.SnapshotCreator [main] Snapshot rfs-snapshot creation initiated
2024-09-28 19:34:33,040 INFO o.o.m.b.w.SnapshotRunner [main] Snapshot in progress...
Snapshot rfs-snapshot creation initiated successfully

Issues Resolved

#2001

I also fix a dumb mistake I made in the sample cdk.context.json and make the logic around targetVersion vs engineVersion cleaner. It was still requiring an engineVersion in some cases where it really wasn't relevant.

Testing

Manual.

Check List

• New functionality includes testing
  • All tests pass, including unit test, integration test and doctest
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.28%. Comparing base (00f7ce3) to head (17ad2c7).
Report is 6 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #1028      +/-   ##
============================================
- Coverage     80.30%   80.28%   -0.02%     
- Complexity     2727     2728       +1     
============================================
  Files           366      366              
  Lines         13617    13617              
  Branches        942      942              
============================================
- Hits          10935    10933       -2     
- Misses         2108     2109       +1     
- Partials        574      575       +1     

Flag	Coverage Δ
gradle-test	78.27% <ø> (-0.02%)	⬇️
python-test	90.11% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[AndreKurait]

Note: AOS doesn't support snapshots yet

[AndreKurait]

Can we add a deterministic name to avoid suffix? OSMigrations-new-cdk-us-east-2-SnapshotRole53D7C789-18fLjvR4jHRc?

[AndreKurait]

Can we hold on this change until the plaintext password option is removed from this?

[AndreKurait]

Where is this used?

[mikaylathompson]

Ah, not anymore, removing.

[AndreKurait]

Do we want to make this a top level argument instead of within source cluster?

[mikaylathompson]

I went back and forth on this--it's a combo of RFS-related and source-cluster related, so it didn't fit perfectly anywhere. Would you prefer in the source object?

[AndreKurait]

I'm good with this for now

[AndreKurait]

Thanks for this, this could have really tripped up a customer