feat: Add AWS instance identity authentication (#570)

* feat: Add AWS instance identity authentication

This allows zero-trust authentication for all AWS instances.

Prior to this, AWS instances could be used by passing `CODER_TOKEN`
as an environment variable to the startup script. AWS explicitly
states that secrets should not be passed in startup scripts because
it's user-readable.

* Fix sha256 verbosity

* Fix HTTP client being exposed on auth

coderd/workspaceresourceauth_test.go

@@ -13,6 +13,46 @@ import (
 	"github.com/coder/coder/provisionersdk/proto"
 )
 
+func TestPostWorkspaceAuthAWSInstanceIdentity(t *testing.T) {
+	t.Parallel()
+	t.Run("Success", func(t *testing.T) {
+		t.Parallel()
+		instanceID := "instanceidentifier"
+		certificates, metadataClient := coderdtest.NewAWSInstanceIdentity(t, instanceID)
+		client := coderdtest.New(t, &coderdtest.Options{
+			AWSInstanceIdentity: certificates,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		coderdtest.NewProvisionerDaemon(t, client)
+		version := coderdtest.CreateProjectVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			Provision: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agent: &proto.Agent{
+								Auth: &proto.Agent_InstanceId{
+									InstanceId: instanceID,
+								},
+							},
+						}},
+					},
+				},
+			}},
+		})
+		project := coderdtest.CreateProject(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitProjectVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, "me", project.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		client.HTTPClient = metadataClient
+		_, err := client.AuthWorkspaceAWSInstanceIdentity(context.Background())
+		require.NoError(t, err)
+	})
+}
+
 func TestPostWorkspaceAuthGoogleInstanceIdentity(t *testing.T) {
 	t.Parallel()
 	t.Run("Expired", func(t *testing.T) {
@@ -20,7 +60,7 @@ func TestPostWorkspaceAuthGoogleInstanceIdentity(t *testing.T) {
 		instanceID := "instanceidentifier"
 		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, true)
 		client := coderdtest.New(t, &coderdtest.Options{
-			GoogleTokenValidator: validator,
+			GoogleInstanceIdentity: validator,
 		})
 		_, err := client.AuthWorkspaceGoogleInstanceIdentity(context.Background(), "", metadata)
 		var apiErr *codersdk.Error
@@ -33,7 +73,7 @@ func TestPostWorkspaceAuthGoogleInstanceIdentity(t *testing.T) {
 		instanceID := "instanceidentifier"
 		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
 		client := coderdtest.New(t, &coderdtest.Options{
-			GoogleTokenValidator: validator,
+			GoogleInstanceIdentity: validator,
 		})
 		_, err := client.AuthWorkspaceGoogleInstanceIdentity(context.Background(), "", metadata)
 		var apiErr *codersdk.Error
@@ -46,27 +86,12 @@ func TestPostWorkspaceAuthGoogleInstanceIdentity(t *testing.T) {
 		instanceID := "instanceidentifier"
 		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
 		client := coderdtest.New(t, &coderdtest.Options{
-			GoogleTokenValidator: validator,
+			GoogleInstanceIdentity: validator,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
 		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateProjectVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			ProvisionDryRun: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
-						Resources: []*proto.Resource{{
-							Name: "somename",
-							Type: "someinstance",
-							Agent: &proto.Agent{
-								Auth: &proto.Agent_InstanceId{
-									InstanceId: "",
-								},
-							},
-						}},
-					},
-				},
-			}},
 			Provision: []*proto.Provision_Response{{
 				Type: &proto.Provision_Response_Complete{
 					Complete: &proto.Provision_Complete{