
Support typed AWS environment variables

Problem to solve

People need to deploy to AWS, but entering the right environment variables can be confusing and error-prone. By adding a new kind of typed extensible variable (https://gitlab.com/gitlab-org/gitlab-ce/issues/46806) we can make this much easier and provide a better, but still simple, integration for teams doing deployments to AWS.

Target audience

Proposal

The AWS command-line client supports a few environment variables: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html. We can make setting these via typed variables quite easy.

The keys to start with are:

  • AWS_ACCESS_KEY_ID – Specifies an AWS access key associated with an IAM user or role.
  • AWS_SECRET_ACCESS_KEY – Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
  • AWS_DEFAULT_REGION – Specifies the AWS Region to send the request to. This one may be optional.

The typical use case will be to scope these variables to environments, so that the right values are set automatically for automation targeting a given environment.

We should do some kind of validation of inputs here to avoid situations where someone has pasted a value in the wrong format, as described in comment https://gitlab.com/gitlab-org/gitlab-ce/issues/57780#note_144847555.
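A sketch of what such input validation could look like for the three starting keys, as an added example that is not GitLab's code. The module and method names are hypothetical, the format patterns are assumed heuristics rather than anything stated in this issue, and AWS_DEFAULT_REGION is treated as optional. Error messages never echo the submitted value, so a secret pasted into the wrong field does not end up in a form error or a log.

```ruby
# Added illustration; names and patterns are assumptions, not GitLab's implementation.
module AwsVariableCheck
  # Heuristic shapes (assumed) for each value; tighten or relax as needed.
  FORMATS = {
    'AWS_ACCESS_KEY_ID'     => /\A[A-Z0-9]{16,128}\z/,
    'AWS_SECRET_ACCESS_KEY' => %r{\A[A-Za-z0-9/+=]{40}\z},
    'AWS_DEFAULT_REGION'    => /\A[a-z]{2}(-[a-z]+)+-\d+\z/
  }.freeze
  OPTIONAL = ['AWS_DEFAULT_REGION'].freeze

  # Returns an array of error strings for one variable.
  # The messages name the key only and never contain the value itself.
  def self.errors_for(key, value)
    format = FORMATS[key]
    return ["#{key} is not a supported AWS variable"] unless format
    if value.nil? || value.empty?
      return OPTIONAL.include?(key) ? [] : ["#{key} is required"]
    end

    errors = []
    errors << "#{key} has leading or trailing whitespace" if value != value.strip
    candidate = value.strip
    unless candidate.match?(format)
      # Detect a value pasted into the wrong field by testing the other formats.
      other = FORMATS.find { |name, re| name != key && candidate.match?(re) }
      errors << (other ? "#{key} looks like a value for #{other.first}" : "#{key} is not in the expected format")
    end
    errors
  end

  # Validates a hash of variables; returns only the keys that have errors.
  def self.validate(vars)
    FORMATS.keys.each_with_object({}) do |key, result|
      errs = errors_for(key, vars[key])
      result[key] = errs unless errs.empty?
    end
  end
end

# Constructed sample input: AWS documentation placeholder credentials, pasted into swapped fields.
SAMPLE = {
  'AWS_ACCESS_KEY_ID'     => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  'AWS_SECRET_ACCESS_KEY' => "AKIAIOSFODNN7EXAMPLE\n",
  'AWS_DEFAULT_REGION'    => 'us-east-1'
}.freeze
```

Calling `AwsVariableCheck.validate(SAMPLE)` reports both credential fields as swapped and flags the trailing newline on the second one, without repeating either value.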

Mockups

TBD

What does success look like, and how can we measure that?

We want to be able to understand how many people are deploying to AWS (and other clouds) - we should have a usage ping that shows how many people are using the AWS credential creation in this way as evidence of ~Release usage, though this should of course be anonymous.

Links / references

Future Improvement

In the future, we could also consider:

  • AWS_DEFAULT_OUTPUT – Specifies the output format to use.
  • AWS_DEFAULT_PROFILE – Specifies the name of the CLI profile with the credentials and options to use. This can be the name of a profile stored in a credentials or config file, or the value default to use the default profile. If you specify this environment variable, it overrides the behavior of using the profile named [default] in the configuration file.
  • AWS_SESSION_TOKEN – Specifies the session token value that is required if you are using temporary security credentials. For more information, see the Output section of the assume-role command in the AWS CLI Command Reference.
  • AWS_CA_BUNDLE – Specifies the path to a certificate bundle to use for HTTPS certificate validation.
  • AWS_SHARED_CREDENTIALS_FILE – Specifies the location of the file that the AWS CLI uses to store access keys (the default is ~/.aws/credentials).
  • AWS_CONFIG_FILE – Specifies the location of the file that the AWS CLI uses to store configuration profiles (the default is ~/.aws/config).
Edited by Jason Yavorsky