Feat: add ssm handling

Add SSM Port Forwarding Feature

This PR adds AWS Systems Manager (SSM) port forwarding capabilities to the AWS Auth Provider API, enabling secure port-forward tunneling to EC2 instances without requiring direct SSH access or public IP addresses.

Implementation

SSM Port Forward Endpoint (GET /ssm/port-forward)

Start an SSM port forwarding session to tunnel traffic from the API host to a remote EC2 instance.

Parameters:

  • instance_id (required) - EC2 instance ID to connect to
  • remote_port (required) - Port on the remote instance
  • remote_host (optional) - Remote external host (ex: mykubeapiendpoint.aws)
  • local_port (optional) - Local port to bind (auto-allocated if not specified)
  • protocol (optional) - URL protocol (http or https, default: http)
  • env_ctx, region, role_arn - Standard AWS authentication parameters

Notes:

  • If no local_port is specified: tries to match the remote_port, otherwise finds an available port in the configured range
  • If local_port is specified but unavailable: automatically finds an alternative port
  • Configurable port range via PORT_RANGE_START and PORT_RANGE_END environment variables (default: 10000-20000)

Returns: Plain text URL to access the forwarded port (e.g., http://aws-auth-provider:12313)

Architecture

The implementation uses a dual-port architecture to enable external access:

External Client → [0.0.0.0:local_port] → Python TCP Proxy → [127.0.0.1:plugin_local_port] → session-manager-plugin → AWS SSM → EC2 Instance

Why this approach?

  • session-manager-plugin only binds to localhost (127.0.0.1)

Configuration

Environment variables:

  • API_HOST - Host for generated URLs (default: aws-auth-provider)
  • PORT_RANGE_START - Minimum port for auto-allocation (default: 10000)
  • PORT_RANGE_END - Maximum port for auto-allocation (default: 20000)
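The allocation rules in the Notes, the dual-port proxy in the Architecture section and the environment variables above, worked through as an added example. This is illustrative code written for this page, not code from the merge request or the AWS Auth Provider project; the function names, the injectable `is_free` predicate and the uppercase echo server that stands in for session-manager-plugin are all constructed for the demo. The real plugin would be started separately (its listener on 127.0.0.1 is the only thing the proxy needs to know about).

```python
import os
import socket
import threading

# Environment variable names and defaults as listed in the MR description.
API_HOST = os.environ.get("API_HOST", "aws-auth-provider")
PORT_RANGE_START = int(os.environ.get("PORT_RANGE_START", "10000"))
PORT_RANGE_END = int(os.environ.get("PORT_RANGE_END", "20000"))


def port_is_free(port, host="0.0.0.0"):
    """True if a TCP listener can currently bind host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def allocate_local_port(remote_port, local_port=None,
                        start=PORT_RANGE_START, end=PORT_RANGE_END,
                        is_free=port_is_free):
    """Port allocation following the MR notes (assumed order, constructed here):
    explicit local_port if free; else, when no local_port was given, remote_port
    if free; else the first free port in [start, end]. `is_free` is injectable so
    the policy can be unit-tested without binding real sockets."""
    if local_port is not None and is_free(local_port):
        return local_port
    if local_port is None and is_free(remote_port):
        return remote_port
    for port in range(start, end + 1):
        if is_free(port):
            return port
    raise RuntimeError(f"no free port in {start}-{end}")


def public_url(local_port, protocol="http"):
    """Plain-text URL the endpoint returns, e.g. http://aws-auth-provider:12313."""
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    return f"{protocol}://{API_HOST}:{local_port}"


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_proxy(listen_port, target_port, listen_host="0.0.0.0", target_host="127.0.0.1"):
    """Accept on listen_host:listen_port and relay each connection to
    target_host:target_port, the localhost-only session-manager-plugin listener
    in the MR's design. Returns the listening socket; close it to stop."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen()

    def serve():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)  # idle tunnels must not time out mid-session
            except OSError:
                client.close()  # plugin not listening yet: drop this client only
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener


def demo_roundtrip(payload=b"hello"):
    """Constructed stand-in for the tunnel: an uppercase echo server on 127.0.0.1
    plays session-manager-plugin; the proxy binds loopback here for portability."""
    plugin = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    plugin.bind(("127.0.0.1", 0))
    plugin.listen()
    plugin_port = plugin.getsockname()[1]

    def echo_once():
        conn, _ = plugin.accept()
        with conn:
            conn.sendall(conn.recv(1024).upper())

    threading.Thread(target=echo_once, daemon=True).start()
    proxy = start_proxy(0, plugin_port, listen_host="127.0.0.1")
    local_port = proxy.getsockname()[1]
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            data = c.recv(1024)
            if not data:
                break
            reply += data
    proxy.close()
    plugin.close()
    return reply


if __name__ == "__main__":
    port = allocate_local_port(6443, is_free=lambda p: p != 6443)
    print(public_url(port), demo_roundtrip(b"hello"))
```

Two points worth checking on the real implementation: the listener on `0.0.0.0` is reachable from every interface on the API host, so whatever network policy or authentication fronts the API should also cover the allocated port range; and the probe-then-bind allocation has a small race (another process can take the port between `port_is_free` and `bind`), which the MR's "finds an alternative port" behaviour should handle by retrying rather than failing the request.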
