@mcarpendale
This PR adds comprehensive support for AWS temporary credentials and existing VPC/subnet infrastructure, addressing modern AWS authentication requirements and organizational security policies.

Features Added

1. AWS Session Token Support

  • Support for temporary credentials from IAM Identity Center (SSO)
  • Support for AWS STS session tokens
  • Support for assumed role credentials
  • Session tokens flow through entire credential chain: User Input → Config → AWS SDK → Terraform → EC2 → Scripts

2. Existing VPC/Subnet Support

  • Use existing VPC infrastructure instead of creating new VPC
  • Use existing subnet instead of creating new subnet
  • Conditional resource creation (VPC, subnet, IGW, route tables)
  • Dynamic IP assignment for existing subnets
  • Dynamic /etc/hosts generation via AWS API queries

Files Modified (15 files)

Core Application (2 files):

  • px-deploy.go: Config struct, CLI flags, env vars, destroy fix
  • aws.go: AWS SDK integration, nil pointer handling, IAM key age skip

Configuration (1 file):

  • defaults.yml: Added aws_session_token, aws_existing_vpc_id, aws_existing_subnet_id

AWS Terraform (3 files):

  • terraform/aws/variables.tf: New variable definitions
  • terraform/aws/main.tf: Conditional resources, dynamic IPs, naming fixes
  • terraform/aws/cloud-init.tpl: Pass session token and VPC config

vSphere Terraform (3 files):

  • terraform/vsphere/variables.tf: Session token variable
  • terraform/vsphere/main.tf: Pass session token to cloud-init
  • terraform/vsphere/cloud-init.tpl: Conditional session token
  • vsphere.go: Terraform variable generation

Infrastructure Scripts (1 file):

  • infra/all-common: Dynamic /etc/hosts, AWS CLI install, IP queries

Shell Scripts (4 files):

  • scripts/clusterpair: Parse session token
  • scripts/dude: Parse session token (2 locations)
  • scripts/eks-multicloud-target: Parse session token
  • scripts/helm-backup-apps: Parse session token

Key Fixes

  1. Destroy command session token loading (px-deploy.go:1271)
    • Was missing session token when loading credentials from defaults.yml
    • Caused authentication failures during destroy operations

  2. AWS instance naming convention (terraform/aws/main.tf)
    • Masters: master-N (without instance number)
    • Workers: node-N-M (with instance number)
    • Fixes SSH connection and script compatibility issues

  3. Nil pointer handling (aws.go:391-412)
    • Handle instances with private-only IPs (no public IP)
    • Required for existing VPC deployments without Internet Gateway

  4. IAM key age check (aws.go:800-804)
    • Skip check when using temporary credentials
    • Prevents panic with session tokens

Testing Performed

✅ Successfully deployed with temporary credentials (IAM Identity Center)
✅ Successfully deployed with existing VPC and subnet
✅ All nodes became Ready, Portworx installed successfully
✅ Status and connect commands worked correctly
✅ Destroy command worked with refreshed credentials
✅ Tested across multiple AWS accounts with different SCPs
✅ Backward compatibility verified (works without session token)

Backward Compatibility

✅ 100% backward compatible - no breaking changes

  • Session token is optional (defaults to empty string)
  • Existing VPC/subnet fields are optional
  • All existing configurations work unchanged
  • Static credentials continue to work as before

Security

✅ No security regressions

  • Session tokens never logged
  • Session tokens cleared from deployment YAML files
  • Credentials file permissions remain 0600
  • Follows existing credential handling patterns

Use Cases Addressed

  • Organizations using IAM Identity Center (AWS SSO)
  • Organizations with SCP blocking Internet Gateway creation
  • Deployments requiring site-to-site VPN connectivity
  • Multi-account AWS environments with security policies
  • Compliance requirements for temporary credentials
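An added Go example (not px-deploy's own code) modelling the two fixes described above: detecting temporary credentials so the IAM key-age check is skipped, and picking an instance IP without dereferencing a nil public-IP pointer, plus rendering a shared-credentials profile that carries aws_session_token only when one is set. It assumes a local Instance type standing in for the SDK's pointer-typed ec2 Instance, and the "ASIA" key-prefix heuristic is an addition the PR does not mention.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AWSCredentials carries the three values the PR threads through the chain.
type AWSCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string // token empty for static keys
}

// IsTemporary reports whether these are STS-issued credentials (SSO, assumed
// role). A session token, or the "ASIA" prefix AWS gives temporary key IDs,
// marks them; the prefix check is an assumption added here.
func (c AWSCredentials) IsTemporary() bool {
	return c.SessionToken != "" || strings.HasPrefix(c.AccessKeyID, "ASIA")
}

// ShouldCheckKeyAge mirrors the aws.go fix: the IAM access-key age lookup
// only makes sense for long-lived user keys, so skip it for temporary ones.
func ShouldCheckKeyAge(c AWSCredentials) bool { return !c.IsTemporary() }

// Instance stands in for the SDK's ec2 Instance, whose IP fields are *string
// and nil when the instance has no public address (existing VPC, no IGW).
type Instance struct {
	PublicIPAddress, PrivateIPAddress *string
}

// ReachableIP prefers the public IP, falls back to the private IP, and never
// dereferences a nil pointer, which is the panic the PR's fix removes.
func ReachableIP(inst Instance) (string, error) {
	for _, p := range []*string{inst.PublicIPAddress, inst.PrivateIPAddress} {
		if p != nil && *p != "" {
			return *p, nil
		}
	}
	return "", errors.New("instance has no usable IP address")
}

// RenderCredentialsFile builds a shared-credentials profile (to be written
// with mode 0600), adding aws_session_token only when present so static
// credentials render exactly as before.
func RenderCredentialsFile(c AWSCredentials) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n",
		c.AccessKeyID, c.SecretAccessKey)
	if c.SessionToken != "" {
		fmt.Fprintf(&b, "aws_session_token = %s\n", c.SessionToken)
	}
	return b.String()
}
```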
