Audit for CloudWatch multitenancy #127

Closed
iwysiu opened this issue Feb 8, 2024 · 1 comment

Comments


iwysiu commented Feb 8, 2024

I did an initial audit and I didn’t find anything, but we should double check. The only things CloudWatch uses are NewSessionCache, SessionCache.GetSession, AWSDatasourceSettings, AuthSettings, ReadAuthSettings, and some consts.

For reference, the key parts of supporting multi-tenancy are:

  • State and sensitive information should only be stored at the instance level
  • Code should not reference environment variables
  • Code should not access the file system

Notes:

  • CloudWatch doesn't actually use any of the pieces of grafana-aws-sdk that use sqlds.
  • Hosted Grafana doesn’t support non-key auth, so we don’t have to handle them (slack link)


iwysiu commented Feb 20, 2024

No changes required to the library for CloudWatch.

CloudWatch Notes:

  • We could refactor LoadCloudWatchSettings to call AWSDatasourceSettings.Load
  • Should just use ReadAuthSettingsFromContext instead of ReadAuthSettings since we know we'll have access to the context auth settings and it removes the env variable path (even if we shouldn't end up going down it).

grafana-aws-sdk Notes:

  • For a longer term refactor: may make sense to move the AuthSettings to be part of AWSDatasourceSettings and add a loader that accepts a context
  • I considered trying to refactor the SessionCache to be more pared down for a single instance, but considering that we're going to have to replace it to move to aws-sdk-go/v2 fairly soon, I decided not to. We can't just isolate the new session part of it, since we still need the sts timeouts and handling session expiration.
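The audit criteria in the first comment (state only at the instance level, no environment variables, no file system) and the second comment's preference for ReadAuthSettingsFromContext over ReadAuthSettings both come down to one property: a loader must not consult process-wide state. The Go below is an added illustration, not grafana-aws-sdk's or the CloudWatch plugin's code; the AuthSettings fields, the context key, the environment variable names and the DependsOnProcessEnv check are all hypothetical. It shows a context-only loader beside the env-fallback pattern the audit wants removed, and an audit helper that detects the fallback by planting a sentinel in the environment and calling the loader with a context that carries no instance settings.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"strings"
)

// AuthSettings is a hypothetical stand-in for the auth settings the issue talks
// about; the field names are illustrative, not grafana-aws-sdk's.
type AuthSettings struct {
	AllowedAuthProviders []string
	AssumeRoleEnabled    bool
}

// ctxKey is the private context key under which the plugin host is assumed to
// store the settings of the instance handling the current request.
type ctxKey struct{}

// WithAuthSettings attaches per-instance auth settings to ctx.
func WithAuthSettings(ctx context.Context, s AuthSettings) context.Context {
	return context.WithValue(ctx, ctxKey{}, s)
}

// ErrNoAuthSettings is returned when the request context carries no settings.
var ErrNoAuthSettings = errors.New("auth settings missing from context")

// ReadAuthSettingsFromContext is the tenant-safe loader: it consults only the
// request context and never process-wide state.
func ReadAuthSettingsFromContext(ctx context.Context) (AuthSettings, error) {
	s, ok := ctx.Value(ctxKey{}).(AuthSettings)
	if !ok {
		return AuthSettings{}, ErrNoAuthSettings
	}
	return s, nil
}

// readAuthSettingsWithEnvFallback models the pattern the audit wants gone:
// context first, then environment variables. In a single-tenant process the
// fallback is harmless; in a multi-tenant host the environment is shared by
// every instance, so a request missing its settings silently picks up
// host-level configuration instead of failing.
func readAuthSettingsWithEnvFallback(ctx context.Context) (AuthSettings, error) {
	if s, err := ReadAuthSettingsFromContext(ctx); err == nil {
		return s, nil
	}
	// Hypothetical variable names; the point is the fallback, not the names.
	providers := strings.Split(os.Getenv("AWS_ALLOWED_AUTH_PROVIDERS"), ",")
	return AuthSettings{
		AllowedAuthProviders: providers,
		AssumeRoleEnabled:    os.Getenv("AWS_ASSUME_ROLE_ENABLED") == "true",
	}, nil
}

// Loader is any function that resolves auth settings for a request.
type Loader func(context.Context) (AuthSettings, error)

// DependsOnProcessEnv is the audit check: plant a sentinel in the process
// environment, call the loader with a context that carries no instance
// settings, and report whether the sentinel leaked into the result.
// A multi-tenant-safe loader must return an error instead.
func DependsOnProcessEnv(load Loader) bool {
	const sentinel = "sentinel-provider-from-env"
	os.Setenv("AWS_ALLOWED_AUTH_PROVIDERS", sentinel)
	defer os.Unsetenv("AWS_ALLOWED_AUTH_PROVIDERS")

	s, err := load(context.Background())
	if err != nil {
		return false
	}
	for _, p := range s.AllowedAuthProviders {
		if p == sentinel {
			return true
		}
	}
	return false
}

func main() {
	// Constructed per-instance settings for one tenant.
	tenantCtx := WithAuthSettings(context.Background(), AuthSettings{
		AllowedAuthProviders: []string{"keys"},
	})
	s, _ := ReadAuthSettingsFromContext(tenantCtx)
	fmt.Println("tenant settings from context:", s.AllowedAuthProviders)

	fmt.Println("env-fallback loader depends on process env:",
		DependsOnProcessEnv(readAuthSettingsWithEnvFallback)) // true
	fmt.Println("context-only loader depends on process env:",
		DependsOnProcessEnv(ReadAuthSettingsFromContext)) // false
}
```

The same sentinel technique extends to the other two audit criteria: point a loader at an empty working directory or a read-only temp dir to catch file-system reads, and run two instances with different context settings concurrently to confirm neither observes the other's state.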
