access_monitoring_rule: Support plugin.spec.name condition variable #51816

Draft
wants to merge 5 commits into
base: master

@bernardjkim bernardjkim commented Feb 4, 2025

Supports #51682

This PR adds support for using the plugin.spec.name variable within the condition expression.

The plugin.spec.name will replace the spec.notification.name. This is more of a UX change. We can deprecate the spec.notification.name but continue to support it. With built-in/native auto approvals, we'd like to support auto approvals without notifications. It would be a bit confusing to continue using spec.notification.name in this scenario.

# Example AMR
kind: access_monitoring_rule
version: v1
metadata:
  name: teleport-pre-approved-roles
spec:
  condition: >
    plugin.spec.name == "teleport-slack" &&
    contains_any(access_request.spec.roles, set("prod"))
  subjects:
    - access_request
  notification:
    # Deprecated: Use 'plugin.spec.name == "teleport-native"' condition instead
    # name: teleport-slack
    recipients: ["access-requests"] 

There is one notable change in behavior with these changes. The AMR can now be configured to match all available plugins, because the spec.notification.name can be empty. If this is an undesirable change, we can add an extra validation step to ensure that a plugin.spec.name variable is used within the condition expression.

Changelog: Support plugin.spec.name AMR condition variable.
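The extra validation step mentioned in the description could look like the following sketch. This is an added example, not code from this PR or from Teleport: the helper names are hypothetical, and it scans the condition text directly instead of using Teleport's expression parser.

```go
package main

import "fmt"

// pluginNameVar is the condition variable named in the PR description.
const pluginNameVar = "plugin.spec.name"

// isIdentChar reports whether c can appear in a dotted identifier.
func isIdentChar(c byte) bool {
	return c == '_' || c == '.' || (c >= '0' && c <= '9') ||
		(c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// referencesPluginName reports whether cond uses plugin.spec.name as a whole
// identifier. Text inside double-quoted literals is skipped. This is a
// presence check only: it does not prove the term restricts the match.
func referencesPluginName(cond string) bool {
	for i := 0; i < len(cond); {
		switch {
		case cond[i] == '"': // skip the literal, honoring backslash escapes
			for i++; i < len(cond) && cond[i] != '"'; i++ {
				if cond[i] == '\\' {
					i++
				}
			}
			i++
		case isIdentChar(cond[i]):
			start := i
			for i < len(cond) && isIdentChar(cond[i]) {
				i++
			}
			if cond[start:i] == pluginNameVar {
				return true
			}
		default:
			i++
		}
	}
	return false
}

// matchesAllPlugins flags a rule with no plugin tie (hypothetical helper).
func matchesAllPlugins(cond, notificationName string) bool {
	return notificationName == "" && !referencesPluginName(cond)
}

func main() {
	fmt.Println(matchesAllPlugins(`contains_any(access_request.spec.roles, set("prod"))`, ""))
}
```

A rule flagged by `matchesAllPlugins` is one that every plugin would pick up, which matters most for auto-approval rules; a reference such as `plugin.spec.name != ""` passes this check, so review of the expression itself is still needed.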


github-actions bot commented Feb 4, 2025

Amplify deployment status

Branch Commit Job ID Status Preview Updated (UTC)
bernard/amr-plugin-conditions HEAD 1 ✅SUCCEED bernard-amr-plugin-conditions 2025-02-04 03:56:41
