UserTasks: Add SSM Document and Installer for DiscoverEC2 Issues (#47626

)

This PR adds two new fields to the DiscoverEC2 User Task.
SSM Document used to install teleport
Teleport Installer script name used to install teleport

This can be used to let the user know which scripts were used.
For the SSM Document, users can then open it in webui.
For the Installer Script, users can manage it using `tctl` client.

api/proto/teleport/usertasks/v1/user_tasks.proto

@@ -67,6 +67,12 @@ message DiscoverEC2 {
   string account_id = 2;
   // Region is the AWS Region where Teleport failed to enroll EC2 instances.
   string region = 3;
+  // SSMDocument is the Amazon Systems Manager SSM Document name that was used to install teleport on the instance.
+  // In Amazon console, the document is at:
+  // https://REGION.console.aws.amazon.com/systems-manager/documents/SSM_DOCUMENT/description
+  string ssm_document = 4;
+  // InstallerScript is the Teleport installer script that was used to install teleport on the instance.
+  string installer_script = 5;
 }
 
 // DiscoverEC2Instance contains the result of enrolling an AWS EC2 Instance.

api/types/usertasks/object.go

@@ -215,10 +215,12 @@ func validateDiscoverEC2TaskType(ut *usertasksv1.UserTask) error {
 // TaskNameForDiscoverEC2Parts are the fields that deterministically compute a Discover EC2 task name.
 // To be used with TaskNameForDiscoverEC2 function.
 type TaskNameForDiscoverEC2Parts struct {
-	Integration string
-	IssueType   string
-	AccountID   string
-	Region      string
+	Integration     string
+	IssueType       string
+	AccountID       string
+	Region          string
+	SSMDocument     string
+	InstallerScript string
 }
 
 // TaskNameForDiscoverEC2 returns a deterministic name for the DiscoverEC2 task type.
@@ -233,6 +235,10 @@ func TaskNameForDiscoverEC2(parts TaskNameForDiscoverEC2Parts) string {
 	bs = append(bs, []byte(parts.AccountID)...)
 	bs = append(bs, binary.LittleEndian.AppendUint64(nil, uint64(len(parts.Region)))...)
 	bs = append(bs, []byte(parts.Region)...)
+	bs = append(bs, binary.LittleEndian.AppendUint64(nil, uint64(len(parts.SSMDocument)))...)
+	bs = append(bs, []byte(parts.SSMDocument)...)
+	bs = append(bs, binary.LittleEndian.AppendUint64(nil, uint64(len(parts.InstallerScript)))...)
+	bs = append(bs, []byte(parts.InstallerScript)...)
 	return uuid.NewSHA1(discoverEC2Namespace, bs).String()
 }
 

api/types/usertasks/object_test.go

@@ -250,7 +250,7 @@ func TestNewDiscoverEC2UserTask(t *testing.T) {
 				Kind:    "user_task",
 				Version: "v1",
 				Metadata: &headerv1.Metadata{
-					Name:    "154e1429-da26-5ce2-add2-b0e77a27dd96",
+					Name:    "f36b8798-fdec-59fe-8bd0-33f4890ced05",
 					Expires: userTaskExpirationTimestamp,
 				},
 				Spec: baseEC2DiscoverTaskSpec,

lib/srv/discovery/discovery.go

@@ -981,10 +981,12 @@ func (s *Server) handleEC2RemoteInstallation(instances *server.EC2Instances) err
 		for _, instance := range req.Instances {
 			s.awsEC2Tasks.addFailedEnrollment(
 				awsEC2TaskKey{
-					accountID:   instances.AccountID,
-					integration: instances.Integration,
-					issueType:   usertasks.AutoDiscoverEC2IssueSSMInvocationFailure,
-					region:      instances.Region,
+					accountID:       instances.AccountID,
+					integration:     instances.Integration,
+					issueType:       usertasks.AutoDiscoverEC2IssueSSMInvocationFailure,
+					region:          instances.Region,
+					ssmDocument:     req.DocumentName,
+					installerScript: req.InstallerScriptName(),
 				},
 				&usertasksv1.DiscoverEC2Instance{
 					// TODO(marco): add instance name

lib/srv/discovery/status.go

@@ -302,10 +302,12 @@ func (s *Server) ReportEC2SSMInstallationResult(ctx context.Context, result *ser
 
 	s.awsEC2Tasks.addFailedEnrollment(
 		awsEC2TaskKey{
-			integration: result.IntegrationName,
-			issueType:   result.IssueType,
-			accountID:   result.SSMRunEvent.AccountID,
-			region:      result.SSMRunEvent.Region,
+			integration:     result.IntegrationName,
+			issueType:       result.IssueType,
+			accountID:       result.SSMRunEvent.AccountID,
+			region:          result.SSMRunEvent.Region,
+			ssmDocument:     result.SSMDocumentName,
+			installerScript: result.InstallerScript,
 		},
 		&usertasksv1.DiscoverEC2Instance{
 			// TODO(marco): add instance name
@@ -333,10 +335,12 @@ type awsEC2Tasks struct {
 
 // awsEC2TaskKey identifies a UserTask group.
 type awsEC2TaskKey struct {
-	integration string
-	issueType   string
-	accountID   string
-	region      string
+	integration     string
+	issueType       string
+	accountID       string
+	region          string
+	ssmDocument     string
+	installerScript string
 }
 
 // iterationStarted clears out any in memory issues that were recorded.
@@ -431,10 +435,12 @@ func (s *Server) acquireSemaphoreForUserTask(userTaskName string) (releaseFn fun
 // All of this flow is protected by a lock to ensure there's no race between this and other DiscoveryServices.
 func (s *Server) mergeUpsertDiscoverEC2Task(taskGroup awsEC2TaskKey, failedInstances map[string]*usertasksv1.DiscoverEC2Instance) error {
 	userTaskName := usertasks.TaskNameForDiscoverEC2(usertasks.TaskNameForDiscoverEC2Parts{
-		Integration: taskGroup.integration,
-		IssueType:   taskGroup.issueType,
-		AccountID:   taskGroup.accountID,
-		Region:      taskGroup.region,
+		Integration:     taskGroup.integration,
+		IssueType:       taskGroup.issueType,
+		AccountID:       taskGroup.accountID,
+		Region:          taskGroup.region,
+		SSMDocument:     taskGroup.ssmDocument,
+		InstallerScript: taskGroup.installerScript,
 	})
 
 	releaseFn, ctxWithLease, err := s.acquireSemaphoreForUserTask(userTaskName)

lib/srv/server/ssm_install.go

@@ -63,6 +63,10 @@ type SSMInstallationResult struct {
 	// IssueType identifies the type of issue that occurred if the installation failed.
 	// These are well known identifiers that can be found at types.AutoDiscoverEC2Issue*.
 	IssueType string
+	// SSMDocumentName is the Amazon SSM Document Name used to install Teleport into the instance.
+	SSMDocumentName string
+	// InstallerScript is the Teleport Installer script name used to install Teleport into the instance.
+	InstallerScript string
 }
 
 // SSMInstaller handles running SSM commands that install Teleport on EC2 instances.
@@ -95,6 +99,16 @@ type SSMRunRequest struct {
 	DiscoveryConfig string
 }
 
+// InstallerScriptName returns the Teleport Installer script name.
+// Returns empty string if not defined.
+func (r *SSMRunRequest) InstallerScriptName() string {
+	if r == nil || r.Params == nil {
+		return ""
+	}
+
+	return r.Params[ParamScriptName]
+}
+
 // CheckAndSetDefaults ensures the emitter is present and creates a default logger if one is not provided.
 func (c *SSMInstallerConfig) checkAndSetDefaults() error {
 	if c.ReportSSMInstallationResultFunc == nil {
@@ -212,6 +226,8 @@ func invalidSSMInstanceInstallationResult(req SSMRunRequest, instanceID, status,
 		IntegrationName: req.IntegrationName,
 		DiscoveryConfig: req.DiscoveryConfig,
 		IssueType:       issueType,
+		SSMDocumentName: req.DocumentName,
+		InstallerScript: req.InstallerScriptName(),
 	}
 }
 
@@ -359,6 +375,8 @@ func (si *SSMInstaller) checkCommand(ctx context.Context, req SSMRunRequest, com
 					IntegrationName: req.IntegrationName,
 					DiscoveryConfig: req.DiscoveryConfig,
 					IssueType:       usertasks.AutoDiscoverEC2IssueSSMScriptFailure,
+					SSMDocumentName: req.DocumentName,
+					InstallerScript: req.InstallerScriptName(),
 				}))
 			}
 
@@ -373,6 +391,8 @@ func (si *SSMInstaller) checkCommand(ctx context.Context, req SSMRunRequest, com
 				IntegrationName: req.IntegrationName,
 				DiscoveryConfig: req.DiscoveryConfig,
 				IssueType:       usertasks.AutoDiscoverEC2IssueSSMScriptFailure,
+				SSMDocumentName: req.DocumentName,
+				InstallerScript: req.InstallerScriptName(),
 			}))
 		}
 	}