DiscoveryMatchers: move checkandset to types package (#32857)

* DiscoveryMatchers: move checkandset to types package * add opensearch to iamrole as users
gravitational · Oct 4, 2023 · 44209ce · 44209ce
1 parent 41edd25
commit 44209ce
Show file tree

Hide file tree

Showing 43 changed files with 1,923 additions and 1,277 deletions.
diff --git a/api/types/constants.go b/api/types/constants.go
@@ -1116,3 +1116,13 @@ const (
 	// JWTClaimsRewriteNone include neither traits nor roles in the JWT token.
 	JWTClaimsRewriteNone = "none"
 )
+
+const (
+	// DefaultInstallerScriptName is the name of the by default populated, EC2
+	// installer script
+	DefaultInstallerScriptName = "default-installer"
+
+	// DefaultInstallerScriptNameAgentless is the name of the by default populated, EC2
+	// installer script when agentless mode is enabled for a matcher
+	DefaultInstallerScriptNameAgentless = "default-agentless-installer"
+)
diff --git a/api/types/installers/installers.go b/api/types/installers/installers.go
@@ -30,11 +30,11 @@ var defaultAgentlessInstallScript string
 
 // InstallerScriptName is the name of the by default populated, EC2
 // installer script
-const InstallerScriptName = "default-installer"
+const InstallerScriptName = types.DefaultInstallerScriptName
 
 // InstallerScriptName is the name of the by default populated, EC2
 // installer script when agentless mode is enabled for a matcher
-const InstallerScriptNameAgentless = "default-agentless-installer"
+const InstallerScriptNameAgentless = types.DefaultInstallerScriptNameAgentless
 
 // DefaultInstaller represents a the default installer script provided
 // by teleport

diff --git a/api/types/matchers_aws.go b/api/types/matchers_aws.go
@@ -16,6 +16,80 @@ limitations under the License.
 
 package types
 
+import (
+	"github.com/gravitational/trace"
+	"golang.org/x/exp/slices"
+
+	apiutils "github.com/gravitational/teleport/api/utils"
+	awsapiutils "github.com/gravitational/teleport/api/utils/aws"
+)
+
+const (
+	// IAMInviteTokenName is the name of the default Teleport IAM
+	// token to use when templating the script to be executed.
+	IAMInviteTokenName = "aws-discovery-iam-token"
+
+	// SSHDConfigPath is the path to the sshd config file to modify
+	// when using the agentless installer
+	SSHDConfigPath = "/etc/ssh/sshd_config"
+
+	// AWSInstallerDocument is the name of the default AWS document
+	// that will be called when executing the SSM command.
+	AWSInstallerDocument = "TeleportDiscoveryInstaller"
+
+	// AWSAgentlessInstallerDocument is the name of the default AWS document
+	// that will be called when executing the SSM command .
+	AWSAgentlessInstallerDocument = "TeleportAgentlessDiscoveryInstaller"
+
+	// AWSMatcherEC2 is the AWS matcher type for EC2 instances.
+	AWSMatcherEC2 = "ec2"
+	// AWSMatcherEKS is the AWS matcher type for AWS Kubernetes.
+	AWSMatcherEKS = "eks"
+	// AWSMatcherRDS is the AWS matcher type for RDS databases.
+	AWSMatcherRDS = "rds"
+	// AWSMatcherRDSProxy is the AWS matcher type for RDS Proxy databases.
+	AWSMatcherRDSProxy = "rdsproxy"
+	// AWSMatcherRedshift is the AWS matcher type for Redshift databases.
+	AWSMatcherRedshift = "redshift"
+	// AWSMatcherRedshiftServerless is the AWS matcher type for Redshift Serverless databases.
+	AWSMatcherRedshiftServerless = "redshift-serverless"
+	// AWSMatcherElastiCache is the AWS matcher type for ElastiCache databases.
+	AWSMatcherElastiCache = "elasticache"
+	// AWSMatcherMemoryDB is the AWS matcher type for MemoryDB databases.
+	AWSMatcherMemoryDB = "memorydb"
+	// AWSMatcherOpenSearch is the AWS matcher type for OpenSearch databases.
+	AWSMatcherOpenSearch = "opensearch"
+)
+
+// SupportedAWSMatchers is list of AWS services currently supported by the
+// Teleport discovery service.
+var SupportedAWSMatchers = append([]string{
+	AWSMatcherEC2,
+	AWSMatcherEKS,
+}, SupportedAWSDatabaseMatchers...)
+
+// SupportedAWSDatabaseMatchers is a list of the AWS databases currently
+// supported by the Teleport discovery service.
+var SupportedAWSDatabaseMatchers = []string{
+	AWSMatcherRDS,
+	AWSMatcherRDSProxy,
+	AWSMatcherRedshift,
+	AWSMatcherRedshiftServerless,
+	AWSMatcherElastiCache,
+	AWSMatcherMemoryDB,
+	AWSMatcherOpenSearch,
+}
+
+// RequireAWSIAMRolesAsUsersMatchers is a list of the AWS databases that
+// require AWS IAM roles as database users.
+// IMPORTANT: if you add database matchers for AWS keyspaces, OpenSearch, or
+// DynamoDB discovery, add them here and in RequireAWSIAMRolesAsUsers in
+// api/types.
+var RequireAWSIAMRolesAsUsersMatchers = []string{
+	AWSMatcherRedshiftServerless,
+	AWSMatcherOpenSearch,
+}
+
 // GetTypes gets the types that the matcher can match.
 func (m AWSMatcher) GetTypes() []string {
 	return m.Types
@@ -29,7 +103,84 @@ func (m AWSMatcher) CopyWithTypes(t []string) Matcher {
 }
 
 // CheckAndSetDefaults that the matcher is correct and adds default values.
-func (m AWSMatcher) CheckAndSetDefaults() error {
-	// TODO(marco): implement
+func (m *AWSMatcher) CheckAndSetDefaults() error {
+	for _, matcherType := range m.Types {
+		if !slices.Contains(SupportedAWSMatchers, matcherType) {
+			return trace.BadParameter("discovery service type does not support %q, supported resource types are: %v",
+				matcherType, SupportedAWSMatchers)
+		}
+	}
+
+	if len(m.Types) == 0 {
+		return trace.BadParameter("discovery service requires at least one type")
+	}
+
+	if len(m.Regions) == 0 {
+		return trace.BadParameter("discovery service requires at least one region")
+	}
+
+	for _, region := range m.Regions {
+		if err := awsapiutils.IsValidRegion(region); err != nil {
+			return trace.BadParameter("discovery service does not support region %q", region)
+		}
+	}
+
+	if m.AssumeRole != nil {
+		if m.AssumeRole.RoleARN != "" {
+			if err := awsapiutils.CheckRoleARN(m.AssumeRole.RoleARN); err != nil {
+				return trace.BadParameter("invalid assume role: %v", err)
+			}
+		} else if m.AssumeRole.ExternalID != "" {
+			for _, t := range m.Types {
+				if !slices.Contains(RequireAWSIAMRolesAsUsersMatchers, t) {
+					return trace.BadParameter("discovery service AWS matcher assume_role_arn is empty, but has external_id %q",
+						m.AssumeRole.ExternalID)
+				}
+			}
+		}
+	}
+
+	if m.Tags == nil || len(m.Tags) == 0 {
+		m.Tags = map[string]apiutils.Strings{Wildcard: {Wildcard}}
+	}
+
+	if m.Params == nil {
+		m.Params = &InstallerParams{
+			InstallTeleport: true,
+		}
+	}
+
+	switch m.Params.JoinMethod {
+	case JoinMethodIAM, "":
+		m.Params.JoinMethod = JoinMethodIAM
+	default:
+		return trace.BadParameter("only IAM joining is supported for EC2 auto-discovery")
+	}
+
+	if m.Params.JoinToken == "" {
+		m.Params.JoinToken = IAMInviteTokenName
+	}
+
+	if m.Params.SSHDConfig == "" {
+		m.Params.SSHDConfig = SSHDConfigPath
+	}
+
+	if m.Params.ScriptName == "" {
+		m.Params.ScriptName = DefaultInstallerScriptNameAgentless
+		if m.Params.InstallTeleport {
+			m.Params.ScriptName = DefaultInstallerScriptName
+		}
+	}
+
+	if m.SSM == nil {
+		m.SSM = &AWSSSM{}
+	}
+
+	if m.SSM.DocumentName == "" {
+		m.SSM.DocumentName = AWSAgentlessInstallerDocument
+		if m.Params.InstallTeleport {
+			m.SSM.DocumentName = AWSInstallerDocument
+		}
+	}
 	return nil
 }