add ListVPCs to AWS OIDC integration service (#44708)

* add ListVPCs to AWS OIDC integration service * add databasevpcs endpoint for AWS OIDC integration * set DescribeVpcs page size to 100
gravitational · Jul 29, 2024 · b197b3e · b197b3e
1 parent cffc4b8
commit b197b3e
Show file tree

Hide file tree

Showing 13 changed files with 1,432 additions and 647 deletions.
diff --git a/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go b/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
diff --git a/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go b/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go
diff --git a/api/proto/teleport/integration/v1/awsoidc_service.proto b/api/proto/teleport/integration/v1/awsoidc_service.proto
@@ -49,6 +49,11 @@ service AWSOIDCService {
   // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSubnets.html
   rpc ListSubnets(ListSubnetsRequest) returns (ListSubnetsResponse);
 
+  // ListVPCs returns a list of AWS VPCs.
+  // It uses the following API:
+  // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html
+  rpc ListVPCs(ListVPCsRequest) returns (ListVPCsResponse);
+
   // DeployDatabaseService deploys a Database Services to Amazon ECS.
   rpc DeployDatabaseService(DeployDatabaseServiceRequest) returns (DeployDatabaseServiceResponse);
 
@@ -262,7 +267,7 @@ message ListSubnetsRequest {
 
 // Subnet is a representation of an AWS VPC subnet.
 message Subnet {
-  // Name is the subnet name.
+  // Name is the subnet name. Can be empty.
   string name = 1;
   // ID is the subnet ID.
   string id = 2;
@@ -279,6 +284,36 @@ message ListSubnetsResponse {
   string next_token = 2;
 }
 
+// ListVPCsRequest is a request for a paginated list of AWS VPCs.
+message ListVPCsRequest {
+  // Integration is the AWS OIDC Integration name.
+  // Required.
+  string integration = 1;
+  // Region is the AWS Region
+  // Required.
+  string region = 2;
+  // NextToken is the token to be used to fetch the next page.
+  // If empty, the first page is fetched.
+  string next_token = 3;
+}
+
+// VPC is a representation of an AWS VPC.
+message VPC {
+  // Name is the VPC name. Can be empty.
+  string name = 1;
+  // ID is the VPC ID.
+  string id = 2;
+}
+
+// ListVPCsResponse contains a page of AWS VPCs.
+message ListVPCsResponse {
+  // VPCs contains the page of VPCs.
+  repeated VPC vpcs = 1;
+  // NextToken is used for pagination.
+  // If non-empty, it can be used to request the next page.
+  string next_token = 2;
+}
+
 // DeployDatabaseServiceRequest is a request to deploy .
 message DeployDatabaseServiceRequest {
   // Integration is the AWS OIDC Integration name.

diff --git a/lib/auth/integration/integrationv1/awsoidc.go b/lib/auth/integration/integrationv1/awsoidc.go
@@ -716,3 +716,45 @@ func (s *AWSOIDCService) ListSubnets(ctx context.Context, req *integrationpb.Lis
 		NextToken: resp.NextToken,
 	}, nil
 }
+
+// ListVPCs returns a list of AWS VPCs.
+func (s *AWSOIDCService) ListVPCs(ctx context.Context, req *integrationpb.ListVPCsRequest) (*integrationpb.ListVPCsResponse, error) {
+	authCtx, err := s.authorizer.Authorize(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	if err := authCtx.CheckAccessToKind(types.KindIntegration, types.VerbUse); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	awsClientReq, err := s.awsClientReq(ctx, req.Integration, req.Region)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	awsClient, err := awsoidc.NewListVPCsClient(ctx, awsClientReq)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	resp, err := awsoidc.ListVPCs(ctx, awsClient, awsoidc.ListVPCsRequest{
+		NextToken: req.NextToken,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	vpcs := make([]*integrationpb.VPC, 0, len(resp.VPCs))
+	for _, s := range resp.VPCs {
+		vpcs = append(vpcs, &integrationpb.VPC{
+			Name: s.Name,
+			Id:   s.ID,
+		})
+	}
+
+	return &integrationpb.ListVPCsResponse{
+		Vpcs:      vpcs,
+		NextToken: resp.NextToken,
+	}, nil
+}