From c51cebe9789e258cecabead49e5cd7c24aebb262 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Andr=C3=A9=20Dinis?=
Date: Fri, 23 Feb 2024 17:43:15 +0000
Subject: [PATCH] AWS OIDC: DeployService service (#38511)
* AWS OIDC: DeployService service
This PR creates a new method on the AWS OIDC gRPC service that deploys an ECS Service. This is part of a refactor that moves the API calls behind the Auth Service.
* add rbac test and rename teleport config string
* revert e
---
 .../integration/v1/awsoidc_service.pb.go | 433 +++++++++++++++---
 .../integration/v1/awsoidc_service_grpc.pb.go | 39 ++
 .../integration/v1/awsoidc_service.proto | 50 ++
 lib/auth/integration/integrationv1/awsoidc.go | 50 ++
 .../integration/integrationv1/awsoidc_test.go | 61 +++
 lib/integrations/awsoidc/deployservice.go | 32 +-
 .../awsoidc/deployservice_test.go | 36 +-
 .../awsoidc/deployservice_vcr_test.go | 16 +-
 lib/web/integrations_awsoidc.go | 56 ++-
 lib/web/ui/integration.go | 15 -
 10 files changed, 609 insertions(+), 179 deletions(-)
diff --git a/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go b/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
index 9af880ac5eefd..401ee1fad7220 100644
--- a/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
+++ b/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
@@ -1034,6 +1034,216 @@ func (x *DeployDatabaseServiceResponse) GetClusterDashboardUrl() string { return "" } +// DeployServiceRequest is a request to deploy . +type DeployServiceRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Integration is the AWS OIDC Integration name. + // Required. + Integration string `protobuf:"bytes,1,opt,name=integration,proto3" json:"integration,omitempty"` + // Region is the AWS Region + // Required. + Region string `protobuf:"bytes,2,opt,name=region,proto3" json:"region,omitempty"` + // DeploymentMode is the deployment name that should be applied when creating the ECS Service. + // Allowed modes: database-service + // Required. + DeploymentMode string `protobuf:"bytes,3,opt,name=deployment_mode,json=deploymentMode,proto3" json:"deployment_mode,omitempty"` + // SecurityGroups to apply to the service's network configuration. + // If empty, the default security group for the VPC is going to be used. + SecurityGroups []string `protobuf:"bytes,4,rep,name=security_groups,json=securityGroups,proto3" json:"security_groups,omitempty"` + // SubnetIds are the subnets for the network configuration. + // Required. + SubnetIds []string `protobuf:"bytes,5,rep,name=subnet_ids,json=subnetIds,proto3" json:"subnet_ids,omitempty"` + // TaskRoleARN is the AWS IAM Role received by the deployed service. + // Required. + TaskRoleArn string `protobuf:"bytes,6,opt,name=task_role_arn,json=taskRoleArn,proto3" json:"task_role_arn,omitempty"` + // TeleportVersion is the teleport version to be deployed. + // This is used to fetch the correct tag for the teleport container image. + // Eg, 14.3.4 (no "v" prefix) + // Required. + TeleportVersion string `protobuf:"bytes,7,opt,name=teleport_version,json=teleportVersion,proto3" json:"teleport_version,omitempty"` + // DeploymentJoinTokenName is the Teleport IAM Join Token to be used by the deployed + // service to join the cluster. + // Required. 
+ DeploymentJoinTokenName string `protobuf:"bytes,8,opt,name=deployment_join_token_name,json=deploymentJoinTokenName,proto3" json:"deployment_join_token_name,omitempty"` + // TeleportConfigString is the teleport.yaml configuration (base64 encoded) used by teleport. + // Required. + TeleportConfigString string `protobuf:"bytes,9,opt,name=teleport_config_string,json=teleportConfigString,proto3" json:"teleport_config_string,omitempty"` +} + +func (x *DeployServiceRequest) Reset() { + *x = DeployServiceRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[13] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeployServiceRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeployServiceRequest) ProtoMessage() {} + +func (x *DeployServiceRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[13] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeployServiceRequest.ProtoReflect.Descriptor instead. 
+func (*DeployServiceRequest) Descriptor() ([]byte, []int) { + return file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP(), []int{13} +} + +func (x *DeployServiceRequest) GetIntegration() string { + if x != nil { + return x.Integration + } + return "" +} + +func (x *DeployServiceRequest) GetRegion() string { + if x != nil { + return x.Region + } + return "" +} + +func (x *DeployServiceRequest) GetDeploymentMode() string { + if x != nil { + return x.DeploymentMode + } + return "" +} + +func (x *DeployServiceRequest) GetSecurityGroups() []string { + if x != nil { + return x.SecurityGroups + } + return nil +} + +func (x *DeployServiceRequest) GetSubnetIds() []string { + if x != nil { + return x.SubnetIds + } + return nil +} + +func (x *DeployServiceRequest) GetTaskRoleArn() string { + if x != nil { + return x.TaskRoleArn + } + return "" +} + +func (x *DeployServiceRequest) GetTeleportVersion() string { + if x != nil { + return x.TeleportVersion + } + return "" +} + +func (x *DeployServiceRequest) GetDeploymentJoinTokenName() string { + if x != nil { + return x.DeploymentJoinTokenName + } + return "" +} + +func (x *DeployServiceRequest) GetTeleportConfigString() string { + if x != nil { + return x.TeleportConfigString + } + return "" +} + +// DeployServiceResponse contains information about the deployed service. +type DeployServiceResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // ClusterArn identifies the cluster where the deployment was made. + ClusterArn string `protobuf:"bytes,1,opt,name=cluster_arn,json=clusterArn,proto3" json:"cluster_arn,omitempty"` + // ServiceARN is the Amazon ECS Cluster Service ARN created to run the task. + ServiceArn string `protobuf:"bytes,2,opt,name=service_arn,json=serviceArn,proto3" json:"service_arn,omitempty"` + // TaskDefinitionARN is the Amazon ECS Task Definition ARN created to run the Service. 
+ TaskDefinitionArn string `protobuf:"bytes,3,opt,name=task_definition_arn,json=taskDefinitionArn,proto3" json:"task_definition_arn,omitempty"` + // ServiceDashboardURL is a link to the service's Dashboard URL in Amazon Console. + ServiceDashboardUrl string `protobuf:"bytes,4,opt,name=service_dashboard_url,json=serviceDashboardUrl,proto3" json:"service_dashboard_url,omitempty"` +} + +func (x *DeployServiceResponse) Reset() { + *x = DeployServiceResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[14] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DeployServiceResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeployServiceResponse) ProtoMessage() {} + +func (x *DeployServiceResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[14] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeployServiceResponse.ProtoReflect.Descriptor instead. +func (*DeployServiceResponse) Descriptor() ([]byte, []int) { + return file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP(), []int{14} +} + +func (x *DeployServiceResponse) GetClusterArn() string { + if x != nil { + return x.ClusterArn + } + return "" +} + +func (x *DeployServiceResponse) GetServiceArn() string { + if x != nil { + return x.ServiceArn + } + return "" +} + +func (x *DeployServiceResponse) GetTaskDefinitionArn() string { + if x != nil { + return x.TaskDefinitionArn + } + return "" +} + +func (x *DeployServiceResponse) GetServiceDashboardUrl() string { + if x != nil { + return x.ServiceDashboardUrl + } + return "" +} + // ListEC2Request is a request for a paginated list of AWS EC2 instances. 
type ListEC2Request struct { state protoimpl.MessageState @@ -1054,7 +1264,7 @@ type ListEC2Request struct { func (x *ListEC2Request) Reset() { *x = ListEC2Request{} if protoimpl.UnsafeEnabled { - mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[13] + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[15] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1067,7 +1277,7 @@ func (x *ListEC2Request) String() string { func (*ListEC2Request) ProtoMessage() {} func (x *ListEC2Request) ProtoReflect() protoreflect.Message { - mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[13] + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[15] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1080,7 +1290,7 @@ func (x *ListEC2Request) ProtoReflect() protoreflect.Message { // Deprecated: Use ListEC2Request.ProtoReflect.Descriptor instead. func (*ListEC2Request) Descriptor() ([]byte, []int) { - return file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP(), []int{13} + return file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP(), []int{15} } func (x *ListEC2Request) GetIntegration() string { @@ -1120,7 +1330,7 @@ type ListEC2Response struct { func (x *ListEC2Response) Reset() { *x = ListEC2Response{} if protoimpl.UnsafeEnabled { - mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[14] + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1133,7 +1343,7 @@ func (x *ListEC2Response) String() string { func (*ListEC2Response) ProtoMessage() {} func (x *ListEC2Response) ProtoReflect() protoreflect.Message { - mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[14] + mi := &file_teleport_integration_v1_awsoidc_service_proto_msgTypes[16] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1146,7 +1356,7 @@ func (x *ListEC2Response) ProtoReflect() protoreflect.Message { // Deprecated: Use ListEC2Response.ProtoReflect.Descriptor instead. func (*ListEC2Response) Descriptor() ([]byte, []int) { - return file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP(), []int{14} + return file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP(), []int{16} } func (x *ListEC2Response) GetServers() []*types.ServerV2 { 
@@ -1310,62 +1520,105 @@ var file_teleport_integration_v1_awsoidc_service_proto_rawDesc = []byte{ 0x15, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x64, 0x61, 0x73, 0x68, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x44, 0x61, 0x73, 0x68, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x55, 0x72, - 0x6c, 0x22, 0x69, 0x0a, 0x0e, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x43, 0x32, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x0a, - 0x0a, 0x6e, 0x65, 0x78, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x09, 0x6e, 0x65, 0x78, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x5b, 0x0a, 0x0f, - 0x4c, 0x69, 0x73, 0x74, 0x45, 0x43, 0x32, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, - 0x29, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x0f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x56, - 0x32, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x6e, 0x65, - 0x78, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, - 0x6e, 0x65, 0x78, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x32, 0xc7, 0x04, 0x0a, 0x0e, 0x41, 0x57, - 0x53, 0x4f, 0x49, 0x44, 0x43, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x5f, 0x0a, 0x08, - 0x4c, 0x69, 0x73, 0x74, 0x45, 0x49, 0x43, 0x45, 0x12, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, - 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, - 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 
0x45, 0x49, 0x43, 0x45, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x29, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, - 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, - 0x74, 0x45, 0x49, 0x43, 0x45, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x6e, 0x0a, - 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x73, 0x12, 0x2d, + 0x6c, 0x22, 0x83, 0x03, 0x0a, 0x14, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, + 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, + 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, + 0x67, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, + 0x6e, 0x74, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x64, + 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x27, 0x0a, + 0x0f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, + 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74, + 0x5f, 0x69, 0x64, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09, 0x73, 0x75, 0x62, 0x6e, + 0x65, 0x74, 0x49, 0x64, 0x73, 0x12, 0x22, 0x0a, 0x0d, 0x74, 0x61, 0x73, 0x6b, 0x5f, 0x72, 0x6f, + 0x6c, 0x65, 0x5f, 0x61, 0x72, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x74, 0x61, + 0x73, 0x6b, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, 0x6e, 0x12, 0x29, 0x0a, 0x10, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 
0x18, 0x07, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x56, 0x65, 0x72, + 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x3b, 0x0a, 0x1a, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, + 0x6e, 0x74, 0x5f, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x6e, 0x61, + 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, + 0x6d, 0x65, 0x6e, 0x74, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4e, 0x61, 0x6d, + 0x65, 0x12, 0x34, 0x0a, 0x16, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x63, 0x6f, + 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x18, 0x09, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x14, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x22, 0xbd, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x70, 0x6c, + 0x6f, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x61, 0x72, 0x6e, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x41, + 0x72, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x72, + 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x41, 0x72, 0x6e, 0x12, 0x2e, 0x0a, 0x13, 0x74, 0x61, 0x73, 0x6b, 0x5f, 0x64, 0x65, 0x66, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x61, 0x72, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x11, 0x74, 0x61, 0x73, 0x6b, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x41, 0x72, 0x6e, 0x12, 0x32, 0x0a, 0x15, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x64, + 0x61, 0x73, 0x68, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x13, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x44, 0x61, 0x73, 0x68, 0x62, + 0x6f, 0x61, 0x72, 
0x64, 0x55, 0x72, 0x6c, 0x22, 0x69, 0x0a, 0x0e, 0x4c, 0x69, 0x73, 0x74, 0x45, + 0x43, 0x32, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, 0x74, + 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, + 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x72, + 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, + 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x6e, 0x65, 0x78, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, + 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x65, 0x78, 0x74, 0x54, 0x6f, 0x6b, + 0x65, 0x6e, 0x22, 0x5b, 0x0a, 0x0f, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x43, 0x32, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x29, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, + 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x56, 0x32, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, + 0x12, 0x1d, 0x0a, 0x0a, 0x6e, 0x65, 0x78, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x65, 0x78, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x32, + 0xb7, 0x05, 0x0a, 0x0e, 0x41, 0x57, 0x53, 0x4f, 0x49, 0x44, 0x43, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x12, 0x5f, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x49, 0x43, 0x45, 0x12, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x61, 0x74, - 0x61, 0x62, 0x61, 0x73, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, - 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, - 0x62, 0x61, 0x73, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 
0x6e, 0x73, 0x65, 0x12, 0x7d, 0x0a, - 0x12, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x47, 0x72, 0x6f, - 0x75, 0x70, 0x73, 0x12, 0x32, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x49, 0x43, + 0x45, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x49, 0x43, 0x45, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x6e, 0x0a, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x62, + 0x61, 0x73, 0x65, 0x73, 0x12, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, + 0x69, 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, - 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, - 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, - 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x47, 0x72, - 0x6f, 0x75, 0x70, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x86, 0x01, 0x0a, - 0x15, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, - 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, - 
0x2e, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x36, 0x2e, - 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x44, 0x61, - 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5c, 0x0a, 0x07, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x43, 0x32, - 0x12, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, - 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x45, - 0x43, 0x32, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x7d, 0x0a, 0x12, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x32, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x43, 0x32, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, - 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, - 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, - 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, - 0x31, 0x3b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x31, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, 
+ 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x33, 0x2e, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x86, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x44, 0x61, 0x74, + 0x61, 0x62, 0x61, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x35, 0x2e, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x44, 0x61, 0x74, + 0x61, 0x62, 0x61, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x36, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, + 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, + 0x70, 0x6c, 0x6f, 0x79, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x6e, 0x0a, 0x0d, 0x44, + 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2d, 0x2e, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x53, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, 
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5c, 0x0a, 0x07, 0x4c, + 0x69, 0x73, 0x74, 0x45, 0x43, 0x32, 0x12, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, + 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x43, 0x32, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x45, 0x43, + 0x32, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, + 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -1380,7 +1633,7 @@ func file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP() []byte { return file_teleport_integration_v1_awsoidc_service_proto_rawDescData } -var file_teleport_integration_v1_awsoidc_service_proto_msgTypes = make([]protoimpl.MessageInfo, 15) +var file_teleport_integration_v1_awsoidc_service_proto_msgTypes = make([]protoimpl.MessageInfo, 17) var file_teleport_integration_v1_awsoidc_service_proto_goTypes = []interface{}{ (*ListEICERequest)(nil), // 0: teleport.integration.v1.ListEICERequest (*EC2InstanceConnectEndpoint)(nil), // 1: teleport.integration.v1.EC2InstanceConnectEndpoint 
@@ -1395,32 +1648,36 @@ var file_teleport_integration_v1_awsoidc_service_proto_goTypes = []interface{}{ (*DeployDatabaseServiceRequest)(nil), // 10: teleport.integration.v1.DeployDatabaseServiceRequest (*DeployDatabaseServiceDeployment)(nil), // 11: teleport.integration.v1.DeployDatabaseServiceDeployment (*DeployDatabaseServiceResponse)(nil), // 12: teleport.integration.v1.DeployDatabaseServiceResponse - (*ListEC2Request)(nil), // 13: teleport.integration.v1.ListEC2Request - (*ListEC2Response)(nil), // 14: teleport.integration.v1.ListEC2Response - (*types.DatabaseV3)(nil), // 15: types.DatabaseV3 - (*types.ServerV2)(nil), // 16: types.ServerV2 + (*DeployServiceRequest)(nil), // 13: teleport.integration.v1.DeployServiceRequest + (*DeployServiceResponse)(nil), // 14: teleport.integration.v1.DeployServiceResponse + (*ListEC2Request)(nil), // 15: teleport.integration.v1.ListEC2Request + (*ListEC2Response)(nil), // 16: teleport.integration.v1.ListEC2Response + (*types.DatabaseV3)(nil), // 17: types.DatabaseV3 + (*types.ServerV2)(nil), // 18: types.ServerV2 } var file_teleport_integration_v1_awsoidc_service_proto_depIdxs = []int32{ 1, // 0: teleport.integration.v1.ListEICEResponse.ec2ices:type_name -> teleport.integration.v1.EC2InstanceConnectEndpoint - 15, // 1: teleport.integration.v1.ListDatabasesResponse.databases:type_name -> types.DatabaseV3 + 17, // 1: teleport.integration.v1.ListDatabasesResponse.databases:type_name -> types.DatabaseV3 6, // 2: teleport.integration.v1.SecurityGroupRule.cidrs:type_name -> teleport.integration.v1.SecurityGroupRuleCIDR 7, // 3: teleport.integration.v1.SecurityGroup.inbound_rules:type_name -> teleport.integration.v1.SecurityGroupRule 7, // 4: teleport.integration.v1.SecurityGroup.outbound_rules:type_name -> teleport.integration.v1.SecurityGroupRule 8, // 5: teleport.integration.v1.ListSecurityGroupsResponse.security_groups:type_name -> teleport.integration.v1.SecurityGroup 11, // 6: 
teleport.integration.v1.DeployDatabaseServiceRequest.deployments:type_name -> teleport.integration.v1.DeployDatabaseServiceDeployment - 16, // 7: teleport.integration.v1.ListEC2Response.servers:type_name -> types.ServerV2 + 18, // 7: teleport.integration.v1.ListEC2Response.servers:type_name -> types.ServerV2 0, // 8: teleport.integration.v1.AWSOIDCService.ListEICE:input_type -> teleport.integration.v1.ListEICERequest 3, // 9: teleport.integration.v1.AWSOIDCService.ListDatabases:input_type -> teleport.integration.v1.ListDatabasesRequest 5, // 10: teleport.integration.v1.AWSOIDCService.ListSecurityGroups:input_type -> teleport.integration.v1.ListSecurityGroupsRequest 10, // 11: teleport.integration.v1.AWSOIDCService.DeployDatabaseService:input_type -> teleport.integration.v1.DeployDatabaseServiceRequest - 13, // 12: teleport.integration.v1.AWSOIDCService.ListEC2:input_type -> teleport.integration.v1.ListEC2Request - 2, // 13: teleport.integration.v1.AWSOIDCService.ListEICE:output_type -> teleport.integration.v1.ListEICEResponse - 4, // 14: teleport.integration.v1.AWSOIDCService.ListDatabases:output_type -> teleport.integration.v1.ListDatabasesResponse - 9, // 15: teleport.integration.v1.AWSOIDCService.ListSecurityGroups:output_type -> teleport.integration.v1.ListSecurityGroupsResponse - 12, // 16: teleport.integration.v1.AWSOIDCService.DeployDatabaseService:output_type -> teleport.integration.v1.DeployDatabaseServiceResponse - 14, // 17: teleport.integration.v1.AWSOIDCService.ListEC2:output_type -> teleport.integration.v1.ListEC2Response - 13, // [13:18] is the sub-list for method output_type - 8, // [8:13] is the sub-list for method input_type + 13, // 12: teleport.integration.v1.AWSOIDCService.DeployService:input_type -> teleport.integration.v1.DeployServiceRequest + 15, // 13: teleport.integration.v1.AWSOIDCService.ListEC2:input_type -> teleport.integration.v1.ListEC2Request + 2, // 14: teleport.integration.v1.AWSOIDCService.ListEICE:output_type -> 
teleport.integration.v1.ListEICEResponse + 4, // 15: teleport.integration.v1.AWSOIDCService.ListDatabases:output_type -> teleport.integration.v1.ListDatabasesResponse + 9, // 16: teleport.integration.v1.AWSOIDCService.ListSecurityGroups:output_type -> teleport.integration.v1.ListSecurityGroupsResponse + 12, // 17: teleport.integration.v1.AWSOIDCService.DeployDatabaseService:output_type -> teleport.integration.v1.DeployDatabaseServiceResponse + 14, // 18: teleport.integration.v1.AWSOIDCService.DeployService:output_type -> teleport.integration.v1.DeployServiceResponse + 16, // 19: teleport.integration.v1.AWSOIDCService.ListEC2:output_type -> teleport.integration.v1.ListEC2Response + 14, // [14:20] is the sub-list for method output_type + 8, // [8:14] is the sub-list for method input_type 8, // [8:8] is the sub-list for extension type_name 8, // [8:8] is the sub-list for extension extendee 0, // [0:8] is the sub-list for field type_name @@ -1589,7 +1846,7 @@ func file_teleport_integration_v1_awsoidc_service_proto_init() { } } file_teleport_integration_v1_awsoidc_service_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ListEC2Request); i { + switch v := v.(*DeployServiceRequest); i { case 0: return &v.state case 1: 
@@ -1601,6 +1858,30 @@ func file_teleport_integration_v1_awsoidc_service_proto_init() { } } file_teleport_integration_v1_awsoidc_service_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DeployServiceResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_integration_v1_awsoidc_service_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListEC2Request); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_integration_v1_awsoidc_service_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ListEC2Response); i { case 0: return &v.state @@ -1619,7 +1900,7 @@ func file_teleport_integration_v1_awsoidc_service_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_teleport_integration_v1_awsoidc_service_proto_rawDesc, NumEnums: 0, - NumMessages: 15, + NumMessages: 17, NumExtensions: 0, NumServices: 1, }, diff --git a/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go b/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go index b5baeede55791..777aa0a78370c 100644 --- a/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go +++ b/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go 
@@ -37,6 +37,7 @@ const ( AWSOIDCService_ListDatabases_FullMethodName = "/teleport.integration.v1.AWSOIDCService/ListDatabases" AWSOIDCService_ListSecurityGroups_FullMethodName = "/teleport.integration.v1.AWSOIDCService/ListSecurityGroups" AWSOIDCService_DeployDatabaseService_FullMethodName = "/teleport.integration.v1.AWSOIDCService/DeployDatabaseService" + AWSOIDCService_DeployService_FullMethodName = "/teleport.integration.v1.AWSOIDCService/DeployService" AWSOIDCService_ListEC2_FullMethodName = "/teleport.integration.v1.AWSOIDCService/ListEC2" ) @@ -60,6 +61,8 @@ type AWSOIDCServiceClient interface { ListSecurityGroups(ctx context.Context, in *ListSecurityGroupsRequest, opts ...grpc.CallOption) (*ListSecurityGroupsResponse, error) // DeployDatabaseService deploys a Database Services to Amazon ECS. DeployDatabaseService(ctx context.Context, in *DeployDatabaseServiceRequest, opts ...grpc.CallOption) (*DeployDatabaseServiceResponse, error) + // DeployService deploys an ECS Service to Amazon ECS. + DeployService(ctx context.Context, in *DeployServiceRequest, opts ...grpc.CallOption) (*DeployServiceResponse, error) // ListEC2 lists the EC2 instances of the AWS account per region. // It uses the following API: // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html 
@@ -110,6 +113,15 @@ func (c *aWSOIDCServiceClient) DeployDatabaseService(ctx context.Context, in *De return out, nil } +func (c *aWSOIDCServiceClient) DeployService(ctx context.Context, in *DeployServiceRequest, opts ...grpc.CallOption) (*DeployServiceResponse, error) { + out := new(DeployServiceResponse) + err := c.cc.Invoke(ctx, AWSOIDCService_DeployService_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *aWSOIDCServiceClient) ListEC2(ctx context.Context, in *ListEC2Request, opts ...grpc.CallOption) (*ListEC2Response, error) { out := new(ListEC2Response) err := c.cc.Invoke(ctx, AWSOIDCService_ListEC2_FullMethodName, in, out, opts...) @@ -139,6 +151,8 @@ type AWSOIDCServiceServer interface { ListSecurityGroups(context.Context, *ListSecurityGroupsRequest) (*ListSecurityGroupsResponse, error) // DeployDatabaseService deploys a Database Services to Amazon ECS. DeployDatabaseService(context.Context, *DeployDatabaseServiceRequest) (*DeployDatabaseServiceResponse, error) + // DeployService deploys an ECS Service to Amazon ECS. + DeployService(context.Context, *DeployServiceRequest) (*DeployServiceResponse, error) // ListEC2 lists the EC2 instances of the AWS account per region. // It uses the following API: // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html 
@@ -162,6 +176,9 @@ func (UnimplementedAWSOIDCServiceServer) ListSecurityGroups(context.Context, *Li func (UnimplementedAWSOIDCServiceServer) DeployDatabaseService(context.Context, *DeployDatabaseServiceRequest) (*DeployDatabaseServiceResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method DeployDatabaseService not implemented") } +func (UnimplementedAWSOIDCServiceServer) DeployService(context.Context, *DeployServiceRequest) (*DeployServiceResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method DeployService not implemented") +} func (UnimplementedAWSOIDCServiceServer) ListEC2(context.Context, *ListEC2Request) (*ListEC2Response, error) { return nil, status.Errorf(codes.Unimplemented, "method ListEC2 not implemented") } @@ -250,6 +267,24 @@ func _AWSOIDCService_DeployDatabaseService_Handler(srv interface{}, ctx context. return interceptor(ctx, in, info, handler) } +func _AWSOIDCService_DeployService_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(DeployServiceRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AWSOIDCServiceServer).DeployService(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AWSOIDCService_DeployService_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AWSOIDCServiceServer).DeployService(ctx, req.(*DeployServiceRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _AWSOIDCService_ListEC2_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(ListEC2Request) if err := dec(in); err != nil { 
@@ -291,6 +326,10 @@ var AWSOIDCService_ServiceDesc = grpc.ServiceDesc{ MethodName: "DeployDatabaseService", Handler: _AWSOIDCService_DeployDatabaseService_Handler, }, + { + MethodName: "DeployService", + Handler: _AWSOIDCService_DeployService_Handler, + }, { MethodName: "ListEC2", Handler: _AWSOIDCService_ListEC2_Handler, diff --git a/api/proto/teleport/integration/v1/awsoidc_service.proto b/api/proto/teleport/integration/v1/awsoidc_service.proto index 2448c08c2348a..fecfa3abd1cf2 100644 --- a/api/proto/teleport/integration/v1/awsoidc_service.proto +++ b/api/proto/teleport/integration/v1/awsoidc_service.proto @@ -42,6 +42,9 @@ service AWSOIDCService { // DeployDatabaseService deploys a Database Services to Amazon ECS. rpc DeployDatabaseService(DeployDatabaseServiceRequest) returns (DeployDatabaseServiceResponse); + // DeployService deploys an ECS Service to Amazon ECS. + rpc DeployService(DeployServiceRequest) returns (DeployServiceResponse); + // ListEC2 lists the EC2 instances of the AWS account per region. // It uses the following API: // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html 
@@ -236,6 +239,53 @@ message DeployDatabaseServiceResponse {
   string cluster_dashboard_url = 2;
 }
 
+// DeployServiceRequest is a request to deploy .
+message DeployServiceRequest {
+  // Integration is the AWS OIDC Integration name.
+  // Required.
+  string integration = 1;
+  // Region is the AWS Region
+  // Required.
+  string region = 2;
+  // DeploymentMode is the deployment name that should be applied when creating the ECS Service.
+  // Allowed modes: database-service
+  // Required.
+  string deployment_mode = 3;
+  // SecurityGroups to apply to the service's network configuration.
+  // If empty, the default security group for the VPC is going to be used.
+  repeated string security_groups = 4;
+  // SubnetIds are the subnets for the network configuration.
+  // Required.
+  repeated string subnet_ids = 5;
+  // TaskRoleARN is the AWS IAM Role received by the deployed service.
+  // Required.
+  string task_role_arn = 6;
+  // TeleportVersion is the teleport version to be deployed.
+  // This is used to fetch the correct tag for the teleport container image.
+  // Eg, 14.3.4 (no "v" prefix)
+  // Required.
+  string teleport_version = 7;
+  // DeploymentJoinTokenName is the Teleport IAM Join Token to be used by the deployed
+  // service to join the cluster.
+  // Required.
+  string deployment_join_token_name = 8;
+  // TeleportConfigString is the teleport.yaml configuration (base64 encoded) used by teleport.
+  // Required.
+  string teleport_config_string = 9;
+}
+
+// DeployServiceResponse contains information about the deployed service.
+message DeployServiceResponse {
+  // ClusterArn identifies the cluster where the deployment was made.
+  string cluster_arn = 1;
+  // ServiceARN is the Amazon ECS Cluster Service ARN created to run the task.
+  string service_arn = 2;
+  // TaskDefinitionARN is the Amazon ECS Task Definition ARN created to run the Service.
+  string task_definition_arn = 3;
+  // ServiceDashboardURL is a link to the service's Dashboard URL in Amazon Console.
+  string service_dashboard_url = 4;
+}
+
 // ListEC2Request is a request for a paginated list of AWS EC2 instances.
 message ListEC2Request {
   // Integration is the AWS OIDC Integration name.
diff --git a/lib/auth/integration/integrationv1/awsoidc.go b/lib/auth/integration/integrationv1/awsoidc.go
index 3c617dea3bf21..dbca6522007a3 100644
--- a/lib/auth/integration/integrationv1/awsoidc.go
+++ b/lib/auth/integration/integrationv1/awsoidc.go
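Review bot: The leading comment on the new message is truncated — `// DeployServiceRequest is a request to deploy .` — and it should say what the Auth Service does with `teleport_config_string`, because that field together with `task_role_arn` and `teleport_version` determines what the deployed task runs under the integration's role. Suggested wording: `// DeployServiceRequest is a request to deploy a Teleport Service to Amazon ECS using an AWS OIDC Integration.` and on field 9 `// The server forwards this value as-is (beyond requiring it to be non-empty); callers are responsible for its contents.` The `deployment_mode` comment lists `database-service` as the only allowed mode, but nothing in this hunk enforces that; if the awsoidc package does, the comment should say so, otherwise an unknown mode needs rejecting at the RPC.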
@@ -417,6 +417,56 @@ func (s *AWSOIDCService) DeployDatabaseService(ctx context.Context, req *integra
 	}, nil
 }
 
+// DeployService deploys Services into Amazon ECS.
+func (s *AWSOIDCService) DeployService(ctx context.Context, req *integrationpb.DeployServiceRequest) (*integrationpb.DeployServiceResponse, error) {
+	authCtx, err := s.authorizer.Authorize(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	if err := authCtx.CheckAccessToKind(types.KindIntegration, types.VerbUse); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	clusterName, err := s.cache.GetClusterName()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	awsClientReq, err := s.awsClientReq(ctx, req.Integration, req.Region)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	deployServiceClient, err := awsoidc.NewDeployServiceClient(ctx, awsClientReq, s.cache)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	deployServiceResp, err := awsoidc.DeployService(ctx, deployServiceClient, awsoidc.DeployServiceRequest{
+		DeploymentJoinTokenName: req.DeploymentJoinTokenName,
+		DeploymentMode: req.DeploymentMode,
+		TeleportConfigString: req.TeleportConfigString,
+		IntegrationName: req.Integration,
+		Region: req.Region,
+		SecurityGroups: req.SecurityGroups,
+		SubnetIDs: req.SubnetIds,
+		TaskRoleARN: req.TaskRoleArn,
+		TeleportClusterName: clusterName.GetClusterName(),
+		TeleportVersionTag: req.TeleportVersion,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return &integrationpb.DeployServiceResponse{
+		ClusterArn: deployServiceResp.ClusterARN,
+		ServiceArn: deployServiceResp.ServiceARN,
+		TaskDefinitionArn: deployServiceResp.TaskDefinitionARN,
+		ServiceDashboardUrl: deployServiceResp.ServiceDashboardURL,
+	}, nil
+}
+
 // ListEC2 returns a paginated list of AWS EC2 instances.
 func (s *AWSOIDCService) ListEC2(ctx context.Context, req *integrationpb.ListEC2Request) (*integrationpb.ListEC2Response, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
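Review bot: `req.TeleportConfigString` and `req.TeleportVersion` are forwarded from the gRPC request straight into `awsoidc.DeployService` after only an `integration:use` check, so any principal holding that verb now dictates the full `teleport.yaml` and the container image tag of an ECS task running under `req.TaskRoleArn` in the customer's account; before this change the config was built server-side in lib/web from `h.PublicProxyAddr()`. If the Auth Service is meant to be the trust boundary that the PR description describes, consider generating the config here from the proxy address and matcher labels instead of accepting an opaque blob, or at minimum reject values that are not base64 before any AWS call is made: `if _, err := base64.StdEncoding.DecodeString(req.TeleportConfigString); err != nil { return nil, trace.BadParameter("teleport config string must be base64 encoded") }`. The doc comment `// DeployService deploys Services into Amazon ECS.` should also state the required `integration:use` verb and that the Teleport cluster name comes from the cache, not the request.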
diff --git a/lib/auth/integration/integrationv1/awsoidc_test.go b/lib/auth/integration/integrationv1/awsoidc_test.go
index b15a3a98a2e45..89b7c4c7313f5 100644
--- a/lib/auth/integration/integrationv1/awsoidc_test.go
+++ b/lib/auth/integration/integrationv1/awsoidc_test.go
@@ -179,3 +179,64 @@ func TestListEICE(t *testing.T) {
 		require.True(t, trace.IsBadParameter(err), "expected BadParameter error, but got %T", err)
 	})
 }
+
+func TestDeployService(t *testing.T) {
+	t.Parallel()
+
+	clusterName := "test-cluster"
+	proxyPublicAddr := "127.0.0.1.nip.io"
+	integrationName := "my-awsoidc-integration"
+	ig, err := types.NewIntegrationAWSOIDC(
+		types.Metadata{Name: integrationName},
+		&types.AWSOIDCIntegrationSpecV1{
+			RoleARN: "arn:aws:iam::123456789012:role/OpsTeam",
+		},
+	)
+	require.NoError(t, err)
+
+	ca := newCertAuthority(t, types.HostCA, clusterName)
+	ctx, localClient, resourceSvc := initSvc(t, ca, clusterName, proxyPublicAddr)
+
+	_, err = localClient.CreateIntegration(ctx, ig)
+	require.NoError(t, err)
+
+	awsoidService, err := NewAWSOIDCService(&AWSOIDCServiceConfig{
+		IntegrationService: resourceSvc,
+		Authorizer: resourceSvc.authorizer,
+		Cache: &mockCache{},
+	})
+	require.NoError(t, err)
+
+	t.Run("fails when user doesn't have access to integration.use", func(t *testing.T) {
+		role := types.RoleSpecV6{
+			Allow: types.RoleConditions{Rules: []types.Rule{{
+				Resources: []string{types.KindIntegration},
+				Verbs: []string{types.VerbRead},
+			}}},
+		}
+
+		userCtx := authorizerForDummyUser(t, ctx, role, localClient)
+
+		_, err = awsoidService.DeployService(userCtx, &integrationv1.DeployServiceRequest{
+			Integration: integrationName,
+			Region: "my-region",
+		})
+		require.True(t, trace.IsAccessDenied(err), "expected AccessDenied error, but got %T", err)
+	})
+	t.Run("calls awsoidc package when user has access to integration.use/read", func(t *testing.T) {
+		role := types.RoleSpecV6{
+			Allow: types.RoleConditions{Rules: []types.Rule{{
+				Resources: []string{types.KindIntegration},
+				Verbs: []string{types.VerbRead, types.VerbUse},
+			}}},
+		}
+
+		userCtx := authorizerForDummyUser(t, ctx, role, localClient)
+
+		_, err = awsoidService.DeployService(userCtx, &integrationv1.DeployServiceRequest{
+			Integration: integrationName,
+			Region: "my-region",
+		})
+		require.True(t, trace.IsBadParameter(err), "expected BadParameter error, but got %T", err)
+	})
+}
diff --git a/lib/integrations/awsoidc/deployservice.go b/lib/integrations/awsoidc/deployservice.go
index ec26a2edfaac9..c7805674e01b4 100644
--- a/lib/integrations/awsoidc/deployservice.go
+++ b/lib/integrations/awsoidc/deployservice.go
@@ -135,9 +135,6 @@ type DeployServiceRequest struct {
 	// DeploymentJoinTokenName is the Teleport IAM Token to use in the deployed Service.
 	DeploymentJoinTokenName string
 
-	// ProxyServerHostPort is the Teleport Proxy's Public.
-	ProxyServerHostPort string
-
 	// IntegrationName is the integration name.
 	// Used for resource tagging when creating resources in AWS.
 	IntegrationName string
@@ -148,10 +145,6 @@ type DeployServiceRequest struct {
 	// DeploymentMode is the identifier of a deployment mode - which Teleport Services to enable and their configuration.
 	DeploymentMode string
 
-	// DatabaseResourceMatcherLabels contains the set of labels to be used by the DatabaseService.
-	// This is used when the deployment mode creates a Database Service.
-	DatabaseResourceMatcherLabels types.Labels
-
 	// TeleportVersionTag is the version of teleport to install.
 	// Ensure the tag exists in:
 	// public.ecr.aws/gravitational/teleport-distroless:
@@ -159,9 +152,9 @@ type DeployServiceRequest struct {
 	// Optional. Defaults to the current version.
 	TeleportVersionTag string
 
-	// DeployServiceConfigString creates a teleport.yaml configuration that the agent
-	// deployed in a ECS Cluster (using Fargate) will use.
-	DeployServiceConfigString func(proxyHostPort, iamToken string, resourceMatcherLabels types.Labels) (string, error)
+	// TeleportConfigString is the `teleport.yaml` configuration for the service to be deployed.
+	// It should be base64 encoded as is expected by the `--config-string` param of `teleport start`.
+	TeleportConfigString string
 }
 
 // normalizeECSResourceName converts a name into a valid ECS Resource Name.
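Review bot: The second subtest is named "calls awsoidc package when user has access to integration.use/read" but only asserts `trace.IsBadParameter(err)` on a request carrying just `Integration` and `Region`; a BadParameter from any layer (`awsClientReq`, the `mockCache`, or the missing `SubnetIds`/`TaskRoleArn`) satisfies it, so the test does not show that the authorised path reached the awsoidc package. Supplying the remaining required fields and asserting on the error text, e.g. `require.ErrorContains(t, err, "teleport config string is required")` if the request gets as far as CheckAndSetDefaults, would pin which check fired. Both subtests also write into the outer `err` from `ig, err := …`; a local `_, err := awsoidService.DeployService(...)` inside each `t.Run` avoids shared state if these are ever made parallel.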
@@ -251,10 +244,6 @@ func (r *DeployServiceRequest) CheckAndSetDefaults() error {
 		r.TaskName = &taskName
 	}
 
-	if r.ProxyServerHostPort == "" {
-		return trace.BadParameter("proxy address is required")
-	}
-
 	if r.IntegrationName == "" {
 		return trace.BadParameter("integration name is required")
 	}
@@ -263,12 +252,8 @@ func (r *DeployServiceRequest) CheckAndSetDefaults() error {
 		r.ResourceCreationTags = defaultResourceCreationTags(r.TeleportClusterName, r.IntegrationName)
 	}
 
-	if len(r.DatabaseResourceMatcherLabels) == 0 {
-		return trace.BadParameter("at least one agent matcher label is required")
-	}
-
-	if r.DeployServiceConfigString == nil {
-		return trace.BadParameter("deploy service config is required")
+	if r.TeleportConfigString == "" {
+		return trace.BadParameter("teleport config string is required")
 	}
 
 	return nil
@@ -436,11 +421,6 @@ func DeployService(ctx context.Context, clt DeployServiceClient, req DeployServi
 		return nil, trace.Wrap(err)
 	}
 
-	teleportConfigString, err := req.DeployServiceConfigString(req.ProxyServerHostPort, req.DeploymentJoinTokenName, req.DatabaseResourceMatcherLabels)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
 	upsertTaskReq := upsertTaskRequest{
 		TaskName: aws.ToString(req.TaskName),
 		TaskRoleARN: req.TaskRoleARN,
@@ -449,7 +429,7 @@ func DeployService(ctx context.Context, clt DeployServiceClient, req DeployServi
 		TeleportVersionTag: req.TeleportVersionTag,
 		ResourceCreationTags: req.ResourceCreationTags,
 		Region: req.Region,
-		TeleportConfigB64: teleportConfigString,
+		TeleportConfigB64: req.TeleportConfigString,
 	}
 	taskDefinition, err := upsertTask(ctx, clt, upsertTaskReq)
 	if err != nil {
diff --git a/lib/integrations/awsoidc/deployservice_test.go b/lib/integrations/awsoidc/deployservice_test.go
index d078b3c2ea1c3..a2f4f3f5cef0b 100644
--- a/lib/integrations/awsoidc/deployservice_test.go
+++ b/lib/integrations/awsoidc/deployservice_test.go
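Review bot: The replacement check in CheckAndSetDefaults only rejects an empty `TeleportConfigString`, although the field's own doc says it must be base64 as consumed by `teleport start --config-string`; a non-base64 value passes validation, is written into the task definition as `TeleportConfigB64` by `upsertTask` (last hunk on this line) and only fails once the container starts, leaving an ECS task definition and service behind in the account. Decoding it up front fails fast before any AWS call: `if _, err := base64.StdEncoding.DecodeString(r.TeleportConfigString); err != nil { return trace.BadParameter("teleport config string must be base64 encoded") }`. The accompanying test fixtures use the literal `"config using b64"`, which is not valid base64 (it contains spaces) and would need updating with this. CheckAndSetDefaults and DeployService both begin before their hunks.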
@@ -23,18 +23,12 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport"
-	"github.com/gravitational/teleport/api/types"
 )
 
-func dummyGenerateTeleportConfigString(proxyHostPort, iamTokenName string, resourceMatcherLabels types.Labels) (string, error) {
-	return "", nil
-}
-
 func TestDeployServiceRequest(t *testing.T) {
 	isBadParamErrFn := func(tt require.TestingT, err error, i ...any) {
 		require.True(tt, trace.IsBadParameter(err), "expected bad parameter, got %v", err)
@@ -42,16 +36,14 @@ func TestDeployServiceRequest(t *testing.T) {
 
 	baseReqFn := func() DeployServiceRequest {
 		return DeployServiceRequest{
-			TeleportClusterName: "mycluster",
-			Region: "r",
-			SubnetIDs: []string{"1"},
-			TaskRoleARN: "arn",
-			ProxyServerHostPort: "proxy.example.com:3080",
-			IntegrationName: "teleportdev",
-			DeploymentMode: DatabaseServiceDeploymentMode,
-			DatabaseResourceMatcherLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
-			DeployServiceConfigString: dummyGenerateTeleportConfigString,
-			DeploymentJoinTokenName: "discover-aws-oidc-iam-token",
+			TeleportClusterName: "mycluster",
+			Region: "r",
+			SubnetIDs: []string{"1"},
+			TaskRoleARN: "arn",
+			IntegrationName: "teleportdev",
+			DeploymentMode: DatabaseServiceDeploymentMode,
+			TeleportConfigString: "config using b64",
+			DeploymentJoinTokenName: "discover-aws-oidc-iam-token",
 		}
 	}
 
@@ -132,10 +124,10 @@ func TestDeployServiceRequest(t *testing.T) {
 			errCheck: isBadParamErrFn,
 		},
 		{
-			name: "no label matchers",
+			name: "no teleport service config string",
 			req: func() DeployServiceRequest {
 				r := baseReqFn()
-				r.DatabaseResourceMatcherLabels = types.Labels{}
+				r.TeleportConfigString = ""
 				return r
 			},
 			errCheck: isBadParamErrFn,
@@ -155,15 +147,13 @@ func TestDeployServiceRequest(t *testing.T) {
 				TaskName: stringPointer("mycluster-teleport-database-service"),
 				DeploymentJoinTokenName: "discover-aws-oidc-iam-token",
 				IntegrationName: "teleportdev",
-				ProxyServerHostPort: "proxy.example.com:3080",
 				ResourceCreationTags: AWSTags{
 					"teleport.dev/origin": "integration_awsoidc",
 					"teleport.dev/cluster": "mycluster",
 					"teleport.dev/integration": "teleportdev",
 				},
-				DeploymentMode: DatabaseServiceDeploymentMode,
-				DatabaseResourceMatcherLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
-				DeployServiceConfigString: dummyGenerateTeleportConfigString,
+				DeploymentMode: DatabaseServiceDeploymentMode,
+				TeleportConfigString: "config using b64",
 			},
 		},
 	} {
@@ -176,7 +166,7 @@ func TestDeployServiceRequest(t *testing.T) {
 				return
 			}
 
-			require.Empty(t, cmp.Diff(tt.reqWithDefaults, r, cmpopts.IgnoreFields(DeployServiceRequest{}, "DeployServiceConfigString")))
+			require.Empty(t, cmp.Diff(tt.reqWithDefaults, r))
 		})
 	}
 }
diff --git a/lib/integrations/awsoidc/deployservice_vcr_test.go b/lib/integrations/awsoidc/deployservice_vcr_test.go
index 0a11302042c5b..24c60c4ccdfa1 100644
--- a/lib/integrations/awsoidc/deployservice_vcr_test.go
+++ b/lib/integrations/awsoidc/deployservice_vcr_test.go
@@ -89,16 +89,12 @@ func TestDeployDBService(t *testing.T) {
 				"subnet-0ef025345dd791986",
 				"subnet-099632749366c2c56",
 			},
-			TaskRoleARN: taskRole,
-			TeleportClusterName: clusterName,
-			IntegrationName: integrationName,
-			DeploymentMode: DatabaseServiceDeploymentMode,
-			ProxyServerHostPort: "marcodinis.teleportdemo.net:443",
-			DatabaseResourceMatcherLabels: types.Labels{
-				types.Wildcard: []string{types.Wildcard},
-			},
-			DeploymentJoinTokenName: "my-iam-join-token",
-			DeployServiceConfigString: dummyGenerateTeleportConfigString,
+			TaskRoleARN: taskRole,
+			TeleportClusterName: clusterName,
+			IntegrationName: integrationName,
+			DeploymentMode: DatabaseServiceDeploymentMode,
+			DeploymentJoinTokenName: "my-iam-join-token",
+			TeleportConfigString: "config using b64",
 		}
 	}
 
diff --git a/lib/web/integrations_awsoidc.go b/lib/web/integrations_awsoidc.go
index 080e3d2165697..43752013abaeb 100644
--- a/lib/web/integrations_awsoidc.go
+++ b/lib/web/integrations_awsoidc.go
@@ -131,9 +131,9 @@ func (h *Handler) awsOIDCDeployService(w http.ResponseWriter, r *http.Request, p
 		return nil, trace.Wrap(err)
 	}
 
-	awsClientReq, err := h.awsOIDCClientRequest(ctx, req.Region, p, sctx, site)
-	if err != nil {
-		return nil, trace.Wrap(err)
+	integrationName := p.ByName("name")
+	if integrationName == "" {
+		return nil, trace.BadParameter("an integration name is required")
 	}
 
 	clt, err := sctx.GetUserClient(ctx, site)
@@ -141,16 +141,21 @@ func (h *Handler) awsOIDCDeployService(w http.ResponseWriter, r *http.Request, p
 		return nil, trace.Wrap(err)
 	}
 
-	deployDBServiceClient, err := awsoidc.NewDeployServiceClient(ctx, awsClientReq, clt)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
 	databaseAgentMatcherLabels := make(types.Labels, len(req.DatabaseAgentMatcherLabels))
 	for _, label := range req.DatabaseAgentMatcherLabels {
 		databaseAgentMatcherLabels[label.Name] = utils.Strings{label.Value}
 	}
 
+	iamTokenName := deployserviceconfig.DefaultTeleportIAMTokenName
+	teleportConfigString, err := deployserviceconfig.GenerateTeleportConfigString(
+		h.PublicProxyAddr(),
+		iamTokenName,
+		databaseAgentMatcherLabels,
+	)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	teleportVersionTag := teleport.Version
 	if automaticUpgrades(h.ClusterFeatures) {
 		cloudStableVersion, err := h.cfg.AutomaticUpgradesChannels.DefaultVersion(ctx)
@@ -162,33 +167,26 @@ func (h *Handler) awsOIDCDeployService(w http.ResponseWriter, r *http.Request, p
 		teleportVersionTag = strings.TrimPrefix(cloudStableVersion, "v")
 	}
 
-	deployServiceResp, err := awsoidc.DeployService(ctx, deployDBServiceClient, awsoidc.DeployServiceRequest{
-		Region: req.Region,
-		AccountID: req.AccountID,
-		SubnetIDs: req.SubnetIDs,
-		SecurityGroups: req.SecurityGroups,
-		ClusterName: req.ClusterName,
-		ServiceName: req.ServiceName,
-		TaskName: req.TaskName,
-		TaskRoleARN: req.TaskRoleARN,
-		ProxyServerHostPort: h.PublicProxyAddr(),
-		TeleportClusterName: h.auth.clusterName,
-		TeleportVersionTag: teleportVersionTag,
-		DeploymentMode: req.DeploymentMode,
-		IntegrationName: awsClientReq.IntegrationName,
-		DatabaseResourceMatcherLabels: databaseAgentMatcherLabels,
-		DeployServiceConfigString: deployserviceconfig.GenerateTeleportConfigString,
-		DeploymentJoinTokenName: deployserviceconfig.DefaultTeleportIAMTokenName,
+	deployServiceResp, err := clt.IntegrationAWSOIDCClient().DeployService(ctx, &integrationv1.DeployServiceRequest{
+		DeploymentJoinTokenName: iamTokenName,
+		DeploymentMode: req.DeploymentMode,
+		TeleportConfigString: teleportConfigString,
+		Integration: integrationName,
+		Region: req.Region,
+		SecurityGroups: req.SecurityGroups,
+		SubnetIds: req.SubnetIDs,
+		TaskRoleArn: req.TaskRoleARN,
+		TeleportVersion: teleportVersionTag,
+	})
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
 	return ui.AWSOIDCDeployServiceResponse{
-		ClusterARN: deployServiceResp.ClusterARN,
-		ServiceARN: deployServiceResp.ServiceARN,
-		TaskDefinitionARN: deployServiceResp.TaskDefinitionARN,
-		ServiceDashboardURL: deployServiceResp.ServiceDashboardURL,
+		ClusterARN: deployServiceResp.ClusterArn,
+		ServiceARN: deployServiceResp.ServiceArn,
+		TaskDefinitionARN: deployServiceResp.TaskDefinitionArn,
+		ServiceDashboardURL: deployServiceResp.ServiceDashboardUrl,
 	}, nil
 }
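Review bot: `req.AccountID` is no longer used anywhere in this handler — the removed call forwarded it as `AccountID: req.AccountID` and the new `integrationv1.DeployServiceRequest` has no such field — yet the hunk for ui.AWSOIDCDeployServiceRequest on this page drops only ClusterName, ServiceName and TaskName, so `accountID` appears to remain an accepted-but-silently-ignored JSON field (unless it is removed elsewhere in the PR). Either delete it from the request struct as well or mark it in that struct's doc, e.g. `// AccountID is ignored; the account is derived from the integration's role.`, so callers do not assume it is honoured. The same applies to `awsClientReq.IntegrationName` being replaced by the path parameter: that is fine, but it is now the Auth Service that checks the integration exists and is an AWS OIDC one, which a one-line comment above the `DeployService` call would make clear. `awsOIDCDeployService` begins before this hunk.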
diff --git a/lib/web/ui/integration.go b/lib/web/ui/integration.go
index 4c7264c2051e0..d8b8cf6e9ddf5 100644
--- a/lib/web/ui/integration.go
+++ b/lib/web/ui/integration.go
@@ -147,21 +147,6 @@ type AWSOIDCDeployServiceRequest struct {
 	// If empty, the default security group for the VPC is going to be used.
 	SecurityGroups []string `json:"securityGroups"`
 
-	// ClusterName is the ECS Cluster to be used.
-	// Optional.
-	// Defaults to -teleport, eg. acme-teleport
-	ClusterName *string `json:"clusterName"`
-
-	// ServiceName is the ECS Service that should be used.
-	// Optional.
-	// Defaults to -teleport-service, eg acme-teleport-service
-	ServiceName *string `json:"serviceName"`
-
-	// TaskName is the ECS Task Definition family name.
-	// Optional.
-	// Defaults to -teleport-, eg acme-teleport-database-service
-	TaskName *string `json:"taskName"`
-
 	// TaskRoleARN is the AWS Role's ARN used within the Task execution.
 	// Ensure the AWS Client's Role has `iam:PassRole` for this Role's ARN.
 	// This can be either the ARN or the short name of the AWS Role.