Add Ownership tags when creating AWS Resources for External Audit Sto…

…rage (#44454)

* Add Ownership tags when creating AWS Resources

This PR adds the ownership tags to all aws resources created.
This will help users track everything that was created by the
integration/cluster.

* set tags on creation

* add comment to why we are using PutBucketTagging

* ensure bucket props even if bucket already exists

lib/integrations/awsoidc/create_ec2ice.go

@@ -26,6 +26,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 // CreateEC2ICERequest contains the required fields to create an AWS EC2 Instance Connect Endpoint.
@@ -46,7 +48,7 @@ type CreateEC2ICERequest struct {
 	// - teleport.dev/cluster: <cluster>
 	// - teleport.dev/origin: aws-oidc-integration
 	// - teleport.dev/integration: <integrationName>
-	ResourceCreationTags AWSTags
+	ResourceCreationTags tags.AWSTags
 }
 
 // EC2ICEEndpoint contains the information for a single Endpoint to be created.
@@ -83,7 +85,7 @@ func (req *CreateEC2ICERequest) CheckAndSetDefaults() error {
 	}
 
 	if len(req.ResourceCreationTags) == 0 {
-		req.ResourceCreationTags = defaultResourceCreationTags(req.Cluster, req.IntegrationName)
+		req.ResourceCreationTags = tags.DefaultResourceCreationTags(req.Cluster, req.IntegrationName)
 	}
 
 	return nil

lib/integrations/awsoidc/create_ec2ice_test.go

@@ -29,6 +29,8 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 type mockCreateEC2ICEClient struct {
@@ -185,7 +187,7 @@ func TestCreateEC2ICERequest(t *testing.T) {
 					SubnetID:         "subnet-123",
 					SecurityGroupIDs: []string{"sg-1", "sg-2"},
 				}},
-				ResourceCreationTags: AWSTags{
+				ResourceCreationTags: tags.AWSTags{
 					"teleport.dev/origin":      "integration_awsoidc",
 					"teleport.dev/cluster":     "teleport-cluster",
 					"teleport.dev/integration": "teleportdev",

lib/integrations/awsoidc/deploydatabaseservice.go

@@ -27,6 +27,7 @@ import (
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 // DeployDatabaseServiceRequest contains the required fields to deploy multiple Teleport Databases Services.
@@ -58,7 +59,7 @@ type DeployDatabaseServiceRequest struct {
 	TeleportVersionTag string
 
 	// ResourceCreationTags is used to add tags when creating resources in AWS.
-	ResourceCreationTags AWSTags
+	ResourceCreationTags tags.AWSTags
 
 	// DeploymentJoinTokenName is the Teleport IAM Join Token name that the deployed service must use to join the cluster.
 	DeploymentJoinTokenName string
@@ -115,7 +116,7 @@ func (r *DeployDatabaseServiceRequest) CheckAndSetDefaults() error {
 	}
 
 	if r.ResourceCreationTags == nil {
-		r.ResourceCreationTags = defaultResourceCreationTags(r.TeleportClusterName, r.IntegrationName)
+		r.ResourceCreationTags = tags.DefaultResourceCreationTags(r.TeleportClusterName, r.IntegrationName)
 	}
 
 	r.ecsClusterName = normalizeECSClusterName(r.TeleportClusterName)

lib/integrations/awsoidc/deploydatabaseservice_test.go

@@ -39,6 +39,7 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 func TestDeployDatabaseServiceRequest_CheckAndSetDefaults(t *testing.T) {
@@ -157,7 +158,7 @@ func TestDeployDatabaseServiceRequest_CheckAndSetDefaults(t *testing.T) {
 				Region:              "r",
 				TaskRoleARN:         "arn",
 				IntegrationName:     "teleportdev",
-				ResourceCreationTags: AWSTags{
+				ResourceCreationTags: tags.AWSTags{
 					"teleport.dev/origin":      "integration_awsoidc",
 					"teleport.dev/cluster":     "mycluster",
 					"teleport.dev/integration": "teleportdev",
@@ -202,7 +203,7 @@ type mockDeployServiceClient struct {
 	iamTokenMissing bool
 
 	iamAccessDeniedListServices bool
-	defaultTags                 AWSTags
+	defaultTags                 tags.AWSTags
 }
 
 // DescribeClusters lists ECS Clusters.

lib/integrations/awsoidc/deployservice.go

@@ -35,6 +35,7 @@ import (
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/utils/retryutils"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 	"github.com/gravitational/teleport/lib/modules"
 )
 
@@ -141,7 +142,7 @@ type DeployServiceRequest struct {
 	IntegrationName string
 
 	// ResourceCreationTags is used to add tags when creating resources in AWS.
-	ResourceCreationTags AWSTags
+	ResourceCreationTags tags.AWSTags
 
 	// DeploymentMode is the identifier of a deployment mode - which Teleport Services to enable and their configuration.
 	DeploymentMode string
@@ -250,7 +251,7 @@ func (r *DeployServiceRequest) CheckAndSetDefaults() error {
 	}
 
 	if r.ResourceCreationTags == nil {
-		r.ResourceCreationTags = defaultResourceCreationTags(r.TeleportClusterName, r.IntegrationName)
+		r.ResourceCreationTags = tags.DefaultResourceCreationTags(r.TeleportClusterName, r.IntegrationName)
 	}
 
 	if r.TeleportConfigString == "" {
@@ -471,7 +472,7 @@ type upsertTaskRequest struct {
 	ClusterName          string
 	ServiceName          string
 	TeleportVersionTag   string
-	ResourceCreationTags AWSTags
+	ResourceCreationTags tags.AWSTags
 	Region               string
 	TeleportConfigB64    string
 }
@@ -542,7 +543,7 @@ func upsertTask(ctx context.Context, clt DeployServiceClient, req upsertTaskRequ
 // It will re-create if its status is INACTIVE.
 // If the cluster status is not ACTIVE, an error is returned.
 // The cluster is returned.
-func upsertCluster(ctx context.Context, clt DeployServiceClient, clusterName string, resourceCreationTags AWSTags) (*ecsTypes.Cluster, error) {
+func upsertCluster(ctx context.Context, clt DeployServiceClient, clusterName string, resourceCreationTags tags.AWSTags) (*ecsTypes.Cluster, error) {
 	describeClustersResponse, err := clt.DescribeClusters(ctx, &ecs.DescribeClustersInput{
 		Clusters: []string{clusterName},
 		Include: []ecsTypes.ClusterField{
@@ -687,7 +688,7 @@ func deployServiceNetworkConfiguration(subnetIDs, securityGroups []string) *ecsT
 type upsertServiceRequest struct {
 	ServiceName          string
 	ClusterName          string
-	ResourceCreationTags AWSTags
+	ResourceCreationTags tags.AWSTags
 	SubnetIDs            []string
 	SecurityGroups       []string
 }

lib/integrations/awsoidc/deployservice_iam_config.go

@@ -30,6 +30,7 @@ import (
 
 	awsapiutils "github.com/gravitational/teleport/api/utils/aws"
 	awslib "github.com/gravitational/teleport/lib/cloud/aws"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 	awslibutils "github.com/gravitational/teleport/lib/utils/aws"
 )
 
@@ -68,7 +69,7 @@ type DeployServiceIAMConfigureRequest struct {
 	// - teleport.dev/cluster: <cluster>
 	// - teleport.dev/origin: aws-oidc-integration
 	// - teleport.dev/integration: <integrationName>
-	ResourceCreationTags AWSTags
+	ResourceCreationTags tags.AWSTags
 
 	// partitionID is the AWS Partition ID.
 	// Eg, aws, aws-cn, aws-us-gov
@@ -103,7 +104,7 @@ func (r *DeployServiceIAMConfigureRequest) CheckAndSetDefaults() error {
 	}
 
 	if len(r.ResourceCreationTags) == 0 {
-		r.ResourceCreationTags = defaultResourceCreationTags(r.Cluster, r.IntegrationName)
+		r.ResourceCreationTags = tags.DefaultResourceCreationTags(r.Cluster, r.IntegrationName)
 	}
 
 	r.partitionID = awsapiutils.GetPartitionFromRegion(r.Region)

lib/integrations/awsoidc/deployservice_iam_config_test.go

@@ -29,6 +29,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 var badParameterCheck = func(t require.TestingT, err error, msgAndArgs ...interface{}) {
@@ -72,7 +74,7 @@ func TestDeployServiceIAMConfigReqDefaults(t *testing.T) {
 				TaskRole:                           "taskrole",
 				partitionID:                        "aws",
 				IntegrationRoleDeployServicePolicy: "DeployService",
-				ResourceCreationTags: AWSTags{
+				ResourceCreationTags: tags.AWSTags{
 					"teleport.dev/cluster":     "mycluster",
 					"teleport.dev/integration": "myintegration",
 					"teleport.dev/origin":      "integration_awsoidc",

lib/integrations/awsoidc/deployservice_test.go

@@ -32,6 +32,7 @@ import (
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/automaticupgrades"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 func TestDeployServiceRequest(t *testing.T) {
@@ -152,7 +153,7 @@ func TestDeployServiceRequest(t *testing.T) {
 				TaskName:                stringPointer("mycluster-teleport-database-service"),
 				DeploymentJoinTokenName: "discover-aws-oidc-iam-token",
 				IntegrationName:         "teleportdev",
-				ResourceCreationTags: AWSTags{
+				ResourceCreationTags: tags.AWSTags{
 					"teleport.dev/origin":      "integration_awsoidc",
 					"teleport.dev/cluster":     "mycluster",
 					"teleport.dev/integration": "teleportdev",

lib/integrations/awsoidc/deployservice_update.go

@@ -32,6 +32,7 @@ import (
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/lib/automaticupgrades"
 	awslib "github.com/gravitational/teleport/lib/cloud/aws"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 // waitDuration specifies the amount of time to wait for a service to become healthy after an update.
@@ -44,7 +45,7 @@ type UpdateServiceRequest struct {
 	// TeleportVersionTag specifies the desired teleport version in the format "13.4.0"
 	TeleportVersionTag string
 	// OwnershipTags specifies ownership tags
-	OwnershipTags AWSTags
+	OwnershipTags tags.AWSTags
 }
 
 // CheckAndSetDefaults checks and sets default config values.
@@ -90,7 +91,7 @@ func UpdateDeployService(ctx context.Context, clt DeployServiceClient, log *slog
 	return nil
 }
 
-func updateServiceContainerImage(ctx context.Context, clt DeployServiceClient, log *slog.Logger, service *ecsTypes.Service, teleportImage string, ownershipTags AWSTags) error {
+func updateServiceContainerImage(ctx context.Context, clt DeployServiceClient, log *slog.Logger, service *ecsTypes.Service, teleportImage string, ownershipTags tags.AWSTags) error {
 	taskDefinition, err := getManagedTaskDefinition(ctx, clt, aws.ToString(service.TaskDefinition), ownershipTags)
 	if err != nil {
 		return trace.Wrap(err)
@@ -166,7 +167,7 @@ func getAllServiceNamesForCluster(ctx context.Context, clt DeployServiceClient,
 	return ret, nil
 }
 
-func getManagedServices(ctx context.Context, clt DeployServiceClient, log *slog.Logger, teleportClusterName string, ownershipTags AWSTags) ([]ecsTypes.Service, error) {
+func getManagedServices(ctx context.Context, clt DeployServiceClient, log *slog.Logger, teleportClusterName string, ownershipTags tags.AWSTags) ([]ecsTypes.Service, error) {
 	// The Cluster name is created using the Teleport Cluster Name.
 	// Check the DeployDatabaseServiceRequest.CheckAndSetDefaults
 	// and DeployServiceRequest.CheckAndSetDefaults.
@@ -224,7 +225,7 @@ func getManagedServices(ctx context.Context, clt DeployServiceClient, log *slog.
 	return ecsServices, nil
 }
 
-func getManagedTaskDefinition(ctx context.Context, clt DeployServiceClient, taskDefinitionName string, ownershipTags AWSTags) (*ecsTypes.TaskDefinition, error) {
+func getManagedTaskDefinition(ctx context.Context, clt DeployServiceClient, taskDefinitionName string, ownershipTags tags.AWSTags) (*ecsTypes.TaskDefinition, error) {
 	describeTaskDefinitionOut, err := clt.DescribeTaskDefinition(ctx, &ecs.DescribeTaskDefinitionInput{
 		TaskDefinition: aws.String(taskDefinitionName),
 		Include:        []ecsTypes.TaskDefinitionField{ecsTypes.TaskDefinitionFieldTags},

lib/integrations/awsoidc/deployservice_update_test.go

@@ -30,6 +30,7 @@ import (
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/automaticupgrades"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -160,7 +161,7 @@ func TestUpdateDeployServices(t *testing.T) {
 
 	clusterName := "my-cluster"
 	integrationName := "my-integration"
-	ownershipTags := defaultResourceCreationTags(clusterName, integrationName)
+	ownershipTags := tags.DefaultResourceCreationTags(clusterName, integrationName)
 	teleportVersion := teleport.Version
 	log := utils.NewSlogLoggerForTests().With("test", t.Name())
 

lib/integrations/awsoidc/idp_iam_config.go

@@ -41,6 +41,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	awslib "github.com/gravitational/teleport/lib/cloud/aws"
 	"github.com/gravitational/teleport/lib/defaults"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 	awsutil "github.com/gravitational/teleport/lib/utils/aws"
 	"github.com/gravitational/teleport/lib/utils/oidc"
 )
@@ -98,7 +99,7 @@ type IdPIAMConfigureRequest struct {
 	// IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP.
 	IntegrationRole string
 
-	ownershipTags AWSTags
+	ownershipTags tags.AWSTags
 }
 
 // CheckAndSetDefaults ensures the required fields are present.
@@ -151,7 +152,7 @@ func (r *IdPIAMConfigureRequest) CheckAndSetDefaults() error {
 		}
 	}
 
-	r.ownershipTags = defaultResourceCreationTags(r.Cluster, r.IntegrationName)
+	r.ownershipTags = tags.DefaultResourceCreationTags(r.Cluster, r.IntegrationName)
 
 	return nil
 }

lib/integrations/awsoidc/idp_iam_config_test.go

@@ -38,6 +38,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/lib"
+	"github.com/gravitational/teleport/lib/integrations/awsoidc/tags"
 )
 
 func TestIdPIAMConfigReqDefaults(t *testing.T) {
@@ -79,7 +80,7 @@ func TestIdPIAMConfigReqDefaults(t *testing.T) {
 				ProxyPublicAddress: "https://proxy.example.com",
 				issuer:             "proxy.example.com",
 				issuerURL:          "https://proxy.example.com",
-				ownershipTags: AWSTags{
+				ownershipTags: tags.AWSTags{
 					"teleport.dev/cluster":     "mycluster",
 					"teleport.dev/integration": "myintegration",
 					"teleport.dev/origin":      "integration_awsoidc",
@@ -110,7 +111,7 @@ func TestIdPIAMConfigReqDefaults(t *testing.T) {
 				S3JWKSContentsB64: base64EncodedString,
 				issuer:            "bucket-1.s3.amazonaws.com/prefix-2",
 				issuerURL:         "https://bucket-1.s3.amazonaws.com/prefix-2",
-				ownershipTags: AWSTags{
+				ownershipTags: tags.AWSTags{
 					"teleport.dev/cluster":     "mycluster",
 					"teleport.dev/integration": "myintegration",
 					"teleport.dev/origin":      "integration_awsoidc",