Web: Improve RDS enrollment flow #44671
Conversation
|
@kimlisa - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes. |
This comment was marked as resolved.
This comment was marked as resolved.
web/packages/teleport/src/services/integrations/fetchAllAwsRdsEnginesDatabase.test.ts
Show resolved
Hide resolved
web/packages/teleport/src/services/integrations/integrations.ts
Outdated
Show resolved
Hide resolved
web/packages/teleport/src/Discover/Database/DeployService/AutoDeploy/SelectSecurityGroups.tsx
Outdated
Show resolved
Hide resolved
web/packages/teleport/src/Discover/Database/DeployService/AutoDeploy/SelectSubnetIds.tsx
Outdated
Show resolved
Hide resolved
...ackages/teleport/src/Discover/Shared/ConfigureDiscoveryService/ConfigureDiscoveryService.tsx
Outdated
Show resolved
Hide resolved
...ackages/teleport/src/Discover/Shared/ConfigureDiscoveryService/ConfigureDiscoveryService.tsx
Outdated
Show resolved
Hide resolved
...ackages/teleport/src/Discover/Shared/ConfigureDiscoveryService/ConfigureDiscoveryService.tsx
Outdated
Show resolved
Hide resolved
...ages/teleport/src/Discover/Shared/ConfigureDiscoveryService/CreatedDiscoveryConfigDialog.tsx
Outdated
Show resolved
Hide resolved
kimlisa
force-pushed
the
lisa/improve-rds-flow
branch
from
fd78099 to
852298b
Compare
web/packages/teleport/src/services/integrations/fetchAllAwsRdsEnginesDatabase.test.ts
Show resolved
Hide resolved
| <Flex> | ||
| <ButtonPrimary mr={3} width="50%" onClick={retry}> | ||
| <Flex gap={3} width="100%"> | ||
| <ButtonPrimary style={{ flex: 1 }} onClick={retry}> |
There was a problem hiding this comment.
Ah damn, I didn't realize <Button> doesn't support flex as an arg. Long term it'd definitely be a good idea to add this.
web/packages/teleport/src/Discover/Database/EnrollRdsDatabase/VpcSelector.tsx
Outdated
Show resolved
Hide resolved
web/packages/teleport/src/Discover/Database/EnrollRdsDatabase/VpcSelector.tsx
Outdated
Show resolved
Hide resolved
web/packages/teleport/src/Discover/Database/EnrollRdsDatabase/AutoEnrollment.tsx
Outdated
Show resolved
Hide resolved
| if (selectedSubnetIds.length === 0) { | ||
| setHasNoSubnets(true); | ||
| return; | ||
| } else { | ||
| setHasNoSubnets(false); | ||
| } |
There was a problem hiding this comment.
It feels like long term it'd be good to have a way to include this validation within validator.validate(). Otherwise we're going to end up with dozens of places doing such validations by hand while they could be using a dedicated mechanism for this instead.
web/packages/teleport/src/Discover/Database/CreateDatabase/useCreateDatabase.ts
Outdated
Show resolved
Hide resolved
...ackages/teleport/src/Discover/Shared/ConfigureDiscoveryService/ConfigureDiscoveryService.tsx
Outdated
Show resolved
Hide resolved
web/packages/teleport/src/Discover/Database/DeployService/AutoDeploy/SelectSubnetIds.tsx
Show resolved
Hide resolved
| <Toggle | ||
| isToggled={wantAutoDiscover} | ||
| onToggle={toggleWantAutoDiscover} | ||
| disabled={disabled} | ||
| > |
There was a problem hiding this comment.
There's a lot of flashing when this toggle is clicked. For example, I shouldn't see "No results" for a split second when switching between toggle states. Presumably it's because of those extra effects used in AutoEnrollment and SingleEnrollment that I mentioned. Maybe addressing them will make the UI feel more stable as well.
There was a problem hiding this comment.
i made it less jumpy, but couldn't resolve why no results keep showing up before the actual data, it's strange, these are the render ticks. the table for some reason gets an empty item first, then the data comes on next render...
it's like setDataTable gets partially updated (because the fetchStatus: disabled is updated but not the items)...
web/packages/teleport/src/Discover/Database/EnrollRdsDatabase/AutoEnrollment.tsx
Show resolved
Hide resolved
| /> | ||
| )} | ||
| {showVpcSelector && !hasVpcs && ( | ||
| <P mt={-3}> |
There was a problem hiding this comment.
No worries, it's a minor thing in the grand scheme of things. It only becomes a problem when you want to reuse the component in different contexts where the hardcoded margins might not be necessary.
web/packages/teleport/src/services/integrations/integrations.ts
Outdated
Show resolved
Hide resolved
web/packages/teleport/src/Discover/Database/DeployService/AutoDeploy/SelectSubnetIds.tsx
Show resolved
Hide resolved
kimlisa
force-pushed
the
lisa/improve-rds-flow
branch
from
6ea394c to
9649082
Compare
|
ping @rudream |
| </P3> | ||
| )} | ||
| <P3> | ||
| {`${selectedSubnetIds.length} ${pluralize(selectedSubnetIds.length, 'subnet')} selected`} |
There was a problem hiding this comment.
FYI, I just submitted this small PR which fixes my mistake in pluralize. ;) #44949
Since the count is no longer hidden behind a zero check, AFAIK it should say "0 subnets selected" instead of "0 subnet selected".
| The security groups you pick must meet the following requirements: | ||
| <ul> | ||
| <li> | ||
| all security groups must allow outbound connectivity (eg: | ||
| 0.0.0.0/0) to reach Teleport cluster | ||
| </li> | ||
| <li> | ||
| all security groups must allow inbound connectivity from the ECS | ||
| task security group or from the ECS task subnet(s) CIDR blocks | ||
| </li> | ||
| </ul> |
There was a problem hiding this comment.
| The security groups you pick must meet the following requirements: | |
| <ul> | |
| <li> | |
| all security groups must allow outbound connectivity (eg: | |
| 0.0.0.0/0) to reach Teleport cluster | |
| </li> | |
| <li> | |
| all security groups must allow inbound connectivity from the ECS | |
| task security group or from the ECS task subnet(s) CIDR blocks | |
| </li> | |
| </ul> | |
| Select security group(s) based on the following requirements: | |
| <ul> | |
| <li> | |
| The selected security group(s) must allow all outbound traffic | |
| (eg: 0.0.0.0/0) | |
| </li> | |
| <li> | |
| A security group attached to your database(s) must allow inbound | |
| traffic from a security group you select or from all IPs in the | |
| subnets you selected | |
| </li> |
Security groups are additive, so only one of the ECS task security groups needs to allow (0.0.0.0/0) outbound.
No inbound rules are needed for these either, but the databases' security groups need to allow inbound from the ECS task.
| running the database access agent. If you don't select any security | ||
| groups, the default one for the VPC will be used. |
There was a problem hiding this comment.
Could we make security group selection a requirement instead of optional?
I think it will be better to make the user think about and pick a security group than let them skip an optional step and then likely have to troubleshoot a failing deployment
|
|
||
| <Text mb={2}> | ||
| Select subnets to assign to the Fargate service that will be running the | ||
| database access agent. All of the subnets you select must have an |
There was a problem hiding this comment.
| database access agent. All of the subnets you select must have an | |
| Teleport Database Service. All of the subnets you select must have an |
| disabled={disabled} | ||
| > | ||
| <Box ml={2} mr={1}> | ||
| Auto-enroll all databases for selected region |
There was a problem hiding this comment.
| Auto-enroll all databases for selected region | |
| Auto-enroll all databases for the selected region |
kimlisa
force-pushed
the
lisa/improve-rds-flow
branch
from
9649082 to
561b5eb
Compare
kimlisa
force-pushed
the
lisa/improve-rds-flow
branch
from
561b5eb to
93641ef
Compare
kimlisa
force-pushed
the
lisa/improve-rds-flow
branch
from
93641ef to
584821c
Compare
- user selects a vpc to see RDS's - restrict deploying service to user selected vpc - allow and require selecting subnets and security groups - refactor EnrollRdsDatabase.tsx into SingleEnrollment and AutoEnrollment - for self hosted, move configuring discovery config into own step - fixes a query bug where not all db servers were returning because possible duplicates were not accounted for (fixed by removing limit, default limit is 1k which should be plenty)
kimlisa
force-pushed
the
lisa/improve-rds-flow
branch
from
584821c to
6c96447
Compare
- user selects a vpc to see RDS's - restrict deploying service to user selected vpc - allow and require selecting subnets and security groups - refactor EnrollRdsDatabase.tsx into SingleEnrollment and AutoEnrollment - for self hosted, move configuring discovery config into own step - fixes a query bug where not all db servers were returning because possible duplicates were not accounted for (fixed by removing limit, default limit is 1k which should be plenty)
- user selects a vpc to see RDS's - restrict deploying service to user selected vpc - allow and require selecting subnets and security groups - refactor EnrollRdsDatabase.tsx into SingleEnrollment and AutoEnrollment - for self hosted, move configuring discovery config into own step - fixes a query bug where not all db servers were returning because possible duplicates were not accounted for (fixed by removing limit, default limit is 1k which should be plenty)
* Web: Improve RDS enrollment flow (#44671) - user selects a vpc to see RDS's - restrict deploying service to user selected vpc - allow and require selecting subnets and security groups - refactor EnrollRdsDatabase.tsx into SingleEnrollment and AutoEnrollment - for self hosted, move configuring discovery config into own step - fixes a query bug where not all db servers were returning because possible duplicates were not accounted for (fixed by removing limit, default limit is 1k which should be plenty) * Web: Improve RDS flow 2 (#45179) * Don't default to auto discover * Allow redpeploy when auto deploying and improve pending deploy hints * Allow overwrite existing dbs and skip on heartbeat timeout during enrollment * Remove allowing custom labels * Emit rest of discovery config event * Remove blocking if db_service exists for a vpc Previously intended to determine if user already auto enrolled, but now that single and auto enrollment sets the same kind of labels for db_service, there is no distinction and can let user be blocked incorrectly.
part of #44366
part of #41004
recommend reviewing by commit
🛑 requires e2e once all the required backend changes are done:
Improvements:
configuring discovery serviceinto it's own stepTest plan:
Story locations for all the changes made in this PR:
changelog: Improve web UI enroll RDS flow where VPC, subnets, and security groups are now selectable