diff --git a/api/types/constants.go b/api/types/constants.go
index 170f2ac6f83af..d5cd946413155 100644
--- a/api/types/constants.go
+++ b/api/types/constants.go
@@ -440,6 +440,10 @@ const (
 // that the resource originates from.
 OriginLabel = TeleportNamespace + "/origin"
+ // ClusterLabel is a label that identifies the current cluster when creating resources on another systems.
+ // Eg, when creating a resource in AWS, this label must be set as a Tag in the resource.
+ ClusterLabel = TeleportNamespace + "/cluster"
+
 // ADLabel is a resource metadata label name used to identify if resource is part of Active Directory
 ADLabel = TeleportNamespace + "/ad"
@@ -467,6 +471,13 @@ const (
 // created from the Okta service.
 OriginOkta = "okta"
+ // OriginIntegrationAWSOIDC is an origin value indicating that the resource was
+ // created from the AWS OIDC Integration.
+ OriginIntegrationAWSOIDC = "integration_awsoidc"
+
+ // IntegrationLabel is a resource metadata label name used to identify the integration name that created the resource.
+ IntegrationLabel = TeleportNamespace + "/integration"
+
 // AWSAccountIDLabel is used to identify nodes by AWS account ID
 // found via automatic discovery, to avoid re-running installation
 // commands on the node.
diff --git a/go.mod b/go.mod
index d03e649dec198..6e6150f89ce78 100644
--- a/go.mod
+++ b/go.mod
@@ -37,6 +37,7 @@ require (
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.67
 github.com/aws/aws-sdk-go-v2/service/athena v1.30.0
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0
+ github.com/aws/aws-sdk-go-v2/service/ecs v1.27.1
 github.com/aws/aws-sdk-go-v2/service/glue v1.50.0
 github.com/aws/aws-sdk-go-v2/service/rds v1.44.1
 github.com/aws/aws-sdk-go-v2/service/s3 v1.33.1
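Review bot: The ClusterLabel doc comment in the first constants hunk has a grammar slip, `on another systems`, and abbreviates "Eg,"; suggest `// ClusterLabel is a label that identifies the current cluster when creating resources on other systems.` followed by `// E.g., when creating a resource in AWS, this label must be set as a tag on the resource.`. The IntegrationLabel and OriginIntegrationAWSOIDC comments in the second hunk read fine as written.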
@@ -167,6 +168,7 @@ require (
 google.golang.org/grpc/examples v0.0.0-20221010194801-c67245195065
 google.golang.org/protobuf v1.30.0
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
+ gopkg.in/dnaeon/go-vcr.v3 v3.1.2
 gopkg.in/ini.v1 v1.67.0
 gopkg.in/square/go-jose.v2 v2.6.0
 gopkg.in/yaml.v2 v2.4.0
diff --git a/go.sum b/go.sum
index ad4a58a1c08b4..3e6a4746962d4 100644
--- a/go.sum
+++ b/go.sum
@@ -334,6 +334,8 @@ github.com/aws/aws-sdk-go-v2/service/dynamodb v1.19.7 h1:yb2o8oh3Y+Gg2g+wlzrWS3p
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.19.7/go.mod h1:1MNss6sqoIsFGisX92do/5doiUCBrN7EjhZCS/8DUjI=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0 h1:WblDV33AG9dhv0zFEPEmGtD5UECSNpKMxtdENULfR8M=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0/go.mod h1:L3ZT0N/vBsw77mOAawXmRnREpEjcHd2v5Hzf7AkIH8M=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.27.1 h1:54QSuWR3Pot7HqBRXd+c1yF97h2bqzDBID8qFSAkTlE=
+github.com/aws/aws-sdk-go-v2/service/ecs v1.27.1/go.mod h1:SB6YszwN1iKvyt/Qk+ICeKsfBxjd0CTEwwkmej9qoa0=
 github.com/aws/aws-sdk-go-v2/service/glue v1.50.0 h1:GF6Lsy9g1+Ig2e1TpGygl00+oBcdYHIMyTHoKZa9VGE=
 github.com/aws/aws-sdk-go-v2/service/glue v1.50.0/go.mod h1:agadckFdb7BwFqeN4CXt3yrMtoFvY/8b2F+8FNeHVOc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.1/go.mod h1:GeUru+8VzrTXV/83XyMJ80KpH8xO89VPoUileyNQ+tc=
@@ -2393,6 +2395,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
+gopkg.in/dnaeon/go-vcr.v3 v3.1.2 h1:F1smfXBqQqwpVifDfUBQG6zzaGjzT+EnVZakrOdr5wA=
+gopkg.in/dnaeon/go-vcr.v3 v3.1.2/go.mod h1:2IMOnnlx9I6u9x+YBsM3tAMx6AlOxnJ0pWxQAzZ79Ag=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
diff --git a/lib/integrations/awsoidc/clients.go b/lib/integrations/awsoidc/clients.go
index ebf5bc17b9cb0..eb4535ef84c57 100644
--- a/lib/integrations/awsoidc/clients.go
+++ b/lib/integrations/awsoidc/clients.go
@@ -22,6 +22,7 @@ import (
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/config"
 "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+ "github.com/aws/aws-sdk-go-v2/service/ecs"
 "github.com/aws/aws-sdk-go-v2/service/rds"
 "github.com/aws/aws-sdk-go-v2/service/sts"
 "github.com/gravitational/trace"
@@ -29,6 +30,9 @@ import (
 // AWSClientRequest contains the required fields to set up an AWS service client.
 type AWSClientRequest struct {
+ // IntegrationName is the integration name that is going to issue an API Call.
+ IntegrationName string
+
 // Token is the token used to issue the API Call.
 Token string
@@ -37,10 +41,17 @@ type AWSClientRequest struct {
 // Region where the API call should be made.
 Region string
+
+ // httpClient used in tests.
+ httpClient aws.HTTPClient
 }
 // CheckAndSetDefaults checks if the required fields are present.
 func (req *AWSClientRequest) CheckAndSetDefaults() error {
+ if req.IntegrationName == "" {
+ return trace.BadParameter("integration name is required")
+ }
+
 if req.Token == "" {
 return trace.BadParameter("token is required")
 }
@@ -58,11 +69,19 @@ func (req *AWSClientRequest) CheckAndSetDefaults() error {
 // newAWSConfig creates a new [aws.Config] using the [AWSClientRequest] fields.
 func newAWSConfig(ctx context.Context, req *AWSClientRequest) (*aws.Config, error) {
+ if err := req.CheckAndSetDefaults(); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(req.Region))
 if err != nil {
 return nil, trace.Wrap(err)
 }
+ if req.httpClient != nil {
+ cfg.HTTPClient = req.httpClient
+ }
+
 cfg.Credentials = stscreds.NewWebIdentityRoleProvider(
 sts.NewFromConfig(cfg),
 req.RoleARN,
@@ -82,6 +101,16 @@ func newRDSClient(ctx context.Context, req *AWSClientRequest) (*rds.Client, erro
 return rds.NewFromConfig(*cfg), nil
 }
+// newECSClient creates an [ecs.Client] using the provided Token, RoleARN and Region.
+func newECSClient(ctx context.Context, req *AWSClientRequest) (*ecs.Client, error) {
+ cfg, err := newAWSConfig(ctx, req)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ return ecs.NewFromConfig(*cfg), nil
+}
+
 // IdentityToken is an implementation of [stscreds.IdentityTokenRetriever] for returning a static token.
 type IdentityToken string
diff --git a/lib/integrations/awsoidc/deployservice.go b/lib/integrations/awsoidc/deployservice.go
new file mode 100644
index 0000000000000..13b60fc16f5cd
--- /dev/null
+++ b/lib/integrations/awsoidc/deployservice.go
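Review bot: The new `if req.IntegrationName == ""` check in AWSClientRequest.CheckAndSetDefaults, which the next hunk now invokes from newAWSConfig, makes IntegrationName mandatory for every client built through newAWSConfig, including the pre-existing newRDSClient path, even though newAWSConfig itself never reads the field; if any caller outside this diff builds an AWSClientRequest without IntegrationName it will now fail with BadParameter, which is worth confirming before merge. The field comment `// httpClient used in tests.` could say what it does rather than who uses it: `// httpClient, when non-nil, replaces the HTTP client of the loaded aws.Config; set only by tests.`. CheckAndSetDefaults and newAWSConfig both continue past the end of their hunks.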
@@ -0,0 +1,666 @@ +/* +Copyright 2023 Gravitational, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package awsoidc + +import ( + "context" + "fmt" + "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/service/ecs" + ecsTypes "github.com/aws/aws-sdk-go-v2/service/ecs/types" + "github.com/gravitational/trace" + "golang.org/x/exp/slices" + + "github.com/gravitational/teleport" + "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/api/utils/retryutils" +) + +var ( + // launchTypeFargateString is the FARGATE LaunchType converted into a string. + launchTypeFargateString = string(ecsTypes.LaunchTypeFargate) + // requiredCapacityProviders contains the FARGATE type which is required to deploy a Teleport Service. + requiredCapacityProviders = []string{launchTypeFargateString} + + // Ensure Cpu and Memory use one of the allowed combinations: + // https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html + taskCPU = "2048" + taskMem = "4096" + + // taskAgentContainerName is the name of the container to run within the Task. + // Each task supports multiple containers, but, currently, there's only one being used. + taskAgentContainerName = "teleport-service" + + // oneAgent is used to define the desired agent count when creating a service. + oneAgent = int32(1) + + // defaultTeleportIAMTokenName is the default Teleport IAM Token to use when it's not specified. 
+ defaultTeleportIAMTokenName = "discover-aws-oidc-iam-token" +) + +const ( + // teleportContainerImageFmt is the Teleport Container Image to be used + teleportContainerImageFmt = "public.ecr.aws/gravitational/teleport-distroless:%s" + + // clusterStatusActive is the string representing an ACTIVE ECS Cluster. + clusterStatusActive = "ACTIVE" + // clusterStatusInactive is the string representing an INACTIVE ECS Cluster. + clusterStatusInactive = "INACTIVE" + // clusterStatusProvisioning is the string representing an PROVISIONING ECS Cluster. + clusterStatusProvisioning = "PROVISIONING" + // clusterStatusProvisioningWaitTime defines for how long should the client wait for the Cluster to become available. + clusterStatusProvisioningWaitTime = 30 * time.Second + // clusterStatusProvisioningWaitTimeTick defines the interval between checks on Cluster status while it is Provisioning. + clusterStatusProvisioningWaitTimeTick = 1 * time.Second + + // serviceStatusActive is the string representing an ACTIVE ECS Service. + serviceStatusActive = "ACTIVE" + // serviceStatusDraining is the string representing an DRAINING ECS Service. + serviceStatusDraining = "DRAINING" +) + +var ( + // DatabaseServiceDeploymentMode is a deployment configuration for Deploying a Database Service. + // This mode starts a Database with the specificied Resource Matchers. + DatabaseServiceDeploymentMode = "database-service" + + // DeploymentModes has all the available deployment modes. + DeploymentModes = []string{ + DatabaseServiceDeploymentMode, + } +) + +// DeployServiceRequest contains the required fields to deploy a Teleport Service. +type DeployServiceRequest struct { + // Region is the AWS Region + Region string + + // SubnetIDs are the subnets associated with the service. + SubnetIDs []string + + // ClusterName is the ECS Cluster to be used. + // It will be created if it doesn't exist. 
+ // It will be updated if it doesn't include the FARGATE capacity provider using PutClusterCapacityProviders. + ClusterName *string + + // ServiceName is the ECS Service to be used. + // It will be created if it doesn't exist. + // It will be updated if it doesn't match the required properties. + ServiceName *string + + // TaskName is the ECS Task Definition's Family Name. + TaskName *string + + // TaskRoleARN is the AWS Role's ARN used within the Task execution. + // Ensure the AWS Client has `iam:PassRole` for this Role's ARN. + TaskRoleARN string + + // TeleportClusterName is the Teleport Cluster Name, used to create default names for Cluster, Service and Task. + TeleportClusterName string + + // TeleportIAMTokenNameis the Teleport IAM Token to use in the deployed Service. + // Optional. + // Defaults to discover-aws-oidc-iam-token + TeleportIAMTokenName *string + + // ProxyServerHostPort is the Teleport Proxy's Public. + ProxyServerHostPort string + + // IntegrationName is the integration name. + // Used for resource tagging when creating resources in AWS. + IntegrationName string + + // ResourceCreationTags is used to add tags when creating resources in AWS. + ResourceCreationTags awsTags + + // DeploymentMode is the identifier of a deployment mode - which Teleport Services to enable and their configuration. + DeploymentMode string + + // DatabaseResourceMatcherLabels contains the set of labels to be used by the DatabaseService. + // This is used when the deployment mode creates a Database Service. + DatabaseResourceMatcherLabels types.Labels +} + +// normalizeECSResourceName converts a name into a valid ECS Resource Name. +// TeleportCluster name must match the following: +// > regexp.MustCompile(`^[0-9A-Za-z_\-@:./+]+$`) +// +// ECS Resources name must match the following: +// > Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. 
+// > regexp.MustCompile(`^[0-9A-Za-z_\-]+$`) +// The following resources should be normalized +// - ECS Cluster Name (r.ClusterName) +// - ECS Service Name (r.ServiceName) +// - ECS TaskDefinition Family (r.TaskName) +func normalizeECSResourceName(name string) string { + replacer := strings.NewReplacer( + "@", "_", + ":", "_", + ".", "_", + "/", "_", + "+", "_", + ) + + return replacer.Replace(name) +} + +// CheckAndSetDefaults checks if the required fields are present. +func (r *DeployServiceRequest) CheckAndSetDefaults() error { + if r.TeleportClusterName == "" { + return trace.BadParameter("teleport cluster name is required") + } + baseResourceName := normalizeECSResourceName(r.TeleportClusterName) + + if r.TeleportIAMTokenName == nil || *r.TeleportIAMTokenName == "" { + r.TeleportIAMTokenName = &defaultTeleportIAMTokenName + } + + if r.DeploymentMode == "" { + return trace.BadParameter("deployment mode is required, please use one of the following: %v", DeploymentModes) + } + + if !slices.Contains(DeploymentModes, r.DeploymentMode) { + return trace.BadParameter("invalid deployment mode, please use one of the following: %v", DeploymentModes) + } + + if r.Region == "" { + return trace.BadParameter("region is required") + } + + if len(r.SubnetIDs) == 0 { + return trace.BadParameter("at least one subnet id is required") + } + + if r.TaskRoleARN == "" { + return trace.BadParameter("task role arn is required") + } + + if r.ClusterName == nil || *r.ClusterName == "" { + clusterName := fmt.Sprintf("%s-teleport", baseResourceName) + r.ClusterName = &clusterName + } + + if r.ServiceName == nil || *r.ServiceName == "" { + serviceName := fmt.Sprintf("%s-teleport-%s", baseResourceName, r.DeploymentMode) + r.ServiceName = &serviceName + } + + if r.TaskName == nil || *r.TaskName == "" { + taskName := fmt.Sprintf("%s-teleport-%s", baseResourceName, r.DeploymentMode) + r.TaskName = &taskName + } + + if r.ProxyServerHostPort == "" { + return trace.BadParameter("proxy address is 
required") + } + + if r.IntegrationName == "" { + return trace.BadParameter("integration name is required") + } + + if r.ResourceCreationTags == nil { + r.ResourceCreationTags = DefaultResourceCreationTags(r.TeleportClusterName, r.IntegrationName) + } + + if len(r.DatabaseResourceMatcherLabels) == 0 { + return trace.BadParameter("at least one agent matcher label is required") + } + + return nil +} + +// DeployServiceResponse contains the ARNs of the Amazon resources used to deploy the Teleport Service. +type DeployServiceResponse struct { + // ClusterARN is the Amazon ECS Cluster ARN where the task was started. + ClusterARN string + + // ServiceARN is the Amazon ECS Cluster Service ARN created to run the task. + ServiceARN string + + // TaskDefinitionARN is the Amazon ECS Task Definition ARN created to run the Teleport Service. + TaskDefinitionARN string + + // ServiceDashboardURL is a link to the service's Dashboard URL in Amazon Console. + ServiceDashboardURL string +} + +// DeployServiceClient describes the required methods to Deploy a Teleport Service. +type DeployServiceClient interface { + // DescribeClusters lists ECS Clusters. + // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeClusters + DescribeClusters(ctx context.Context, params *ecs.DescribeClustersInput, optFns ...func(*ecs.Options)) (*ecs.DescribeClustersOutput, error) + + // CreateCluster creates a new cluster. + // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.CreateCluster + CreateCluster(ctx context.Context, params *ecs.CreateClusterInput, optFns ...func(*ecs.Options)) (*ecs.CreateClusterOutput, error) + + // PutClusterCapacityProviders sets the Capacity Providers available for services in a given cluster. 
+ // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.PutClusterCapacityProviders + PutClusterCapacityProviders(ctx context.Context, params *ecs.PutClusterCapacityProvidersInput, optFns ...func(*ecs.Options)) (*ecs.PutClusterCapacityProvidersOutput, error) + + // DescribeServices lists the matching Services of a given Cluster. + // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeServices + DescribeServices(ctx context.Context, params *ecs.DescribeServicesInput, optFns ...func(*ecs.Options)) (*ecs.DescribeServicesOutput, error) + + // UpdateService updates the service. + // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.UpdateService + UpdateService(ctx context.Context, params *ecs.UpdateServiceInput, optFns ...func(*ecs.Options)) (*ecs.UpdateServiceOutput, error) + + // CreateService starts a task within a cluster. + // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.CreateService + CreateService(ctx context.Context, params *ecs.CreateServiceInput, optFns ...func(*ecs.Options)) (*ecs.CreateServiceOutput, error) + + // RegisterTaskDefinition registers a new task definition from the supplied family and containerDefinitions. + // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.RegisterTaskDefinition + RegisterTaskDefinition(ctx context.Context, params *ecs.RegisterTaskDefinitionInput, optFns ...func(*ecs.Options)) (*ecs.RegisterTaskDefinitionOutput, error) +} + +// NewDeployServiceClient creates a new DeployServiceClient using a AWSClientRequest. +func NewDeployServiceClient(ctx context.Context, clientReq *AWSClientRequest) (DeployServiceClient, error) { + fmt.Println(clientReq.Token) + return newECSClient(ctx, clientReq) +} + +// DeployService calls Amazon ECS APIs to deploy a Teleport Service. 
+// +// # Pre-requirement: Set up discover-aws-oidc-iam-token for auto join +// +// The Teleport Service connects via `discover-aws-oidc-iam-token`, so ensure your cluster has the following token: +// +// kind: token +// metadata: +// name: discover-aws-oidc-iam-token +// spec: +// allow: +// - aws_account: "" +// join_method: iam +// roles: +// - Db +// version: v2 +// +// You can also use the role received as parameter (req.TaskRoleARN) to have an even stricter matching. +// Eg of the identity ARN: "arn:aws:sts::0123456789012:assumed-role//" +// +// # Pre-requirement: TaskRole creation +// +// The req.TaskRoleARN Role must have permissions according to the Teleport Services being deployed. +// Example for a DatabaseService: +// +// { +// "Version": "2012-10-17", +// "Statement": [ +// { +// "Effect": "Allow", +// "Action": [ +// "iam:DeleteRolePolicy", +// "iam:PutRolePolicy", +// "iam:GetRolePolicy" +// ], +// "Resource": "arn:aws:iam::123456789012:role/" +// }, +// { +// "Effect": "Allow", +// "Action": [ +// "rds:DescribeDBInstances", +// "rds:ModifyDBInstance" +// ], +// "Resource": "*" +// }, +// { +// "Effect": "Allow", +// "Action": "logs:*", +// "Resource": "*" +// } +// ] +// } +// +// And the following Trust Policy +// +// { +// "Version": "2012-10-17", +// "Statement": [ +// { +// "Effect": "Allow", +// "Principal": { +// "Service": "ecs-tasks.amazonaws.com" +// }, +// "Action": "sts:AssumeRole" +// } +// ] +// } +// +// # Pre-requirement: AWS OIDC Integration Role +// +// To deploy those services the AWS OIDC Integration Role requires the following policy: +// +// { +// "Version": "2012-10-17", +// "Statement": [ +// { +// "Effect": "Allow", +// "Action": [ +// "ecs:CreateCluster", +// "ecs:PutClusterCapacityProviders", +// "ecs:DescribeClusters", +// "ecs:RegisterTaskDefinition", +// "ecs:CreateService", +// "ecs:DescribeServices", +// "ecs:UpdateService" +// ], +// "Resource": "*" +// }, +// { +// "Effect": "Allow", +// "Action": [ +// 
"iam:PassRole" +// ], +// "Resource": "arn:aws:iam::123456789012:role/" +// } +// ] +// } +// +// # Resource tagging +// +// Created resources have the following set of tags: +// - teleport.dev/cluster: +// - teleport.dev/origin: aws-oidc-integration +// - teleport.dev/integration: +// +// If resources already exist, only resources with those tags will be updated. +func DeployService(ctx context.Context, clt DeployServiceClient, req DeployServiceRequest) (*DeployServiceResponse, error) { + if err := req.CheckAndSetDefaults(); err != nil { + return nil, trace.Wrap(err) + } + + teleportConfigString, err := generateTeleportConfigString(req) + if err != nil { + return nil, trace.Wrap(err) + } + + taskDefinition, err := upsertTask(ctx, clt, req, teleportConfigString) + if err != nil { + return nil, trace.Wrap(err) + } + taskDefinitionARN := *taskDefinition.TaskDefinitionArn + + cluster, err := upsertCluster(ctx, clt, req) + if err != nil { + return nil, trace.Wrap(err) + } + + service, err := upsertService(ctx, clt, req, taskDefinitionARN) + if err != nil { + return nil, trace.Wrap(err) + } + + serviceDashboardURL := fmt.Sprintf("https://%s.console.aws.amazon.com/ecs/v2/clusters/%s/services/%s", req.Region, *req.ClusterName, *req.ServiceName) + + return &DeployServiceResponse{ + ClusterARN: *cluster.ClusterArn, + ServiceARN: *service.ServiceArn, + TaskDefinitionARN: taskDefinitionARN, + ServiceDashboardURL: serviceDashboardURL, + }, nil +} + +// upsertTask ensures a TaskDefinition with TaskName exists +func upsertTask(ctx context.Context, clt DeployServiceClient, req DeployServiceRequest, configB64 string) (*ecsTypes.TaskDefinition, error) { + taskAgentContainerImage := fmt.Sprintf(teleportContainerImageFmt, teleport.Version) + + taskDefOut, err := clt.RegisterTaskDefinition(ctx, &ecs.RegisterTaskDefinitionInput{ + Family: req.TaskName, + RequiresCompatibilities: []ecsTypes.Compatibility{ + ecsTypes.CompatibilityFargate, + }, + Cpu: &taskCPU, + Memory: &taskMem, + + 
NetworkMode: ecsTypes.NetworkModeAwsvpc, + TaskRoleArn: &req.TaskRoleARN, + ExecutionRoleArn: &req.TaskRoleARN, + ContainerDefinitions: []ecsTypes.ContainerDefinition{{ + Command: []string{ + "start", + "--config-string", + configB64, + }, + EntryPoint: []string{"teleport"}, + Image: &taskAgentContainerImage, + Name: &taskAgentContainerName, + LogConfiguration: &ecsTypes.LogConfiguration{ + LogDriver: ecsTypes.LogDriverAwslogs, + Options: map[string]string{ + "awslogs-group": "ecs-" + *req.ClusterName, + "awslogs-region": req.Region, + "awslogs-create-group": "true", + "awslogs-stream-prefix": *req.ServiceName + "/" + *req.TaskName, + }, + }, + }}, + Tags: req.ResourceCreationTags.ForECS(), + }) + if err != nil { + return nil, trace.Wrap(err) + } + return taskDefOut.TaskDefinition, nil +} + +// upsertCluster creates the cluster if it doesn't exist. +// It will update the cluster if it doesn't have the required capacity provider (FARGATE) +// It will re-create if its status is INACTIVE. +// If the cluster status is not ACTIVE, an error is returned. +// The cluster is returned. 
+func upsertCluster(ctx context.Context, clt DeployServiceClient, req DeployServiceRequest) (*ecsTypes.Cluster, error) { + describeClustersResponse, err := clt.DescribeClusters(ctx, &ecs.DescribeClustersInput{ + Clusters: []string{*req.ClusterName}, + Include: []ecsTypes.ClusterField{ + ecsTypes.ClusterFieldTags, + }, + }) + if err != nil { + return nil, trace.Wrap(err) + } + + if clusterMustBeCreated(describeClustersResponse.Clusters) { + createClusterResp, err := clt.CreateCluster(ctx, &ecs.CreateClusterInput{ + ClusterName: req.ClusterName, + CapacityProviders: requiredCapacityProviders, + Tags: req.ResourceCreationTags.ForECS(), + }) + if err != nil { + return nil, trace.Wrap(err) + } + + if err := waitForActiveCluster(ctx, clt, req, createClusterResp.Cluster); err != nil { + return nil, trace.Wrap(err) + } + + return createClusterResp.Cluster, nil + } + + // There's a cluster and it is not INACTIVE. + cluster := &describeClustersResponse.Clusters[0] + + ownershipTags := req.ResourceCreationTags + if !ownershipTags.MatchesECSTags(cluster.Tags) { + return nil, trace.Errorf("ECS Cluster %q already exists but is not managed by Teleport. "+ + "Add the following tags to allow Teleport to manage this cluster: %s", *req.ClusterName, req.ResourceCreationTags) + } + + if slices.Contains(cluster.CapacityProviders, launchTypeFargateString) { + return cluster, nil + } + + // Ensure the required capacity provider (Fargate) is available. 
+ putClusterCPResp, err := clt.PutClusterCapacityProviders(ctx, &ecs.PutClusterCapacityProvidersInput{ + Cluster: req.ClusterName, + CapacityProviders: requiredCapacityProviders, + DefaultCapacityProviderStrategy: []ecsTypes.CapacityProviderStrategyItem{{ + CapacityProvider: &launchTypeFargateString, + }}, + }) + if err != nil { + return nil, trace.Wrap(err) + } + + if err := waitForActiveCluster(ctx, clt, req, cluster); err != nil { + return nil, trace.Wrap(err) + } + + return putClusterCPResp.Cluster, nil +} + +// clusterMustBeCreated returns true if there's no cluster or the existing one has an Inactive (deleted) status. +func clusterMustBeCreated(clusters []ecsTypes.Cluster) bool { + if len(clusters) == 0 { + return true + } + + cluster := clusters[0] + + return *cluster.Status == clusterStatusInactive +} + +// waitForActiveCluster waits until the Cluster is Active. +// If the Cluster is Provisioning, then it waits at most clusterStatusProvisioningWaitTime (30 seconds) for it to become ready. 
+func waitForActiveCluster(ctx context.Context, clt DeployServiceClient, req DeployServiceRequest, cluster *ecsTypes.Cluster) error { + if cluster.Status != nil && *cluster.Status == clusterStatusActive { + return nil + } + + retry, err := retryutils.NewConstant(clusterStatusProvisioningWaitTimeTick) + if err != nil { + return trace.Wrap(err) + } + retryCtx, cancel := context.WithTimeout(ctx, clusterStatusProvisioningWaitTime) + defer cancel() + + err = retry.For(retryCtx, func() error { + describeClustersResponse, err := clt.DescribeClusters(ctx, &ecs.DescribeClustersInput{ + Clusters: []string{*req.ClusterName}, + }) + if err != nil { + return retryutils.PermanentRetryError(trace.Wrap(err)) + } + + if len(describeClustersResponse.Clusters) == 0 { + return retryutils.PermanentRetryError(trace.NotFound("cluster %q does not exist", *cluster.ClusterName)) + } + + cluster := describeClustersResponse.Clusters[0] + if cluster.Status == nil { + return retryutils.PermanentRetryError(trace.Errorf("cluster %q has an unknown (nil) status", *cluster.ClusterName)) + } + + if *cluster.Status == clusterStatusActive { + return nil + } + + if *cluster.Status == clusterStatusProvisioning { + return trace.Errorf("cluster %q is provisioning...", *cluster.ClusterName) + } + + return retryutils.PermanentRetryError(trace.Errorf("unexpected status %s for ECS Cluster %q", *cluster.ClusterName, *cluster.Status)) + }) + + return trace.Wrap(err) +} + +// upsertService creates or updates the service. +// If the service exists but its LaunchType is not Fargate, then it gets re-created. 
+func upsertService(ctx context.Context, clt DeployServiceClient, req DeployServiceRequest, taskARN string) (*ecsTypes.Service, error) { + describeServiceOut, err := clt.DescribeServices(ctx, &ecs.DescribeServicesInput{ + Services: []string{*req.ServiceName}, + Cluster: req.ClusterName, + Include: []ecsTypes.ServiceField{ + ecsTypes.ServiceFieldTags, + }, + }) + if err != nil { + return nil, trace.Wrap(err) + } + + // Service already exists. + if len(describeServiceOut.Services) > 0 { + service := &describeServiceOut.Services[0] + + if service.Status == nil { + return nil, trace.Errorf("unknown status for ECS Service %q", *req.ServiceName) + } + + if *service.Status == serviceStatusDraining { + return nil, trace.Errorf("ECS Service is draining, please retry in a couple of minutes") + } + + if *service.Status == serviceStatusActive { + ownershipTags := req.ResourceCreationTags + if !ownershipTags.MatchesECSTags(service.Tags) { + return nil, trace.Errorf("ECS Service %q already exists but is not managed by Teleport. "+ + "Add the following tags to allow Teleport to manage this service: %s", *req.ServiceName, req.ResourceCreationTags) + } + + // If the LaunchType is the required one, than we can update the current Service. + // Otherwise we have to delete it. + if service.LaunchType != ecsTypes.LaunchTypeFargate { + return nil, trace.Errorf("ECS Service %q already exists but has an invalid LaunchType %q. 
Delete the Service and try again.", *req.ServiceName, service.LaunchType) + } + + updateServiceResp, err := clt.UpdateService(ctx, &ecs.UpdateServiceInput{ + Service: req.ServiceName, + DesiredCount: &oneAgent, + TaskDefinition: &taskARN, + Cluster: req.ClusterName, + NetworkConfiguration: &ecsTypes.NetworkConfiguration{ + AwsvpcConfiguration: &ecsTypes.AwsVpcConfiguration{ + AssignPublicIp: ecsTypes.AssignPublicIpEnabled, // no internet connection otherwise + Subnets: req.SubnetIDs, + }, + }, + ForceNewDeployment: true, + PropagateTags: ecsTypes.PropagateTagsService, + }) + if err != nil { + return nil, trace.Wrap(err) + } + + return updateServiceResp.Service, nil + } + } + + createServiceOut, err := clt.CreateService(ctx, &ecs.CreateServiceInput{ + ServiceName: req.ServiceName, + DesiredCount: &oneAgent, + LaunchType: ecsTypes.LaunchTypeFargate, + TaskDefinition: &taskARN, + Cluster: req.ClusterName, + NetworkConfiguration: &ecsTypes.NetworkConfiguration{ + AwsvpcConfiguration: &ecsTypes.AwsVpcConfiguration{ + AssignPublicIp: ecsTypes.AssignPublicIpEnabled, // no internet connection otherwise + Subnets: req.SubnetIDs, + }, + }, + Tags: req.ResourceCreationTags.ForECS(), + PropagateTags: ecsTypes.PropagateTagsService, + }) + if err != nil { + return nil, trace.Wrap(err) + } + + return createServiceOut.Service, nil +} diff --git a/lib/integrations/awsoidc/deployservice_config.go b/lib/integrations/awsoidc/deployservice_config.go new file mode 100644 index 0000000000000..ac6db9255b10c --- /dev/null +++ b/lib/integrations/awsoidc/deployservice_config.go 
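Review bot: NewDeployServiceClient writes the caller's credential to stdout with `fmt.Println(clientReq.Token)`; Token is the web-identity token that newAWSConfig hands to stscreds.NewWebIdentityRoleProvider to assume RoleARN, so every deploy leaks a bearer secret into process output, and the line should be deleted (fmt is still used elsewhere in the file). In waitForActiveCluster the arguments of `trace.Errorf("unexpected status %s for ECS Cluster %q", *cluster.ClusterName, *cluster.Status)` are reversed relative to the verbs, so the message reports the name as the status; swap them to `*cluster.Status, *cluster.ClusterName`. The same retry callback issues DescribeClusters with `ctx` rather than `retryCtx`, so clusterStatusProvisioningWaitTime bounds the retry loop but not an in-flight call. clusterMustBeCreated dereferences `*cluster.Status` without the nil guard that waitForActiveCluster applies, which panics on a DescribeClusters result whose Status is unset. The DeployService doc comment lists the tag `teleport.dev/origin: aws-oidc-integration`, which does not match the new OriginIntegrationAWSOIDC value `integration_awsoidc` in constants.go; if DefaultResourceCreationTags (defined outside this diff) uses that constant, the comment is stale.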
@@ -0,0 +1,87 @@ +/* +Copyright 2023 Gravitational, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package awsoidc + +import ( + "encoding/base64" + + "github.com/gravitational/trace" + "gopkg.in/yaml.v2" + + "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/lib/config" + "github.com/gravitational/teleport/lib/defaults" +) + +// generateTeleportConfigString creates a teleport.yaml configuration that the agent +// deployed in a ECS Cluster (using Fargate) will use. +// +// Returns config as base64-encoded string suitable for passing to teleport process +// via --config-string flag. +func generateTeleportConfigString(req DeployServiceRequest) (string, error) { + teleportConfig, err := config.MakeSampleFileConfig(config.SampleFlags{ + Version: defaults.TeleportConfigVersionV3, + ProxyAddress: req.ProxyServerHostPort, + }) + if err != nil { + return "", trace.Wrap(err) + } + + // Disable default services + teleportConfig.Auth.EnabledFlag = "no" + teleportConfig.Proxy.EnabledFlag = "no" + teleportConfig.SSH.EnabledFlag = "no" + + // Ensure the NodeName is not set to the current host (Teleport Proxy). + // Setting it to an empty string, ensures the NodeName is picked up from the host's hostname. + teleportConfig.NodeName = "" + + // Use IAM Token join method to enroll into the Cluster. 
+ // req.TeleportIAMTokenName must have the following TokenRule: + /* + types.TokenRule{ + AWSAccount: "", + AWSARN: "arn:aws:sts:::assumed-role//*", + } + */ + teleportConfig.JoinParams = config.JoinParams{ + TokenName: *req.TeleportIAMTokenName, + Method: types.JoinMethodIAM, + } + + switch req.DeploymentMode { + case DatabaseServiceDeploymentMode: + teleportConfig.Databases.Service.EnabledFlag = "yes" + teleportConfig.Databases.ResourceMatchers = []config.ResourceMatcher{{ + Labels: req.DatabaseResourceMatcherLabels, + }} + + default: + return "", trace.BadParameter("invalid deployment mode %q, supported modes: %v", req.DeploymentMode, DeploymentModes) + } + + teleportConfigYAMLBytes, err := yaml.Marshal(teleportConfig) + if err != nil { + return "", trace.Wrap(err) + } + + // This Config is meant to be passed as argument to `teleport start` + // Eg, `teleport start --config-string ` + teleportConfigString := base64.StdEncoding.EncodeToString(teleportConfigYAMLBytes) + + return teleportConfigString, nil +} diff --git a/lib/integrations/awsoidc/deployservice_test.go b/lib/integrations/awsoidc/deployservice_test.go new file mode 100644 index 0000000000000..1453ff11b9c01 --- /dev/null +++ b/lib/integrations/awsoidc/deployservice_test.go 
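Review bot: generateTeleportConfigString's doc comment should state where its output ends up: upsertTask places the returned base64 string into the task definition's container `Command` (`--config-string`), where it is readable by any principal allowed ecs:DescribeTaskDefinition, so nothing secret may ever be added to the generated teleport.yaml. Today it carries only the IAM join token name, the proxy address and the matcher labels, which is fine, but a later edit could easily add a static join token; suggest appending `// The result is stored in plaintext in the ECS task definition (readable via ecs:DescribeTaskDefinition), so this config must never contain secrets.` to the doc comment. The inline TokenRule example in the function body shows empty AWSAccount and AWSARN values in this rendering; if placeholders were intended, spelling them out (e.g. a labelled ACCOUNT-ID) would keep the comment readable.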
@@ -0,0 +1,209 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package awsoidc
+
+import (
+ "regexp"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/gravitational/trace"
+ "github.com/stretchr/testify/require"
+
+ "github.com/gravitational/teleport/api/types"
+)
+
+func TestDeployServiceRequest(t *testing.T) {
+ isBadParamErrFn := func(tt require.TestingT, err error, i ...interface{}) {
+ require.True(tt, trace.IsBadParameter(err), "expected bad parameter, got %v", err)
+ }
+
+ baseReqFn := func() DeployServiceRequest {
+ return DeployServiceRequest{
+ TeleportClusterName: "mycluster",
+ Region: "r",
+ SubnetIDs: []string{"1"},
+ TaskRoleARN: "arn",
+ ProxyServerHostPort: "proxy.example.com:3080",
+ IntegrationName: "teleportdev",
+ DeploymentMode: DatabaseServiceDeploymentMode,
+ DatabaseResourceMatcherLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
+ }
+ }
+
+ for _, tt := range []struct {
+ name string
+ req func() DeployServiceRequest
+ errCheck require.ErrorAssertionFunc
+ reqWithDefaults DeployServiceRequest
+ }{
+ {
+ name: "no fields",
+ req: func() DeployServiceRequest {
+ return DeployServiceRequest{}
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "missing teleport cluster name",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.TeleportClusterName = ""
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "missing region",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.Region = ""
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "empty list of subnets",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.SubnetIDs = []string{}
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "missing task role arn",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.TaskRoleARN = ""
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "missing integration name",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.IntegrationName = ""
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "invalid deployment mode",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.DeploymentMode = "invalid"
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "no deployment mode",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.DeploymentMode = ""
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "no label matchers",
+ req: func() DeployServiceRequest {
+ r := baseReqFn()
+ r.DatabaseResourceMatcherLabels = types.Labels{}
+ return r
+ },
+ errCheck: isBadParamErrFn,
+ },
+ {
+ name: "fill defaults",
+ req: baseReqFn,
+ errCheck: require.NoError,
+ reqWithDefaults: DeployServiceRequest{
+ TeleportClusterName: "mycluster",
+ Region: "r",
+ SubnetIDs: []string{"1"},
+ TaskRoleARN: "arn",
+ ClusterName: stringPointer("mycluster-teleport"),
+ ServiceName: stringPointer("mycluster-teleport-database-service"),
+ TaskName: stringPointer("mycluster-teleport-database-service"),
+ TeleportIAMTokenName: stringPointer("discover-aws-oidc-iam-token"),
+ IntegrationName: "teleportdev",
+ ProxyServerHostPort: "proxy.example.com:3080",
+ ResourceCreationTags: awsTags{
+ "teleport.dev/origin": "integration_awsoidc",
+ "teleport.dev/cluster": "mycluster",
+ "teleport.dev/integration": "teleportdev",
+ },
+ DeploymentMode: DatabaseServiceDeploymentMode,
+ DatabaseResourceMatcherLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
+ },
+ },
+ } {
+ t.Run(tt.name, func(t *testing.T) {
+ r := tt.req()
+ err := r.CheckAndSetDefaults()
+ tt.errCheck(t, err)
+
+ if err != nil {
+ return
+ }
+
+ require.Empty(t, cmp.Diff(tt.reqWithDefaults, r))
+ })
+ }
+}
+
+func TestNormalizeECSResourceName(t *testing.T) {
+ validClusterName := regexp.MustCompile(`^[0-9A-Za-z_\-@:./+]+$`)
+ validECSName := regexp.MustCompile(`^[0-9A-Za-z_\-]+$`)
+ for _, tt := range []struct {
+ name string
+ input string
+ expected string
+ }{
+ {
+ name: "valid",
+ input: "mycluster",
+ expected: "mycluster",
+ },
+ {
+ name: "with dots",
+ input: "mycluster.example",
+ expected: "mycluster_example",
+ },
+ {
+ name: "cloud format",
+ input: "tenant.teleport.sh",
+ expected: "tenant_teleport_sh",
+ },
+ {
+ name: "other special chars",
+ input: "cluster@with:another.host/with+numbers_123",
+ expected: "cluster_with_another_host_with_numbers_123",
+ },
+ } {
+ t.Run(tt.name, func(t *testing.T) {
+ // ensure test case is valid
+ require.True(t, validClusterName.Match([]byte(tt.input)))
+ require.True(t, validECSName.Match([]byte(tt.expected)))
+
+ require.Equal(t, normalizeECSResourceName(tt.input), tt.expected)
+ })
+ }
+}
diff --git a/lib/integrations/awsoidc/deployservice_vcr_test.go b/lib/integrations/awsoidc/deployservice_vcr_test.go
new file mode 100644
index 0000000000000..60621290c6e0f
--- /dev/null
+++ b/lib/integrations/awsoidc/deployservice_vcr_test.go
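Review bot: The final assertion in TestNormalizeECSResourceName passes the actual value in the expected slot, `require.Equal(t, normalizeECSResourceName(tt.input), tt.expected)`; testify's Equal takes (expected, actual), so a failure prints the two values under swapped labels. Swap them: `require.Equal(t, tt.expected, normalizeECSResourceName(tt.input))`. Every case also feeds the helper input that already satisfies validClusterName; one case with a character outside that set, and one with an empty string, would pin down what the normalizer does with input it was not designed for, which matters because the result becomes an ECS resource name.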
@@ -0,0 +1,229 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package awsoidc
+
+import (
+ "context"
+ "net/http"
+ "regexp"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "gopkg.in/dnaeon/go-vcr.v3/cassette"
+ "gopkg.in/dnaeon/go-vcr.v3/recorder"
+
+ "github.com/gravitational/teleport/api/types"
+)
+
+func TestDeployDBService(t *testing.T) {
+ ctx := context.Background()
+
+ // To record new fixtures ensure the following:
+ // - change recordingMode to recorder.ModeRecordOnce
+ recordingMode := recorder.ModeReplayOnly
+ // - get a token by
+ // - add `fmt.Println(clientReq.Token)` in `NewDeployServiceClient`
+ // - hosting teleport in a public endpoint and configure the AWS OIDC Integration
+ // - issue a DeployService call and look for the token in the logs
+ awsOIDCToken := "x.y.z"
+
+ awsRegion := "us-east-1"
+ awsOIDCRoleARN := "arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider"
+ integrationName := "teleportdev"
+
+ removeKeysRegex, err := regexp.Compile(`(?s)().*().*().*().*().*()`)
+ require.NoError(t, err)
+ removeSensitiveHeadersHook := func(i *cassette.Interaction) error {
+ i.Request.Headers.Del("Authorization")
+ i.Request.Headers.Del("X-Amz-Security-Token")
+ i.Request.Form.Del("WebIdentityToken")
+
+ // Requests to STS contain tokens in both HTTP request and response.
+ if i.Request.URL == "https://sts.us-east-1.amazonaws.com/" {
+ i.Request.Body = ""
+ i.Response.Body = removeKeysRegex.ReplaceAllString(i.Response.Body, "${1}x${2}${3}x${4}${5}x${6}")
+ }
+
+ return nil
+ }
+
+ awsClientReqFunc := func(httpClient *http.Client) *AWSClientRequest {
+ return &AWSClientRequest{
+ // To record new fixtures you will need a valid token.
+ // You can get one by getting the generated token in a real cluster.
+ Token: awsOIDCToken,
+ RoleARN: awsOIDCRoleARN,
+ Region: awsRegion,
+ IntegrationName: integrationName,
+ httpClient: httpClient,
+ }
+ }
+
+ deployServiceReqFunc := func(clusterName string) DeployServiceRequest {
+ return DeployServiceRequest{
+ Region: awsRegion,
+ SubnetIDs: []string{
+ "subnet-0b7ab67161173748b",
+ "subnet-0dda93c8621eb2e99",
+ "subnet-034f17b3f7344e375",
+ "subnet-04a07d4721a3c96e0",
+ "subnet-0ef025345dd791986",
+ "subnet-099632749366c2c56",
+ },
+ TaskRoleARN: "MarcoEC2Role",
+ TeleportClusterName: clusterName,
+ IntegrationName: "teleportdev",
+ DeploymentMode: DatabaseServiceDeploymentMode,
+ ProxyServerHostPort: "marcodinis.teleportdemo.net:443",
+ DatabaseResourceMatcherLabels: types.Labels{
+ types.Wildcard: []string{types.Wildcard},
+ },
+ }
+ }
+
+ mustRecordUsing := func(t *testing.T, name string) *recorder.Recorder {
+ r, err := recorder.NewWithOptions(&recorder.Options{
+ CassetteName: name,
+ SkipRequestLatency: true,
+ Mode: recordingMode,
+ })
+ require.NoError(t, err)
+ r.AddHook(removeSensitiveHeadersHook, recorder.BeforeSaveHook)
+ return r
+ }
+
+ t.Run("nothing exists in aws account", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/emptyaccount")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ resp, err := DeployService(ctx, ecsClient, deployServiceReqFunc("cluster1002"))
+ require.NoError(t, err)
+
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport", resp.ClusterARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service", resp.ServiceARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1", resp.TaskDefinitionARN)
+ require.Equal(t, "https://us-east-1.console.aws.amazon.com/ecs/v2/clusters/cluster1002-teleport/services/cluster1002-teleport-database-service", resp.ServiceDashboardURL)
+ })
+
+ t.Run("recreate everything", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/replace")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ resp, err := DeployService(ctx, ecsClient, deployServiceReqFunc("cluster1002"))
+ require.NoError(t, err)
+
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport", resp.ClusterARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service", resp.ServiceARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2", resp.TaskDefinitionARN)
+ require.Equal(t, "https://us-east-1.console.aws.amazon.com/ecs/v2/clusters/cluster1002-teleport/services/cluster1002-teleport-database-service", resp.ServiceDashboardURL)
+ })
+
+ t.Run("service is being deleted", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/servicedeleted")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ _, err = DeployService(ctx, ecsClient, deployServiceReqFunc("cluster1002"))
+ require.ErrorContains(t, err, "ECS Service is draining, please retry in a couple of minutes")
+ })
+
+ t.Run("cluster is being deleted", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/clusterdeleted")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ resp, err := DeployService(ctx, ecsClient, deployServiceReqFunc("cluster1002"))
+ require.NoError(t, err)
+
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport", resp.ClusterARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service", resp.ServiceARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5", resp.TaskDefinitionARN)
+ require.Equal(t, "https://us-east-1.console.aws.amazon.com/ecs/v2/clusters/cluster1002-teleport/services/cluster1002-teleport-database-service", resp.ServiceDashboardURL)
+ })
+
+ t.Run("cluster does not have the required capacity provider", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/clustercapacityprovider")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ resp, err := DeployService(ctx, ecsClient, deployServiceReqFunc("cluster1002"))
+ require.NoError(t, err)
+
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport", resp.ClusterARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service", resp.ServiceARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:9", resp.TaskDefinitionARN)
+ require.Equal(t, "https://us-east-1.console.aws.amazon.com/ecs/v2/clusters/cluster1002-teleport/services/cluster1002-teleport-database-service", resp.ServiceDashboardURL)
+ })
+
+ t.Run("cluster does not have the ownership tags", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/cluster_without_ownership_tags")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ _, err = DeployService(ctx, ecsClient, deployServiceReqFunc("cluster1002"))
+ require.ErrorContains(t, err, `ECS Cluster "cluster1002-teleport" already exists but is not managed by Teleport. Add the following tags to allow Teleport to manage this cluster:`)
+ })
+
+ t.Run("service does not have the ownership tags", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/service_without_ownership_tags")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ _, err = DeployService(ctx, ecsClient, deployServiceReqFunc("cluster1002"))
+ require.ErrorContains(t, err, `ECS Service "cluster1002-teleport-database-service" already exists but is not managed by Teleport. Add the following tags to allow Teleport to manage this service:`)
+ })
+
+ t.Run("cluster name with dots", func(t *testing.T) {
+ r := mustRecordUsing(t, "fixtures/cluster_name_with_dots")
+ defer r.Stop()
+
+ awsClientRecorder := awsClientReqFunc(r.GetDefaultClient())
+ ecsClient, err := newECSClient(ctx, awsClientRecorder)
+ require.NoError(t, err)
+
+ resp, err := DeployService(ctx, ecsClient, deployServiceReqFunc("tenant-a.teleport.sh"))
+ require.NoError(t, err)
+
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:cluster/tenant-a_teleport_sh-teleport", resp.ClusterARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:service/tenant-a_teleport_sh-teleport/tenant-a_teleport_sh-teleport-database-service", resp.ServiceARN)
+ require.Equal(t, "arn:aws:ecs:us-east-1:278576220453:task-definition/tenant-a_teleport_sh-teleport-database-service:1", resp.TaskDefinitionARN)
+ require.Equal(t, "https://us-east-1.console.aws.amazon.com/ecs/v2/clusters/tenant-a_teleport_sh-teleport/services/tenant-a_teleport_sh-teleport-database-service", resp.ServiceDashboardURL)
+ })
+}
diff --git a/lib/integrations/awsoidc/fixtures/cluster_name_with_dots.yaml b/lib/integrations/awsoidc/fixtures/cluster_name_with_dots.yaml
new file mode 100644
index 0000000000000..c9396cf3b3e8d
--- /dev/null
+++ b/lib/integrations/awsoidc/fixtures/cluster_name_with_dots.yaml
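Review bot: removeSensitiveHeadersHook scrubs the STS response body only when `i.Request.URL == "https://sts.us-east-1.amazonaws.com/"`, while the region the client actually signs for comes from `awsRegion`; if someone re-records against another region, the AssumeRoleWithWebIdentity response (the one whose credential fields the regex replaces with `x`) is written to the cassette unredacted and committed. Derive the host from the same variable, `if i.Request.URL == "https://sts."+awsRegion+".amazonaws.com/" {`, or match on the `https://sts.` prefix so the scrub cannot drift from the client configuration. Separately, every subtest uses `defer r.Stop()` and drops the error Stop returns, so in record mode a cassette that failed to save goes unnoticed; registering `t.Cleanup(func() { require.NoError(t, r.Stop()) })` inside mustRecordUsing surfaces it and removes the repeated defer.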
@@ -0,0 +1,603 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911152857792573" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 427dc06d-e6fa-443e-96a1-e5057fa55a95 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911152857792573 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911152857792573 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:25:53Z + + system:proxy + + + 9a19bee7-07bb-4568-a462-637855a6c088 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:25:53 GMT + X-Amzn-Requestid: + - 9a19bee7-07bb-4568-a462-637855a6c088 + status: 200 OK + code: 200 + duration: 1.105605065s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1748 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","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"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-tenant-a_teleport_sh-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"tenant-a_teleport_sh-teleport-database-service/tenant-a_teleport_sh-teleport-database-service"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"tenant-a_teleport_sh-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"tenant-a.teleport.sh"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 1ffcf95b-3231-4232-906d-bc8f7d53345c + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102553Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2698 + uncompressed: false + body: 
'{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"tenant-a.teleport.sh"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","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"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-tenant-a_teleport_sh-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"tenant-a_teleport_sh-teleport-database-service/tenant-a_teleport_sh-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"tenant-a_teleport_sh-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686911154608E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911152857792573","requiresAttributes":[{"name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":1,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east-1:278576220453:task-definition/tenant-a_teleport_sh-teleport-database-service:1","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2698" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 
10:25:54 GMT + X-Amzn-Requestid: + - ea196952-82b3-4ed1-b483-960e117e8902 + status: 200 OK + code: 200 + duration: 762.93508ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911154728313073" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 243d866f-a30a-4b8b-b56c-bea727c51977 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911154728313073 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911154728313073 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:25:54Z + + system:proxy + + + 35f3af71-b03d-4cc4-9261-1b11e2e17124 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:25:54 GMT + X-Amzn-Requestid: + - 35f3af71-b03d-4cc4-9261-1b11e2e17124 + status: 200 OK + code: 200 + duration: 148.425139ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 65 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"clusters":["tenant-a_teleport_sh-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - b71a9033-4118-44dd-93f4-5326935506d3 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - 
aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102554Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 130 + uncompressed: false + body: '{"clusters":[],"failures":[{"arn":"arn:aws:ecs:us-east-1:278576220453:cluster/tenant-a_teleport_sh-teleport","reason":"MISSING"}]}' + headers: + Content-Length: + - "130" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:25:54 GMT + X-Amzn-Requestid: + - 501fc81f-448c-4819-8354-44e7ef4696af + status: 200 OK + code: 200 + duration: 150.975685ms + - id: 4 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911155029147918" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - d4c31ef9-630c-4b79-b06a-759e2929fccc + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911155029147918 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911155029147918 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:25:55Z + + system:proxy + + + 90c84a87-1b2c-4120-8e71-1504b632764a + + + headers: + 
Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:25:54 GMT + X-Amzn-Requestid: + - 90c84a87-1b2c-4120-8e71-1504b632764a + status: 200 OK + code: 200 + duration: 172.678556ms + - id: 5 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 267 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"capacityProviders":["FARGATE"],"clusterName":"tenant-a_teleport_sh-teleport","tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"tenant-a.teleport.sh"},{"key":"teleport.dev/integration","value":"teleportdev"}]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 2ec1d1d5-0604-40e4-8f32-5173061ffa6b + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102555Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.CreateCluster + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 622 + uncompressed: false + body: '{"cluster":{"activeServicesCount":0,"capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/tenant-a_teleport_sh-teleport","clusterName":"tenant-a_teleport_sh-teleport","defaultCapacityProviderStrategy":[],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":0,"settings":[{"name":"containerInsights","value":"disabled"}],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"tenant-a.teleport.sh"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]},"clusterCount":0}' + headers: + Content-Length: + - "622" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 
2023 10:25:55 GMT + X-Amzn-Requestid: + - 6a2257bb-a00a-4325-be52-ed7831abc9eb + status: 200 OK + code: 200 + duration: 328.933829ms + - id: 6 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911155532239167" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 09290c6f-51e4-42de-bae8-4d25866a70b9 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911155532239167 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911155532239167 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:25:55Z + + system:proxy + + + 342c77b3-3e63-4657-8f4d-63234ff54856 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:25:55 GMT + X-Amzn-Requestid: + - 342c77b3-3e63-4657-8f4d-63234ff54856 + status: 200 OK + code: 200 + duration: 143.520728ms + - id: 7 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 124 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"tenant-a_teleport_sh-teleport","include":["TAGS"],"services":["tenant-a_teleport_sh-teleport-database-service"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 8afbe769-56f9-4b44-95a9-1a65f8d2d8cb + Amz-Sdk-Request: + - attempt=1; max=3 + 
Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102555Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeServices + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 147 + uncompressed: false + body: '{"failures":[{"arn":"arn:aws:ecs:us-east-1:278576220453:service/tenant-a_teleport_sh-teleport-database-service","reason":"MISSING"}],"services":[]}' + headers: + Content-Length: + - "147" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:25:55 GMT + X-Amzn-Requestid: + - c328ded6-fc05-481d-abe2-ebee10c82c5e + status: 200 OK + code: 200 + duration: 159.242457ms + - id: 8 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911155844582408" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 0f355697-1fb6-445c-8636-cd74d1a60f34 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911155844582408 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911155844582408 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:25:55Z 
+ + system:proxy + + + 88e7a7e0-6bae-44da-a04a-b31cfa508893 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:25:55 GMT + X-Amzn-Requestid: + - 88e7a7e0-6bae-44da-a04a-b31cfa508893 + status: 200 OK + code: 200 + duration: 137.757837ms + - id: 9 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 729 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"tenant-a_teleport_sh-teleport","desiredCount":1,"launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"propagateTags":"SERVICE","serviceName":"tenant-a_teleport_sh-teleport-database-service","tags":[{"key":"teleport.dev/cluster","value":"tenant-a.teleport.sh"},{"key":"teleport.dev/integration","value":"teleportdev"},{"key":"teleport.dev/origin","value":"integration_awsoidc"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/tenant-a_teleport_sh-teleport-database-service:1"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 0e20e46f-e75f-4c4b-9a95-0aceeea44a26 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102555Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.CreateService + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2441 + uncompressed: false + body: 
'{"service":{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/tenant-a_teleport_sh-teleport","createdAt":1.686911156487E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.686911156487E9,"desiredCount":1,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/9715965138496391411","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/9715965138496391411 in progress.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/tenant-a_teleport_sh-teleport-database-service:1","updatedAt":1.686911156487E9}],"desiredCount":1,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/tenant-a_teleport_sh-teleport/tenant-a_teleport_sh-teleport-
database-service","serviceName":"tenant-a_teleport_sh-teleport-database-service","serviceRegistries":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"tenant-a.teleport.sh"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/tenant-a_teleport_sh-teleport-database-service:1","version":0}}' + headers: + Content-Length: + - "2441" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:25:56 GMT + X-Amzn-Requestid: + - fc76c853-e3d9-47e6-95d1-ecc4c7559295 + status: 200 OK + code: 200 + duration: 615.89935ms diff --git a/lib/integrations/awsoidc/fixtures/cluster_without_ownership_tags.yaml b/lib/integrations/awsoidc/fixtures/cluster_without_ownership_tags.yaml new file mode 100644 index 0000000000000..c1766140ae739 --- /dev/null +++ b/lib/integrations/awsoidc/fixtures/cluster_without_ownership_tags.yaml 
@@ -0,0 +1,243 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911061865572432" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 1692ecc6-8382-4ef0-80e8-6e55b3c64f52 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911061865572432 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911061865572432 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:24:22Z + + system:proxy + + + e8f7bf82-d225-4731-99ed-021ff32030ce + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:24:22 GMT + X-Amzn-Requestid: + - e8f7bf82-d225-4731-99ed-021ff32030ce + status: 200 OK + code: 200 + duration: 1.104729648s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1703 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","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"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service","awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - a7311aca-3ae9-46e4-9ab2-b5ed6b3f6b40 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102422Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2644 + uncompressed: false + body: 
'{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","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"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686911063628E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911061865572432","requiresAttributes":[{"name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":6,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:6","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2644" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:24:23 GMT + X-Amzn-Requestid: + - 
da156dde-91a9-47c0-92a4-c52d2d3bb7c1 + status: 200 OK + code: 200 + duration: 770.550376ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911063742378737" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 1f3967d5-3388-49f2-b0a6-44d8f4de4865 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911063742378737 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911063742378737 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:24:23Z + + system:proxy + + + d8e65c45-a90f-43f5-8edc-dd044966dbe6 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:24:23 GMT + X-Amzn-Requestid: + - d8e65c45-a90f-43f5-8edc-dd044966dbe6 + status: 200 OK + code: 200 + duration: 139.753879ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 56 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"clusters":["cluster1002-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 840f3656-bb9e-4b7c-a362-9733d0969a2a + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 
md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102423Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 548 + uncompressed: false + body: '{"clusters":[{"activeServicesCount":1,"capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":1,"settings":[],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1001"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]}],"failures":[]}' + headers: + Content-Length: + - "548" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:24:23 GMT + X-Amzn-Requestid: + - 499a9b02-a9a8-4d5d-9c91-1bfa4ae13550 + status: 200 OK + code: 200 + duration: 179.053835ms diff --git a/lib/integrations/awsoidc/fixtures/clustercapacityprovider.yaml b/lib/integrations/awsoidc/fixtures/clustercapacityprovider.yaml new file mode 100644 index 0000000000000..5df30d53daabe --- /dev/null +++ b/lib/integrations/awsoidc/fixtures/clustercapacityprovider.yaml 
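Review bot: The DescribeClusters reply recorded at the end of this cassette tags `cluster1002-teleport` with `teleport.dev/cluster: cluster1001`, so the scenario it captures is a cluster owned by a different Teleport cluster, not one "without ownership tags" as the file name says; either rename the fixture (e.g. `cluster_owned_by_other_cluster.yaml`) or add a second recording whose reply carries `"tags":[]` so the literal missing-tags path is exercised as well. On hygiene, the STS bodies show `xxx` where the credentials were and the ECS requests carry no `Authorization` or `X-Amz-Security-Token` header, which suggests the recorder hook scrubs secrets, but the real account ID `278576220453`, the role and OIDC-provider names and the six subnet IDs are still committed; rewriting those to placeholders (`123456789012`, `subnet-0123456789abcdef0`) in the same hook keeps live infrastructure details out of the repository. Also note that `RoleSessionName` is a nanosecond timestamp, so replay presumably relies on a matcher that ignores the form body; worth confirming, since a default body matcher would make this cassette fail on the next run.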
@@ -0,0 +1,723 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911414502217606" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 87bc027f-2bbf-45bd-a05c-b805f4a9cf74 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911414502217606 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911414502217606 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:30:15Z + + system:proxy + + + 719676fc-9e50-40a5-b6a5-c4f30ebee796 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:30:14 GMT + X-Amzn-Requestid: + - 719676fc-9e50-40a5-b6a5-c4f30ebee796 + status: 200 OK + code: 200 + duration: 1.079726618s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1703 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","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"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 6b149feb-be2f-490f-a75f-590a8f0d0c6f + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T103015Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2644 + uncompressed: false + body: 
'{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","dmVyc2lvbjogdjMKdGVsZXBvcnQ6CiAgZGF0YV9kaXI6IC92YXIvbGliL3RlbGVwb3J0CiAgam9pbl9wYXJhbXM6CiAgICB0b2tlbl9uYW1lOiBkaXNjb3Zlci1hd3Mtb2lkYy1pYW0tdG9rZW4KICAgIG1ldGhvZDogaWFtCiAgcHJveHlfc2VydmVyOiBtYXJjb2RpbmlzLnRlbGVwb3J0ZGVtby5uZXQ6NDQzCiAgbG9nOgogICAgb3V0cHV0OiBzdGRlcnIKICAgIHNldmVyaXR5OiBJTkZPCiAgICBmb3JtYXQ6CiAgICAgIG91dHB1dDogdGV4dAogIGNhX3BpbjogIiIKICBkaWFnX2FkZHI6ICIiCmF1dGhfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgbGlzdGVuX2FkZHI6IDAuMC4wLjA6MzAyNQogIHByb3h5X2xpc3RlbmVyX21vZGU6IG11bHRpcGxleApzc2hfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgY29tbWFuZHM6CiAgLSBuYW1lOiBob3N0bmFtZQogICAgY29tbWFuZDogW2hvc3RuYW1lXQogICAgcGVyaW9kOiAxbTBzCnByb3h5X3NlcnZpY2U6CiAgZW5hYmxlZDogIm5vIgogIGh0dHBzX2tleXBhaXJzOiBbXQogIGh0dHBzX2tleXBhaXJzX3JlbG9hZF9pbnRlcnZhbDogMHMKICBhY21lOiB7fQpkYl9zZXJ2aWNlOgogIGVuYWJsZWQ6ICJ5ZXMiCiAgZGF0YWJhc2VzOiBbXQogIHJlc291cmNlczoKICAtIGxhYmVsczoKICAgICAgJyonOiAnKicK"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686911416291E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911414502217606","requiresAttributes":[{"
name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":9,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:9","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2644" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:30:15 GMT + X-Amzn-Requestid: + - 671db742-6d70-4cb9-8d72-b3f9db7b3706 + status: 200 OK + code: 200 + duration: 818.133531ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911416409823902" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 06928b35-3de4-4418-8a5c-7274e78ba978 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911416409823902 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911416409823902 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + 
xxx + 2023-06-16T11:30:16Z + + system:proxy + + + 209d5437-1dd2-4d38-a6a9-893753ce5724 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:30:15 GMT + X-Amzn-Requestid: + - 209d5437-1dd2-4d38-a6a9-893753ce5724 + status: 200 OK + code: 200 + duration: 138.301264ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 56 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"clusters":["cluster1002-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 55a054a3-f1dc-4768-ba3d-82968b9ee446 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T103016Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 608 + uncompressed: false + body: '{"clusters":[{"activeServicesCount":0,"capacityProviders":["FARGATE_SPOT"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[{"base":1,"capacityProvider":"FARGATE_SPOT","weight":1}],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":0,"settings":[],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]}],"failures":[]}' + headers: + Content-Length: + - "608" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:30:16 GMT + X-Amzn-Requestid: + - 6763fb29-6676-4851-84b9-a2566c710be0 + status: 200 OK + code: 200 + 
duration: 183.176383ms + - id: 4 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911416738501632" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 107e2a41-d6ac-4945-a195-9b637d80a17e + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911416738501632 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911416738501632 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:30:16Z + + system:proxy + + + 36b0a3f1-2b81-412b-af42-0d20dc4d4e1c + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:30:16 GMT + X-Amzn-Requestid: + - 36b0a3f1-2b81-412b-af42-0d20dc4d4e1c + status: 200 OK + code: 200 + duration: 144.419467ms + - id: 5 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 133 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"capacityProviders":["FARGATE"],"cluster":"cluster1002-teleport","defaultCapacityProviderStrategy":[{"capacityProvider":"FARGATE"}]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 6b2b7903-63e1-422d-8430-2f6f42d999e8 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux 
lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T103016Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.PutClusterCapacityProviders + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 517 + uncompressed: false + body: '{"cluster":{"activeServicesCount":0,"attachments":[],"attachmentsStatus":"UPDATE_IN_PROGRESS","capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[{"base":0,"capacityProvider":"FARGATE","weight":0}],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":0,"settings":[{"name":"containerInsights","value":"disabled"}],"statistics":[],"status":"ACTIVE","tags":[]}}' + headers: + Content-Length: + - "517" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:30:16 GMT + X-Amzn-Requestid: + - c69873c0-548b-401e-907c-a638c731b1b1 + status: 200 OK + code: 200 + duration: 307.395526ms + - id: 6 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911417191628929" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - e005a035-be68-4260-8ae0-9f14158821c5 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + 
uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911417191628929 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911417191628929 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:30:17Z + + system:proxy + + + 1952e7ff-4d99-4575-8c8a-38b024e46ffa + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:30:16 GMT + X-Amzn-Requestid: + - 1952e7ff-4d99-4575-8c8a-38b024e46ffa + status: 200 OK + code: 200 + duration: 150.372238ms + - id: 7 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 106 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","include":["TAGS"],"services":["cluster1002-teleport-database-service"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 98d283b2-512c-4535-996b-4e731c7c20b3 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T103017Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeServices + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2237 + uncompressed: false + body: 
'{"failures":[],"services":[{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686911018875E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.686911018875E9,"desiredCount":0,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/4405686048337041128","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"COMPLETED","rolloutStateReason":"ECS deployment ecs-svc/4405686048337041128 completed.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","updatedAt":1.686911276471E9}],"desiredCount":0,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"Inactive","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-d
atabase-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"INACTIVE","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","version":0}]}' + headers: + Content-Length: + - "2237" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:30:16 GMT + X-Amzn-Requestid: + - e2653498-4325-4bbb-9ac4-cc27e4a43f3c + status: 200 OK + code: 200 + duration: 182.426226ms + - id: 8 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911417525904237" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 172620b7-271e-4b0a-bd22-d800e8b45d8b + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911417525904237 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911417525904237 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:30:17Z + + system:proxy + + + 2dfee334-96ba-4b28-b1ab-f03d7319e4c3 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:30:17 GMT + X-Amzn-Requestid: + - 2dfee334-96ba-4b28-b1ab-f03d7319e4c3 + status: 200 OK + code: 200 + duration: 151.698158ms + - id: 9 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 97 + 
transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","force":true,"service":"cluster1002-teleport-database-service"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - be391402-50ed-47f4-8c60-01bd985e1567 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T103017Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DeleteService + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2220 + uncompressed: false + body: '{"service":{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686911018875E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.686911018875E9,"desiredCount":0,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/4405686048337041128","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"COMPLETED","rolloutStateReason":"ECS deployment ecs-svc/4405686048337041128 
completed.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","updatedAt":1.686911276471E9}],"desiredCount":0,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"Inactive","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"INACTIVE","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","version":0}}' + headers: + Content-Length: + - "2220" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:30:17 GMT + X-Amzn-Requestid: + - b7dbd92d-43be-4a99-ba31-92fc9bf1a369 + status: 200 OK + code: 200 + duration: 199.660618ms + - id: 10 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911417878844563" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 698f1046-ff5f-4fa6-b4e4-22cb884fd75e + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + 
- application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911417878844563 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911417878844563 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:30:17Z + + system:proxy + + + a229c289-fa55-41b2-a834-03612aa9a715 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:30:17 GMT + X-Amzn-Requestid: + - a229c289-fa55-41b2-a834-03612aa9a715 + status: 200 OK + code: 200 + duration: 145.1559ms + - id: 11 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 693 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","desiredCount":1,"launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"propagateTags":"SERVICE","serviceName":"cluster1002-teleport-database-service","tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:9"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - cdf86819-8fce-4448-9935-03a92a55552f + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - 
aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T103018Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.CreateService + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2397 + uncompressed: false + body: '{"service":{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.68691141864E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.68691141864E9,"desiredCount":1,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/4110934217736066391","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/4110934217736066391 in 
progress.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:9","updatedAt":1.68691141864E9}],"desiredCount":1,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"Unknown","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:9","version":0}}' + headers: + Content-Length: + - "2397" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:30:18 GMT + X-Amzn-Requestid: + - 74f7a2f4-336a-4b00-8cce-95f7a7316233 + status: 200 OK + code: 200 + duration: 720.112397ms diff --git a/lib/integrations/awsoidc/fixtures/clusterdeleted.yaml b/lib/integrations/awsoidc/fixtures/clusterdeleted.yaml new file mode 100644 index 0000000000000..aabe355a491f4 --- /dev/null +++ b/lib/integrations/awsoidc/fixtures/clusterdeleted.yaml 
@@ -0,0 +1,603 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911015303171093" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 3a2ac659-e984-4e9a-ba39-0a3d7beed5ef + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911015303171093 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911015303171093 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:23:36Z + + system:proxy + + + 2a9da673-0f47-4bb6-91dd-366671d81336 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:23:36 GMT + X-Amzn-Requestid: + - 2a9da673-0f47-4bb6-91dd-366671d81336 + status: 200 OK + code: 200 + duration: 1.084193694s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1703 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","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"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 814af374-ec43-4838-90c8-8aef9ecc2b16 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102336Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2644 + uncompressed: false + body: 
'{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","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"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686911017061E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911015303171093","requiresAttributes":[{"name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":5,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2644" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:23:36 GMT + X-Amzn-Requestid: + - 
9a0f78d0-2968-4a3c-8271-92417a9eb9f5 + status: 200 OK + code: 200 + duration: 781.994571ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911017171905120" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 0f1e8c92-5197-4d31-a8c5-12eb8aa88b00 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911017171905120 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911017171905120 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:23:37Z + + system:proxy + + + e2bb9ffc-682e-4079-915a-4d7a4808fa1f + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:23:37 GMT + X-Amzn-Requestid: + - e2bb9ffc-682e-4079-915a-4d7a4808fa1f + status: 200 OK + code: 200 + duration: 142.424782ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 56 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"clusters":["cluster1002-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - e9d95420-aaa6-4cc1-bf6a-2107c0cee3f5 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 
md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102337Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 548 + uncompressed: false + body: '{"clusters":[{"activeServicesCount":0,"capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":0,"settings":[],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]}],"failures":[]}' + headers: + Content-Length: + - "548" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:23:37 GMT + X-Amzn-Requestid: + - 767e4aea-5243-44d8-94fb-9d0172ec7fb6 + status: 200 OK + code: 200 + duration: 180.19523ms + - id: 4 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911017497654970" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 994b16a8-1358-4c53-8462-70250fcdcbd4 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 
+ uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911017497654970 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911017497654970 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:23:37Z + + system:proxy + + + 6fa7c57c-a095-4ce7-95da-4f3eb2ad3034 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:23:37 GMT + X-Amzn-Requestid: + - 6fa7c57c-a095-4ce7-95da-4f3eb2ad3034 + status: 200 OK + code: 200 + duration: 137.223613ms + - id: 5 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 106 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","include":["TAGS"],"services":["cluster1002-teleport-database-service"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 8fa7c018-8224-4b3a-b92c-1dfc8460dd95 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102337Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeServices + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2240 + uncompressed: false + body: 
'{"failures":[],"services":[{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686910651901E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.68691073965E9,"desiredCount":0,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/9596191636721638307","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/9596191636721638307 in 
progress.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","updatedAt":1.686910887907E9}],"desiredCount":0,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"Inactive","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"INACTIVE","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","version":0}]}' + headers: + Content-Length: + - "2240" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:23:37 GMT + X-Amzn-Requestid: + - 4e23cdbb-a1a3-454e-bd12-834067db7d59 + status: 200 OK + code: 200 + duration: 186.472276ms + - id: 6 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911017829781203" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 268f875b-2dba-4d85-b110-2bbb6c092561 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - 
application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911017829781203 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911017829781203 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:23:37Z + + system:proxy + + + 5385652c-3790-4323-86d6-166b3a67dc00 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:23:37 GMT + X-Amzn-Requestid: + - 5385652c-3790-4323-86d6-166b3a67dc00 + status: 200 OK + code: 200 + duration: 152.749148ms + - id: 7 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 97 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","force":true,"service":"cluster1002-teleport-database-service"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - ada8dfc0-0c04-4956-aadf-239083d1e382 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102337Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DeleteService + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2223 + uncompressed: false + body: 
'{"service":{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686910651901E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.68691073965E9,"desiredCount":0,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/9596191636721638307","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/9596191636721638307 in progress.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","updatedAt":1.686910887907E9}],"desiredCount":0,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"Inactive","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-servi
ce","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"INACTIVE","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","version":0}}' + headers: + Content-Length: + - "2223" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:23:37 GMT + X-Amzn-Requestid: + - ac078326-e71c-4a34-bb2b-481cda74db95 + status: 200 OK + code: 200 + duration: 180.63118ms + - id: 8 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911018164695155" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 03a8664f-0cea-4f0d-9866-babd00b0b5e8 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911018164695155 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911018164695155 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:23:38Z + + system:proxy + + + 6fb7e9cb-0930-46dd-88fc-cc5174e844a2 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:23:38 GMT + X-Amzn-Requestid: + - 6fb7e9cb-0930-46dd-88fc-cc5174e844a2 + status: 200 OK + code: 200 + duration: 148.511174ms + - id: 9 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 693 + 
transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","desiredCount":1,"launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"propagateTags":"SERVICE","serviceName":"cluster1002-teleport-database-service","tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - aefd3195-8a6f-47e9-b127-93d700acf557 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102338Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.CreateService + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2400 + uncompressed: false + body: 
'{"service":{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686911018875E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.686911018875E9,"desiredCount":1,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/4405686048337041128","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/4405686048337041128 in progress.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","updatedAt":1.686911018875E9}],"desiredCount":1,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"Unknown","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-servi
ce","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","version":0}}' + headers: + Content-Length: + - "2400" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:23:38 GMT + X-Amzn-Requestid: + - f1613a7d-bcf3-4f0c-b5e7-ef347d9c4cb4 + status: 200 OK + code: 200 + duration: 685.396222ms diff --git a/lib/integrations/awsoidc/fixtures/emptyaccount.yaml b/lib/integrations/awsoidc/fixtures/emptyaccount.yaml new file mode 100644 index 0000000000000..8e7396ce7356c --- /dev/null +++ b/lib/integrations/awsoidc/fixtures/emptyaccount.yaml 
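Review bot: The cassette keeps the test account's real identifiers — account `278576220453`, role `MarcoTestRoleOIDCProvider` (role ID `AROAUBXDPZES62GD44VBR`), the OIDC provider `marcodinis.teleportdemo.net` and six `subnet-…` IDs — while only the STS credential fields appear to have been scrubbed to `xxx`, so the committed fixture discloses the account's topology and will churn on every re-recording against a different account. A go-vcr save hook such as `r.AddHook(scrubAWSIdentifiers, recorder.BeforeSaveHook)` that rewrites the account ID, ARNs, hostnames and subnet IDs to fixed placeholders in both `request.form`/`body` and `response.body` before the cassette is written would address both, and keeps the manual `xxx` edit from being forgotten next time. Separately, the recorded `CreateService` request in this hunk is sent with `assignPublicIp: ENABLED` and no `securityGroups`, which places the Teleport task in the VPC default security group with a public address; confirm in the code that builds this request (outside this hunk) that this is intended, or expose both as deployment parameters. Since this is a recorded fixture, the fix belongs in the recorder setup rather than in this file.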
@@ -0,0 +1,603 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910648103790394" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 0ec16bbb-d12d-4f16-8b52-420c4f3814cb + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910648103790394 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910648103790394 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:17:29Z + + system:proxy + + + 714cf5a1-1b33-48ce-a6cb-c6631cd89901 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:17:28 GMT + X-Amzn-Requestid: + - 714cf5a1-1b33-48ce-a6cb-c6631cd89901 + status: 200 OK + code: 200 + duration: 1.149154693s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1703 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","dmVyc2lvbjogdjMKdGVsZXBvcnQ6CiAgZGF0YV9kaXI6IC92YXIvbGliL3RlbGVwb3J0CiAgam9pbl9wYXJhbXM6CiAgICB0b2tlbl9uYW1lOiBkaXNjb3Zlci1hd3Mtb2lkYy1pYW0tdG9rZW4KICAgIG1ldGhvZDogaWFtCiAgcHJveHlfc2VydmVyOiBtYXJjb2RpbmlzLnRlbGVwb3J0ZGVtby5uZXQ6NDQzCiAgbG9nOgogICAgb3V0cHV0OiBzdGRlcnIKICAgIHNldmVyaXR5OiBJTkZPCiAgICBmb3JtYXQ6CiAgICAgIG91dHB1dDogdGV4dAogIGNhX3BpbjogIiIKICBkaWFnX2FkZHI6ICIiCmF1dGhfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgbGlzdGVuX2FkZHI6IDAuMC4wLjA6MzAyNQogIHByb3h5X2xpc3RlbmVyX21vZGU6IG11bHRpcGxleApzc2hfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgY29tbWFuZHM6CiAgLSBuYW1lOiBob3N0bmFtZQogICAgY29tbWFuZDogW2hvc3RuYW1lXQogICAgcGVyaW9kOiAxbTBzCnByb3h5X3NlcnZpY2U6CiAgZW5hYmxlZDogIm5vIgogIGh0dHBzX2tleXBhaXJzOiBbXQogIGh0dHBzX2tleXBhaXJzX3JlbG9hZF9pbnRlcnZhbDogMHMKICBhY21lOiB7fQpkYl9zZXJ2aWNlOgogIGVuYWJsZWQ6ICJ5ZXMiCiAgZGF0YWJhc2VzOiBbXQogIHJlc291cmNlczoKICAtIGxhYmVsczoKICAgICAgJyonOiAnKicK"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service","awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 5ca473cc-b779-421a-b136-701caf4ce932 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + 
X-Amz-Date: + - 20230616T101729Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2644 + uncompressed: false + body: '{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","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"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686910649892E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910648103790394","requiresAttributes":[{"name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":1,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east
-1:278576220453:task-definition/cluster1002-teleport-database-service:1","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2644" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:17:29 GMT + X-Amzn-Requestid: + - c569b627-652f-43db-a7bb-edaf884d070c + status: 200 OK + code: 200 + duration: 756.013031ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910650010453356" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - d8fdb754-fffb-4460-8af9-362363f065e5 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910650010453356 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910650010453356 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:17:30Z + + system:proxy + + + 39802281-a543-4888-983e-e3d2b63fdde4 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:17:29 GMT + X-Amzn-Requestid: + - 39802281-a543-4888-983e-e3d2b63fdde4 + status: 200 OK + code: 200 + duration: 158.400558ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 56 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"clusters":["cluster1002-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - cefebee1-8507-4d72-b54a-3a76da1d257c + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101730Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 121 + uncompressed: false + body: '{"clusters":[],"failures":[{"arn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","reason":"MISSING"}]}' + headers: + Content-Length: + - "121" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:17:30 GMT + X-Amzn-Requestid: + - 5c5124a4-7455-45da-849b-31a7f079c278 + status: 200 OK + code: 200 + duration: 217.33819ms + - id: 4 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910650387214490" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 0002d160-a1c8-49ce-ab5a-0b4628c065f3 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910650387214490 + 
arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910650387214490 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:17:30Z + + system:proxy + + + f7c67b09-a2de-4efc-9490-154e258f47f1 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:17:29 GMT + X-Amzn-Requestid: + - f7c67b09-a2de-4efc-9490-154e258f47f1 + status: 200 OK + code: 200 + duration: 139.254623ms + - id: 5 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 249 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"capacityProviders":["FARGATE"],"clusterName":"cluster1002-teleport","tags":[{"key":"teleport.dev/integration","value":"teleportdev"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"}]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 3a803920-8890-43a0-90bb-e33ddfe3b03b + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101730Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.CreateCluster + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 595 + uncompressed: false + body: 
'{"cluster":{"activeServicesCount":0,"capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":0,"settings":[{"name":"containerInsights","value":"disabled"}],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]},"clusterCount":0}' + headers: + Content-Length: + - "595" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:17:30 GMT + X-Amzn-Requestid: + - 79becd92-6fe3-449c-b4de-ea621a6e8a69 + status: 200 OK + code: 200 + duration: 342.249596ms + - id: 6 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910650870254453" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 38a0227b-c0d4-4d45-bd87-95205fc17172 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910650870254453 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910650870254453 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:17:30Z + + system:proxy + + + 
e43463ca-2484-4bd7-9bac-3c6107e48415 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:17:30 GMT + X-Amzn-Requestid: + - e43463ca-2484-4bd7-9bac-3c6107e48415 + status: 200 OK + code: 200 + duration: 141.740345ms + - id: 7 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 106 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","include":["TAGS"],"services":["cluster1002-teleport-database-service"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - ea60f52e-5aa1-499e-a6a0-edc025538fdc + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101731Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeServices + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 138 + uncompressed: false + body: '{"failures":[{"arn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport-database-service","reason":"MISSING"}],"services":[]}' + headers: + Content-Length: + - "138" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:17:31 GMT + X-Amzn-Requestid: + - 07d1c761-0564-41fe-b652-90cee79a7f8c + status: 200 OK + code: 200 + duration: 170.572086ms + - id: 8 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910651184282997" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - e0d21fed-06e3-46e2-a90d-83144dee0af4 
+ Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910651184282997 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910651184282997 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:17:31Z + + system:proxy + + + a785d6e1-cd93-4fc8-b4f8-8d89620c477d + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:17:30 GMT + X-Amzn-Requestid: + - a785d6e1-cd93-4fc8-b4f8-8d89620c477d + status: 200 OK + code: 200 + duration: 148.727427ms + - id: 9 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 693 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","desiredCount":1,"launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"propagateTags":"SERVICE","serviceName":"cluster1002-teleport-database-service","tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 8016bfc2-0358-44fb-88b9-6d05a0bf1ad5 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - 
application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101731Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.CreateService + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2378 + uncompressed: false + body: '{"service":{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686910651901E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.686910651901E9,"desiredCount":1,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/1232828310745079648","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/1232828310745079648 in 
progress.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1","updatedAt":1.686910651901E9}],"desiredCount":1,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runningCount":0,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1","version":0}}' + headers: + Content-Length: + - "2378" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:17:31 GMT + X-Amzn-Requestid: + - ba794ef5-7f97-478e-835e-a7b0264337df + status: 200 OK + code: 200 + duration: 666.538747ms diff --git a/lib/integrations/awsoidc/fixtures/replace.yaml b/lib/integrations/awsoidc/fixtures/replace.yaml new file mode 100644 index 0000000000000..b7d64880999fa --- /dev/null +++ b/lib/integrations/awsoidc/fixtures/replace.yaml 
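Review bot: The STS AssumeRoleWithWebIdentity response bodies recorded in this cassette (interactions 0, 2, 4, 6 and 8) carry their credential element reduced to `xxx`, but nothing in the fixture shows how that redaction happened, so it currently depends on whoever re-records remembering to scrub before committing. The cassette format is go-vcr's, and go-vcr v3 lets the recorder register a hook of kind `recorder.BeforeSaveHook` that rewrites each interaction before it is written; blanking the credential fields of any `sts.` response there would make the redaction part of the test setup rather than a manual step. The recording also keeps the real AWS account ID, IAM role and OIDC-provider ARNs, the `RoleSessionName` timestamps and six subnet IDs from the recording account; these are identifiers rather than secrets, but substituting placeholder values in the same hook would stop the fixture from pinning the test to one account and would make future re-recordings diff cleanly.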
@@ -0,0 +1,483 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910736627520216" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 85391854-7893-4e70-b931-5f5aab724452 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910736627520216 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910736627520216 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:18:57Z + + system:proxy + + + 5e613fa6-80ce-493b-a96d-50f8b0f00aff + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:18:57 GMT + X-Amzn-Requestid: + - 5e613fa6-80ce-493b-a96d-50f8b0f00aff + status: 200 OK + code: 200 + duration: 1.0508353s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1703 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","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"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 6e9fb77a-d68c-4169-b988-108aea590d7b + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101857Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2644 + uncompressed: false + body: 
'{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","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"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686910738291E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910736627520216","requiresAttributes":[{"name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":2,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2644" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:18:57 GMT + X-Amzn-Requestid: + - 
292c364b-712e-4927-b7ea-ed35b43617aa + status: 200 OK + code: 200 + duration: 724.527903ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910738404698814" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 6aa8e137-de7f-47af-b233-b86a989f1143 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910738404698814 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910738404698814 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:18:58Z + + system:proxy + + + f3897610-ff1e-416a-812b-5fdba24e12a4 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:18:58 GMT + X-Amzn-Requestid: + - f3897610-ff1e-416a-812b-5fdba24e12a4 + status: 200 OK + code: 200 + duration: 145.492676ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 56 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"clusters":["cluster1002-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 04603a04-39a0-46f0-ab1f-4081f81af429 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 
md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101858Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 548 + uncompressed: false + body: '{"clusters":[{"activeServicesCount":1,"capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":1,"settings":[],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]}],"failures":[]}' + headers: + Content-Length: + - "548" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:18:58 GMT + X-Amzn-Requestid: + - 9d17c5e6-4f93-4825-b645-e518b0f1f167 + status: 200 OK + code: 200 + duration: 184.047841ms + - id: 4 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910738735562164" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 01fdf3e9-f551-46fd-aed9-c2202e22de14 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 
+ uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910738735562164 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910738735562164 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:18:58Z + + system:proxy + + + 4ab8bc85-db6f-432a-bc11-50777f2264fd + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:18:58 GMT + X-Amzn-Requestid: + - 4ab8bc85-db6f-432a-bc11-50777f2264fd + status: 200 OK + code: 200 + duration: 144.014392ms + - id: 5 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 106 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","include":["TAGS"],"services":["cluster1002-teleport-database-service"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 87c60cd6-1af0-4570-a37b-50804832a361 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101858Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeServices + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2974 + uncompressed: false + body: 
'{"failures":[],"services":[{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686910651901E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.686910651901E9,"desiredCount":1,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/1232828310745079648","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"COMPLETED","rolloutStateReason":"ECS deployment ecs-svc/1232828310745079648 completed.","runningCount":1,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1","updatedAt":1.686910686813E9}],"desiredCount":1,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[{"createdAt":1.686910686818E9,"id":"ca5ece75-e4ea-41c8-8ad8-edf095100e2d","message":"(service cluster1002-teleport-database-service) has reached a steady state."},{"createdAt":1.686910686817E9,"id":"222346ec-1b7e-4c81-aabf-f295aa801242","message":"(service cluster1002-teleport-database-service) (deployment ecs-svc/1232828310745079648) deployment completed."},{"createdAt":1.686910657518E9,"id":"ae6c53a7-c6c5-40c2-96ff-f92614b68a47","message":"(service cluster1002-teleport-database-service) has started 1 tasks: (task 
44749166194b4226b1b18d60a46451fc)."}],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"SteadyState","runningCount":1,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1","version":0}]}' + headers: + Content-Length: + - "2974" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:18:58 GMT + X-Amzn-Requestid: + - a2a270ac-344b-41b8-ac00-9cb36a57e24c + status: 200 OK + code: 200 + duration: 187.743994ms + - id: 6 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910739068896807" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 85cbfbdc-a456-4c32-811b-d3420c88c15f + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - 
aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910739068896807 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910739068896807 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:18:59Z + + system:proxy + + + 3754099e-707d-4c7f-89db-5931c547396c + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:18:58 GMT + X-Amzn-Requestid: + - 3754099e-707d-4c7f-89db-5931c547396c + status: 200 OK + code: 200 + duration: 132.256221ms + - id: 7 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 513 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","desiredCount":1,"forceNewDeployment":true,"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"propagateTags":"SERVICE","service":"cluster1002-teleport-database-service","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 39683ebe-91cb-414f-ae9a-939e6a8be39d + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T101859Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.UpdateService + url: https://ecs.us-east-1.amazonaws.com/ + method: POST 
+ response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 3566 + uncompressed: false + body: '{"service":{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686910651901E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.68691073965E9,"desiredCount":0,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/9596191636721638307","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/9596191636721638307 in progress.","runningCount":0,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","updatedAt":1.68691073965E9},{"createdAt":1.686910651901E9,"desiredCount":1,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/1232828310745079648","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"COMPLETED","rolloutStateReason":"ECS deployment ecs-svc/1232828310745079648 
completed.","runningCount":1,"status":"ACTIVE","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1","updatedAt":1.686910686813E9}],"desiredCount":1,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[{"createdAt":1.686910686818E9,"id":"ca5ece75-e4ea-41c8-8ad8-edf095100e2d","message":"(service cluster1002-teleport-database-service) has reached a steady state."},{"createdAt":1.686910686817E9,"id":"222346ec-1b7e-4c81-aabf-f295aa801242","message":"(service cluster1002-teleport-database-service) (deployment ecs-svc/1232828310745079648) deployment completed."},{"createdAt":1.686910657518E9,"id":"ae6c53a7-c6c5-40c2-96ff-f92614b68a47","message":"(service cluster1002-teleport-database-service) has started 1 tasks: (task 44749166194b4226b1b18d60a46451fc)."}],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"SteadyState","runningCount":1,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"ACTIVE","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","version":0}}' + headers: + Content-Length: + - "3566" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:18:59 GMT + X-Amzn-Requestid: + - de1ff65d-2b3d-4277-8f77-0905880e3936 + status: 
200 OK + code: 200 + duration: 529.992623ms diff --git a/lib/integrations/awsoidc/fixtures/service_without_ownership_tags.yaml b/lib/integrations/awsoidc/fixtures/service_without_ownership_tags.yaml new file mode 100644 index 0000000000000..692d897641140 --- /dev/null +++ b/lib/integrations/awsoidc/fixtures/service_without_ownership_tags.yaml 
@@ -0,0 +1,363 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911098435542029" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - bcfb65e6-3d88-4331-aeb2-f839d9e6060c + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911098435542029 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911098435542029 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:24:59Z + + system:proxy + + + bd57d79a-87b5-4b43-bf47-425cb90789cf + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:24:59 GMT + X-Amzn-Requestid: + - bd57d79a-87b5-4b43-bf47-425cb90789cf + status: 200 OK + code: 200 + duration: 1.154254825s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1703 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","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"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - fa23fa36-c918-470f-8066-f4274fa6fe40 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102459Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2644 + uncompressed: false + body: 
'{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","dmVyc2lvbjogdjMKdGVsZXBvcnQ6CiAgZGF0YV9kaXI6IC92YXIvbGliL3RlbGVwb3J0CiAgam9pbl9wYXJhbXM6CiAgICB0b2tlbl9uYW1lOiBkaXNjb3Zlci1hd3Mtb2lkYy1pYW0tdG9rZW4KICAgIG1ldGhvZDogaWFtCiAgcHJveHlfc2VydmVyOiBtYXJjb2RpbmlzLnRlbGVwb3J0ZGVtby5uZXQ6NDQzCiAgbG9nOgogICAgb3V0cHV0OiBzdGRlcnIKICAgIHNldmVyaXR5OiBJTkZPCiAgICBmb3JtYXQ6CiAgICAgIG91dHB1dDogdGV4dAogIGNhX3BpbjogIiIKICBkaWFnX2FkZHI6ICIiCmF1dGhfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgbGlzdGVuX2FkZHI6IDAuMC4wLjA6MzAyNQogIHByb3h5X2xpc3RlbmVyX21vZGU6IG11bHRpcGxleApzc2hfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgY29tbWFuZHM6CiAgLSBuYW1lOiBob3N0bmFtZQogICAgY29tbWFuZDogW2hvc3RuYW1lXQogICAgcGVyaW9kOiAxbTBzCnByb3h5X3NlcnZpY2U6CiAgZW5hYmxlZDogIm5vIgogIGh0dHBzX2tleXBhaXJzOiBbXQogIGh0dHBzX2tleXBhaXJzX3JlbG9hZF9pbnRlcnZhbDogMHMKICBhY21lOiB7fQpkYl9zZXJ2aWNlOgogIGVuYWJsZWQ6ICJ5ZXMiCiAgZGF0YWJhc2VzOiBbXQogIHJlc291cmNlczoKICAtIGxhYmVsczoKICAgICAgJyonOiAnKicK"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686911100252E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911098435542029","requiresAttributes":[{"
name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":7,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:7","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2644" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:24:59 GMT + X-Amzn-Requestid: + - 14c3b5b8-2549-4207-9e38-a8f318d20927 + status: 200 OK + code: 200 + duration: 787.700865ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911100379112147" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 11017248-7baa-44f4-9c7c-9b82028c2711 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911100379112147 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911100379112147 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + 
xxx + 2023-06-16T11:25:00Z + + system:proxy + + + 43eb61dd-ac40-4bca-90ac-1d7d12a5661f + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:25:00 GMT + X-Amzn-Requestid: + - 43eb61dd-ac40-4bca-90ac-1d7d12a5661f + status: 200 OK + code: 200 + duration: 139.637922ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 56 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"clusters":["cluster1002-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 5db33d58-7bb7-42c9-a873-8a9ccee46d07 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102500Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 548 + uncompressed: false + body: '{"clusters":[{"activeServicesCount":1,"capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":1,"settings":[],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]}],"failures":[]}' + headers: + Content-Length: + - "548" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:25:00 GMT + X-Amzn-Requestid: + - 1ee3cccd-cd5d-4757-aa95-49a96128ca31 + status: 200 OK + code: 200 + duration: 185.564423ms + - id: 4 + request: + proto: "" + 
proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686911100705802122" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - a62f20e5-fc64-407c-bcd5-5e6d276fce62 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686911100705802122 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686911100705802122 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:25:00Z + + system:proxy + + + 34b3678b-c3e9-4ff6-b176-c62e4f92b279 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:25:00 GMT + X-Amzn-Requestid: + - 34b3678b-c3e9-4ff6-b176-c62e4f92b279 + status: 200 OK + code: 200 + duration: 145.865702ms + - id: 5 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 106 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","include":["TAGS"],"services":["cluster1002-teleport-database-service"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 4e9f605c-98fb-43a8-b8dd-6a12f9543159 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102500Z + 
X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeServices + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2974 + uncompressed: false + body: '{"failures":[],"services":[{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686911018875E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.686911018875E9,"desiredCount":1,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/4405686048337041128","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"COMPLETED","rolloutStateReason":"ECS deployment ecs-svc/4405686048337041128 completed.","runningCount":1,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","updatedAt":1.686911052717E9}],"desiredCount":1,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[{"createdAt":1.686911052725E9,"id":"e812395f-3a97-47e3-ac7c-264fd5991bee","message":"(service cluster1002-teleport-database-service) has reached a steady state."},{"createdAt":1.686911052724E9,"id":"3f552842-5a91-4f0a-b5e0-8a8038b46e58","message":"(service cluster1002-teleport-database-service) (deployment ecs-svc/4405686048337041128) deployment 
completed."},{"createdAt":1.686911023075E9,"id":"0dd1be6f-87d0-4ddc-8e44-0c0fdab088d2","message":"(service cluster1002-teleport-database-service) has started 1 tasks: (task 1ad87fcbc1a54cfbbcc1bb16da64b4a7)."}],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"SteadyState","runningCount":1,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1001"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:5","version":0}]}' + headers: + Content-Length: + - "2974" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:25:00 GMT + X-Amzn-Requestid: + - 55b93c4d-7e66-4b0f-8702-b61c25e6c806 + status: 200 OK + code: 200 + duration: 184.333605ms diff --git a/lib/integrations/awsoidc/fixtures/servicedeleted.yaml b/lib/integrations/awsoidc/fixtures/servicedeleted.yaml new file mode 100644 index 0000000000000..8ee28ef216940 --- /dev/null +++ b/lib/integrations/awsoidc/fixtures/servicedeleted.yaml 
@@ -0,0 +1,363 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910874064151403" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 83145c79-f826-4f77-bd75-5e82d28c2340 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910874064151403 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910874064151403 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:21:15Z + + system:proxy + + + 582b7133-0c2c-4d76-beeb-f27d0cb3310d + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:21:14 GMT + X-Amzn-Requestid: + - 582b7133-0c2c-4d76-beeb-f27d0cb3310d + status: 200 OK + code: 200 + duration: 1.087512264s + - id: 1 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 1703 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: 
'{"containerDefinitions":[{"command":["start","--config-string","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"],"entryPoint":["teleport"],"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"name":"teleport-service"}],"cpu":"2048","executionRoleArn":"MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","requiresCompatibilities":["FARGATE"],"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskRoleArn":"MarcoEC2Role"}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 11e9b430-ce55-4001-9103-e35e341609b3 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102115Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 2644 + uncompressed: false + body: 
'{"tags":[{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/integration","value":"teleportdev"}],"taskDefinition":{"compatibilities":["EC2","FARGATE"],"containerDefinitions":[{"command":["start","--config-string","dmVyc2lvbjogdjMKdGVsZXBvcnQ6CiAgZGF0YV9kaXI6IC92YXIvbGliL3RlbGVwb3J0CiAgam9pbl9wYXJhbXM6CiAgICB0b2tlbl9uYW1lOiBkaXNjb3Zlci1hd3Mtb2lkYy1pYW0tdG9rZW4KICAgIG1ldGhvZDogaWFtCiAgcHJveHlfc2VydmVyOiBtYXJjb2RpbmlzLnRlbGVwb3J0ZGVtby5uZXQ6NDQzCiAgbG9nOgogICAgb3V0cHV0OiBzdGRlcnIKICAgIHNldmVyaXR5OiBJTkZPCiAgICBmb3JtYXQ6CiAgICAgIG91dHB1dDogdGV4dAogIGNhX3BpbjogIiIKICBkaWFnX2FkZHI6ICIiCmF1dGhfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgbGlzdGVuX2FkZHI6IDAuMC4wLjA6MzAyNQogIHByb3h5X2xpc3RlbmVyX21vZGU6IG11bHRpcGxleApzc2hfc2VydmljZToKICBlbmFibGVkOiAibm8iCiAgY29tbWFuZHM6CiAgLSBuYW1lOiBob3N0bmFtZQogICAgY29tbWFuZDogW2hvc3RuYW1lXQogICAgcGVyaW9kOiAxbTBzCnByb3h5X3NlcnZpY2U6CiAgZW5hYmxlZDogIm5vIgogIGh0dHBzX2tleXBhaXJzOiBbXQogIGh0dHBzX2tleXBhaXJzX3JlbG9hZF9pbnRlcnZhbDogMHMKICBhY21lOiB7fQpkYl9zZXJ2aWNlOgogIGVuYWJsZWQ6ICJ5ZXMiCiAgZGF0YWJhc2VzOiBbXQogIHJlc291cmNlczoKICAtIGxhYmVsczoKICAgICAgJyonOiAnKicK"],"cpu":0,"entryPoint":["teleport"],"environment":[],"essential":true,"image":"public.ecr.aws/gravitational/teleport-distroless:13.1.1","logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"ecs-cluster1002-teleport","awslogs-region":"us-east-1","awslogs-stream-prefix":"cluster1002-teleport-database-service/cluster1002-teleport-database-service"}},"mountPoints":[],"name":"teleport-service","portMappings":[],"volumesFrom":[]}],"cpu":"2048","executionRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","family":"cluster1002-teleport-database-service","memory":"4096","networkMode":"awsvpc","placementConstraints":[],"registeredAt":1.686910875785E9,"registeredBy":"arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910874064151403","requiresAttributes":[{"
name":"com.amazonaws.ecs.capability.logging-driver.awslogs"},{"name":"ecs.capability.execution-role-awslogs"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.19"},{"name":"com.amazonaws.ecs.capability.task-iam-role"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.18"},{"name":"ecs.capability.task-eni"},{"name":"com.amazonaws.ecs.capability.docker-remote-api.1.29"}],"requiresCompatibilities":["FARGATE"],"revision":3,"status":"ACTIVE","taskDefinitionArn":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:3","taskRoleArn":"arn:aws:iam::278576220453:role/MarcoEC2Role","volumes":[]}}' + headers: + Content-Length: + - "2644" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:21:15 GMT + X-Amzn-Requestid: + - a8fce2bc-9fb0-4968-afe3-83411bac673b + status: 200 OK + code: 200 + duration: 746.311319ms + - id: 2 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910875900082744" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - 13d25227-2b61-4b24-986d-9ccc092c1ec5 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910875900082744 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910875900082744 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + 
xxx + 2023-06-16T11:21:15Z + + system:proxy + + + 40a4fc63-7873-4ac3-a6a6-4da2a6eb96c8 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:21:15 GMT + X-Amzn-Requestid: + - 40a4fc63-7873-4ac3-a6a6-4da2a6eb96c8 + status: 200 OK + code: 200 + duration: 140.115809ms + - id: 3 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 56 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"clusters":["cluster1002-teleport"],"include":["TAGS"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 5abd650e-1765-4815-b705-1374a343d43a + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102116Z + X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeClusters + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 548 + uncompressed: false + body: '{"clusters":[{"activeServicesCount":0,"capacityProviders":["FARGATE"],"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","clusterName":"cluster1002-teleport","defaultCapacityProviderStrategy":[],"pendingTasksCount":0,"registeredContainerInstancesCount":0,"runningTasksCount":2,"settings":[],"statistics":[],"status":"ACTIVE","tags":[{"key":"teleport.dev/cluster","value":"cluster1002"},{"key":"teleport.dev/origin","value":"integration_awsoidc"},{"key":"teleport.dev/integration","value":"teleportdev"}]}],"failures":[]}' + headers: + Content-Length: + - "548" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:21:15 GMT + X-Amzn-Requestid: + - ded4bb2f-b1b1-451f-96ba-5a5c80e3e58a + status: 200 OK + code: 200 + duration: 166.952212ms + - id: 4 + request: + proto: "" + 
proto_major: 0 + proto_minor: 0 + content_length: 841 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: "" + form: + Action: + - AssumeRoleWithWebIdentity + RoleArn: + - arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider + RoleSessionName: + - "1686910876208800294" + Version: + - "2011-06-15" + headers: + Amz-Sdk-Invocation-Id: + - a6760ac2-93ad-4bdd-9020-c91e421a32e7 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-www-form-urlencoded + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/sts/1.19.0 + url: https://sts.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 1930 + uncompressed: false + body: | + + + discover.teleport + + AROAUBXDPZES62GD44VBR:1686910876208800294 + arn:aws:sts::278576220453:assumed-role/MarcoTestRoleOIDCProvider/1686910876208800294 + + arn:aws:iam::278576220453:oidc-provider/marcodinis.teleportdemo.net + + xxx + 2023-06-16T11:21:16Z + + system:proxy + + + dd2d0a03-7ddc-4be7-bd2f-ffbbf41160b1 + + + headers: + Content-Length: + - "1930" + Content-Type: + - text/xml + Date: + - Fri, 16 Jun 2023 10:21:15 GMT + X-Amzn-Requestid: + - dd2d0a03-7ddc-4be7-bd2f-ffbbf41160b1 + status: 200 OK + code: 200 + duration: 143.453061ms + - id: 5 + request: + proto: "" + proto_major: 0 + proto_minor: 0 + content_length: 106 + transfer_encoding: [] + trailer: {} + host: "" + remote_addr: "" + request_uri: "" + body: '{"cluster":"cluster1002-teleport","include":["TAGS"],"services":["cluster1002-teleport-database-service"]}' + form: {} + headers: + Amz-Sdk-Invocation-Id: + - 5f0fc7fe-8e43-4e03-8d94-5a3166c24d40 + Amz-Sdk-Request: + - attempt=1; max=3 + Content-Type: + - application/x-amz-json-1.1 + User-Agent: + - aws-sdk-go-v2/1.18.0 os/linux lang/go/1.20.4 md/GOOS/linux md/GOARCH/amd64 api/ecs/1.27.1 + X-Amz-Date: + - 20230616T102116Z + 
X-Amz-Target: + - AmazonEC2ContainerServiceV20141113.DescribeServices + url: https://ecs.us-east-1.amazonaws.com/ + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 3777 + uncompressed: false + body: '{"failures":[],"services":[{"clusterArn":"arn:aws:ecs:us-east-1:278576220453:cluster/cluster1002-teleport","createdAt":1.686910651901E9,"createdBy":"arn:aws:iam::278576220453:role/MarcoTestRoleOIDCProvider","deploymentConfiguration":{"deploymentCircuitBreaker":{"enable":false,"rollback":false},"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"deployments":[{"createdAt":1.68691073965E9,"desiredCount":0,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/9596191636721638307","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"IN_PROGRESS","rolloutStateReason":"ECS deployment ecs-svc/9596191636721638307 in 
progress.","runningCount":1,"status":"PRIMARY","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","updatedAt":1.686910871683E9},{"createdAt":1.686910651901E9,"desiredCount":0,"failedLaunchTaskCount":0,"failedTasks":0,"id":"ecs-svc/1232828310745079648","launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"platformFamily":"Linux","platformVersion":"1.4.0","replacedTaskCount":0,"rolloutState":"COMPLETED","rolloutStateReason":"ECS deployment ecs-svc/1232828310745079648 completed.","runningCount":1,"status":"ACTIVE","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:1","updatedAt":1.686910819021E9}],"desiredCount":0,"enableECSManagedTags":false,"enableExecuteCommand":false,"events":[{"createdAt":1.686910770752E9,"id":"f58b5999-d12c-41b7-8923-c833c9c611ac","message":"(service cluster1002-teleport-database-service) has started 1 tasks: (task c5e1045426c2453cbed8c1d261d99923)."},{"createdAt":1.686910686818E9,"id":"ca5ece75-e4ea-41c8-8ad8-edf095100e2d","message":"(service cluster1002-teleport-database-service) has reached a steady state."},{"createdAt":1.686910686817E9,"id":"222346ec-1b7e-4c81-aabf-f295aa801242","message":"(service cluster1002-teleport-database-service) (deployment ecs-svc/1232828310745079648) deployment completed."},{"createdAt":1.686910657518E9,"id":"ae6c53a7-c6c5-40c2-96ff-f92614b68a47","message":"(service cluster1002-teleport-database-service) has started 1 tasks: (task 
44749166194b4226b1b18d60a46451fc)."}],"launchType":"FARGATE","loadBalancers":[],"networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"ENABLED","securityGroups":[],"subnets":["subnet-0b7ab67161173748b","subnet-0dda93c8621eb2e99","subnet-034f17b3f7344e375","subnet-04a07d4721a3c96e0","subnet-0ef025345dd791986","subnet-099632749366c2c56"]}},"pendingCount":0,"placementConstraints":[],"placementStrategy":[],"platformFamily":"Linux","platformVersion":"LATEST","propagateTags":"SERVICE","roleArn":"arn:aws:iam::278576220453:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS","runStatus":"Unset","runningCount":2,"schedulingStrategy":"REPLICA","serviceArn":"arn:aws:ecs:us-east-1:278576220453:service/cluster1002-teleport/cluster1002-teleport-database-service","serviceName":"cluster1002-teleport-database-service","serviceRegistries":[],"status":"DRAINING","taskDefinition":"arn:aws:ecs:us-east-1:278576220453:task-definition/cluster1002-teleport-database-service:2","version":0}]}' + headers: + Content-Length: + - "3777" + Content-Type: + - application/x-amz-json-1.1 + Date: + - Fri, 16 Jun 2023 10:21:15 GMT + X-Amzn-Requestid: + - 0018bde1-cab5-40b7-9ad4-0172ad01be8a + status: 200 OK + code: 200 + duration: 176.604987ms diff --git a/lib/integrations/awsoidc/tags.go b/lib/integrations/awsoidc/tags.go new file mode 100644 index 0000000000000..e0e4b64e3f726 --- /dev/null +++ b/lib/integrations/awsoidc/tags.go 
@@ -0,0 +1,81 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package awsoidc
+
+import (
+ "fmt"
+ "strings"
+
+ ecsTypes "github.com/aws/aws-sdk-go-v2/service/ecs/types"
+
+ "github.com/gravitational/teleport/api/types"
+)
+
+type awsTags map[string]string
+
+// String converts awsTags into a ',' separated list of k:v
+func (d awsTags) String() string {
+ tagsString := make([]string, 0, len(d))
+ for k, v := range d {
+ tagsString = append(tagsString, fmt.Sprintf("%s:%s", k, v))
+ }
+
+ return strings.Join(tagsString, ", ")
+}
+
+// DefaultResourceCreationTags returns the default tags that should be applied when creating new AWS resources.
+// The following tags are returned:
+// - teleport.dev/cluster:
+// - teleport.dev/origin: aws-oidc-integration
+// - teleport.dev/integration:
+func DefaultResourceCreationTags(clusterName, integrationName string) awsTags {
+ return awsTags{
+ types.ClusterLabel: clusterName,
+ types.OriginLabel: types.OriginIntegrationAWSOIDC,
+ types.IntegrationLabel: integrationName,
+ }
+}
+
+// ForECS returns the default tags using the expected type for ECS resources: [ecsTypes.Tag]
+func (d awsTags) ForECS() []ecsTypes.Tag {
+ ecsTags := make([]ecsTypes.Tag, 0, len(d))
+ for k, v := range d {
+ k, v := k, v
+ ecsTags = append(ecsTags, ecsTypes.Tag{
+ Key: &k,
+ Value: &v,
+ })
+ }
+ return ecsTags
+}
+
+// MatchesECSTags checks if the awsTags are present and have the same value in resourceTags.
+func (d awsTags) MatchesECSTags(resourceTags []ecsTypes.Tag) bool {
+ resourceTagsMap := make(map[string]string, len(resourceTags))
+ for _, tag := range resourceTags {
+ resourceTagsMap[*tag.Key] = *tag.Value
+ }
+
+ for awsTagKey, awsTagValue := range d {
+ resourceTagValue, found := resourceTagsMap[awsTagKey]
+ if !found || resourceTagValue != awsTagValue {
+ return false
+ }
+ }
+
+ return true
+}
diff --git a/lib/integrations/awsoidc/tags_test.go b/lib/integrations/awsoidc/tags_test.go
new file mode 100644
index 0000000000000..e9e03c214aee9
--- /dev/null
+++ b/lib/integrations/awsoidc/tags_test.go
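Review bot: `resourceTagsMap[*tag.Key] = *tag.Value` in MatchesECSTags dereferences both pointer fields of ecsTypes.Tag unguarded, so a tag the ECS API ever returns without a key or value (both are optional pointers in the SDK type) would panic the caller instead of answering false. This function is the gate that decides whether an existing ECS cluster or service is Teleport-managed before it is reused, so it should fail closed rather than crash: add `if tag.Key == nil || tag.Value == nil { continue }` at the top of the loop. The doc comment on DefaultResourceCreationTags lists the origin tag as `aws-oidc-integration`, but types.OriginIntegrationAWSOIDC (and the test added alongside) use `integration_awsoidc`; it should read `// - teleport.dev/origin: integration_awsoidc`. String() ranges over a map, so its output order varies from run to run; that is fine for a log line, but sort the keys before joining if the string is ever compared or persisted.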
@@ -0,0 +1,81 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package awsoidc
+
+import (
+ "testing"
+
+ ecsTypes "github.com/aws/aws-sdk-go-v2/service/ecs/types"
+ "github.com/stretchr/testify/require"
+)
+
+func TestDefaultTags(t *testing.T) {
+ clusterName := "mycluster"
+ integrationName := "myawsaccount"
+ d := DefaultResourceCreationTags(clusterName, integrationName)
+
+ expectedTags := awsTags{
+ "teleport.dev/cluster": "mycluster",
+ "teleport.dev/integration": "myawsaccount",
+ "teleport.dev/origin": "integration_awsoidc",
+ }
+ require.Equal(t, expectedTags, d)
+
+ t.Run("ecs tags", func(t *testing.T) {
+ expectedECSTags := []ecsTypes.Tag{
+ {Key: stringPointer("teleport.dev/cluster"), Value: stringPointer("mycluster")},
+ {Key: stringPointer("teleport.dev/integration"), Value: stringPointer("myawsaccount")},
+ {Key: stringPointer("teleport.dev/origin"), Value: stringPointer("integration_awsoidc")},
+ }
+ require.ElementsMatch(t, expectedECSTags, d.ForECS())
+ })
+
+ t.Run("resource is teleport managed", func(t *testing.T) {
+ t.Run("all tags match", func(t *testing.T) {
+ awsResourceTags := []ecsTypes.Tag{
+ {Key: stringPointer("teleport.dev/cluster"), Value: stringPointer("mycluster")},
+ {Key: stringPointer("teleport.dev/integration"), Value: stringPointer("myawsaccount")},
+ {Key: stringPointer("teleport.dev/origin"), Value: stringPointer("integration_awsoidc")},
+ }
+ require.True(t, d.MatchesECSTags(awsResourceTags), 
"resource was wrongly detected as not Teleport managed")
+ })
+ t.Run("extra tags in aws resource", func(t *testing.T) {
+ awsResourceTags := []ecsTypes.Tag{
+ {Key: stringPointer("teleport.dev/cluster"), Value: stringPointer("mycluster")},
+ {Key: stringPointer("teleport.dev/integration"), Value: stringPointer("myawsaccount")},
+ {Key: stringPointer("teleport.dev/origin"), Value: stringPointer("integration_awsoidc")},
+ {Key: stringPointer("unrelated"), Value: stringPointer("true")},
+ }
+ require.True(t, d.MatchesECSTags(awsResourceTags), "resource was wrongly detected as not Teleport managed")
+ })
+ t.Run("missing one of the labels should return false", func(t *testing.T) {
+ awsResourceTags := []ecsTypes.Tag{
+ {Key: stringPointer("teleport.dev/cluster"), Value: stringPointer("mycluster")},
+ {Key: stringPointer("teleport.dev/integration"), Value: stringPointer("myawsaccount")},
+ }
+ require.False(t, d.MatchesECSTags(awsResourceTags), "resource was wrongly detected as Teleport managed")
+ })
+ t.Run("one of the labels has a different value, should return false", func(t *testing.T) {
+ awsResourceTags := []ecsTypes.Tag{
+ {Key: stringPointer("teleport.dev/cluster"), Value: stringPointer("another-cluster")},
+ {Key: stringPointer("teleport.dev/integration"), Value: stringPointer("myawsaccount")},
+ {Key: stringPointer("teleport.dev/origin"), Value: stringPointer("integration_awsoidc")},
+ }
+ require.False(t, d.MatchesECSTags(awsResourceTags), "resource was wrongly detected as Teleport managed")
+ })
+ })
+}
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
index 8244b8acb8419..d97a7b345896e 100644
--- a/lib/web/apiserver.go
+++ b/lib/web/apiserver.go
@@ -761,6 +761,7 @@ func (h *Handler) bindDefaultEndpoints() { // AWS OIDC Integration Actions h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/databases", h.WithClusterAuth(h.awsOIDCListDatabases)) + h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService)) // AWS OIDC Integration specific endpoints: // Unauthenticated access to OpenID Configuration - used for AWS OIDC IdP integration diff --git a/lib/web/integrations_awsoidc.go b/lib/web/integrations_awsoidc.go index 71b87cde6b036..7fe849979bcdb 100644 --- a/lib/web/integrations_awsoidc.go +++ b/lib/web/integrations_awsoidc.go @@ -21,6 +21,7 @@ import ( "github.com/julienschmidt/httprouter" "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/api/utils" "github.com/gravitational/teleport/lib/httplib" "github.com/gravitational/teleport/lib/integrations/awsoidc" "github.com/gravitational/teleport/lib/reversetunnel" 
@@ -104,8 +105,58 @@ func (h *Handler) awsOIDCClientRequest(ctx context.Context, region string, p htt } return &awsoidc.AWSClientRequest{ - Token: token, - RoleARN: awsoidcSpec.RoleARN, - Region: region, + IntegrationName: integrationName, + Token: token, + RoleARN: awsoidcSpec.RoleARN, + Region: region, + }, nil +} + +// awsOIDCDeployService deploys a Discovery Service and a Database Service in Amazon ECS. +func (h *Handler) awsOIDCDeployService(w http.ResponseWriter, r *http.Request, p httprouter.Params, sctx *SessionContext, site reversetunnel.RemoteSite) (interface{}, error) { + ctx := r.Context() + + var req ui.AWSOIDCDeployServiceRequest + if err := httplib.ReadJSON(r, &req); err != nil { + return nil, trace.Wrap(err) + } + + awsClientReq, err := h.awsOIDCClientRequest(ctx, req.Region, p, sctx, site) + if err != nil { + return nil, trace.Wrap(err) + } + + deployDBServiceClient, err := awsoidc.NewDeployServiceClient(ctx, awsClientReq) + if err != nil { + return nil, trace.Wrap(err) + } + + databaseAgentMatcherLabels := make(types.Labels, len(req.DatabaseAgentMatcherLabels)) + for _, label := range req.DatabaseAgentMatcherLabels { + databaseAgentMatcherLabels[label.Name] = utils.Strings{label.Value} + } + + deployServiceResp, err := awsoidc.DeployService(ctx, deployDBServiceClient, awsoidc.DeployServiceRequest{ + Region: req.Region, + SubnetIDs: req.SubnetIDs, + ClusterName: req.ClusterName, + ServiceName: req.ServiceName, + TaskName: req.TaskName, + TaskRoleARN: req.TaskRoleARN, + ProxyServerHostPort: h.PublicProxyAddr(), + TeleportClusterName: h.auth.clusterName, + DeploymentMode: req.DeploymentMode, + IntegrationName: awsClientReq.IntegrationName, + DatabaseResourceMatcherLabels: databaseAgentMatcherLabels, + }) + if err != nil { + return nil, trace.Wrap(err) + } + + return ui.AWSOIDCDeployServiceResponse{ + ClusterARN: deployServiceResp.ClusterARN, + ServiceARN: deployServiceResp.ServiceARN, + TaskDefinitionARN: deployServiceResp.TaskDefinitionARN, + 
ServiceDashboardURL: deployServiceResp.ServiceDashboardURL, }, nil } diff --git a/lib/web/ui/integration.go b/lib/web/ui/integration.go index d795ba7451fd8..0f42452f5bb89 100644 --- a/lib/web/ui/integration.go +++ b/lib/web/ui/integration.go 
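Review bot: awsOIDCDeployService forwards every decoded request field to awsoidc.DeployService without validating it, and it mints the OIDC token and builds the AWS client (which, as the recorded cassette in this diff shows, costs an STS AssumeRoleWithWebIdentity round-trip) before the request is known to be usable. Unless DeployService validates these itself (its body is not in this diff), reject obviously bad input right after ReadJSON: `if req.Region == "" || req.TaskRoleARN == "" || len(req.SubnetIDs) == 0 { return nil, trace.BadParameter("region, taskRoleArn and subnetIds are required") }`. TaskRoleARN deserves particular care because it is a caller-chosen role that the integration role will PassRole into the ECS task (per the field's own doc comment), so an empty or malformed value should never reach AWS. The loop that builds databaseAgentMatcherLabels silently overwrites when the UI sends the same label name twice; `databaseAgentMatcherLabels[label.Name] = append(databaseAgentMatcherLabels[label.Name], label.Value)` would keep every value. awsOIDCClientRequest's body starts before this hunk.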
@@ -126,3 +126,56 @@ type AWSOIDCListDatabasesResponse struct {
 // If non-empty, it can be used to request the next page.
 NextToken string `json:"nextToken,omitempty"`
 }
+
+// AWSOIDCDeployServiceRequest contains the required fields to perform a DeployService request.
+type AWSOIDCDeployServiceRequest struct {
+ // Region is the AWS Region for the Service.
+ Region string `json:"region"`
+
+ // SubnetIDs associated with the Service.
+ // If deploying a Database Service, you should use the SubnetIDs returned by the List Database API call.
+ SubnetIDs []string `json:"subnetIds"`
+
+ // ClusterName is the ECS Cluster to be used.
+ // Optional.
+ // Defaults to -teleport, eg. acme-teleport
+ ClusterName *string `json:"clusterName"`
+
+ // ServiceName is the ECS Service that should be used.
+ // Optional.
+ // Defaults to -teleport-service, eg acme-teleport-service
+ ServiceName *string `json:"serviceName"`
+
+ // TaskName is the ECS Task Definition family name.
+ // Optional.
+ // Defaults to -teleport-, eg acme-teleport-database-service
+ TaskName *string `json:"taskName"`
+
+ // TaskRoleARN is the AWS Role's ARN used within the Task execution.
+ // Ensure the AWS Client's Role has `iam:PassRole` for this Role's ARN.
+ // This can be either the ARN or the short name of the AWS Role.
+ TaskRoleARN string `json:"taskRoleArn"`
+
+ // DeploymentMode is the deployment configuration for the service.
+ // This indicates what set of services should be deployed.
+ DeploymentMode string `json:"deploymentMode"`
+
+ // DatabaseAgentMatcherLabels are the labels to be used when deploying a Database Service.
+ // Those are the resource labels that the Service will monitor and proxy connections to.
+ DatabaseAgentMatcherLabels []Label `json:"databaseAgentMatcherLabels"`
+}
+
+// AWSOIDCDeployServiceResponse contains the resources that were used to deploy a Teleport Service.
+type AWSOIDCDeployServiceResponse struct {
+ // ClusterARN is the Amazon ECS Cluster ARN where the task was started.
+ ClusterARN string `json:"clusterArn"`
+
+ // ServiceARN is the Amazon ECS Cluster Service ARN created to run the task.
+ ServiceARN string `json:"serviceArn"`
+
+ // TaskDefinitionARN is the Amazon ECS Task Definition ARN created to run the Service.
+ TaskDefinitionARN string `json:"taskDefinitionArn"`
+
+ // ServiceDashboardURL is a link to the service's Dashboard URL in Amazon Console.
+ ServiceDashboardURL string `json:"serviceDashboardUrl"`
+}
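Review bot: AWSOIDCDeployServiceRequest gives the caller no way to choose security groups for the deployed task, and the recorded DescribeServices response earlier in this diff shows the outcome: `"securityGroups":[]` together with `"assignPublicIp":"ENABLED"`, which ECS fills in with the VPC's default security group on a public IP. A `SecurityGroupIDs []string` field (json `securityGroupIds`) next to SubnetIDs, threaded through to the awsvpc configuration on the DeployService side (not in this diff), would let operators scope the database agent's exposure. The struct also has no validation method even though Region and TaskRoleARN are documented as required and the three *string fields as optional with defaults; a CheckAndSetDefaults enforcing exactly that contract would keep the handler from forwarding empty values to AWS. As rendered here the `Defaults to -teleport` comments are missing the placeholder before the dash (presumably a cluster-name token dropped in rendering); if the source reads the same, spell it out, e.g. `// Defaults to the Teleport cluster name followed by -teleport, eg. acme-teleport`.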