AWS OIDC - DeployService: configure IAM

[marcoandredinis]

DeployService allows the user to deploy a Database Service (other services will be available later on) in a single click.
You can read more about it here:
#27035
#25521 (comment)

The IAM set up consists of:

• creating a new Role with specific Policies and set a Boundary Policy
• allowing the Integration role to pass that Role when starting the ECS Service
  It's quite tedious and error prone.

Instead of giving users a detailed guide on how to set this up, we will ask users to run this command on their machine or Amazon CloudShell.
They must have the following permission to be able to run the configuration command:

- iam:CreatePolicy
- iam:CreateRole
- iam:PutRolePolicy
- iam:TagPolicy
- iam:TagRole

The script does not try to be smart:

• only creates the resources if they don't exist previously
• does not attempt to rollback any created resources if some action fails

We can add more checks to ensure a better UX, but we decided to keep things simple and safe for now.
If you think otherwise, please let me know.

Demo:

ubuntu@ip-172-31-39-120 ~/pg [1]> teleport integration configure deployservice-iam --cluster lenix --name teleportdev --aws-region eu-west-1 --role MarcoTestRoleOIDCProvider --task-role MarcoRoleForDS
2023/06/26 16:21:51 TaskRole: Boundary Policy "MarcoRoleForDSBoundary" created.
2023/06/26 16:21:51 TaskRole: Role "MarcoRoleForDS" created with Boundary "arn:aws:iam::278576220453:policy/MarcoRoleForDSBoundary".
2023/06/26 16:21:51 TaskRole: IAM Policy "MarcoRoleForDS" added to Role "MarcoRoleForDS".
2023/06/26 16:21:51 IntegrationRole: IAM Policy "DeployService" added to Role "MarcoTestRoleOIDCProvider"

Running the script again, returns an error indicating that the policy (used as Task Role Boundary) already exists

ubuntu@ip-172-31-39-120 ~/pg> teleport integration configure deployservice-iam --cluster lenix --name teleportdev --aws-region eu-west-1 --role MarcoTestRoleOIDCProvider --task-role MarcoRoleForDS
ERROR: Policy "MarcoRoleForDSBoundary" already exists, please remove it and try again.

If the IntegrationRole does not exist:

ubuntu@ip-172-31-39-120 ~/pg [1]> teleport integration configure deployservice-iam --cluster lenix --name teleportdev --aws-region eu-west-1 --role RoleThatDoesNotExist --task-role MarcoRoleForDS
2023/06/26 16:23:55 TaskRole: Boundary Policy "MarcoRoleForDSBoundary" created.
2023/06/26 16:23:55 TaskRole: Role "MarcoRoleForDS" created with Boundary "arn:aws:iam::278576220453:policy/MarcoRoleForDSBoundary".
2023/06/26 16:23:55 TaskRole: IAM Policy "MarcoRoleForDS" added to Role "MarcoRoleForDS".
ERROR: Role "RoleThatDoesNotExist" not found.

[smallinsky]

First pass.

[smallinsky]

Suggested change

	Principals map[string]SliceOrString `json:"Principal,omitempty"`
	Principal map[string]SliceOrString `json:"Principal,omitempty"`

[marcoandredinis]

I was trying to be consistent with the fields above
They use plural form but then the json tag is singular
Should we change them to singular as well? Resource and Action vs Resources and Actions

[smallinsky]

Oh, I haven't notice this. Lets ignore my comment and keep this constant.

[smallinsky]

The integration is quite generic but what is the difference between :
-- teleprot discovery bootstrap
-- db configure bootstrap

Do we need to introduce new patter for the deployservice-iam service.

Can we just create teleport deployservice-iam bootstrap/configure commands ?

[marcoandredinis]

This is not (yet) discovery related.
It only installs a DatabaseService in Amazon ECS for the proxy.

We can, yeah
We might have other configuration needs when setting up the IAM requirements for other integrations and I was trying to create an abstraction/layer for them. So that they don't pollute the top level teleport commands

[marcoandredinis]

Friendly ping @smallinsky @gabrielcorado @greedy52 🙏

[smallinsky]

Left some nit comments but mostly LGTM.

[smallinsky]

Oh, I haven't notice this. Lets ignore my comment and keep this constant.

[smallinsky]

Key and Value of d awsTags[map[string]string are "value" types. Why do we need make a second copy ?

[marcoandredinis]

But then we use their address because iamTypes.Tag.Key/Value require string pointers.
I just removed the second copy and the tests in tags_test.go fail because of it

[greedy52]

i think they will fix this in newer go, eventually
https://github.com/golang/go/wiki/LoopvarExperiment.
An alternative is to use aws.String() instead of &k/&v that takes care of the copy through function call

[gabrielcorado]

LGTM.

[gabrielcorado]

Nit: maybe a good place to put these functions is lib/utils/aws/aws.go. There are some similar functions, but for the IAM role and user.

[marcoandredinis]

	awsapiutils "github.com/gravitational/teleport/api/utils/aws"
	awslib "github.com/gravitational/teleport/lib/cloud/aws"
	awslibutils "github.com/gravitational/teleport/lib/utils/aws"

🥵

[gabrielcorado]

A question that might be outside this PR scope: What about using the already existing cloud clients for getting AWS clients? It already initializes the connection (I know the db configurator does not rely on it too, but there is no reason not to use it). The good thing is that AWS already supports some good options, like cross-account clients, and already has a test implementation. That would also help us get everything to use the same SDK major version.

[greedy52]

My 2c on this, we should really move to v2. I submitted a small request in v1 a few months ago. They rejected and ask me to request it in v2. Maybe we should start a cloud.ClientsV2.

[marcoandredinis]

Yeah, I really wanted to use V2 here
I could create the same abstraction for V2, but that seemed to be overkill for this PR

[greedy52]

is there plan to support other DB types of deploy service? if so, ideally can share this with the db actions listed in configurators/aws. I guess we can refactor when that days comes too =D.

[marcoandredinis]

We will probably have more in the future 👍

There's indeed some duplication that we should get rid off.
Let's see how the DeployService evolves and then centralize all these statements.

[greedy52]

should here return the converted type?

[marcoandredinis]

I wanted to change the message so that it includes an action to resolve the issue ("remove it").
This way, the user can fix it.

If I return the converted type, then it will be the raw AWS error message.

[greedy52]

i meant the return trace.Wrap(err) after the already exist check (like return trace.Wrap(the-converted-error). I guess not big difference.

[marcoandredinis]

Oh right 🙏
Yes! changing

[greedy52]

Can an intergration role used for multiple task roles? if so, the policy names will collide.

[marcoandredinis]

We might need to change this when we have multiple Deployment Modes.
For now, there's only database-service so they should not collide.

I'll make sure to add a suffix when we add a policy for another deployment.
Or we might have this policy always having the set of required statements for the deployments we have

[public-teleport-github-review-bot]

@marcoandredinis See the table below for backport results.

Branch	Result
branch/v13	Failed