Skip to content

Use the regions in specified in the teleport config instead of the environment for discovery bootstrap #31401

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lxea merged 1 commit into from
Sep 11, 2023
Merged

Use the regions in specified in the teleport config instead of the environment for discovery bootstrap #31401

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 34 additions & 11 deletions lib/configurators/aws/aws.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -296,8 +296,8 @@ type ConfiguratorConfig struct {
AWSSTSClient stsiface.STSAPI
// AWSIAMClient AWS IAM client.
AWSIAMClient iamiface.IAMAPI
// AWSSSMClient AWS SSM Client
AWSSSMClient ssmiface.SSMAPI
// AWSSSMClient is a mapping of region -> ssm client
AWSSSMClients map[string]ssmiface.SSMAPI
// Policies instance of the `Policies` that the actions use.
Policies awslib.Policies
// Identity is the current AWS credentials chain identity.
Expand Down Expand Up @@ -338,8 +338,29 @@ func (c *ConfiguratorConfig) CheckAndSetDefaults() error {
return trace.Wrap(err)
}
}
if c.AWSSSMClient == nil {
c.AWSSSMClient = ssm.New(c.AWSSession)
if c.AWSSSMClients == nil {
c.AWSSSMClients = make(map[string]ssmiface.SSMAPI)
for _, matcher := range c.ServiceConfig.Discovery.AWSMatchers {
if !slices.Contains(matcher.Types, services.AWSMatcherEC2) {
continue
}
for _, region := range matcher.Regions {
if _, ok := c.AWSSSMClients[region]; ok {
continue
}
session, err := awssession.NewSessionWithOptions(awssession.Options{
Config: aws.Config{
Region: &region,
},
SharedConfigState: awssession.SharedConfigEnable,
})
if err != nil {
return trace.Wrap(err)
}
c.AWSSSMClients[region] = ssm.New(session)
}
}

}

if c.Policies == nil {
Expand Down Expand Up @@ -487,7 +508,7 @@ func buildDiscoveryActions(config ConfiguratorConfig, targetCfg targetConfig) ([
return nil, err
}

actions = append(actions, buildSSMDocumentCreators(config.AWSSSMClient, targetCfg, proxyAddr)...)
actions = append(actions, buildSSMDocumentCreators(config.AWSSSMClients, targetCfg, proxyAddr)...)
return actions, nil
}

Expand Down Expand Up @@ -749,18 +770,20 @@ func getProxyAddrFromConfig(cfg *servicecfg.Config, flags configurators.Bootstra
return "", trace.NotFound("proxy address not found, please provide --proxy, or set either teleport.proxy_server or proxy_service.public_addr in the teleport config")
}

func buildSSMDocumentCreators(ssm ssmiface.SSMAPI, targetCfg targetConfig, proxyAddr string) []configurators.ConfiguratorAction {
func buildSSMDocumentCreators(ssm map[string]ssmiface.SSMAPI, targetCfg targetConfig, proxyAddr string) []configurators.ConfiguratorAction {
var creators []configurators.ConfiguratorAction
for _, matcher := range targetCfg.awsMatchers {
if !slices.Contains(matcher.Types, services.AWSMatcherEC2) {
continue
}
ssmCreator := awsSSMDocumentCreator{
ssm: ssm,
Name: matcher.SSM.DocumentName,
Contents: EC2DiscoverySSMDocument(proxyAddr),
for _, region := range matcher.Regions {
ssmCreator := awsSSMDocumentCreator{
ssm: ssm[region],
Name: matcher.SSM.DocumentName,
Contents: EC2DiscoverySSMDocument(proxyAddr),
}
creators = append(creators, &ssmCreator)
}
creators = append(creators, &ssmCreator)
}
return creators
}
Expand Down
19 changes: 10 additions & 9 deletions lib/configurators/aws/aws_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1809,14 +1809,15 @@ func TestAWSDocumentConfigurator(t *testing.T) {
AWSSession: &awssession.Session{},
AWSIAMClient: &iamMock{},
AWSSTSClient: &STSMock{ARN: "arn:aws:iam::1234567:role/example-role"},
AWSSSMClient: &SSMMock{
t: t,
expectedInput: &ssm.CreateDocumentInput{
Content: aws.String(EC2DiscoverySSMDocument("https://proxy.example.org:443")),
DocumentType: aws.String("Command"),
DocumentFormat: aws.String("YAML"),
Name: aws.String("document"),
},
AWSSSMClients: map[string]ssmiface.SSMAPI{
"eu-central-1": &SSMMock{
t: t,
expectedInput: &ssm.CreateDocumentInput{
Content: aws.String(EC2DiscoverySSMDocument("https://proxy.example.org:443")),
DocumentType: aws.String("Command"),
DocumentFormat: aws.String("YAML"),
Name: aws.String("document"),
}},
},
ServiceConfig: serviceConfig,
Flags: configurators.BootstrapFlags{
Expand Down Expand Up @@ -1849,7 +1850,7 @@ func TestAWSConfigurator(t *testing.T) {
AWSSession: &awssession.Session{},
AWSIAMClient: &iamMock{},
AWSSTSClient: &STSMock{ARN: "arn:aws:iam::1234567:role/example-role"},
AWSSSMClient: &SSMMock{},
AWSSSMClients: map[string]ssmiface.SSMAPI{"eu-central-1": &SSMMock{}},
ServiceConfig: &servicecfg.Config{},
Flags: configurators.BootstrapFlags{
AttachToUser: "some-user",
Expand Down