[Web] Add Discover flow for enrolling EC2 Instances with EICE#32202
@rudream - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.
marcoandredinis
left a comment
Awesome job 💪
I left some comments.
The only blocker I'm seeing is the Test Connection part
Btw, I tested this locally and using Cloud Stage and both envs worked 👍
| AssistAccessRequest assist_access_request = 38; | ||
| AssistAction assist_action = 39; | ||
| UIDiscoverEC2InstanceSelectionEvent ui_discover_ec2_instance_selection = 40; | ||
| UIDiscoverEICEDeployNodeCreateEvent ui_discover_eice_deploy_node_create = 41; |
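Review bot: `UIDiscoverEICEDeployNodeCreateEvent` (field 41) bundles two distinct operations, deploying the EICE in AWS and creating the node in Teleport, into a single usage event, so a failure in either step is reported under the same name; one event per operation (EICE deploy, node create) keeps the metrics attributable to the step that actually failed. Field numbers 40 and 41 continue sequentially from 39, which is fine.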
Can we have two separate events here?
One for deploying the EICE and another one for creating the resource in teleport.
can you split this into two PRs:
- events (including frontend bits)
- web stuff
I generally try not to mix backend/frontend bits like this unless it's trivial or small (maybe this is what you meant if you should split, and sorry if I misled you :)).
I will also split if there is no dependency (or if one bit can block the entire PR from merging).
kimlisa
left a comment
I'll take a closer look tomorrow while testing the e2e.
Backend looks good to me 👍
with some minor comments, lgtm
please take care of particularly #32202 (comment) and the one below it
avatus
left a comment
After the suggested fixes LGTM
Purpose
Part of #29317
Adds a Discover flow to enroll an AWS EC2 Instance using an EC2 Instance Connect Endpoint.
PR for usage events: #32617
Flow
Step 1: The user selects the AWS OIDC integration to use. If they don't have any, they can be redirected to the steps to add the integration, and after that they will be returned to the Discover flow. (This is the same behaviour as the first step for RDS).
Step 2: The user selects the AWS region they want to list EC2 instances for and selects the EC2 instance they want to enroll. If there is an AWS-related permissions error that prevents them from listing their EC2 instances, we show a CloudShell script that they can run which will configure the required IAM permissions.
At this stage, we check whether or not there is already an EC2 Instance Connect Endpoint (EICE) that exists in that VPC.
- If there is no existing EICE, we go to step 3 where we create one.
- If there is an EICE and it is in state `create-complete` (meaning it has been created and is ready to be used), we skip steps 3 and 4 and go straight to step 5 where the Teleport node is created.
- If there is an EICE but it is in state `create-in-progress`, then we skip step 3 and go straight to step 4 and wait for it to become `create-complete`.
Step 3: The user selects security groups that they want to assign to the new EICE that is about to be created. Selecting security groups here is optional. Once they click `Next`, we deploy the new EICE and a dialog is shown.
Step 4: The dialog shows a loading bar and waits for the EICE to be in the `create-complete` state; until then, it will be `create-in-progress`. It polls every 10 seconds to check the state of the EICE.
- If the state is `create-failed`, we display an error message letting the user know that there was an error during the creation process and provide them with a link to their AWS dashboard where they can troubleshoot the problem or manually create the EICE. We still continue polling so that if they do resolve the issue and the EICE becomes `create-complete`, we can continue the flow.
- Once the state is `create-complete`, we automatically go to step 5. The user doesn't have to click anything.
Step 5: Still in the same dialog, we create the Teleport node; this only takes a couple of seconds. After this they can proceed to the next step.
Step 6: The user configures the OS users that will be used to connect to the newly created node.
Step 7: The user can test the connection to the newly created node.
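The step 2 branching and the step 4 polling rules described above, as an added TypeScript example that is not code from this PR: the function names, the `maxPolls` cap and the handling of a pre-existing `create-failed` endpoint (sent to step 4, where its error is surfaced) are assumptions, while the state names, step numbers and 10-second interval are the description's.

```typescript
// Added example, not code from the PR. Models the Discover flow's
// branching (step 2) and EICE polling (step 4) as pure functions so the
// transitions can be checked offline. Function names, the maxPolls cap
// and the handling of a pre-existing create-failed endpoint are assumptions.
type EiceState = "create-in-progress" | "create-complete" | "create-failed";

const POLL_INTERVAL_SECONDS = 10; // step 4 polls every 10 seconds

// Step 2: once we know whether an EICE already exists in the VPC, decide
// which step comes next.
function nextStepAfterSelection(existing: EiceState | null): 3 | 4 | 5 {
  if (existing === null) return 3;              // no EICE: create one (step 3)
  if (existing === "create-complete") return 5; // ready: create the Teleport node
  // create-in-progress goes to the wait dialog; a pre-existing create-failed
  // is sent there too so its error is surfaced (assumption, not in the PR).
  return 4;
}

interface PollResult {
  polls: number;                    // number of state checks performed
  elapsedSeconds: number;           // polls * POLL_INTERVAL_SECONDS
  errorShown: boolean;              // create-failed message was displayed
  outcome: "complete" | "gave-up";  // gave-up only when maxPolls is hit
}

// Step 4: consume one observed state per poll. A create-failed state shows
// the error but does not stop polling, so a manual fix in the AWS console
// is picked up; create-complete ends the wait and the flow moves to step 5.
function pollUntilComplete(observations: EiceState[], maxPolls = 60): PollResult {
  let errorShown = false;
  let polls = 0;
  for (const state of observations) {
    if (polls >= maxPolls) break;
    polls++;
    if (state === "create-complete") {
      return { polls, elapsedSeconds: polls * POLL_INTERVAL_SECONDS, errorShown, outcome: "complete" };
    }
    if (state === "create-failed") errorShown = true; // show the message, keep polling
  }
  return { polls, elapsedSeconds: polls * POLL_INTERVAL_SECONDS, errorShown, outcome: "gave-up" };
}
```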
Demo
Select EC2 Instance
Select Security Groups
EICE Deployment Dialog