BYOB: Bootstrap Athena Infrastructure#33272
Conversation
logand22
force-pushed
the
logan/bootstrap-athena-infra
branch
from
62e8a86 to
b01cac2
Compare
nklaassen
left a comment
nklaassen
left a comment
There was a problem hiding this comment.
Looking pretty good, a few comments
| integrationBootstrapCmd := integrationCmd.Command("bootstrap", "Bootstrap an integration") | ||
| integrationBootstrapCreateExternalCloudAuditCmd := integrationBootstrapCmd.Command("externalcloudaudit", "Bootstraps external cloud audit infrastructure.") | ||
| integrationBootstrapCreateExternalCloudAuditCmd.Flag("aws-region", "The region to use. Overrides config/env settings").StringVar(&ccf. | ||
| IntegrationBootstrapCreateExternalCloudAuditArguments.Region) | ||
| integrationBootstrapCreateExternalCloudAuditCmd.Flag("long-term-storage-bucket", "S3 Bucket for long term storage of audit events and session recordings."). | ||
| Required().StringVar(&ccf.IntegrationBootstrapCreateExternalCloudAuditArguments.LongTermStorageBucket) | ||
| integrationBootstrapCreateExternalCloudAuditCmd.Flag("transient-bucket", "S3 bucket for transient storage of athena query results and large payloads."). | ||
| Required().StringVar(&ccf.IntegrationBootstrapCreateExternalCloudAuditArguments.TransientBucket) | ||
|
|
||
| integrationBootstrapCreateExternalCloudAuditCmd.Flag("athena-workgroup", "Name of athena workgroup").Default("teleport").StringVar(&ccf. | ||
| IntegrationBootstrapCreateExternalCloudAuditArguments.AthenaWorkgroup) | ||
| integrationBootstrapCreateExternalCloudAuditCmd.Flag("glue-database-name", "Name of the glue database to create").Default("teleport").StringVar(&ccf. | ||
| IntegrationBootstrapCreateExternalCloudAuditArguments.DatabaseName) | ||
| integrationBootstrapCreateExternalCloudAuditCmd.Flag("glue-table-name", "Name of the glue table to create").Default("auditevents").StringVar(&ccf. | ||
| IntegrationBootstrapCreateExternalCloudAuditArguments.TableName) |
There was a problem hiding this comment.
I met with the design team yesterday and we agreed it would be preferable to have a single one-off command to handle both the resource bootstrap and creating the IAM permissions. Instead of a whole bunch of arguments I think I'd like to pass the entire ExternalCloudAudit config as a JSON blob. Maybe leave the CLI command out of this PR, I will handle combining it with the IAM permissions command I already created, if you can just write the function that handles creating all the resources, taking this ExternalCloudAudit type and the region as input. Eventually I think I will actually add the region to that type, we should store it somewhere.
logand22
force-pushed
the
logan/bootstrap-athena-infra
branch
from
d9c7317 to
d48be80
Compare
![orca-security-us[bot]](https://avatars.githubusercontent.com/in/276250?s=60&v=4){kind=small}
There was a problem hiding this comment.
Orca Security Scan Summary
| Status | Check | Issues by priority | |
|---|---|---|---|
 Passed |
Infrastructure as Code |  0  0  0  0 |
View in Orca |
| Passed |
Vulnerabilities | 0 0 0 0 |
View in Orca |
| Passed |
Secrets | 0 0 0 0 |
View in Orca |
nklaassen
left a comment
nklaassen
left a comment
There was a problem hiding this comment.
This is looking really clean, I like it
| return "", "", trace.BadParameter("input is nil") | ||
| } | ||
|
|
||
| auditEventsBucket, err := url.Parse(input.AuditEventsLongTermURI) |
There was a problem hiding this comment.
I wrote something to validate s3 URIs here, maybe you can reuse it (and/or improve it, I just realized I forgot to check for the s3 scheme 🤦 )
But you'll still have to re-parse them here so maybe not much benefit
There was a problem hiding this comment.
I'm wondering if it it's better to store the URIs in there raw form or already parsed. That way, we validate and parse before storing it and then don't need to parse later. Idk what's more common. In this case I'd have to parse again to extract the values as I don't need prefix. In addition to my stricter rules I think it's best to keep them separate for now.
|
|
||
| for _, tc := range tt { | ||
| t.Run(tc.desc, func(t *testing.T) { | ||
| clt := &fakeBootstrapInfraClient{ |
There was a problem hiding this comment.
if you want to go one step further with this test, the fake client could actually store some representation of everything that got created, and you could then check that it's right
You could use this to write a test for idempotency by making the client actually return AlreadyExists errors if the thing was already created. I guess that's kind of what you're doing with the *Exists booleans but this way you could even call BootstrapInfra twice with semi-realistic results, and optionally make the first call fail halfway through with some other error
There was a problem hiding this comment.
Yea I definitely am looking for improvements on the testing side of things. I'll try to incorporate what you mentioned above and see how it turns out thanks.
There was a problem hiding this comment.
So I refactored slightly given your recommendations in 48cda44. Let me know what you think and how I could potentially improve it further
logand22
force-pushed
the
logan/bootstrap-athena-infra
branch
from
fba93f3 to
a560205
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
logand22
added
the
no-changelog
|
Basing the |
codingllama
left a comment
codingllama
left a comment
There was a problem hiding this comment.
Reviewing mostly for Go style, as I'm not familiar with the AWS RPCs themselves.
public-teleport-github-review-bot
Bot
removed the request for review
from Joerger
* [v14] external cloud audit proto Backport #33022 to branch/v14 * [v14] external_cloud_audit: add resource layer Backport #32833 to branch/v14 * [v14] feat: IAM permissions for BYOBucket Backport #33416 to branch/v14 This commit adds a one-off teleport command that configures the necessary IAM permissions for the upcoming External Cloud Audit (BYOBucket) feature. An example command invocation looks like: ``` $ teleport integration configure externalcloudaudit-iam \ --aws-region us-west-2 --role nic-byob-test --policy nic-byob \ --session-recordings s3://nic-byob/sess-rec-v2 \ --audit-events s3://nic-byob/events --athena-results s3://nic-byob/results \ --athena-workgroup primary --glue-database nic_byob --glue-table nic_byob_table ``` In normal usage this command will be generated for the user so that they can just copy a command from the Web UI and run it in AWS CloudShell. The permissions generated here are based on https://github.com/gravitational/cloud/blob/rfd/77-bring-your-own-bucket/rfd/0077-Bring-your-own-bucket.md, but only include the permissions necessary for using the feature at runtime and not any permissions necessary to bootstrap/create the resources. * [v14] feat: generate randomized ExternalCloudAudit config Backport #33555 to branch/v14 * [v14] BYOB: Bootstrap Athena Infrastructure Backport #33272 to branch/v14 * [v14] feat: cached auto-refreshing AWS credentials for BYOBucket Backport #34380 to branch/v14 This commit implements a "Configurator" for the BYOBucket feature that provides AWS credentials that can be used by the v1 or v2 AWS SDKs for Go. These credentials are generated via an AWS OIDC integration: auth signs a JWT and we swap that with AWS STS for AWS credentials. It also reports whether or not the BYOB feature `IsUsed()` currently, and provides access to the current cluster ExternalCloudAudit spec. This looks a bit weird because of a chicken-egg problem where the audit log must be set up before the auth server can be created, but the auth server must be created to provide the OIDC signing facilities. This will be more clear in following PRs. * [v14] fix: correct IAM policies for BYOB Backport #34484 to branch/v14 This commit fixes the IAM policies generated by the oneoff externalcloudaudit bootstrap command based on manual testing, and brings them more in line with the original RFD https://github.com/gravitational/cloud/blob/master/rfd/0077-Bring-your-own-bucket.md * [v14] feat: enable External Cloud Audit backend Backport #34606 to branch/v14 This commit enables the External Cloud Audit (BYOBucket) feature with a fully functional backend by setting up the Athena and S3 audit components with the right AWS configurations and resource locations. * [v14] Add ExternalCloudAudit permissions to user context ACL Backport #34289 to branch/v14 --------- Co-authored-by: Tobiasz Heller <14020794+tobiaszheller@users.noreply.github.com> Co-authored-by: Logan Davis <38335829+logand22@users.noreply.github.com> Co-authored-by: matheus <matheus.battirola@goteleport.com>
3 participants
This PR is a part of https://github.com/gravitational/cloud/blob/master/rfd/0077-Bring-your-own-bucket.md. This PR adds the ability to deploy the infrastructure necessary to run the new scalable audit logs on the desired infrastructure instead of the cloud.
We expect the customer to run the following AWS services themselves:
In addition to the above resources, we also are slightly opinionated about things like:
This is stay in line with cloud in addition to encourage some best practices.