Remove support for legacy (Amazon Linux 2) AMIs

.drone.yml

@@ -1607,78 +1607,6 @@ image_pull_secrets:
 # Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
 ################################################
 
-kind: pipeline
-type: kubernetes
-name: build-legacy-amis
-trigger:
-  event:
-    include:
-    - tag
-  ref:
-    include:
-    - refs/tags/v*
-  repo:
-    include:
-    - gravitational/*
-workspace:
-  path: /go
-clone:
-  disable: true
-depends_on:
-- build-linux-amd64
-- build-linux-amd64-fips
-steps:
-- name: Check out code
-  image: docker:git
-  pull: if-not-exists
-  commands:
-  - mkdir -pv "/go/src/github.com/gravitational/teleport"
-  - cd "/go/src/github.com/gravitational/teleport"
-  - git init
-  - git remote add origin ${DRONE_REMOTE_URL}
-  - git fetch origin --tags
-  - git checkout -qf "${DRONE_COMMIT_SHA}"
-  - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
-    chmod 600 /root/.ssh/id_rsa
-  - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
-  - git submodule update --init e
-  - mkdir -pv /go/cache
-  - rm -f /root/.ssh/id_rsa
-  environment:
-    GITHUB_PRIVATE_KEY:
-      from_secret: GITHUB_PRIVATE_KEY
-- name: Delegate build to GitHub
-  image: golang:1.18-alpine
-  pull: if-not-exists
-  commands:
-  - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
-  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
-    -tag-workflow -timeout 2h30m0s -workflow release-teleport-legacy-amis.yaml -workflow-ref=${DRONE_TAG}
-    -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} '
-  environment:
-    GHA_APP_KEY:
-      from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
-- name: Send Slack notification
-  image: plugins/slack:1.4.1
-  settings:
-    template: |-
-      *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}>
-      Author: <https://github.com/{{ build.author }}|{{ build.author }}> Repo: <https://github.com/{{ repo.owner }}/{{ repo.name }}/|{{ repo.owner }}/{{ repo.name }}> Branch: <https://github.com/{{ repo.owner }}/{{ repo.name }}/commits/{{ build.branch }}|{{ build.branch }}> Commit: <https://github.com/{{ repo.owner }}/{{ repo.name }}/commit/{{ build.commit }}|{{ truncate build.commit 8 }}>
-    webhook:
-      from_secret: SLACK_WEBHOOK_DEV_TELEPORT
-  when:
-    status:
-    - failure
-image_pull_secrets:
-- DOCKERHUB_CREDENTIALS
-
----
-################################################
-# Generated using dronegen, do not edit by hand!
-# Use 'make dronegen' to update.
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
-################################################
-
 kind: pipeline
 type: kubernetes
 name: build-oci
@@ -12048,6 +11976,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: 4ebe6803bd4211a77094240d8e91c2cc9ac7e9b97956e277fbfa3b5e52962fdd
+hmac: 759cdb197a5962b5bbd5f2e21bffb709d04429e28e18f07e0894d78d12073450
 
 ...

CHANGELOG.md

@@ -150,6 +150,15 @@ naming scheme for these AMIs has been changed to include the architecture.
 - Previous naming scheme: `teleport-oss-14.0.0-$TIMESTAMP`
 - New naming scheme: `teleport-oss-15.0.0-x86_64-$TIMESTAMP`
 
+##### Legacy Amazon Linux 2 AMIs
+
+Teleport-provided Amazon Linux 2 AMIs were deprecated, and Teleport 14 is the
+last version to produce such legacy AMIs. With Teleport 15's release, only
+the newer hardened Amazon Linux 2023 AMIs will be produced.
+
+The legacy AMIs will continue to be published for Teleport 13 and 14 throughout
+the remainder of these releases' lifecycle.
+
 ## 14.0.0 (09/20/23)
 
 Teleport 14 brings the following new major features and improvements:

assets/aws/Makefile

@@ -1,112 +1,26 @@
-# VPC ID used for builds
-BUILD_VPC_ID ?=
-
-# VPC subnet used for builds
-BUILD_SUBNET_ID ?=
-
-# Public AMI name
-PUBLIC_AMI_NAME ?=
-
-# Default build region
-AWS_REGION ?= us-west-2
-
 # Teleport version
 # This must be a _released_ version of Teleport, i.e. one which has binaries
-# available for download on https://gravitational.com/teleport/download
+# available for download on https://goteleport.com/download
 # Unreleased versions will fail to build.
 TELEPORT_VERSION ?= 14.3.0
 
 # Teleport UID is the UID of a non-privileged 'teleport' user
 TELEPORT_UID ?= 1007
 
-# Instance type to build the AMI on
-INSTANCE_TYPE ?= t2.medium
-
 # Use comma-separated values without spaces for multiple regions
 # For now, limit AMI publishing to non opt-in regions
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
 # You can get this with $(AWS_DEFAULT_REGION=us-west-2 aws ec2 describe-regions | jq -r '.Regions | map(.RegionName) | join(",")')
-DESTINATION_REGIONS ?= eu-north-1,ap-south-1,eu-west-3,eu-west-2,eu-west-1,ap-northeast-3,ap-northeast-2,ap-northeast-1,sa-east-1,ca-central-1,ap-southeast-1,ap-southeast-2,eu-central-1,us-east-1,us-east-2,us-west-1,us-west-2
+DESTINATION_REGIONS ?= ap-northeast-1,ap-northeast-2,ap-northeast-3,ap-south-1,ap-southeast-1,ap-southeast-2,ca-central-1,eu-central-1,eu-north-1,eu-west-1,eu-west-2,eu-west-3,sa-east-1,us-east-1,us-east-2,us-west-1,us-west-2
 
 # Generate timestamp for builds
 BUILD_TIMESTAMP := $(shell TZ=UTC /bin/date "+%Y%m%d-%H%M%S%Z")
 
-# Telegraf version
-TELEGRAF_VERSION ?= 1.9.3
-
-# InfluxDB version
-INFLUXDB_VERSION ?= 1.8.5
-
-# Grafana version
-GRAFANA_VERSION ?= 9.0.7
-
 # AWS account ID which hosts the public Teleport AMIs
-AWS_ACCOUNT_ID ?= 126027368216
+AWS_ACCOUNT_ID ?= 146628656107
 export
 
 
-# Build local 'debug' AMI
-.PHONY: oss
-oss: TELEPORT_TYPE=oss
-oss: check-vars
-oss:
-	@echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE)"
-	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
-	mkdir -p files/build
-	packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -only teleport-aws-linux -var destination_regions=$(AWS_REGION) single-ami.json
-	@echo "$(BUILD_TIMESTAMP)" > files/build/oss_build_timestamp.txt
-
-# Build named 'production' AMI and marketplace version
-.PHONY: oss-ci-build
-oss-ci-build: TELEPORT_TYPE=oss
-oss-ci-build: check-vars
-oss-ci-build:
-	@echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE) via CI"
-	@echo "Public AMI name: $(PUBLIC_AMI_NAME)"
-	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
-	mkdir -p files/build
-	packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var build_timestamp=$(BUILD_TIMESTAMP) -except teleport-aws-linux-fips single-ami.json
-	@echo "$(BUILD_TIMESTAMP)" > files/build/oss_build_timestamp.txt
-
-.PHONY: change-amis-to-public-oss
-change-amis-to-public-oss:
-	@echo "Making OSS AMIs public"
-	bash files/make-amis-public.sh oss $(DESTINATION_REGIONS)
-
-# Build local 'debug' AMI
-.PHONY: ent
-ent: TELEPORT_TYPE=ent
-ent: check-vars
-	@echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE)"
-	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
-	mkdir -p files/build
-	packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -only teleport-aws-linux -var destination_regions=$(AWS_REGION) single-ami.json
-	@echo "$(BUILD_TIMESTAMP)" > files/build/ent_build_timestamp.txt
-
-# Build named 'production' AMI and marketplace version
-.PHONY: ent-ci-build
-ent-ci-build: TELEPORT_TYPE=ent
-ent-ci-build: check-vars
-ent-ci-build:
-	@echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE) via CI"
-	@echo "Public AMI name: $(PUBLIC_AMI_NAME)"
-	@echo "FIPS AMI name: $(FIPS_AMI_NAME)"
-	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
-	mkdir -p files/build
-	packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var fips_ami_name=$(FIPS_AMI_NAME) -var build_timestamp=$(BUILD_TIMESTAMP) single-ami.json
-	@echo "$(BUILD_TIMESTAMP)" > files/build/ent_build_timestamp.txt
-
-.PHONY: change-amis-to-public-ent
-change-amis-to-public-ent:
-	@echo "Making Enterprise AMIs public"
-	bash files/make-amis-public.sh ent $(DESTINATION_REGIONS)
-
-.PHONY: change-amis-to-public-ent-fips
-change-amis-to-public-ent-fips:
-	@echo "Making FIPS Enterprise AMIs public"
-	bash files/make-amis-public.sh ent-fips $(DESTINATION_REGIONS)
-
-
 # Other helpers
 .PHONY: check-vars
 check-vars:
@@ -123,7 +37,7 @@ update-ami-ids-terraform:
 	@echo -e "\nUpdating Enterprise FIPS Terraform image IDs"
 	go run ./cmd/update-ami-id --aws-account $(AWS_ACCOUNT_ID) --regions $(DESTINATION_REGIONS) --version $(TELEPORT_VERSION) --type ent-fips
 
-# you will need the Github 'gh' CLI installed and working to be able to use this target
+# you will need the GitHub 'gh' CLI installed and working to be able to use this target
 # https://github.com/cli/cli/releases/latest
 AUTO_BRANCH_NAME := "ami-auto-branch-$(shell date +%s)"
 MAKEFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))

assets/aws/README.md

@@ -8,8 +8,8 @@ Instructions for building Teleport AWS AMIs.
 
 AWS CLI and Packer are required to build Teleport AMIs.
 
-Minimum versions:  
-awscli == 1.14  
+Minimum versions:
+awscli == 1.14
 packer == v1.4.0 
 
 On macOS:
@@ -35,19 +35,15 @@ Follow instructions at: https://www.packer.io/docs/install/index.html
 
 | Param               | Description                                                                                                 |
 |---------------------|-------------------------------------------------------------------------------------------------------------|
-| BUILD_VPC_ID        | With the region you selected in step 3, create or use an existing VPC. ex. `vpc-xxxxxxxx`.                  |
-| BUILD_SUBNET_ID     | Within the VPC above, select a subnet. ex. `subnet-xxxxxxxx`                                                |
-| AWS_REGION          | Region you selected in step 3. ex. `us-east-1`                                                              |
 | TELEPORT_VERSION    | Teleport version. See [Teleport releases](https://github.com/gravitational/teleport/releases). ex. `4.2.10` |
-| INSTANCE_TYPE       | The instance type used for the build. ex. `t2.micro`                                                        |
 | DESTINATION_REGIONS | The regions the AMI will be replicated to. ex. `us-east-1,us-east-2`                                        |
 
 5. Run 
 ```
 make oss
 ```
 
-6. Once complete, your AMI should be available, in the regions you specified, with the name  `teleport-debug-ami-<type>-<version>`. (e.g. teleport-debug-ami-oss-4.2.10)
+6. Once complete, your AMI should be available, in the regions you specified, with the name  `teleport-<type>-<version>-<arch>`. (e.g. teleport-oss-4.2.10-arm64)
 
 ## Usage instructions