RFD 0173: Authenticating the Terraform Provider with MachineID#42868
RFD 0173: Authenticating the Terraform Provider with MachineID#42868
Conversation
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
hugoShaka
requested review from
Joerger,
klizhentas,
r0mant,
strideynet,
thedevelopnik and
xinding33
and removed request for
lxea and
tigrato
hugoShaka
added
the
no-changelog
Co-authored-by: Brian Joerger <bjoerger@goteleport.com>
|
|
||
| Depending on their license, Teleport customers can have clusters dialing home and reporting usage. | ||
| We can leverage this to report metrics from the auth. An option would be to add an annotation on the bot resource such as | ||
| `teleport.dev/integration: terraform` or `teleport.dev/usage: terraform`. Potential values could be expanded as we add |
There was a problem hiding this comment.
Annotation strategy would work fine for your bootstrapping, but if someone set up a Bot/Token themselves, we wouldn't necessarily be aware.
| } | ||
| ``` | ||
|
|
||
| Telemetry would be gated by the `TELEPORT_ANONYMOUS_TELEMETRY=1` environment variable. |
There was a problem hiding this comment.
FWIW: Uptake on anonymous Telemetry remains fairly low
| - the fact `bootstrap` is only usable on local laptop. It requires a valid `~/.tsh` profile and the ability to pass an | ||
| MFA challenge (when MFA4A is enabled, which we are pushing everywhere and is Cloud's default). Intensive CI usage will | ||
| use existing bot resources and the `onboarding` configuration. | ||
| - the bootstrap resource expiry, by default 1 hour. |
There was a problem hiding this comment.
Am I reading this correctly as the bots from bootstrap being removed after 1 hour, not just the local certs having a 1hr TTL?
I know when I'm first trying a new thing out with Terraform, or even first trying out a new IaC tool (and for some small number of people we may be the first thing they use Terraform with), I can easily end up running terraform apply several times per minute to get this freaking thing working, but I think an hour is a good default. I probably wouldn't create more than ~80 bots during that time. If this is just the local TTL though, and the bots hang around on the backend, this is my notification that I could easily create ~80 bots in an hour. Several days in a row. I'm often dumb in very specific ways that make me great for testing edge cases 😄 .
There was a problem hiding this comment.
You're correct, this si the resoucre TTL, not the certs. So I don't expect more than a 100 bots in a very intensive setup session. This is noisy, but should not impact performance. We can add a GET call beforeto count the bots and limit their number if needed (e.g. 20 bots max)
klizhentas
left a comment
klizhentas
left a comment
There was a problem hiding this comment.
my only question is whether we can group those bots to view properly in TAG, so they don't pollute the view and other stats.
| ##### Note regarding CGO | ||
|
|
||
| The Terraform provider is currently built without CGO but `tbot` depends on `lib/auth`, which depends on `lib/services` | ||
| which depends on CGO. As CGO is not supported in Hashicorp Terraform Cloud, the embedded tbot | ||
| will rely on the work currently done by @rosstimothy and the MachineID team to remove the CGO dependency from tbot. |
There was a problem hiding this comment.
This is no longer true on master or any supported release branches. I've got PRs out now to make building tbot use CGO_ENABLED=0 by default.
r0mant
left a comment
r0mant
left a comment
There was a problem hiding this comment.
lgtm with a few questions/nitpicks
| joining = { | ||
| token = "gha-runner" | ||
| method = "github" | ||
| } |
There was a problem hiding this comment.
What would this look like if I want to test the provider locally from my laptop?
There was a problem hiding this comment.
You cannot join locally because you don't have any delegated join methods available.
Joining is reserved for delegated joining because we don't store the state, so secret-based bot would be single use.
To run TF locally you would use the tctl terraform-helper and the terraform section would be empty.
public-teleport-github-review-bot
Bot
removed the request for review
from xinding33
7 participants
Rendered version
Part of #39744