Introduce the `tctl terraform env` command by hugoShaka · Pull Request #43664 · gravitational/teleport

hugoShaka · 2024-06-28T19:22:35Z

This is the implementation of the "running Terraform locally" part of RFD-173.

Fixes #39744 on local setups.

This PR introduces a new command: tctl terraform env. The design is described in more details in the RFD but basically the UX looks like:

tsh login ...
eval $(tctl terraform env)
# progress + potential MFA challenge

terraform plan
# automatically logged in

User documentation and reference will come in a future PR.

In addition to the few unit tests and the proxy/auth integration tests, this has been tested with a local instance (-c teleport.yaml) and with a Teleport Cloud tenant.

Changelog: Add the tctl terraform env command that makes running the Terraform Provider locally easier.

Changelog: Add a new role preset terraform-provider with all permissions required to use the Teleport Terraform provider. Any existing role with the same name will take precedence.

r0mant · 2024-07-03T00:49:38Z

I don't think terraform provider needs to connect to these resources. Can we leave remove these wildcards and leave label selectors empty?

No because of the way resource access control is implemented in teleport. You cannot see something you don't have access to. For the terraform provider or the operator to be able to reconcile those resources, they must see them, so they need to be able to access them, this is why we need the wildcards. This is mitigated by the fact the role does not grant any login.

I will add a comment about this in the code.

r0mant · 2024-07-03T00:50:30Z

Is there a "master list" of all resource kinds terraform provider supports somewhere so we can just update that list when adding a new resource?

No, this can become the master list if we move it to presets.

r0mant · 2024-07-03T22:39:13Z

Nit: I would just name this flag --role.

hugoShaka · 2024-07-05T14:53:47Z

Blocked by: #43877 (tbot doesn't build on windows)

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

…rtBytes

…provider'

public-teleport-github-review-bot · 2024-07-10T22:16:06Z

@hugoShaka See the table below for backport results.

Branch	Result
branch/v16	Failed

* Introduce the `tctl terrafor env` command * fix tests * address marco's feedback + use correct b64 lib * add license * add created-by label as specified in the RFD * Update tool/tctl/common/terraform_command.go Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Apply suggestions from code review Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Have telpeort create the Terraform default role * rename use-existing-role -> role, and stop hijacking identity.SSHCACertBytes * Make the terraform provider role a real preset, rename to 'terraform-provider' * lint * Fix tbot's invocation after rebase --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>

) * Introduce the `tctl terraform env` command (#43664) * Introduce the `tctl terrafor env` command * fix tests * address marco's feedback + use correct b64 lib * add license * add created-by label as specified in the RFD * Update tool/tctl/common/terraform_command.go Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Apply suggestions from code review Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Have telpeort create the Terraform default role * rename use-existing-role -> role, and stop hijacking identity.SSHCACertBytes * Make the terraform provider role a real preset, rename to 'terraform-provider' * lint * Fix tbot's invocation after rebase --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com> * Refactor Terraform credential loading (#44037) * Refactor Terraform credential loading * Warn about expiry * kip expired credentials * fixup! kip expired credentials * Use constants everywhere + add godocs * fixup! Use constants everywhere + add godocs * Address marco's feedback * fixup! Address marco's feedback * tidy go mod * lint * re-render TF docs * Update v16 version in error message * Add Terraform Provider native MachineID support (#44306) * Add Terraform Provider native MachineID support * Reject 'token' join method * lint: fix imports * re-render TF docs * fix tests + add license * lint * tidy go mod * use v16 client.Expiry() function --------- Co-authored-by: Roman Tkachenko <roman@goteleport.com>

hugoShaka force-pushed the hugo/tctl-terraform-env branch from 9cd1c1c to d5fab1e Compare June 28, 2024 19:47

hugoShaka requested a review from marcoandredinis June 28, 2024 19:51

marcoandredinis changed the title ~~Introduce the tctl terrafor env command~~ Introduce the tctl terraform env command Jul 1, 2024

marcoandredinis reviewed Jul 1, 2024

View reviewed changes

hugoShaka force-pushed the hugo/tctl-terraform-env branch from 9b34016 to 82d1cdb Compare July 2, 2024 20:03

hugoShaka marked this pull request as ready for review July 2, 2024 20:03

hugoShaka requested a review from marcoandredinis July 2, 2024 20:03

github-actions Bot added size/lg tctl tctl - Teleport admin tool labels Jul 2, 2024

github-actions Bot requested a review from tigrato July 2, 2024 20:04

hugoShaka requested a review from r0mant July 2, 2024 20:05

r0mant reviewed Jul 3, 2024

View reviewed changes

hugoShaka requested a review from r0mant July 3, 2024 16:27

r0mant approved these changes Jul 3, 2024

View reviewed changes

Comment thread tool/tctl/common/terraform_command.go Outdated

Copy link
Copy Markdown

Collaborator

r0mant Jul 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: I would just name this flag --role.

marcoandredinis approved these changes Jul 4, 2024

View reviewed changes

public-teleport-github-review-bot Bot removed the request for review from tigrato July 4, 2024 07:47

strideynet approved these changes Jul 4, 2024

View reviewed changes

hugoShaka enabled auto-merge July 4, 2024 15:17

hugoShaka added this pull request to the merge queue Jul 4, 2024

hugoShaka added the backport/branch/v16 label Jul 4, 2024

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 4, 2024

hugoShaka enabled auto-merge July 9, 2024 15:47

hugoShaka and others added 7 commits July 10, 2024 17:33

Introduce the tctl terrafor env command

2a582cd

fix tests

927849f

address marco's feedback + use correct b64 lib

3b4daa6

add license

247cfb1

add created-by label as specified in the RFD

e07762f

Update tool/tctl/common/terraform_command.go

638cb8f

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

Apply suggestions from code review

36a23f5

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

hugoShaka added 5 commits July 10, 2024 17:33

Have telpeort create the Terraform default role

7db1e17

rename use-existing-role -> role, and stop hijacking identity.SSHCACe…

111c115

…rtBytes

Make the terraform provider role a real preset, rename to 'terraform-…

c7f065a

…provider'

lint

f4dd7aa

Fix tbot's invocation after rebase

05e6380

hugoShaka force-pushed the hugo/tctl-terraform-env branch from b5e9001 to 05e6380 Compare July 10, 2024 21:35

hugoShaka added this pull request to the merge queue Jul 10, 2024

Merged via the queue into master with commit 2248a4b Jul 10, 2024

hugoShaka deleted the hugo/tctl-terraform-env branch July 10, 2024 22:15

hugoShaka mentioned this pull request Jul 26, 2024

[v16] RFD 173 implementation: Terraform provider UX improvements #44690

Merged

Conversation

hugoShaka commented Jun 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

r0mant Jul 3, 2024

Choose a reason for hiding this comment

Uh oh!

hugoShaka Jul 3, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

r0mant Jul 3, 2024

Choose a reason for hiding this comment

Uh oh!

hugoShaka Jul 3, 2024

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

r0mant Jul 3, 2024

Choose a reason for hiding this comment

Uh oh!

Uh oh!

hugoShaka commented Jul 5, 2024

Uh oh!

public-teleport-github-review-bot Bot commented Jul 10, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

hugoShaka commented Jun 28, 2024 •

edited

Loading

hugoShaka Jul 3, 2024 •

edited

Loading