gravitational · sclevine · May 21, 2025 · Mar 31, 2025 · May 1, 2025 · May 1, 2025
diff --git a/entitlements/entitlements.go b/entitlements/entitlements.go
@@ -27,38 +27,39 @@ type EntitlementKind string
 // All EntitlementKinds added here should also be added to AllEntitlements below and defaultEntitlements in
 // web/packages/teleport/src/entitlement.ts.
 const (
-	AccessLists            EntitlementKind = "AccessLists"
-	AccessMonitoring       EntitlementKind = "AccessMonitoring"
-	AccessRequests         EntitlementKind = "AccessRequests"
-	App                    EntitlementKind = "App"
-	CloudAuditLogRetention EntitlementKind = "CloudAuditLogRetention"
-	DB                     EntitlementKind = "DB"
-	Desktop                EntitlementKind = "Desktop"
-	DeviceTrust            EntitlementKind = "DeviceTrust"
-	ExternalAuditStorage   EntitlementKind = "ExternalAuditStorage"
-	FeatureHiding          EntitlementKind = "FeatureHiding"
-	HSM                    EntitlementKind = "HSM"
-	Identity               EntitlementKind = "Identity"
-	JoinActiveSessions     EntitlementKind = "JoinActiveSessions"
-	K8s                    EntitlementKind = "K8s"
-	MobileDeviceManagement EntitlementKind = "MobileDeviceManagement"
-	OIDC                   EntitlementKind = "OIDC"
-	OktaSCIM               EntitlementKind = "OktaSCIM"
-	OktaUserSync           EntitlementKind = "OktaUserSync"
-	Policy                 EntitlementKind = "Policy"
-	SAML                   EntitlementKind = "SAML"
-	SessionLocks           EntitlementKind = "SessionLocks"
-	UpsellAlert            EntitlementKind = "UpsellAlert"
-	UsageReporting         EntitlementKind = "UsageReporting"
-	LicenseAutoUpdate      EntitlementKind = "LicenseAutoUpdate"
-	AccessGraphDemoMode    EntitlementKind = "AccessGraphDemoMode"
+	AccessLists                EntitlementKind = "AccessLists"
+	AccessMonitoring           EntitlementKind = "AccessMonitoring"
+	AccessRequests             EntitlementKind = "AccessRequests"
+	App                        EntitlementKind = "App"
+	CloudAuditLogRetention     EntitlementKind = "CloudAuditLogRetention"
+	DB                         EntitlementKind = "DB"
+	Desktop                    EntitlementKind = "Desktop"
+	DeviceTrust                EntitlementKind = "DeviceTrust"
+	ExternalAuditStorage       EntitlementKind = "ExternalAuditStorage"
+	FeatureHiding              EntitlementKind = "FeatureHiding"
+	HSM                        EntitlementKind = "HSM"
+	Identity                   EntitlementKind = "Identity"
+	JoinActiveSessions         EntitlementKind = "JoinActiveSessions"
+	K8s                        EntitlementKind = "K8s"
+	MobileDeviceManagement     EntitlementKind = "MobileDeviceManagement"
+	OIDC                       EntitlementKind = "OIDC"
+	OktaSCIM                   EntitlementKind = "OktaSCIM"
+	OktaUserSync               EntitlementKind = "OktaUserSync"
+	Policy                     EntitlementKind = "Policy"
+	SAML                       EntitlementKind = "SAML"
+	SessionLocks               EntitlementKind = "SessionLocks"
+	UnrestrictedManagedUpdates EntitlementKind = "UnrestrictedManagedUpdates"
+	UpsellAlert                EntitlementKind = "UpsellAlert"
+	UsageReporting             EntitlementKind = "UsageReporting"
+	LicenseAutoUpdate          EntitlementKind = "LicenseAutoUpdate"
+	AccessGraphDemoMode        EntitlementKind = "AccessGraphDemoMode"
 )
 
 // AllEntitlements returns all Entitlements; should be 1:1 with the const declared above.
 var AllEntitlements = []EntitlementKind{
 	AccessLists, AccessMonitoring, AccessRequests, App, CloudAuditLogRetention, DB, Desktop, DeviceTrust,
 	ExternalAuditStorage, FeatureHiding, HSM, Identity, JoinActiveSessions, K8s, MobileDeviceManagement, OIDC, OktaSCIM,
-	OktaUserSync, Policy, SAML, SessionLocks, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode,
+	OktaUserSync, Policy, SAML, SessionLocks, UnrestrictedManagedUpdates, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode,
 }
 
 // BackfillFeatures ensures entitlements are backwards compatible.

diff --git a/entitlements/entitlements_test.go b/entitlements/entitlements_test.go
@@ -67,59 +67,61 @@ func TestBackfillFeatures(t *testing.T) {
 				MobileDeviceManagement:     false,
 				AccessMonitoringConfigured: false,
 				Entitlements: map[string]*proto.EntitlementInfo{
-					string(AccessLists):            {Enabled: true, Limit: 111},
-					string(AccessMonitoring):       {Enabled: true, Limit: 2113},
-					string(AccessRequests):         {Enabled: true, Limit: 39},
-					string(App):                    {Enabled: false},
-					string(CloudAuditLogRetention): {Enabled: true},
-					string(DB):                     {Enabled: true},
-					string(Desktop):                {Enabled: true},
-					string(DeviceTrust):            {Enabled: true, Limit: 103},
-					string(ExternalAuditStorage):   {Enabled: true},
-					string(FeatureHiding):          {Enabled: true},
-					string(HSM):                    {Enabled: true},
-					string(Identity):               {Enabled: true},
-					string(JoinActiveSessions):     {Enabled: true},
-					string(K8s):                    {Enabled: true},
-					string(MobileDeviceManagement): {Enabled: true},
-					string(OIDC):                   {Enabled: true},
-					string(OktaSCIM):               {Enabled: true},
-					string(OktaUserSync):           {Enabled: true},
-					string(Policy):                 {Enabled: true},
-					string(SAML):                   {Enabled: true},
-					string(SessionLocks):           {Enabled: true},
-					string(UpsellAlert):            {Enabled: true},
-					string(UsageReporting):         {Enabled: true},
-					string(LicenseAutoUpdate):      {Enabled: true},
-					string(AccessGraphDemoMode):    {Enabled: true},
+					string(AccessLists):                {Enabled: true, Limit: 111},
+					string(AccessMonitoring):           {Enabled: true, Limit: 2113},
+					string(AccessRequests):             {Enabled: true, Limit: 39},
+					string(App):                        {Enabled: false},
+					string(CloudAuditLogRetention):     {Enabled: true},
+					string(DB):                         {Enabled: true},
+					string(Desktop):                    {Enabled: true},
+					string(DeviceTrust):                {Enabled: true, Limit: 103},
+					string(ExternalAuditStorage):       {Enabled: true},
+					string(FeatureHiding):              {Enabled: true},
+					string(HSM):                        {Enabled: true},
+					string(Identity):                   {Enabled: true},
+					string(JoinActiveSessions):         {Enabled: true},
+					string(K8s):                        {Enabled: true},
+					string(MobileDeviceManagement):     {Enabled: true},
+					string(OIDC):                       {Enabled: true},
+					string(OktaSCIM):                   {Enabled: true},
+					string(OktaUserSync):               {Enabled: true},
+					string(Policy):                     {Enabled: true},
+					string(SAML):                       {Enabled: true},
+					string(SessionLocks):               {Enabled: true},
+					string(UpsellAlert):                {Enabled: true},
+					string(UsageReporting):             {Enabled: true},
+					string(LicenseAutoUpdate):          {Enabled: true},
+					string(AccessGraphDemoMode):        {Enabled: true},
+					string(UnrestrictedManagedUpdates): {Enabled: true},
 				},
 			},
 			expected: map[string]*proto.EntitlementInfo{
-				string(AccessLists):            {Enabled: true, Limit: 111},
-				string(AccessMonitoring):       {Enabled: true, Limit: 2113},
-				string(AccessRequests):         {Enabled: true, Limit: 39},
-				string(App):                    {Enabled: false},
-				string(CloudAuditLogRetention): {Enabled: true},
-				string(DB):                     {Enabled: true},
-				string(Desktop):                {Enabled: true},
-				string(DeviceTrust):            {Enabled: true, Limit: 103},
-				string(ExternalAuditStorage):   {Enabled: true},
-				string(FeatureHiding):          {Enabled: true},
-				string(HSM):                    {Enabled: true},
-				string(Identity):               {Enabled: true},
-				string(JoinActiveSessions):     {Enabled: true},
-				string(K8s):                    {Enabled: true},
-				string(MobileDeviceManagement): {Enabled: true},
-				string(OIDC):                   {Enabled: true},
-				string(OktaSCIM):               {Enabled: true},
-				string(OktaUserSync):           {Enabled: true},
-				string(Policy):                 {Enabled: true},
-				string(SAML):                   {Enabled: true},
-				string(SessionLocks):           {Enabled: true},
-				string(UpsellAlert):            {Enabled: true},
-				string(UsageReporting):         {Enabled: true},
-				string(LicenseAutoUpdate):      {Enabled: true},
-				string(AccessGraphDemoMode):    {Enabled: true},
+				string(AccessLists):                {Enabled: true, Limit: 111},
+				string(AccessMonitoring):           {Enabled: true, Limit: 2113},
+				string(AccessRequests):             {Enabled: true, Limit: 39},
+				string(App):                        {Enabled: false},
+				string(CloudAuditLogRetention):     {Enabled: true},
+				string(DB):                         {Enabled: true},
+				string(Desktop):                    {Enabled: true},
+				string(DeviceTrust):                {Enabled: true, Limit: 103},
+				string(ExternalAuditStorage):       {Enabled: true},
+				string(FeatureHiding):              {Enabled: true},
+				string(HSM):                        {Enabled: true},
+				string(Identity):                   {Enabled: true},
+				string(JoinActiveSessions):         {Enabled: true},
+				string(K8s):                        {Enabled: true},
+				string(MobileDeviceManagement):     {Enabled: true},
+				string(OIDC):                       {Enabled: true},
+				string(OktaSCIM):                   {Enabled: true},
+				string(OktaUserSync):               {Enabled: true},
+				string(Policy):                     {Enabled: true},
+				string(SAML):                       {Enabled: true},
+				string(SessionLocks):               {Enabled: true},
+				string(UpsellAlert):                {Enabled: true},
+				string(UsageReporting):             {Enabled: true},
+				string(LicenseAutoUpdate):          {Enabled: true},
+				string(AccessGraphDemoMode):        {Enabled: true},
+				string(UnrestrictedManagedUpdates): {Enabled: true},
 			},
 		},
 		{
@@ -192,11 +194,12 @@ func TestBackfillFeatures(t *testing.T) {
 				string(SAML):                   {Enabled: true},
 				string(SessionLocks):           {Enabled: true},
 				// defaults, no legacy equivalent
-				string(UsageReporting):         {Enabled: false},
-				string(UpsellAlert):            {Enabled: false},
-				string(CloudAuditLogRetention): {Enabled: false},
-				string(LicenseAutoUpdate):      {Enabled: false},
-				string(AccessGraphDemoMode):    {Enabled: false},
+				string(UsageReporting):             {Enabled: false},
+				string(UpsellAlert):                {Enabled: false},
+				string(CloudAuditLogRetention):     {Enabled: false},
+				string(LicenseAutoUpdate):          {Enabled: false},
+				string(AccessGraphDemoMode):        {Enabled: false},
+				string(UnrestrictedManagedUpdates): {Enabled: false},
 			},
 		},
 		{
@@ -266,11 +269,12 @@ func TestBackfillFeatures(t *testing.T) {
 				string(SAML):                   {Enabled: true},
 
 				// defaults, no legacy equivalent
-				string(UsageReporting):         {Enabled: false},
-				string(UpsellAlert):            {Enabled: false},
-				string(CloudAuditLogRetention): {Enabled: false},
-				string(LicenseAutoUpdate):      {Enabled: false},
-				string(AccessGraphDemoMode):    {Enabled: false},
+				string(UsageReporting):             {Enabled: false},
+				string(UpsellAlert):                {Enabled: false},
+				string(CloudAuditLogRetention):     {Enabled: false},
+				string(LicenseAutoUpdate):          {Enabled: false},
+				string(AccessGraphDemoMode):        {Enabled: false},
+				string(UnrestrictedManagedUpdates): {Enabled: false},
 				// Identity off, fields false
 				string(Identity):     {Enabled: false},
 				string(SessionLocks): {Enabled: false},

diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go
@@ -31,6 +31,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	update "github.com/gravitational/teleport/api/types/autoupdate"
 	apievents "github.com/gravitational/teleport/api/types/events"
+	"github.com/gravitational/teleport/entitlements"
 	"github.com/gravitational/teleport/lib/authz"
 	"github.com/gravitational/teleport/lib/autoupdate/rollout"
 	"github.com/gravitational/teleport/lib/events"
@@ -1073,11 +1074,12 @@ func validateServerSideAgentConfig(config *autoupdate.AutoUpdateConfig) error {
 		return trace.Wrap(err, "validating autoupdate config")
 	}
 
-	var maxGroups int
-	isCloud := modules.GetModules().Features().Cloud
+	isLimitedCloud := modules.GetModules().Features().Cloud &&
+		!modules.GetModules().Features().Entitlements[entitlements.UnrestrictedManagedUpdates].Enabled
 
+	var maxGroups int
 	switch {
-	case isCloud && agentsSpec.GetStrategy() == update.AgentsStrategyHaltOnError:
+	case isLimitedCloud && agentsSpec.GetStrategy() == update.AgentsStrategyHaltOnError:
 		maxGroups = maxGroupsHaltOnErrorStrategyCloud
 	case agentsSpec.GetStrategy() == update.AgentsStrategyHaltOnError:
 		maxGroups = maxGroupsHaltOnErrorStrategy
@@ -1091,7 +1093,7 @@ func validateServerSideAgentConfig(config *autoupdate.AutoUpdateConfig) error {
 		return trace.BadParameter("max groups (%d) exceeded for strategy %s, %s schedule contains %d groups", maxGroups, agentsSpec.GetStrategy(), update.AgentsScheduleRegular, len(agentsSpec.GetSchedules().GetRegular()))
 	}
 
-	if !isCloud {
+	if !isLimitedCloud {
 		return nil
 	}
 
@@ -1109,7 +1111,6 @@ func validateServerSideAgentConfig(config *autoupdate.AutoUpdateConfig) error {
 		if !maps.Equal(cloudWeekdays, weekdays) {
 			return trace.BadParameter("weekdays must be set to %v in cloud", cloudGroupUpdateDays)
 		}
-
 	}
 
 	if duration := computeMinRolloutTime(agentsSpec.GetSchedules().GetRegular()); duration > maxRolloutDurationCloudHours {

diff --git a/lib/auth/autoupdate/autoupdatev1/service_test.go b/lib/auth/autoupdate/autoupdatev1/service_test.go
@@ -32,6 +32,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/autoupdate"
 	apievents "github.com/gravitational/teleport/api/types/events"
+	"github.com/gravitational/teleport/entitlements"
 	"github.com/gravitational/teleport/lib/authz"
 	"github.com/gravitational/teleport/lib/backend/memory"
 	libevents "github.com/gravitational/teleport/lib/events"
@@ -883,6 +884,14 @@ func TestValidateServerSideAgentConfig(t *testing.T) {
 			Cloud: true,
 		},
 	}
+	cloudUnlimitedModules := &modules.TestModules{
+		TestFeatures: modules.Features{
+			Cloud: true,
+			Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
+				entitlements.UnrestrictedManagedUpdates: {Enabled: true},
+			},
+		},
+	}
 	selfHostedModules := &modules.TestModules{
 		TestFeatures: modules.Features{
 			Cloud: false,
@@ -925,6 +934,18 @@ func TestValidateServerSideAgentConfig(t *testing.T) {
 			},
 			expectErr: require.Error,
 		},
+		{
+			name:    "over max groups halt-on-error cloud unlimited",
+			modules: cloudUnlimitedModules,
+			config: &autoupdatev1pb.AutoUpdateConfigSpecAgents{
+				Mode:     autoupdate.AgentsUpdateModeEnabled,
+				Strategy: autoupdate.AgentsStrategyHaltOnError,
+				Schedules: &autoupdatev1pb.AgentAutoUpdateSchedules{
+					Regular: generateGroups(maxGroupsHaltOnErrorStrategy+1, cloudGroupUpdateDays),
+				},
+			},
+			expectErr: require.Error,
+		},
 		{
 			name:    "over max groups halt-on-error cloud",
 			modules: cloudModules,
@@ -949,6 +970,18 @@ func TestValidateServerSideAgentConfig(t *testing.T) {
 			},
 			expectErr: require.Error,
 		},
+		{
+			name:    "cloud unlimited should allow custom weekdays",
+			modules: cloudUnlimitedModules,
+			config: &autoupdatev1pb.AutoUpdateConfigSpecAgents{
+				Mode:     autoupdate.AgentsUpdateModeEnabled,
+				Strategy: autoupdate.AgentsStrategyHaltOnError,
+				Schedules: &autoupdatev1pb.AgentAutoUpdateSchedules{
+					Regular: generateGroups(maxGroupsHaltOnErrorStrategyCloud, []string{"Mon"}),
+				},
+			},
+			expectErr: require.NoError,
+		},
 		{
 			name:    "self-hosted should allow custom weekdays",
 			modules: selfHostedModules,
@@ -976,6 +1009,21 @@ func TestValidateServerSideAgentConfig(t *testing.T) {
 			},
 			expectErr: require.Error,
 		},
+		{
+			name:    "cloud should allow long rollouts with entitlement",
+			modules: cloudUnlimitedModules,
+			config: &autoupdatev1pb.AutoUpdateConfigSpecAgents{
+				Mode:     autoupdate.AgentsUpdateModeEnabled,
+				Strategy: autoupdate.AgentsStrategyHaltOnError,
+				Schedules: &autoupdatev1pb.AgentAutoUpdateSchedules{
+					Regular: []*autoupdatev1pb.AgentAutoUpdateGroup{
+						{Name: "g1", Days: cloudGroupUpdateDays},
+						{Name: "g2", Days: cloudGroupUpdateDays, WaitHours: maxRolloutDurationCloudHours},
+					},
+				},
+			},
+			expectErr: require.NoError,
+		},
 		{
 			name:    "self-hosted should allow long rollouts",
 			modules: selfHostedModules,