gravitational · rosstimothy · May 9, 2025 · May 6, 2025
diff --git a/lib/cache/cache.go b/lib/cache/cache.go
@@ -38,7 +38,6 @@ import (
 	"github.com/gravitational/teleport/api/client/proto"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
-	provisioningv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/provisioning/v1"
 	"github.com/gravitational/teleport/api/internalutils/stream"
 	apitracing "github.com/gravitational/teleport/api/observability/tracing"
 	"github.com/gravitational/teleport/api/types"
@@ -505,8 +504,6 @@ type Cache struct {
 	secReportsCache              services.SecReports
 	eventsFanout                 *services.FanoutV2
 	lowVolumeEventsFanout        *utils.RoundRobin[*services.FanoutV2]
-	provisioningStatesCache      *local.ProvisioningStateService
-	identityCenterCache          *local.IdentityCenterService
 	pluginStaticCredentialsCache *local.PluginStaticCredentialsService
 	gitServersCache              *local.GitServerService
 
@@ -900,12 +897,6 @@ func New(config Config) (*Cache, error) {
 		return nil, trace.Wrap(err)
 	}
 
-	provisioningStatesCache, err := local.NewProvisioningStateService(config.Backend)
-	if err != nil {
-		cancel()
-		return nil, trace.Wrap(err)
-	}
-
 	secReportsCache, err := local.NewSecReportsService(config.Backend, config.Clock)
 	if err != nil {
 		cancel()
@@ -924,13 +915,6 @@ func New(config Config) (*Cache, error) {
 		return nil, trace.Wrap(err)
 	}
 
-	identityCenterCache, err := local.NewIdentityCenterService(local.IdentityCenterServiceConfig{
-		Backend: config.Backend})
-	if err != nil {
-		cancel()
-		return nil, trace.Wrap(err)
-	}
-
 	pluginStaticCredentialsCache, err := local.NewPluginStaticCredentialsService(config.Backend)
 	if err != nil {
 		cancel()
@@ -966,8 +950,6 @@ func New(config Config) (*Cache, error) {
 		secReportsCache:              secReportsCache,
 		eventsFanout:                 fanout,
 		lowVolumeEventsFanout:        utils.NewRoundRobin(lowVolumeFanouts),
-		provisioningStatesCache:      provisioningStatesCache,
-		identityCenterCache:          identityCenterCache,
 		pluginStaticCredentialsCache: pluginStaticCredentialsCache,
 		gitServersCache:              gitServersCache,
 		collections:                  collections,
@@ -2054,16 +2036,3 @@ func buildListResourcesResponse[T types.ResourceWithLabels](resources iter.Seq[T
 
 	return &resp, nil
 }
-
-func (c *Cache) GetProvisioningState(ctx context.Context, downstream services.DownstreamID, id services.ProvisioningStateID) (*provisioningv1.PrincipalState, error) {
-	ctx, span := c.Tracer.Start(ctx, "cache/GetProvisioningState")
-	defer span.End()
-
-	rg, err := readLegacyCollectionCache(c, c.legacyCacheCollections.provisioningStates)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-	defer rg.Release()
-
-	return rg.reader.GetProvisioningState(ctx, downstream, id)
-}
diff --git a/lib/cache/collections.go b/lib/cache/collections.go
@@ -31,6 +31,7 @@ import (
 	kubewaitingcontainerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/kubewaitingcontainer/v1"
 	machineidv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
 	notificationsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/notifications/v1"
+	provisioningv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/provisioning/v1"
 	userprovisioningv2 "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2"
 	usertasksv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/usertasks/v1"
 	workloadidentityv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
@@ -64,70 +65,72 @@ type collectionHandler interface {
 type collections struct {
 	byKind map[resourceKind]collectionHandler
 
-	provisionTokens                  *collection[types.ProvisionToken, provisionTokenIndex]
-	staticTokens                     *collection[types.StaticTokens, staticTokensIndex]
-	certAuthorities                  *collection[types.CertAuthority, certAuthorityIndex]
-	users                            *collection[types.User, userIndex]
-	roles                            *collection[types.Role, roleIndex]
-	authServers                      *collection[types.Server, authServerIndex]
-	proxyServers                     *collection[types.Server, proxyServerIndex]
-	nodes                            *collection[types.Server, nodeIndex]
-	apps                             *collection[types.Application, appIndex]
-	appServers                       *collection[types.AppServer, appServerIndex]
-	dbs                              *collection[types.Database, databaseIndex]
-	dbServers                        *collection[types.DatabaseServer, databaseServerIndex]
-	dbServices                       *collection[types.DatabaseService, databaseServiceIndex]
-	kubeServers                      *collection[types.KubeServer, kubeServerIndex]
-	kubeClusters                     *collection[types.KubeCluster, kubeClusterIndex]
-	kubeWaitingContainers            *collection[*kubewaitingcontainerv1.KubernetesWaitingContainer, kubeWaitingContainerIndex]
-	windowsDesktops                  *collection[types.WindowsDesktop, windowsDesktopIndex]
-	windowsDesktopServices           *collection[types.WindowsDesktopService, windowsDesktopServiceIndex]
-	dynamicWindowsDesktops           *collection[types.DynamicWindowsDesktop, dynamicWindowsDesktopIndex]
-	userGroups                       *collection[types.UserGroup, userGroupIndex]
-	identityCenterAccounts           *collection[*identitycenterv1.Account, identityCenterAccountIndex]
-	identityCenterAccountAssignments *collection[*identitycenterv1.AccountAssignment, identityCenterAccountAssignmentIndex]
-	healthCheckConfig                *collection[*healthcheckconfigv1.HealthCheckConfig, healthCheckConfigIndex]
-	reverseTunnels                   *collection[types.ReverseTunnel, reverseTunnelIndex]
-	spiffeFederations                *collection[*machineidv1.SPIFFEFederation, spiffeFederationIndex]
-	workloadIdentity                 *collection[*workloadidentityv1.WorkloadIdentity, workloadIdentityIndex]
-	userNotifications                *collection[*notificationsv1.Notification, userNotificationIndex]
-	globalNotifications              *collection[*notificationsv1.GlobalNotification, globalNotificationIndex]
-	clusterName                      *collection[types.ClusterName, clusterNameIndex]
-	auditConfig                      *collection[types.ClusterAuditConfig, clusterAuditConfigIndex]
-	networkingConfig                 *collection[types.ClusterNetworkingConfig, clusterNetworkingConfigIndex]
-	authPreference                   *collection[types.AuthPreference, authPreferenceIndex]
-	sessionRecordingConfig           *collection[types.SessionRecordingConfig, sessionRecordingConfigIndex]
-	autoUpdateConfig                 *collection[*autoupdatev1.AutoUpdateConfig, autoUpdateConfigIndex]
-	autoUpdateVerion                 *collection[*autoupdatev1.AutoUpdateVersion, autoUpdateVersionIndex]
-	autoUpdateRollout                *collection[*autoupdatev1.AutoUpdateAgentRollout, autoUpdateAgentRolloutIndex]
-	oktaImportRules                  *collection[types.OktaImportRule, oktaImportRuleIndex]
-	oktaAssignments                  *collection[types.OktaAssignment, oktaAssignmentIndex]
-	samlIdPServiceProviders          *collection[types.SAMLIdPServiceProvider, samlIdPServiceProviderIndex]
-	samlIdPSessions                  *collection[types.WebSession, samlIdPSessionIndex]
-	webSessions                      *collection[types.WebSession, webSessionIndex]
-	appSessions                      *collection[types.WebSession, appSessionIndex]
-	snowflakeSessions                *collection[types.WebSession, snowflakeSessionIndex]
-	accessLists                      *collection[*accesslist.AccessList, accessListIndex]
-	accessListMembers                *collection[*accesslist.AccessListMember, accessListMemberIndex]
-	accessListReviews                *collection[*accesslist.Review, accessListReviewIndex]
-	crownJewels                      *collection[*crownjewelv1.CrownJewel, crownJewelIndex]
-	accessGraphSettings              *collection[*clusterconfigv1.AccessGraphSettings, accessGraphSettingsIndex]
-	integrations                     *collection[types.Integration, integrationIndex]
-	pluginStaticCredentials          *collection[types.PluginStaticCredentials, pluginStaticCredentialsIndex]
-	accessMonitoringRules            *collection[*accessmonitoringrulesv1.AccessMonitoringRule, accessMonitoringRuleIndex]
-	webTokens                        *collection[types.WebToken, webTokenIndex]
-	uiConfigs                        *collection[types.UIConfig, webUIConfigIndex]
-	installers                       *collection[types.Installer, installerIndex]
-	locks                            *collection[types.Lock, lockIndex]
-	tunnelConnections                *collection[types.TunnelConnection, tunnelConnectionIndex]
-	remoteClusters                   *collection[types.RemoteCluster, remoteClusterIndex]
-	userTasks                        *collection[*usertasksv1.UserTask, userTaskIndex]
-	userLoginStates                  *collection[*userloginstate.UserLoginState, userLoginStateIndex]
-	gitServers                       *collection[types.Server, gitServerIndex]
-	databaseObjects                  *collection[*dbobjectv1.DatabaseObject, databaseObjectIndex]
-	staticHostUsers                  *collection[*userprovisioningv2.StaticHostUser, staticHostUserIndex]
-	networkRestrictions              *collection[types.NetworkRestrictions, networkingRestrictionIndex]
-	discoveryConfigs                 *collection[*discoveryconfig.DiscoveryConfig, discoveryConfigIndex]
+	provisionTokens                    *collection[types.ProvisionToken, provisionTokenIndex]
+	staticTokens                       *collection[types.StaticTokens, staticTokensIndex]
+	certAuthorities                    *collection[types.CertAuthority, certAuthorityIndex]
+	users                              *collection[types.User, userIndex]
+	roles                              *collection[types.Role, roleIndex]
+	authServers                        *collection[types.Server, authServerIndex]
+	proxyServers                       *collection[types.Server, proxyServerIndex]
+	nodes                              *collection[types.Server, nodeIndex]
+	apps                               *collection[types.Application, appIndex]
+	appServers                         *collection[types.AppServer, appServerIndex]
+	dbs                                *collection[types.Database, databaseIndex]
+	dbServers                          *collection[types.DatabaseServer, databaseServerIndex]
+	dbServices                         *collection[types.DatabaseService, databaseServiceIndex]
+	kubeServers                        *collection[types.KubeServer, kubeServerIndex]
+	kubeClusters                       *collection[types.KubeCluster, kubeClusterIndex]
+	kubeWaitingContainers              *collection[*kubewaitingcontainerv1.KubernetesWaitingContainer, kubeWaitingContainerIndex]
+	windowsDesktops                    *collection[types.WindowsDesktop, windowsDesktopIndex]
+	windowsDesktopServices             *collection[types.WindowsDesktopService, windowsDesktopServiceIndex]
+	dynamicWindowsDesktops             *collection[types.DynamicWindowsDesktop, dynamicWindowsDesktopIndex]
+	userGroups                         *collection[types.UserGroup, userGroupIndex]
+	identityCenterAccounts             *collection[*identitycenterv1.Account, identityCenterAccountIndex]
+	identityCenterAccountAssignments   *collection[*identitycenterv1.AccountAssignment, identityCenterAccountAssignmentIndex]
+	healthCheckConfig                  *collection[*healthcheckconfigv1.HealthCheckConfig, healthCheckConfigIndex]
+	reverseTunnels                     *collection[types.ReverseTunnel, reverseTunnelIndex]
+	spiffeFederations                  *collection[*machineidv1.SPIFFEFederation, spiffeFederationIndex]
+	workloadIdentity                   *collection[*workloadidentityv1.WorkloadIdentity, workloadIdentityIndex]
+	userNotifications                  *collection[*notificationsv1.Notification, userNotificationIndex]
+	globalNotifications                *collection[*notificationsv1.GlobalNotification, globalNotificationIndex]
+	clusterName                        *collection[types.ClusterName, clusterNameIndex]
+	auditConfig                        *collection[types.ClusterAuditConfig, clusterAuditConfigIndex]
+	networkingConfig                   *collection[types.ClusterNetworkingConfig, clusterNetworkingConfigIndex]
+	authPreference                     *collection[types.AuthPreference, authPreferenceIndex]
+	sessionRecordingConfig             *collection[types.SessionRecordingConfig, sessionRecordingConfigIndex]
+	autoUpdateConfig                   *collection[*autoupdatev1.AutoUpdateConfig, autoUpdateConfigIndex]
+	autoUpdateVerion                   *collection[*autoupdatev1.AutoUpdateVersion, autoUpdateVersionIndex]
+	autoUpdateRollout                  *collection[*autoupdatev1.AutoUpdateAgentRollout, autoUpdateAgentRolloutIndex]
+	oktaImportRules                    *collection[types.OktaImportRule, oktaImportRuleIndex]
+	oktaAssignments                    *collection[types.OktaAssignment, oktaAssignmentIndex]
+	samlIdPServiceProviders            *collection[types.SAMLIdPServiceProvider, samlIdPServiceProviderIndex]
+	samlIdPSessions                    *collection[types.WebSession, samlIdPSessionIndex]
+	webSessions                        *collection[types.WebSession, webSessionIndex]
+	appSessions                        *collection[types.WebSession, appSessionIndex]
+	snowflakeSessions                  *collection[types.WebSession, snowflakeSessionIndex]
+	accessLists                        *collection[*accesslist.AccessList, accessListIndex]
+	accessListMembers                  *collection[*accesslist.AccessListMember, accessListMemberIndex]
+	accessListReviews                  *collection[*accesslist.Review, accessListReviewIndex]
+	crownJewels                        *collection[*crownjewelv1.CrownJewel, crownJewelIndex]
+	accessGraphSettings                *collection[*clusterconfigv1.AccessGraphSettings, accessGraphSettingsIndex]
+	integrations                       *collection[types.Integration, integrationIndex]
+	pluginStaticCredentials            *collection[types.PluginStaticCredentials, pluginStaticCredentialsIndex]
+	accessMonitoringRules              *collection[*accessmonitoringrulesv1.AccessMonitoringRule, accessMonitoringRuleIndex]
+	webTokens                          *collection[types.WebToken, webTokenIndex]
+	uiConfigs                          *collection[types.UIConfig, webUIConfigIndex]
+	installers                         *collection[types.Installer, installerIndex]
+	locks                              *collection[types.Lock, lockIndex]
+	tunnelConnections                  *collection[types.TunnelConnection, tunnelConnectionIndex]
+	remoteClusters                     *collection[types.RemoteCluster, remoteClusterIndex]
+	userTasks                          *collection[*usertasksv1.UserTask, userTaskIndex]
+	userLoginStates                    *collection[*userloginstate.UserLoginState, userLoginStateIndex]
+	gitServers                         *collection[types.Server, gitServerIndex]
+	databaseObjects                    *collection[*dbobjectv1.DatabaseObject, databaseObjectIndex]
+	staticHostUsers                    *collection[*userprovisioningv2.StaticHostUser, staticHostUserIndex]
+	networkRestrictions                *collection[types.NetworkRestrictions, networkingRestrictionIndex]
+	discoveryConfigs                   *collection[*discoveryconfig.DiscoveryConfig, discoveryConfigIndex]
+	provisioningStates                 *collection[*provisioningv1.PrincipalState, principalStateIndex]
+	identityCenterPrincipalAssignments *collection[*identitycenterv1.PrincipalAssignment, identityCenterPrincipalAssignmentIndex]
 }
 
 // setupCollections ensures that the appropriate [collection] is
@@ -658,6 +661,23 @@ func setupCollections(c Config) (*collections, error) {
 
 			out.discoveryConfigs = collect
 			out.byKind[resourceKind] = out.discoveryConfigs
+		case types.KindProvisioningPrincipalState:
+
+			collect, err := newPrincipalStateCollection(c.ProvisioningStates, watch)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+
+			out.provisioningStates = collect
+			out.byKind[resourceKind] = out.provisioningStates
+		case types.KindIdentityCenterPrincipalAssignment:
+			collect, err := newIdentityCenterPrincipalAssignmentCollection(c.IdentityCenter, watch)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+
+			out.identityCenterPrincipalAssignments = collect
+			out.byKind[resourceKind] = out.identityCenterPrincipalAssignments
 		}
 	}