check integration reference in the current state of the plugin resource #56138
flyinghermit merged 3 commits into master from
Conversation
Note to reviewer: I am open to keeping the conditional deletion and only fixing the core issue to provide the correct backend key name, if you think it's worth keeping it.
| switch pluginV1.GetType() { | ||
| case types.PluginType(types.PluginTypeAWSIdentityCenter): | ||
| if awsIC := pluginV1.Spec.GetAwsIc(); awsIC != nil { | ||
| if awsIC.IntegrationName == name { |
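Review bot: the reference check on the last line of this hunk compares `awsIC.IntegrationName` against the integration name, but the proto comment quoted in this thread marks `integration_name` as deprecated ("Use [Credentials] instead. DELETE in Teleport 19+") and notes it may be empty when the credentials source is SYSTEM. A plugin that references its integration only through the newer `Credentials` field will not be seen by this comparison, and once the deprecated field is removed the guard disappears silently. Either extend the check to the `Credentials`-based reference here, or leave a comment pointing at the follow-up so the deprecation removal does not drop the check unnoticed.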
```proto
// IntegrationName is the Teleport OIDC integration used to gain access to the
// AWS account. May be empty if [CredentialsSource] is SYSTEM.
// DEPRECATED: Use [Credentials] instead. DELETE in Teleport 19+
string integration_name = 1 [deprecated = true];
```
I feel like we should switch to https://github.com/gravitational/teleport/blob/master/api/proto/teleport/legacy/types/types.proto#L7369
Good point. The plugin create handler still references the integration name field https://github.com/gravitational/teleport.e/blob/master/lib/web/plugindescriptor_aws_ic.go#L85C5-L87C59. I think it would be better to update all the references at once.
Existing access to AWS will not be affected, but the identity center service will not be able to provision new account assignments or de-provision existing assignments.
Co-authored-by: Marek Smoliński <marek@goteleport.com>
@flyinghermit See the table below for backport results.
In the `DeleteIntegration` we need to ensure that the integration which is being deleted is not referenced by the AWS identity center plugin. If it is not referenced, a backend condition was added to ensure that the revision of the plugin is not changed between the reference check and the final backend delete op. This condition incorrectly referenced "integration name" instead of "plugin name" in the plugin backend key. This led to the revision value never matching during the delete operation, preventing deletion of the integration.

There is another issue with the current conditional deletion approach based on the revision value. Given that the plugin spec holds a plugin status field, which is expected to be updated frequently in tandem with the service runtime status, users might still occasionally hit a revision mismatch error when trying to delete the integration.

Since the integration field can only be manually configured when creating/editing the plugin, and the system checks for the existence of the integration resource before creating the plugin, imho the UX issue created by the revision mismatch outweighs the prevention ensured by the conditional deletion. As such, `integrationReferencedByAWSICPlugin` is now updated to only check for the integration reference in the current state of the plugin resource in the backend.

changelog: Fixed an issue that prevented deletion of an integration resource if the AWS Identity Center plugin was installed in the Teleport cluster.
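The three behaviours described in the PR description (a revision condition keyed by the wrong name that can never match, a correctly keyed condition that still fails when a status write lands between the check and the delete, and the final current-state-only check), played out against a toy backend. This is an added example, not Teleport's code: the in-memory `backend`, its `conditionalDelete` semantics, the `plugins/` and `integrations/` key layout, the `integration=<name>;status=<s>` plugin encoding, the plugin name and all function names are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed in-memory backend: every key carries a revision string.
type item struct{ value, revision string }

type backend struct {
	items   map[string]item
	nextRev int
}

// put stores value under key and returns the new revision.
func (b *backend) put(key, value string) string {
	b.nextRev++
	b.items[key] = item{value: value, revision: fmt.Sprintf("rev-%d", b.nextRev)}
	return b.items[key].revision
}

// condition means "key must still be at revision when the delete runs".
type condition struct{ key, revision string }

var (
	errRevisionChanged = errors.New("condition failed: revision mismatch")
	errReferenced      = errors.New("integration is referenced by the AWS Identity Center plugin")
)

// conditionalDelete removes key only if every condition still holds (assumed semantics).
func (b *backend) conditionalDelete(key string, conds ...condition) error {
	for _, c := range conds {
		if it, ok := b.items[c.key]; !ok || it.revision != c.revision {
			return errRevisionChanged
		}
	}
	delete(b.items, key)
	return nil
}

// Assumed key layout and plugin encoding ("integration=<name>;status=<s>").
const awsICPluginName = "aws-identity-center"

func pluginKey(name string) string      { return "plugins/" + name }
func integrationKey(name string) string { return "integrations/" + name }

func pluginIntegration(value string) string {
	for _, f := range strings.Split(value, ";") {
		if strings.HasPrefix(f, "integration=") {
			return strings.TrimPrefix(f, "integration=")
		}
	}
	return ""
}

// referencedByPlugin inspects the plugin's current state and returns the plugin
// revision observed at check time ("" if no plugin is installed).
func referencedByPlugin(b *backend, name string) (bool, string) {
	plugin, ok := b.items[pluginKey(awsICPluginName)]
	if !ok {
		return false, ""
	}
	return pluginIntegration(plugin.value) == name, plugin.revision
}

// deleteIntegrationConditional is the pre-fix flow: delete under a condition
// pinned to the plugin revision seen earlier. condKey is the key named in the
// condition; the bug was passing the integration name there.
func deleteIntegrationConditional(b *backend, name, condKey, pluginRev string) error {
	var conds []condition
	if pluginRev != "" {
		conds = append(conds, condition{key: condKey, revision: pluginRev})
	}
	return b.conditionalDelete(integrationKey(name), conds...)
}

// deleteIntegrationCurrentState is the PR's final flow: check the reference in
// the plugin's current state, then delete with no revision condition.
func deleteIntegrationCurrentState(b *backend, name string) error {
	if ref, _ := referencedByPlugin(b, name); ref {
		return errReferenced
	}
	return b.conditionalDelete(integrationKey(name))
}

func main() {
	b := &backend{items: map[string]item{}}
	b.put(integrationKey("aws-oidc"), "oidc")
	b.put(pluginKey(awsICPluginName), "integration=other;status=running")
	_, rev := referencedByPlugin(b, "aws-oidc")
	// Condition keyed by the integration name: no such plugin key, never matches.
	fmt.Println("wrong key:", deleteIntegrationConditional(b, "aws-oidc", pluginKey("aws-oidc"), rev))
	// A status write lands between check and delete: right key, stale revision.
	b.put(pluginKey(awsICPluginName), "integration=other;status=degraded")
	fmt.Println("stale rev:", deleteIntegrationConditional(b, "aws-oidc", pluginKey(awsICPluginName), rev))
	// Current-state check only: the delete goes through.
	fmt.Println("current:", deleteIntegrationCurrentState(b, "aws-oidc"))
}
```

The first two calls fail with a revision mismatch for different reasons: the wrongly keyed condition points at a key that does not exist, and the correctly keyed one is defeated by an unrelated status update. The current-state variant trades that race for a simpler check, which is the UX-versus-safety tradeoff the description argues for; the reference check itself still blocks deletion when the plugin names the integration.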