awsoidc

package
v0.0.0-...-5c79d48 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 15, 2024 License: AGPL-3.0 Imports: 71 Imported by: 0

Documentation

Index

Constants

View Source 
const (

	// DatabaseServiceDeploymentMode is a deployment configuration for Deploying a Database Service.
	// This mode starts a Database with the specificied Resource Matchers.
	DatabaseServiceDeploymentMode = "database-service"
)

Variables

View Source 
var (
	// DeploymentModes has all the available deployment modes.
	DeploymentModes = []string{
		DatabaseServiceDeploymentMode,
	}
)

Functions

func ConfigureAccessGraphSyncIAM 

func ConfigureAccessGraphSyncIAM(ctx context.Context, clt AccessGraphIAMConfigureClient, req AccessGraphAWSIAMConfigureRequest) error

ConfigureAccessGraphSyncIAM sets up the roles required for Teleport to be able to pool AWS resources into Teleport. The following actions must be allowed by the IAM Role assigned in the Client.

  • iam:PutRolePolicy

func ConfigureDeployServiceIAM 

func ConfigureDeployServiceIAM(ctx context.Context, clt DeployServiceIAMConfigureClient, req DeployServiceIAMConfigureRequest) error

ConfigureDeployServiceIAM set ups the roles required for calling the DeployService action. It creates the following:

A) Role to be used by the deployed service, also known as _TaskRole_. The Role is able to manage policies and create logs. To ensure there's no priv escalation, we also set up a boundary policy. The boundary policy only allows the above permissions and the `rds-db:connect`.

B) Create a Policy in the Integration Role - the role used when setting up the integration. This policy allows for the required API Calls to set up the Amazon ECS TaskDefinition, Cluster and Service. It also allows to 'iam:PassRole' only for the _TaskRole_.

The following actions must be allowed by the IAM Role assigned in the Client. - iam:CreatePolicy - iam:CreateRole - iam:PutRolePolicy - iam:TagPolicy - iam:TagRole

func ConfigureEICEIAM 

func ConfigureEICEIAM(ctx context.Context, clt EICEIAMConfigureClient, req EICEIAMConfigureRequest) error

ConfigureEICEIAM set ups the roles required for accessing an EC2 Instance using EICE. It creates an embedded policy with the following permissions:

Action: List EC2 instances to add them as Teleport Nodes

  • ec2:DescribeInstances

Action: List EC2 Instance Connect Endpoints so that knows if they must create one Endpoint.

  • ec2:DescribeInstanceConnectEndpoints

Action: Select one or more SecurityGroups to apply to the EC2 Instance Connect Endpoints (the VPC's default SG is applied if no SG is provided).

  • ec2:DescribeSecurityGroups

Action: Create EC2 Instance Connect Endpoint so the user can open a tunnel to the EC2 instance. More info: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html

  • ec2:CreateInstanceConnectEndpoint
  • ec2:CreateTags
  • ec2:CreateNetworkInterface
  • iam:CreateServiceLinkedRole

Action: Send a temporary SSH Key to the target host.

  • ec2-instance-connect:SendSSHPublicKey

Action: Open a Tunnel to the EC2 using the Endpoint

  • ec2-instance-connect:OpenTunnel

The following actions must be allowed by the IAM Role assigned in the Client.

  • iam:PutRolePolicy

func ConfigureEKSIAM 

func ConfigureEKSIAM(ctx context.Context, clt EKSIAMConfigureClient, req EKSIAMConfigureRequest) error

ConfigureEKSIAM sets up the roles required for enrolling EKS clusters into Teleport. It creates an embedded policy with the following permissions: - eks:ListClusters - eks:DescribeCluster - eks:ListAccessEntries - eks:CreateAccessEntry - eks:DeleteAccessEntry - eks:AssociateAccessPolicy

For more info about EKS access entries see: https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/

The following actions must be allowed by the IAM Role assigned in the Client.

  • iam:PutRolePolicy

func ConfigureExternalAuditStorage 

func ConfigureExternalAuditStorage(
	ctx context.Context,
	clt ConfigureExternalAuditStorageClient,
	params *easconfig.ExternalAuditStorageConfiguration,
) error

ConfigureExternalAuditStorage attaches an IAM policy with necessary permissions for the ExternalAuditStorage feature to an existing IAM role associated with an AWS OIDC integration.

func ConfigureIdPIAM 

func ConfigureIdPIAM(ctx context.Context, clt IdPIAMConfigureClient, req IdPIAMConfigureRequest) error

ConfigureIdPIAM creates a new IAM OIDC IdP in AWS.

The Provider URL is Teleport's Public Address. It also creates a new Role configured to trust the recently created IdP.

The following actions must be allowed by the IAM Role assigned in the Client.

  • iam:CreateOpenIDConnectProvider
  • iam:CreateRole

func ConfigureListDatabasesIAM 

func ConfigureListDatabasesIAM(ctx context.Context, clt ListDatabasesIAMConfigureClient, req ConfigureIAMListDatabasesRequest) error

ConfigureListDatabasesIAM set ups the policy required for accessing an RDS DB Instances and RDS DB Clusters. It creates an inline policy with the following permissions:

  • rds:DescribeDBInstances
  • rds:DescribeDBClusters

The following actions must be allowed by the IAM Role assigned in the Client.

  • iam:PutRolePolicy

func NewAWSCredentialsProvider 

func NewAWSCredentialsProvider(ctx context.Context, req *AWSClientRequest) (aws.CredentialsProvider, error)

NewAWSCredentialsProvider creates an [aws.CredentialsProvider] using the provided Token, RoleARN and Region.

func NewSessionV1 

func NewSessionV1(ctx context.Context, client IntegrationTokenGenerator, region string, integrationName string) (*session.Session, error)

NewSessionV1 creates a new AWS Session for the region using the integration as source of credentials. This session is usable for AWS SDK Go V1.

func SendSSHPublicKeyToEC2 

func SendSSHPublicKeyToEC2(ctx context.Context, clt EICESendSSHPublicKeyClient, req SendSSHPublicKeyToEC2Request) (ssh.Signer, error)

SendSSHPublicKeyToEC2 sends an SSH Public Key to a target EC2 Instance. This key will be removed by AWS after 60 seconds and can only be used to authenticate the EC2SSHLoginUser. An ssh.Signer is then returned and can be used to access the host.

func ThumbprintIdP 

func ThumbprintIdP(ctx context.Context, publicAddress string) (string, error)

ThumbprintIdP returns the thumbprint as required by AWS when adding an OIDC Identity Provider. This is documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html Returns the thumbprint of the top intermediate CA that signed the TLS cert used to serve HTTPS requests. In case of a self signed certificate, then it returns the thumbprint of the TLS cert itself.

func UpdateDeployService 

func UpdateDeployService(ctx context.Context, clt DeployServiceClient, log *logrus.Entry, req UpdateServiceRequest) error

UpdateDeployService updates all the AWS OIDC deployed services with the specified version tag.

Types

type AWSClientRequest 

type AWSClientRequest struct {
	// IntegrationName is the integration name that is going to issue an API Call.
	IntegrationName string

	// Token is the token used to issue the API Call.
	Token string

	// RoleARN is the IAM Role ARN to assume.
	RoleARN string

	// Region where the API call should be made.
	Region string
	// contains filtered or unexported fields
}

AWSClientRequest contains the required fields to set up an AWS service client.

func (*AWSClientRequest) CheckAndSetDefaults 

func (req *AWSClientRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type AWSTags 

type AWSTags map[string]string

func (AWSTags) MatchesECSTags 

func (d AWSTags) MatchesECSTags(resourceTags []ecsTypes.Tag) bool

MatchesECSTags checks if the AWSTags are present and have the same value in resourceTags.

func (AWSTags) String 

func (d AWSTags) String() string

String converts AWSTags into a ',' separated list of k:v

func (AWSTags) ToEC2Tags 

func (d AWSTags) ToEC2Tags() []ec2Types.Tag

ToEC2Tags the default tags using the expected type for EC2 resources: ec2Types.Tag

func (AWSTags) ToECSTags 

func (d AWSTags) ToECSTags() []ecsTypes.Tag

ToECSTags returns the default tags using the expected type for ECS resources: ecsTypes.Tag

func (AWSTags) ToIAMTags 

func (d AWSTags) ToIAMTags() []iamTypes.Tag

ToIAMTags returns the default tags using the expected type for IAM resources: iamTypes.Tag

type AccessGraphAWSIAMConfigureRequest 

type AccessGraphAWSIAMConfigureRequest struct {
	// IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP.
	IntegrationRole string

	// IntegrationRoleTAGPolicy is the Policy Name that is created to allow access to call AWS APIs.
	// Defaults to "AccessGraphSyncAccess"
	IntegrationRoleTAGPolicy string
}

AccessGraphAWSIAMConfigureRequest is a request to configure the required Policies to use the TAG AWS Sync.

func (*AccessGraphAWSIAMConfigureRequest) CheckAndSetDefaults 

func (r *AccessGraphAWSIAMConfigureRequest) CheckAndSetDefaults() error

CheckAndSetDefaults ensures the required fields are present.

type AccessGraphIAMConfigureClient 

type AccessGraphIAMConfigureClient interface {
	// PutRolePolicy creates or replaces a Policy by its name in a IAM Role.
	PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
}

AccessGraphIAMConfigureClient describes the required methods to create the IAM Policies required for enrolling Access Graph AWS Sync into Teleport.

func NewAccessGraphIAMConfigureClient 

func NewAccessGraphIAMConfigureClient(ctx context.Context) (AccessGraphIAMConfigureClient, error)

NewAccessGraphIAMConfigureClient creates a new TAGIAMConfigureClient.

type CIDR 

type CIDR struct {
	// CIDR is the IP range using CIDR notation.
	CIDR string `json:"cidr"`
	// Description contains a small text describing the CIDR.
	Description string `json:"description"`
}

CIDR has a CIDR (IP Range) and a description for the value.

type ConfigureExternalAuditStorageClient 

type ConfigureExternalAuditStorageClient interface {
	PutRolePolicy(context.Context, *iam.PutRolePolicyInput, ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
	GetCallerIdentity(context.Context, *sts.GetCallerIdentityInput, ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
}

ConfigureExternalAuditStorageClient is an interface for the AWS client methods used by ConfigureExternalAuditStorage.

type ConfigureIAMListDatabasesRequest 

type ConfigureIAMListDatabasesRequest struct {
	// Region is the AWS Region.
	// Used to set up the AWS SDK Client.
	Region string

	// IntegrationRole is the Integration's AWS Role used by the integration.
	IntegrationRole string
}

ConfigureIAMListDatabasesRequest is a request to configure the required Policy to use the List Databases action.

func (*ConfigureIAMListDatabasesRequest) CheckAndSetDefaults 

func (r *ConfigureIAMListDatabasesRequest) CheckAndSetDefaults() error

CheckAndSetDefaults ensures the required fields are present.

type CreateEC2ICEClient 

type CreateEC2ICEClient interface {
	// CreateInstanceConnectEndpoint creates an EC2 Instance Connect Endpoint. An EC2 Instance Connect Endpoint
	// allows you to connect to an instance, without requiring the instance to have a
	// public IPv4 address. For more information, see Connect to your instances
	// without requiring a public IPv4 address using EC2 Instance Connect Endpoint (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html)
	// in the Amazon EC2 User Guide.
	CreateInstanceConnectEndpoint(ctx context.Context, params *ec2.CreateInstanceConnectEndpointInput, optFns ...func(*ec2.Options)) (*ec2.CreateInstanceConnectEndpointOutput, error)
}

CreateEC2ICE describes the required methods to List EC2 Instances using a 3rd Party API.

func NewCreateEC2ICEClient 

func NewCreateEC2ICEClient(ctx context.Context, req *AWSClientRequest) (CreateEC2ICEClient, error)

NewCreateEC2ICEClient creates a new CreateEC2ICEClient using a AWSClientRequest.

type CreateEC2ICERequest 

type CreateEC2ICERequest struct {
	// Cluster is the Teleport Cluster Name.
	// Used to tag resources created in AWS.
	Cluster string

	// IntegrationName is the integration name.
	// Used to tag resources created in AWS.
	IntegrationName string

	// Endpoints is a list of EC2 Instance Connect Endpoints to be createed.
	Endpoints []EC2ICEEndpoint

	// ResourceCreationTags is used to add tags when creating resources in AWS.
	// Defaults to:
	// - teleport.dev/cluster: <cluster>
	// - teleport.dev/origin: aws-oidc-integration
	// - teleport.dev/integration: <integrationName>
	ResourceCreationTags AWSTags
}

CreateEC2ICERequest contains the required fields to create an AWS EC2 Instance Connect Endpoint.

func (*CreateEC2ICERequest) CheckAndSetDefaults 

func (req *CreateEC2ICERequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type CreateEC2ICEResponse 

type CreateEC2ICEResponse struct {
	// Name is the Endpoint ID.
	Name string

	// CreatedEndpoints contains the name of created endpoints and their Subnet.
	CreatedEndpoints []EC2ICEEndpoint
}

CreateEC2ICEResponse contains the newly created EC2 Instance Connect Endpoint name.

func CreateEC2ICE 

func CreateEC2ICE(ctx context.Context, clt CreateEC2ICEClient, req CreateEC2ICERequest) (*CreateEC2ICEResponse, error)

CreateEC2ICE calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceConnectEndpoint.html It creates an EC2 Instance Connect Endpoint using the provided Subnet and Security Group IDs.

type DefaultConfigureExternalAuditStorageClient 

type DefaultConfigureExternalAuditStorageClient struct {
	Iam *iam.Client
	Sts *sts.Client
}

DefaultConfigureExternalAuditStorageClient wraps an iam and sts client to implement ConfigureExternalAuditStorageClient.

func (*DefaultConfigureExternalAuditStorageClient) GetCallerIdentity 

func (d *DefaultConfigureExternalAuditStorageClient) GetCallerIdentity(ctx context.Context, input *sts.GetCallerIdentityInput, opts ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)

GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation.

func (*DefaultConfigureExternalAuditStorageClient) PutRolePolicy 

func (d *DefaultConfigureExternalAuditStorageClient) PutRolePolicy(ctx context.Context, input *iam.PutRolePolicyInput, opts ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)

PutRolePolicy adds or updates an inline policy document that is embedded in the specified IAM role.

type DeployDatabaseServiceRequest 

type DeployDatabaseServiceRequest struct {
	// Region is the AWS Region
	Region string

	// Deployments contains a list of services to be deployed.
	Deployments []DeployDatabaseServiceRequestDeployment

	// TaskRoleARN is the AWS Role's ARN used within the Task execution.
	// Ensure the AWS Client has `iam:PassRole` for this Role's ARN.
	TaskRoleARN string

	// TeleportClusterName is the Teleport Cluster Name.
	// Used to create names for Cluster and TaskDefinitions, and AWS resource tags.
	TeleportClusterName string

	// ProxyServerHostPort is the Teleport Proxy's Public.
	// The Deployed services will connect to this service.
	ProxyServerHostPort string

	// IntegrationName is the integration name.
	// Used for resource tagging when creating resources in AWS.
	IntegrationName string

	// TeleportVersionTag is the version of teleport to install.
	// Ensure the tag exists in:
	// public.ecr.aws/gravitational/teleport-distroless:<TeleportVersionTag>
	// Eg, 13.2.0
	// Optional. Defaults to the current version.
	TeleportVersionTag string

	// ResourceCreationTags is used to add tags when creating resources in AWS.
	ResourceCreationTags AWSTags

	// CreateDeployServiceConfig creates a teleport.yaml configuration that the agent
	// deployed in a ECS Cluster (using Fargate) will use.
	CreateDeployServiceConfig func(proxyHostPort, iamToken string, resourceMatcherLabels types.Labels) (string, error)
	// contains filtered or unexported fields
}

DeployDatabaseServiceRequest contains the required fields to deploy multiple Teleport Databases Services. Each Service will proxy a specific set of Databases, based on their "account-id", "region" and "vpc-id" labels.

func (*DeployDatabaseServiceRequest) CheckAndSetDefaults 

func (r *DeployDatabaseServiceRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type DeployDatabaseServiceRequestDeployment 

type DeployDatabaseServiceRequestDeployment struct {
	// VPCID is the VPCID where the service is going to be deployed.
	VPCID string

	// SubnetIDs are the subnets for the network configuration.
	// They must belong to the VPCID above.
	SubnetIDs []string

	// SecurityGroupIDs are the SecurityGroups that should be applied to the ECS Service.
	// Optional. If empty, uses the VPC's default SecurityGroup.
	SecurityGroupIDs []string
}

DeployDatabaseServiceRequestDeployment identifies the required fields to deploy a DatabaseService.

type DeployDatabaseServiceResponse 

type DeployDatabaseServiceResponse struct {
	// ClusterARN is the Amazon ECS Cluster ARN where the task was started.
	ClusterARN string

	// ClusterDashboardURL is a link to the Cluster's Dashboard URL in Amazon Console.
	ClusterDashboardURL string
}

DeployDatabaseServiceResponse contains the ARNs of the Amazon resources used to deploy the Teleport Service.

func DeployDatabaseService 

func DeployDatabaseService(ctx context.Context, clt DeployServiceClient, req DeployDatabaseServiceRequest) (*DeployDatabaseServiceResponse, error)

DeployDatabaseService calls Amazon ECS APIs to deploy multiple Teleport DatabaseService. Each DatabaseService is created per Deployment and proxies the DBs that match a specific set of labels.

Those DatabaseServices join the cluster using an IAM Join Token, which is created if it doesn't exist yet.

The following AWS ECS resources are created: Cluster, Services and Task Definition.

A single ECS Cluster is created, named <teleport-cluster-name>-teleport Eg, tenant_teleport_sh-teleport

An ECS TaskDefinition is created per deployment. It uses Teleport Image and is configured to start a DatabaseService proxying the databases that match on `account-id`, `region` and `vpc-id`. A new revision is created if it already exists. Example of an ECS TaskDefinition name: tenant_teleport_sh-teleport-database-service-vpc-123:1

An ECS Service is created per deployment/ECS TaskDefinition. It will be configured to run on the VPC and have the Subnets and SecurityGroups defined in each deployment. If no SecurityGroup is provided, it will be assigned the VPC's default SecurityGroup. Its IAM access are the ones defined in the TaskRoleARN AWS IAM Role. For the required permissions, see the method ConfigureDeployServiceIAM. Example of an ECS Service name: database-service-vpc-123

Each of those AWS ECS Resources will have the following set of tags:

- teleport.dev/cluster: <clusterName>

- teleport.dev/origin: aws-oidc-integration

- teleport.dev/integration: <integrationName>

If resources already exist, only resources with those tags will be updated.

type DeployServiceClient 

type DeployServiceClient interface {
	// DescribeClusters lists ECS Clusters.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeClusters
	DescribeClusters(ctx context.Context, params *ecs.DescribeClustersInput, optFns ...func(*ecs.Options)) (*ecs.DescribeClustersOutput, error)

	// CreateCluster creates a new cluster.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.CreateCluster
	CreateCluster(ctx context.Context, params *ecs.CreateClusterInput, optFns ...func(*ecs.Options)) (*ecs.CreateClusterOutput, error)

	// PutClusterCapacityProviders sets the Capacity Providers available for services in a given cluster.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.PutClusterCapacityProviders
	PutClusterCapacityProviders(ctx context.Context, params *ecs.PutClusterCapacityProvidersInput, optFns ...func(*ecs.Options)) (*ecs.PutClusterCapacityProvidersOutput, error)

	// DescribeServices lists the matching Services of a given Cluster.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeServices
	DescribeServices(ctx context.Context, params *ecs.DescribeServicesInput, optFns ...func(*ecs.Options)) (*ecs.DescribeServicesOutput, error)

	// ListServices returns a list of services. You can filter the results by cluster, launch type,
	// and scheduling strategy.
	ListServices(ctx context.Context, params *ecs.ListServicesInput, optFns ...func(*ecs.Options)) (*ecs.ListServicesOutput, error)

	// UpdateService updates the service.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.UpdateService
	UpdateService(ctx context.Context, params *ecs.UpdateServiceInput, optFns ...func(*ecs.Options)) (*ecs.UpdateServiceOutput, error)

	// CreateService starts a task within a cluster.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.CreateService
	CreateService(ctx context.Context, params *ecs.CreateServiceInput, optFns ...func(*ecs.Options)) (*ecs.CreateServiceOutput, error)

	// DescribeTaskDefinition describes the task definition.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeTaskDefinition
	DescribeTaskDefinition(ctx context.Context, params *ecs.DescribeTaskDefinitionInput, optFns ...func(*ecs.Options)) (*ecs.DescribeTaskDefinitionOutput, error)

	// RegisterTaskDefinition registers a new task definition from the supplied family and containerDefinitions.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.RegisterTaskDefinition
	RegisterTaskDefinition(ctx context.Context, params *ecs.RegisterTaskDefinitionInput, optFns ...func(*ecs.Options)) (*ecs.RegisterTaskDefinitionOutput, error)

	// DeregisterTaskDefinition deregisters the task definition.
	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DeregisterTaskDefinition
	DeregisterTaskDefinition(ctx context.Context, params *ecs.DeregisterTaskDefinitionInput, optFns ...func(*ecs.Options)) (*ecs.DeregisterTaskDefinitionOutput, error)

	// TokenService are the required methods to manage the IAM Join Token.
	// When the deployed service connects to the cluster, it will use the IAM Join method.
	// Before deploying the service, it must ensure that the token exists and has the appropriate token rul.
	TokenService

	// GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation.
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
}

DeployServiceClient describes the required methods to Deploy a Teleport Service.

func NewDeployServiceClient 

func NewDeployServiceClient(ctx context.Context, clientReq *AWSClientRequest, tokenServiceClient TokenService) (DeployServiceClient, error)

NewDeployServiceClient creates a new DeployServiceClient using a AWSClientRequest.

type DeployServiceIAMConfigureClient 

type DeployServiceIAMConfigureClient interface {
	// GetCallerIdentity returns information about the caller identity.
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)

	// CreatePolicy creates a new IAM Policy.
	CreatePolicy(ctx context.Context, params *iam.CreatePolicyInput, optFns ...func(*iam.Options)) (*iam.CreatePolicyOutput, error)

	// CreateRole creates a new IAM Role.
	CreateRole(ctx context.Context, params *iam.CreateRoleInput, optFns ...func(*iam.Options)) (*iam.CreateRoleOutput, error)

	// PutRolePolicy creates or replaces a Policy by its name in a IAM Role.
	PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
}

DeployServiceIAMConfigureClient describes the required methods to create the IAM Roles/Policies required for the DeployService action.

func NewDeployServiceIAMConfigureClient 

func NewDeployServiceIAMConfigureClient(ctx context.Context, region string) (DeployServiceIAMConfigureClient, error)

NewDeployServiceIAMConfigureClient creates a new DeployServiceIAMConfigureClient.

type DeployServiceIAMConfigureRequest 

type DeployServiceIAMConfigureRequest struct {
	// Cluster is the Teleport Cluster.
	// Used for tagging the created Roles/Policies.
	Cluster string

	// IntegrationName is the Integration Name.
	// Used for tagging the created Roles/Policies.
	IntegrationName string

	// Region is the AWS Region.
	// Used to set up the AWS SDK Client.
	Region string

	// IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP.
	IntegrationRole string

	// IntegrationRoleDeployServicePolicy is the Policy Name that is created to allow the DeployService to call AWS APIs (ecs, logs).
	// Defaults to DeployService.
	IntegrationRoleDeployServicePolicy string

	// TaskRole is the AWS Role used by the deployed service.
	TaskRole string

	// TaskRoleBoundaryPolicyName is the name to be used to create a Policy to be used as boundary for the TaskRole.
	// Defaults to <TaskRole>Boundary
	TaskRoleBoundaryPolicyName string

	// AccountID is the AWS Account ID.
	// Optional. sts.GetCallerIdentity is used if not provided.
	AccountID string

	// ResourceCreationTags is used to add tags when creating resources in AWS.
	// Defaults to:
	// - teleport.dev/cluster: <cluster>
	// - teleport.dev/origin: aws-oidc-integration
	// - teleport.dev/integration: <integrationName>
	ResourceCreationTags AWSTags
	// contains filtered or unexported fields
}

DeployServiceIAMConfigureRequest is a request to configure the DeployService action required Roles.

func (*DeployServiceIAMConfigureRequest) CheckAndSetDefaults 

func (r *DeployServiceIAMConfigureRequest) CheckAndSetDefaults() error

CheckAndSetDefaults ensures the required fields are present.

type DeployServiceRequest 

type DeployServiceRequest struct {
	// Region is the AWS Region
	Region string

	// AccountID is the AWS Account ID.
	// Optional. sts.GetCallerIdentity is used if the value is not provided.
	AccountID string

	// SubnetIDs are the subnets associated with the service.
	SubnetIDs []string

	// SecurityGroups to apply to the service's network configuration.
	// If empty, the default security group for the VPC is going to be used.
	SecurityGroups []string

	// ClusterName is the ECS Cluster to be used.
	// It will be created if it doesn't exist.
	// It will be updated if it doesn't include the FARGATE capacity provider using PutClusterCapacityProviders.
	ClusterName *string

	// ServiceName is the ECS Service to be used.
	// It will be created if it doesn't exist.
	// It will be updated if it doesn't match the required properties.
	ServiceName *string

	// TaskName is the ECS Task Definition's Family Name.
	TaskName *string

	// TaskRoleARN is the AWS Role's ARN used within the Task execution.
	// Ensure the AWS Client has `iam:PassRole` for this Role's ARN.
	TaskRoleARN string

	// TeleportClusterName is the Teleport Cluster Name, used to create default names for Cluster, Service and Task.
	TeleportClusterName string

	// TeleportIAMTokenNameis the Teleport IAM Token to use in the deployed Service.
	// Optional.
	// Defaults to discover-aws-oidc-iam-token
	TeleportIAMTokenName string

	// ProxyServerHostPort is the Teleport Proxy's Public.
	ProxyServerHostPort string

	// IntegrationName is the integration name.
	// Used for resource tagging when creating resources in AWS.
	IntegrationName string

	// ResourceCreationTags is used to add tags when creating resources in AWS.
	ResourceCreationTags AWSTags

	// DeploymentMode is the identifier of a deployment mode - which Teleport Services to enable and their configuration.
	DeploymentMode string

	// DatabaseResourceMatcherLabels contains the set of labels to be used by the DatabaseService.
	// This is used when the deployment mode creates a Database Service.
	DatabaseResourceMatcherLabels types.Labels

	// TeleportVersionTag is the version of teleport to install.
	// Ensure the tag exists in:
	// public.ecr.aws/gravitational/teleport-distroless:<TeleportVersionTag>
	// Eg, 13.2.0
	// Optional. Defaults to the current version.
	TeleportVersionTag string

	// DeployServiceConfigString creates a teleport.yaml configuration that the agent
	// deployed in a ECS Cluster (using Fargate) will use.
	DeployServiceConfigString func(proxyHostPort, iamToken string, resourceMatcherLabels types.Labels) (string, error)
}

DeployServiceRequest contains the required fields to deploy a Teleport Service.

func (*DeployServiceRequest) CheckAndSetDefaults 

func (r *DeployServiceRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type DeployServiceResponse 

type DeployServiceResponse struct {
	// ClusterARN is the Amazon ECS Cluster ARN where the task was started.
	ClusterARN string

	// ServiceARN is the Amazon ECS Cluster Service ARN created to run the task.
	ServiceARN string

	// TaskDefinitionARN is the Amazon ECS Task Definition ARN created to run the  Teleport Service.
	TaskDefinitionARN string

	// ServiceDashboardURL is a link to the service's Dashboard URL in Amazon Console.
	ServiceDashboardURL string
}

DeployServiceResponse contains the ARNs of the Amazon resources used to deploy the Teleport Service.

func DeployService 

func DeployService(ctx context.Context, clt DeployServiceClient, req DeployServiceRequest) (*DeployServiceResponse, error)

Resource tagging

Created resources have the following set of tags: - teleport.dev/cluster: <clusterName> - teleport.dev/origin: aws-oidc-integration - teleport.dev/integration: <integrationName>

If resources already exist, only resources with those tags will be updated.

type EC2ICEEndpoint 

type EC2ICEEndpoint struct {
	// Name is the endpoint name.
	Name string

	// SubnetID is the Subnet where the Endpoint will be created.
	SubnetID string

	// SecurityGroupIDs is a list of SecurityGroups to assign to the Endpoint.
	// If not specified, the Endpoint will receive the default SG for the Subnet's VPC.
	SecurityGroupIDs []string
}

EC2ICEEndpoint contains the information for a single Endpoint to be created.

type EC2InstanceConnectEndpoint 

type EC2InstanceConnectEndpoint struct {
	// Name is the endpoint name.
	Name string `json:"name,omitempty"`

	// State is the endpoint state.
	// Known values:
	// create-in-progress | create-complete | create-failed | delete-in-progress | delete-complete | delete-failed
	State string `json:"state,omitempty"`

	// StateMessage contains a message describing the state of the EICE.
	// Can be empty.
	StateMessage string `json:"stateMessage,omitempty"`

	// DashboardLink is a URL to AWS Console where the user can see the EC2 Instance Connect Endpoint.
	DashboardLink string `json:"dashboardLink,omitempty"`

	// SubnetID is the subnet used by the endpoint.
	// Please note that the Endpoint should be able to reach any subnet within the VPC.
	SubnetID string `json:"subnetId,omitempty"`

	// VPCID is the VPC ID where the Endpoint is created.
	VPCID string `json:"vpcId,omitempty"`
}

EC2InstanceConnectEndpoint is the Teleport representation of an EC2 Instance Connect Endpoint

type EICEIAMConfigureClient 

type EICEIAMConfigureClient interface {
	// PutRolePolicy creates or replaces a Policy by its name in a IAM Role.
	PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
}

EICEIAMConfigureClient describes the required methods to create the IAM Policies required for accessing EC2 instances usine EICE.

func NewEICEIAMConfigureClient 

func NewEICEIAMConfigureClient(ctx context.Context, region string) (EICEIAMConfigureClient, error)

NewEICEIAMConfigureClient creates a new EICEIAMConfigureClient.

type EICEIAMConfigureRequest 

type EICEIAMConfigureRequest struct {
	// Region is the AWS Region.
	// Used to set up the AWS SDK Client.
	Region string

	// IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP.
	IntegrationRole string

	// IntegrationRoleEICEPolicy is the Policy Name that is created to allow access to call AWS APIs.
	// Defaults to EC2InstanceConnectEndpoint
	IntegrationRoleEICEPolicy string
}

EICEIAMConfigureRequest is a request to configure the required Policies to use the EC2 Instance Connect Endpoint feature.

func (*EICEIAMConfigureRequest) CheckAndSetDefaults 

func (r *EICEIAMConfigureRequest) CheckAndSetDefaults() error

CheckAndSetDefaults ensures the required fields are present.

type EICESendSSHPublicKeyClient 

type EICESendSSHPublicKeyClient interface {
	// SendSSHPublicKey pushes an SSH public key to the specified EC2 instance for use by the specified
	// user. The key remains for 60 seconds. For more information, see Connect to your
	// Linux instance using EC2 Instance Connect (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html)
	// in the Amazon EC2 User Guide.
	SendSSHPublicKey(ctx context.Context, params *ec2instanceconnect.SendSSHPublicKeyInput, optFns ...func(*ec2instanceconnect.Options)) (*ec2instanceconnect.SendSSHPublicKeyOutput, error)
}

EICESendSSHPublicKeyClient describes the required methods to send an SSH Public Key to an EC2 Instance. This is is remains for 60 seconds and is removed afterwards.

func NewEICESendSSHPublicKeyClient 

func NewEICESendSSHPublicKeyClient(ctx context.Context, clientReq *AWSClientRequest) (EICESendSSHPublicKeyClient, error)

NewEICESendSSHPublicKeyClient creates a EICESendSSHPublicKeyClient using AWSClientRequest.

type EKSCluster 

type EKSCluster struct {
	// Name is the name of AWS EKS cluster.
	Name string

	// Region is an AWS region.
	Region string

	// Arn is an AWS ARN identification of the EKS cluster.
	Arn string

	// Labels are labels of a EKS cluster.
	Labels map[string]string

	// JoinLabels are Teleport labels that should be injected into kube agent
	// if the cluster will be enrolled into Teleport (agent installed on it).
	JoinLabels map[string]string

	// Status is a current status of an EKS cluster in AWS.
	Status string
}

EKSCluster represents a cluster in AWS EKS.

type EKSIAMConfigureClient 

type EKSIAMConfigureClient interface {
	// PutRolePolicy creates or replaces a Policy by its name in a IAM Role.
	PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
}

EKSIAMConfigureClient describes the required methods to create the IAM Policies required for enrolling EKS clusters into Teleport.

func NewEKSIAMConfigureClient 

func NewEKSIAMConfigureClient(ctx context.Context, region string) (EKSIAMConfigureClient, error)

NewEKSIAMConfigureClient creates a new EKSIAMConfigureClient.

type EKSIAMConfigureRequest 

type EKSIAMConfigureRequest struct {
	// Region is the AWS Region.
	// Used to set up the AWS SDK Client.
	Region string

	// IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP.
	IntegrationRole string

	// IntegrationRoleEKSPolicy is the Policy Name that is created to allow access to call AWS APIs.
	// Defaults to "EKSAccess"
	IntegrationRoleEKSPolicy string
}

EKSIAMConfigureRequest is a request to configure the required Policies to use the EKS.

func (*EKSIAMConfigureRequest) CheckAndSetDefaults 

func (r *EKSIAMConfigureRequest) CheckAndSetDefaults() error

CheckAndSetDefaults ensures the required fields are present.

type EnrollEKSCLusterClient 

type EnrollEKSCLusterClient interface {
	// CreateAccessEntry creates an access entry. An access entry allows an IAM principal to access an EKS cluster.
	CreateAccessEntry(ctx context.Context, params *eks.CreateAccessEntryInput, optFns ...func(*eks.Options)) (*eks.CreateAccessEntryOutput, error)

	// AssociateAccessPolicy associates an access policy and its scope to an access entry.
	AssociateAccessPolicy(ctx context.Context, params *eks.AssociateAccessPolicyInput, optFns ...func(*eks.Options)) (*eks.AssociateAccessPolicyOutput, error)

	// ListAccessEntries lists the access entries for an EKS cluster.
	ListAccessEntries(ctx context.Context, params *eks.ListAccessEntriesInput, optFns ...func(*eks.Options)) (*eks.ListAccessEntriesOutput, error)

	// DeleteAccessEntry deletes an access entry from an EKS cluster.
	DeleteAccessEntry(ctx context.Context, params *eks.DeleteAccessEntryInput, optFns ...func(*eks.Options)) (*eks.DeleteAccessEntryOutput, error)

	// DescribeCluster returns detailed information about an EKS cluster.
	DescribeCluster(ctx context.Context, params *eks.DescribeClusterInput, optFns ...func(*eks.Options)) (*eks.DescribeClusterOutput, error)

	// GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation.
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)

	// CheckAgentAlreadyInstalled checks if teleport-kube-agent Helm chart is already installed on the EKS cluster.
	CheckAgentAlreadyInstalled(context.Context, genericclioptions.RESTClientGetter, logrus.FieldLogger) (bool, error)

	// InstallKubeAgent installs teleport-kube-agent Helm chart to the EKS cluster.
	InstallKubeAgent(context.Context, *eksTypes.Cluster, string, string, string, genericclioptions.RESTClientGetter, logrus.FieldLogger, EnrollEKSClustersRequest) error

	// CreateToken creates provisioning token on the auth server. That token can be used to install kube agent to an EKS cluster.
	CreateToken(context.Context, types.ProvisionToken) error
}

EnrollEKSCLusterClient defines functions required for EKS cluster enrollment.

func NewEnrollEKSClustersClient 

func NewEnrollEKSClustersClient(ctx context.Context, req *AWSClientRequest, tokenCreator TokenCreator) (EnrollEKSCLusterClient, error)

NewEnrollEKSClustersClient returns new client that can be used to enroll EKS clusters into Teleport.

type EnrollEKSClusterResponse 

type EnrollEKSClusterResponse struct {
	// Results contain an error per a cluster enrollment if there was one.
	Results []EnrollEKSClusterResult
}

EnrollEKSClusterResponse contains result for enrollment .

func EnrollEKSClusters 

func EnrollEKSClusters(ctx context.Context, log logrus.FieldLogger, clock clockwork.Clock, proxyAddr string, credsProvider aws.CredentialsProvider, clt EnrollEKSCLusterClient, req EnrollEKSClustersRequest) *EnrollEKSClusterResponse

EnrollEKSClusters enrolls EKS clusters into Teleport by installing teleport-kube-agent chart on the clusters. It returns list of result individually for each EKS cluster. Clusters are enrolled concurrently. If an error occurs during a cluster enrollment an error message will be present in the result for this cluster. Otherwise result will contain resource ID - this is ID from the join token used by the enrolled cluster and can be used by UI to check when agent joins Teleport cluster.

During enrollment we create access entry for an EKS cluster if needed and cluster admin policy is associated with that entry, so our AWS integration can access the target EKS cluster during the chart installation. After enrollment is done we remove the access entry (if it was created by us), since we don't need it anymore.

type EnrollEKSClusterResult 

type EnrollEKSClusterResult struct {
	// ClusterName is the name of an EKS cluster.
	ClusterName string
	// ResourceId is resource ID for the cluster, it is taken from the join token used to enroll the cluster.
	ResourceId string
	// Error contains an error that happened during enrollment, if there was one.
	Error error
}

EnrollEKSClusterResult contains result for a single EKS cluster enrollment, if it was successful 'Error' will be nil otherwise it will contain an error happened during enrollment.

type EnrollEKSClustersRequest 

type EnrollEKSClustersRequest struct {
	// Region is the AWS Region.
	Region string

	// ClusterNames is name of the EKS cluster to enroll.
	ClusterNames []string

	// EnableAppDiscovery specifies if we should enable Kubernetes App Discovery inside the enrolled EKS cluster.
	EnableAppDiscovery bool

	// EnableAutoUpgrades specifies if we should enable agent auto upgrades.
	EnableAutoUpgrades bool

	// IsCloud specifies if enrollment is done for the Teleport Cloud client.
	IsCloud bool

	// AgentVersion specifies version of the Helm chart that will be installed during enrollment.
	AgentVersion string
}

EnrollEKSClustersRequest contains the required fields to enroll EKS cluster to Teleport.

type IdPIAMConfigureClient 

type IdPIAMConfigureClient interface {
	// GetCallerIdentity returns information about the caller identity.
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)

	// CreateOpenIDConnectProvider creates an IAM OIDC IdP.
	CreateOpenIDConnectProvider(ctx context.Context, params *iam.CreateOpenIDConnectProviderInput, optFns ...func(*iam.Options)) (*iam.CreateOpenIDConnectProviderOutput, error)

	// CreateRole creates a new IAM Role.
	CreateRole(ctx context.Context, params *iam.CreateRoleInput, optFns ...func(*iam.Options)) (*iam.CreateRoleOutput, error)
}

IdPIAMConfigureClient describes the required methods to create the AWS OIDC IdP and a Role that trusts that identity provider.

func NewIdPIAMConfigureClient 

func NewIdPIAMConfigureClient(ctx context.Context) (IdPIAMConfigureClient, error)

NewIdPIAMConfigureClient creates a new IdPIAMConfigureClient.

type IdPIAMConfigureRequest 

type IdPIAMConfigureRequest struct {
	// Cluster is the Teleport Cluster.
	// Used for tagging the created Roles/IdP.
	Cluster string

	// AccountID is the AWS Account ID.
	// Optional. sts.GetCallerIdentity is used if not provided.
	AccountID string

	// IntegrationName is the Integration Name.
	// Used for tagging the created Roles/IdP.
	IntegrationName string

	// ProxyPublicAddress is the URL to use as provider URL.
	// This must be a valid URL (ie, url.Parse'able)
	// Eg, https://<tenant>.teleport.sh, https://proxy.example.org:443, https://teleport.ec2.aws:3080
	ProxyPublicAddress string

	// IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP.
	IntegrationRole string
	// contains filtered or unexported fields
}

IdPIAMConfigureRequest is a request to configure the required Policies to use the EC2 Instance Connect Endpoint feature.

func (*IdPIAMConfigureRequest) CheckAndSetDefaults 

func (r *IdPIAMConfigureRequest) CheckAndSetDefaults() error

CheckAndSetDefaults ensures the required fields are present.

type IdentityGetter 

type IdentityGetter func(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)

IdentityGetter returns AWS identity of the caller.

type IdentityToken 

type IdentityToken string

IdentityToken is an implementation of [stscreds.IdentityTokenRetriever] for returning a static token.

func (IdentityToken) FetchToken 

func (j IdentityToken) FetchToken(ctx credentials.Context) ([]byte, error)

FetchToken returns the token.

func (IdentityToken) GetIdentityToken 

func (j IdentityToken) GetIdentityToken() ([]byte, error)

GetIdentityToken returns the token configured.

type IntegrationTokenFetcher 

type IntegrationTokenFetcher func(context.Context) ([]byte, error)

IntegrationTokenFetcher handles dynamic token generation using a callback function. Useful to embed as a [stscreds.TokenFetcher].

func (IntegrationTokenFetcher) FetchToken 

func (genFn IntegrationTokenFetcher) FetchToken(ctx context.Context) ([]byte, error)

FetchToken returns a token by calling the callback function.

type IntegrationTokenGenerator 

type IntegrationTokenGenerator interface {
	// GetIntegration returns the specified integration resources.
	GetIntegration(ctx context.Context, name string) (types.Integration, error)

	// GetProxies returns a list of registered proxies.
	GetProxies() ([]types.Server, error)

	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
	GenerateAWSOIDCToken(ctx context.Context) (string, error)
}

IntegrationTokenGenerator is an interface that indicates which APIs are required to generate an Integration Token.

type ListDatabasesClient 

type ListDatabasesClient interface {
	// Returns information about provisioned RDS instances.
	// This API supports pagination.
	DescribeDBInstances(ctx context.Context, params *rds.DescribeDBInstancesInput, optFns ...func(*rds.Options)) (*rds.DescribeDBInstancesOutput, error)

	// Returns information about Amazon Aurora DB clusters and Multi-AZ DB clusters.
	// This API supports pagination
	DescribeDBClusters(ctx context.Context, params *rds.DescribeDBClustersInput, optFns ...func(*rds.Options)) (*rds.DescribeDBClustersOutput, error)
}

ListDatabasesClient describes the required methods to List Databases (Instances and Clusters) using a 3rd Party API.

func NewListDatabasesClient 

func NewListDatabasesClient(ctx context.Context, req *AWSClientRequest) (ListDatabasesClient, error)

NewListDatabasesClient creates a new ListDatabasesClient using a AWSClientRequest.

type ListDatabasesIAMConfigureClient 

type ListDatabasesIAMConfigureClient interface {
	// PutRolePolicy creates or replaces a Policy by its name in a IAM Role.
	PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
}

ListDatabasesIAMConfigureClient describes the required methods to create the IAM Policies required for Listing Databases.

type ListDatabasesRequest 

type ListDatabasesRequest struct {
	// Region is the AWS Region
	Region string
	// RDSType is either `instance` or `cluster`.
	RDSType string
	// Engines filters the returned Databases based on their engine.
	// Eg, mysql, postgres, mariadb, aurora, aurora-mysql, aurora-postgresql
	Engines []string
	// NextToken is the token to be used to fetch the next page.
	// If empty, the first page is fetched.
	NextToken string
}

ListDatabasesRequest contains the required fields to list AWS Databases.

func (*ListDatabasesRequest) CheckAndSetDefaults 

func (req *ListDatabasesRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type ListDatabasesResponse 

type ListDatabasesResponse struct {
	// Databases contains the page of Databases
	Databases []types.Database

	// NextToken is used for pagination.
	// If non-empty, it can be used to request the next page.
	NextToken string
}

ListDatabasesResponse contains a page of AWS Databases.

func ListAllDatabases 

func ListAllDatabases(ctx context.Context, clt ListDatabasesClient, region string) (*ListDatabasesResponse, error)

ListAllDatabases collects dbs until end of pages for all supported RDS engines and types.

func ListDatabases 

func ListDatabases(ctx context.Context, clt ListDatabasesClient, req ListDatabasesRequest) (*ListDatabasesResponse, error)

ListDatabases calls the following AWS API: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html It returns a list of Databases and an optional NextToken that can be used to fetch the next page

type ListEC2Client 

type ListEC2Client interface {
	// DescribeInstances describes the specified instances or all instances.
	DescribeInstances(ctx context.Context, params *ec2.DescribeInstancesInput, optFns ...func(*ec2.Options)) (*ec2.DescribeInstancesOutput, error)

	// GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation.
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
}

ListEC2Client describes the required methods to List EC2 Instances using a 3rd Party API.

func NewListEC2Client 

func NewListEC2Client(ctx context.Context, req *AWSClientRequest) (ListEC2Client, error)

NewListEC2Client creates a new ListEC2Client using a AWSClientRequest.

type ListEC2ICEClient 

type ListEC2ICEClient interface {
	// DescribeInstanceConnectEndpoints describes the specified EC2 Instance Connect Endpoints or all EC2 Instance
	// Connect Endpoints.
	DescribeInstanceConnectEndpoints(ctx context.Context, params *ec2.DescribeInstanceConnectEndpointsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeInstanceConnectEndpointsOutput, error)
}

ListEC2ICEClient describes the required methods to List EC2 Instances using a 3rd Party API.

func NewListEC2ICEClient 

func NewListEC2ICEClient(ctx context.Context, req *AWSClientRequest) (ListEC2ICEClient, error)

NewListEC2ICEClient creates a new ListEC2ICEClient using a AWSClientRequest.

type ListEC2ICERequest 

type ListEC2ICERequest struct {
	// Region is the region of the EICE.
	Region string

	// VPCIDs is a list of VPCs to filter EC2 Instance Connect Endpoints.
	VPCIDs []string

	// NextToken is the token to be used to fetch the next page.
	// If empty, the first page is fetched.
	NextToken string
}

ListEC2ICERequest contains the required fields to list AWS EC2 Instance Connect Endpoints.

func (*ListEC2ICERequest) CheckAndSetDefaults 

func (req *ListEC2ICERequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type ListEC2ICEResponse 

type ListEC2ICEResponse struct {
	// EC2ICEs contains the page of EC2 Instance Connect Endpoint.
	EC2ICEs []EC2InstanceConnectEndpoint `json:"ec2InstanceConnectEndpoints,omitempty"`

	// DashboardLink is the URL for AWS Web Console that lists all the Endpoints for the queries VPCs.
	DashboardLink string `json:"dashboardLink,omitempty"`

	// NextToken is used for pagination.
	// If non-empty, it can be used to request the next page.
	NextToken string `json:"nextToken,omitempty"`
}

ListEC2ICEResponse contains a page of AWS EC2 Instances as Teleport Servers.

func ListEC2ICE 

func ListEC2ICE(ctx context.Context, clt ListEC2ICEClient, req ListEC2ICERequest) (*ListEC2ICEResponse, error)

ListEC2ICE calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceConnectEndpoints.html It returns a list of EC2 Instance Connect Endpoints and an optional NextToken that can be used to fetch the next page

type ListEC2Request 

type ListEC2Request struct {
	// Integration is the AWS OIDC Integration name.
	// This is used to populate the Server resource.
	// When connecting to the Node, this is the integration that is going to be used.
	Integration string

	// Region is the AWS Region.
	Region string

	// NextToken is the token to be used to fetch the next page.
	// If empty, the first page is fetched.
	NextToken string
}

ListEC2Request contains the required fields to list AWS EC2 Instances.

func (*ListEC2Request) CheckAndSetDefaults 

func (req *ListEC2Request) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type ListEC2Response 

type ListEC2Response struct {
	// Servers contains the page of Servers.
	Servers []types.Server

	// NextToken is used for pagination.
	// If non-empty, it can be used to request the next page.
	NextToken string
}

ListEC2Response contains a page of AWS EC2 Instances as Teleport Servers.

func ListEC2 

func ListEC2(ctx context.Context, clt ListEC2Client, req ListEC2Request) (*ListEC2Response, error)

ListEC2 calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html It returns a list of EC2 Instances and an optional NextToken that can be used to fetch the next page Only Platform!=Windows and State=Running instances are returned.

type ListEKSClustersClient 

type ListEKSClustersClient interface {
	// ListClusters lists the EKS clusters.
	ListClusters(ctx context.Context, params *eks.ListClustersInput, optFns ...func(*eks.Options)) (*eks.ListClustersOutput, error)

	// DescribeCluster returns detailed information about an EKS cluster.
	DescribeCluster(ctx context.Context, params *eks.DescribeClusterInput, optFns ...func(*eks.Options)) (*eks.DescribeClusterOutput, error)
}

ListEKSClustersClient describes the required methods to List EKS clusters using a 3rd Party API.

func NewListEKSClustersClient 

func NewListEKSClustersClient(ctx context.Context, req *AWSClientRequest) (ListEKSClustersClient, error)

NewListEKSClustersClient creates a new ListEKSClusters client using AWSClientRequest.

type ListEKSClustersRequest 

type ListEKSClustersRequest struct {
	// Region is the AWS Region.
	Region string

	// NextToken is the token to be used to fetch the next page.
	// If empty, the first page is fetched.
	NextToken string
}

ListEKSClustersRequest contains the required fields to list AWS EKS Clusters.

func (*ListEKSClustersRequest) CheckAndSetDefaults 

func (req *ListEKSClustersRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type ListEKSClustersResponse 

type ListEKSClustersResponse struct {
	// Servers contains the page of Servers.
	Clusters []EKSCluster

	// NextToken is used for pagination.
	// If non-empty, it can be used to request the next page.
	NextToken string

	// ClusterFetchingErrors contains errors for fetching detailed information about specific cluster, if any happened.
	ClusterFetchingErrors map[string]error
}

ListEKSClustersResponse contains a page of AWS EKS Clusters.

func ListEKSClusters 

func ListEKSClusters(ctx context.Context, clt ListEKSClustersClient, req ListEKSClustersRequest) (*ListEKSClustersResponse, error)

ListEKSClusters calls the following AWS API: https://docs.aws.amazon.com/eks/latest/APIReference/API_ListClusters.html - to list available EKS clusters https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html - to get more detailed information about the each cluster in the list we received. It returns a list of EKS clusters with detailed information about them.

type ListSecurityGroupsClient 

type ListSecurityGroupsClient interface {
	// DescribeSecurityGroups describes the specified security groups or all of your security groups.
	DescribeSecurityGroups(ctx context.Context, params *ec2.DescribeSecurityGroupsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeSecurityGroupsOutput, error)
}

ListSecurityGroupsClient describes the required methods to List Security Groups a 3rd Party API.

func NewListSecurityGroupsClient 

func NewListSecurityGroupsClient(ctx context.Context, req *AWSClientRequest) (ListSecurityGroupsClient, error)

NewListSecurityGroupsClient creates a new ListSecurityGroupsClient using a AWSClientRequest.

type ListSecurityGroupsRequest 

type ListSecurityGroupsRequest struct {
	// VPCID is the VPC to filter Security Groups.
	VPCID string

	// NextToken is the token to be used to fetch the next page.
	// If empty, the first page is fetched.
	NextToken string
}

ListSecurityGroupsRequest contains the required fields to list VPC Security Groups.

func (*ListSecurityGroupsRequest) CheckAndSetDefaults 

func (req *ListSecurityGroupsRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type ListSecurityGroupsResponse 

type ListSecurityGroupsResponse struct {
	// SecurityGroups contains the page of VPC Security Groups.
	SecurityGroups []SecurityGroup `json:"securityGroups"`

	// NextToken is used for pagination.
	// If non-empty, it can be used to request the next page.
	NextToken string `json:"nextToken"`
}

ListSecurityGroupsResponse contains a page of SecurityGroups.

func ListSecurityGroups 

func ListSecurityGroups(ctx context.Context, clt ListSecurityGroupsClient, req ListSecurityGroupsRequest) (*ListSecurityGroupsResponse, error)

ListSecurityGroups calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html It returns a list of VPC Security Groups and an optional NextToken that can be used to fetch the next page

type OpenTunnelEC2Client 

type OpenTunnelEC2Client interface {
	// DescribeInstanceConnectEndpoints describes the specified EC2 Instance Connect Endpoints or all EC2 Instance
	// Connect Endpoints.
	DescribeInstanceConnectEndpoints(ctx context.Context, params *ec2.DescribeInstanceConnectEndpointsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeInstanceConnectEndpointsOutput, error)

	// Retrieve returns nil if it successfully retrieved the value.
	// Error is returned if the value were not obtainable, or empty.
	Retrieve(ctx context.Context) (aws.Credentials, error)
}

OpenTunnelEC2Client describes the required methods to Open a Tunnel to an EC2 Instance using EC2 Instance Connect Endpoint.

func NewOpenTunnelEC2Client 

func NewOpenTunnelEC2Client(ctx context.Context, clientReq *AWSClientRequest) (OpenTunnelEC2Client, error)

NewOpenTunnelEC2Client creates a OpenTunnelEC2Client using AWSClientRequest.

type OpenTunnelEC2Request 

type OpenTunnelEC2Request struct {
	// Region is the AWS Region.
	Region string

	// VPCID is the VPC where the EC2 Instance is located.
	// Used to look for the EC2 Instance Connect Endpoint.
	// Each VPC ID can only have one EC2 Instance Connect Endpoint.
	VPCID string

	// EC2Address is the address to connect to in the EC2 Instance.
	// Eg, ip-172-31-32-234.eu-west-2.compute.internal:22
	EC2Address string

	// EC2InstanceID is the EC2 Instance ID.
	EC2InstanceID string
	// contains filtered or unexported fields
}

OpenTunnelEC2Request contains the required fields to open a tunnel to an EC2 instance. This will create a TCP socket that forwards incoming connections to the EC2's private IP address.

func (*OpenTunnelEC2Request) CheckAndSetDefaults 

func (r *OpenTunnelEC2Request) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type OpenTunnelEC2Response 

type OpenTunnelEC2Response struct {
	// Tunnel is a net.Conn that is connected to the EC2 instance.
	// The SSH Client must use this connection to connect to it.
	Tunnel net.Conn
}

OpenTunnelEC2Response contains the response for creating a Tunnel to an EC2 Instance. It returns the listening address and the SSH Private Key (PEM encoded).

func OpenTunnelEC2 

func OpenTunnelEC2(ctx context.Context, clt OpenTunnelEC2Client, req OpenTunnelEC2Request) (*OpenTunnelEC2Response, error)

OpenTunnelEC2 creates a tunnel to an ec2 instance using its private IP. Ref: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-using-eice.html - https://github.com/aws/aws-cli/blob/f6c820e89d8b566ab54ab9d863754ec4b713fd6a/awscli/customizations/ec2instanceconnect/opentunnel.py

High level archictecture: - does a lookup for an EC2 Instance Connect Endpoint available (create-complete state) for the target VPC - connects to it (websockets) and returns the connection - the connection can be used to access the EC2 instance directly (tcp stream)

type SecurityGroup 

type SecurityGroup struct {
	// Name is the Security Group name.
	// This is just a friendly name and should not be used for further API calls
	Name string `json:"name"`

	// ID is the security group ID.
	// This is the value that should be used when doing further API calls.
	ID string `json:"id"`

	// Description is a small description of the Security Group.
	// Might be empty.
	Description string `json:"description"`

	// InboundRules describe the Security Group Inbound Rules.
	// The CIDR of each rule represents the source IP that the rule applies to.
	InboundRules []SecurityGroupRule `json:"inboundRules"`

	// OutboundRules describe the Security Group Outbound Rules.
	// The CIDR of each rule represents the destination IP that the rule applies to.
	OutboundRules []SecurityGroupRule `json:"outboundRules"`
}

SecurityGroup is the Teleport representation of an EC2 Instance Connect Endpoint

type SecurityGroupRule 

type SecurityGroupRule struct {
	// IPProtocol is the protocol used to describe the rule.
	// If the rule applies to all protocols, the "all" value is used.
	// The IP protocol name ( tcp , udp , icmp , icmpv6 ) or number (see Protocol
	// Numbers (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)).
	IPProtocol string `json:"ipProtocol"`

	// FromPort is the inclusive start of the Port range for the Rule.
	FromPort int `json:"fromPort"`

	// ToPort is the inclusive end of the Port range for the Rule.
	ToPort int `json:"toPort"`

	// CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
	CIDRs []CIDR `json:"cidrs"`
}

SecurityGroupRule is a SecurityGroup role. It describes which protocol, port range and a list of IPs the rule applies to.

type SendSSHPublicKeyToEC2Request 

type SendSSHPublicKeyToEC2Request struct {
	// InstanceID is the EC2 Instance's ID.
	InstanceID string

	// EC2SSHLoginUser is the OS user to use when the user wants SSH access.
	EC2SSHLoginUser string
}

SendSSHPublicKeyToEC2Request contains the required fields to request the upload of an SSH Public Key.

func (*SendSSHPublicKeyToEC2Request) CheckAndSetDefaults 

func (r *SendSSHPublicKeyToEC2Request) CheckAndSetDefaults() error

CheckAndSetDefaults checks if the required fields are present.

type TokenCreator 

type TokenCreator func(ctx context.Context, token types.ProvisionToken) error

TokenCreator creates join token on the auth server.

type TokenService 

type TokenService interface {
	// GetToken returns a provision token by name.
	GetToken(ctx context.Context, name string) (types.ProvisionToken, error)

	// UpsertToken creates or updates a provision token.
	UpsertToken(ctx context.Context, token types.ProvisionToken) error
}

TokenService defines the required methods to upsert the Provision Token used by the Deploy Service.

type UpdateServiceRequest 

type UpdateServiceRequest struct {
	// TeleportClusterName specifies the teleport cluster name
	TeleportClusterName string
	// TeleportVersionTag specifies the desired teleport version in the format "13.4.0"
	TeleportVersionTag string
	// OwnershipTags specifies ownership tags
	OwnershipTags AWSTags
}

UpdateServiceRequest contains the required fields to update a Teleport Service.

func (*UpdateServiceRequest) CheckAndSetDefaults 

func (req *UpdateServiceRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default config values.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.