Documentation ¶
Index ¶
- Constants
- Variables
- func ConfigureAccessGraphSyncIAM(ctx context.Context, clt AccessGraphIAMConfigureClient, ...) error
- func ConfigureDeployServiceIAM(ctx context.Context, clt DeployServiceIAMConfigureClient, ...) error
- func ConfigureEICEIAM(ctx context.Context, clt EICEIAMConfigureClient, req EICEIAMConfigureRequest) error
- func ConfigureEKSIAM(ctx context.Context, clt EKSIAMConfigureClient, req EKSIAMConfigureRequest) error
- func ConfigureExternalAuditStorage(ctx context.Context, clt ConfigureExternalAuditStorageClient, ...) error
- func ConfigureIdPIAM(ctx context.Context, clt IdPIAMConfigureClient, req IdPIAMConfigureRequest) error
- func ConfigureListDatabasesIAM(ctx context.Context, clt ListDatabasesIAMConfigureClient, ...) error
- func NewAWSCredentialsProvider(ctx context.Context, req *AWSClientRequest) (aws.CredentialsProvider, error)
- func NewSessionV1(ctx context.Context, client IntegrationTokenGenerator, region string, ...) (*session.Session, error)
- func SendSSHPublicKeyToEC2(ctx context.Context, clt EICESendSSHPublicKeyClient, ...) (ssh.Signer, error)
- func ThumbprintIdP(ctx context.Context, publicAddress string) (string, error)
- func UpdateDeployService(ctx context.Context, clt DeployServiceClient, log *logrus.Entry, ...) error
- type AWSClientRequest
- type AWSTags
- type AccessGraphAWSIAMConfigureRequest
- type AccessGraphIAMConfigureClient
- type CIDR
- type ConfigureExternalAuditStorageClient
- type ConfigureIAMListDatabasesRequest
- type CreateEC2ICEClient
- type CreateEC2ICERequest
- type CreateEC2ICEResponse
- type DefaultConfigureExternalAuditStorageClient
- func (d *DefaultConfigureExternalAuditStorageClient) GetCallerIdentity(ctx context.Context, input *sts.GetCallerIdentityInput, ...) (*sts.GetCallerIdentityOutput, error)
- func (d *DefaultConfigureExternalAuditStorageClient) PutRolePolicy(ctx context.Context, input *iam.PutRolePolicyInput, opts ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
- type DeployDatabaseServiceRequest
- type DeployDatabaseServiceRequestDeployment
- type DeployDatabaseServiceResponse
- type DeployServiceClient
- type DeployServiceIAMConfigureClient
- type DeployServiceIAMConfigureRequest
- type DeployServiceRequest
- type DeployServiceResponse
- type EC2ICEEndpoint
- type EC2InstanceConnectEndpoint
- type EICEIAMConfigureClient
- type EICEIAMConfigureRequest
- type EICESendSSHPublicKeyClient
- type EKSCluster
- type EKSIAMConfigureClient
- type EKSIAMConfigureRequest
- type EnrollEKSCLusterClient
- type EnrollEKSClusterResponse
- type EnrollEKSClusterResult
- type EnrollEKSClustersRequest
- type IdPIAMConfigureClient
- type IdPIAMConfigureRequest
- type IdentityGetter
- type IdentityToken
- type IntegrationTokenFetcher
- type IntegrationTokenGenerator
- type ListDatabasesClient
- type ListDatabasesIAMConfigureClient
- type ListDatabasesRequest
- type ListDatabasesResponse
- type ListEC2Client
- type ListEC2ICEClient
- type ListEC2ICERequest
- type ListEC2ICEResponse
- type ListEC2Request
- type ListEC2Response
- type ListEKSClustersClient
- type ListEKSClustersRequest
- type ListEKSClustersResponse
- type ListSecurityGroupsClient
- type ListSecurityGroupsRequest
- type ListSecurityGroupsResponse
- type OpenTunnelEC2Client
- type OpenTunnelEC2Request
- type OpenTunnelEC2Response
- type SecurityGroup
- type SecurityGroupRule
- type SendSSHPublicKeyToEC2Request
- type TokenCreator
- type TokenService
- type UpdateServiceRequest
Constants ¶
const ( // DatabaseServiceDeploymentMode is a deployment configuration for Deploying a Database Service. // This mode starts a Database with the specificied Resource Matchers. DatabaseServiceDeploymentMode = "database-service" )
Variables ¶
var ( // DeploymentModes has all the available deployment modes. DeploymentModes = []string{ DatabaseServiceDeploymentMode, } )
Functions ¶
func ConfigureAccessGraphSyncIAM ¶
func ConfigureAccessGraphSyncIAM(ctx context.Context, clt AccessGraphIAMConfigureClient, req AccessGraphAWSIAMConfigureRequest) error
ConfigureAccessGraphSyncIAM sets up the roles required for Teleport to be able to pool AWS resources into Teleport. The following actions must be allowed by the IAM Role assigned in the Client.
- iam:PutRolePolicy
func ConfigureDeployServiceIAM ¶
func ConfigureDeployServiceIAM(ctx context.Context, clt DeployServiceIAMConfigureClient, req DeployServiceIAMConfigureRequest) error
ConfigureDeployServiceIAM set ups the roles required for calling the DeployService action. It creates the following:
A) Role to be used by the deployed service, also known as _TaskRole_. The Role is able to manage policies and create logs. To ensure there's no priv escalation, we also set up a boundary policy. The boundary policy only allows the above permissions and the `rds-db:connect`.
B) Create a Policy in the Integration Role - the role used when setting up the integration. This policy allows for the required API Calls to set up the Amazon ECS TaskDefinition, Cluster and Service. It also allows to 'iam:PassRole' only for the _TaskRole_.
The following actions must be allowed by the IAM Role assigned in the Client. - iam:CreatePolicy - iam:CreateRole - iam:PutRolePolicy - iam:TagPolicy - iam:TagRole
func ConfigureEICEIAM ¶
func ConfigureEICEIAM(ctx context.Context, clt EICEIAMConfigureClient, req EICEIAMConfigureRequest) error
ConfigureEICEIAM set ups the roles required for accessing an EC2 Instance using EICE. It creates an embedded policy with the following permissions:
Action: List EC2 instances to add them as Teleport Nodes
- ec2:DescribeInstances
Action: List EC2 Instance Connect Endpoints so that knows if they must create one Endpoint.
- ec2:DescribeInstanceConnectEndpoints
Action: Select one or more SecurityGroups to apply to the EC2 Instance Connect Endpoints (the VPC's default SG is applied if no SG is provided).
- ec2:DescribeSecurityGroups
Action: Create EC2 Instance Connect Endpoint so the user can open a tunnel to the EC2 instance. More info: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.html
- ec2:CreateInstanceConnectEndpoint
- ec2:CreateTags
- ec2:CreateNetworkInterface
- iam:CreateServiceLinkedRole
Action: Send a temporary SSH Key to the target host.
- ec2-instance-connect:SendSSHPublicKey
Action: Open a Tunnel to the EC2 using the Endpoint
- ec2-instance-connect:OpenTunnel
The following actions must be allowed by the IAM Role assigned in the Client.
- iam:PutRolePolicy
func ConfigureEKSIAM ¶
func ConfigureEKSIAM(ctx context.Context, clt EKSIAMConfigureClient, req EKSIAMConfigureRequest) error
ConfigureEKSIAM sets up the roles required for enrolling EKS clusters into Teleport. It creates an embedded policy with the following permissions: - eks:ListClusters - eks:DescribeCluster - eks:ListAccessEntries - eks:CreateAccessEntry - eks:DeleteAccessEntry - eks:AssociateAccessPolicy
For more info about EKS access entries see: https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/
The following actions must be allowed by the IAM Role assigned in the Client.
- iam:PutRolePolicy
func ConfigureExternalAuditStorage ¶
func ConfigureExternalAuditStorage( ctx context.Context, clt ConfigureExternalAuditStorageClient, params *easconfig.ExternalAuditStorageConfiguration, ) error
ConfigureExternalAuditStorage attaches an IAM policy with necessary permissions for the ExternalAuditStorage feature to an existing IAM role associated with an AWS OIDC integration.
func ConfigureIdPIAM ¶
func ConfigureIdPIAM(ctx context.Context, clt IdPIAMConfigureClient, req IdPIAMConfigureRequest) error
ConfigureIdPIAM creates a new IAM OIDC IdP in AWS.
The Provider URL is Teleport's Public Address. It also creates a new Role configured to trust the recently created IdP.
The following actions must be allowed by the IAM Role assigned in the Client.
- iam:CreateOpenIDConnectProvider
- iam:CreateRole
func ConfigureListDatabasesIAM ¶
func ConfigureListDatabasesIAM(ctx context.Context, clt ListDatabasesIAMConfigureClient, req ConfigureIAMListDatabasesRequest) error
ConfigureListDatabasesIAM set ups the policy required for accessing an RDS DB Instances and RDS DB Clusters. It creates an inline policy with the following permissions:
- rds:DescribeDBInstances
- rds:DescribeDBClusters
The following actions must be allowed by the IAM Role assigned in the Client.
- iam:PutRolePolicy
func NewAWSCredentialsProvider ¶
func NewAWSCredentialsProvider(ctx context.Context, req *AWSClientRequest) (aws.CredentialsProvider, error)
NewAWSCredentialsProvider creates an [aws.CredentialsProvider] using the provided Token, RoleARN and Region.
func NewSessionV1 ¶
func NewSessionV1(ctx context.Context, client IntegrationTokenGenerator, region string, integrationName string) (*session.Session, error)
NewSessionV1 creates a new AWS Session for the region using the integration as source of credentials. This session is usable for AWS SDK Go V1.
func SendSSHPublicKeyToEC2 ¶
func SendSSHPublicKeyToEC2(ctx context.Context, clt EICESendSSHPublicKeyClient, req SendSSHPublicKeyToEC2Request) (ssh.Signer, error)
SendSSHPublicKeyToEC2 sends an SSH Public Key to a target EC2 Instance. This key will be removed by AWS after 60 seconds and can only be used to authenticate the EC2SSHLoginUser. An ssh.Signer is then returned and can be used to access the host.
func ThumbprintIdP ¶
ThumbprintIdP returns the thumbprint as required by AWS when adding an OIDC Identity Provider. This is documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html Returns the thumbprint of the top intermediate CA that signed the TLS cert used to serve HTTPS requests. In case of a self signed certificate, then it returns the thumbprint of the TLS cert itself.
func UpdateDeployService ¶
func UpdateDeployService(ctx context.Context, clt DeployServiceClient, log *logrus.Entry, req UpdateServiceRequest) error
UpdateDeployService updates all the AWS OIDC deployed services with the specified version tag.
Types ¶
type AWSClientRequest ¶
type AWSClientRequest struct { // IntegrationName is the integration name that is going to issue an API Call. IntegrationName string // Token is the token used to issue the API Call. Token string // RoleARN is the IAM Role ARN to assume. RoleARN string // Region where the API call should be made. Region string // contains filtered or unexported fields }
AWSClientRequest contains the required fields to set up an AWS service client.
func (*AWSClientRequest) CheckAndSetDefaults ¶
func (req *AWSClientRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type AWSTags ¶
func (AWSTags) MatchesECSTags ¶
MatchesECSTags checks if the AWSTags are present and have the same value in resourceTags.
func (AWSTags) ToEC2Tags ¶
ToEC2Tags the default tags using the expected type for EC2 resources: ec2Types.Tag
func (AWSTags) ToECSTags ¶
ToECSTags returns the default tags using the expected type for ECS resources: ecsTypes.Tag
type AccessGraphAWSIAMConfigureRequest ¶
type AccessGraphAWSIAMConfigureRequest struct { // IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP. IntegrationRole string // IntegrationRoleTAGPolicy is the Policy Name that is created to allow access to call AWS APIs. // Defaults to "AccessGraphSyncAccess" IntegrationRoleTAGPolicy string }
AccessGraphAWSIAMConfigureRequest is a request to configure the required Policies to use the TAG AWS Sync.
func (*AccessGraphAWSIAMConfigureRequest) CheckAndSetDefaults ¶
func (r *AccessGraphAWSIAMConfigureRequest) CheckAndSetDefaults() error
CheckAndSetDefaults ensures the required fields are present.
type AccessGraphIAMConfigureClient ¶
type AccessGraphIAMConfigureClient interface { // PutRolePolicy creates or replaces a Policy by its name in a IAM Role. PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) }
AccessGraphIAMConfigureClient describes the required methods to create the IAM Policies required for enrolling Access Graph AWS Sync into Teleport.
func NewAccessGraphIAMConfigureClient ¶
func NewAccessGraphIAMConfigureClient(ctx context.Context) (AccessGraphIAMConfigureClient, error)
NewAccessGraphIAMConfigureClient creates a new TAGIAMConfigureClient.
type CIDR ¶
type CIDR struct { // CIDR is the IP range using CIDR notation. CIDR string `json:"cidr"` // Description contains a small text describing the CIDR. Description string `json:"description"` }
CIDR has a CIDR (IP Range) and a description for the value.
type ConfigureExternalAuditStorageClient ¶
type ConfigureExternalAuditStorageClient interface { PutRolePolicy(context.Context, *iam.PutRolePolicyInput, ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) GetCallerIdentity(context.Context, *sts.GetCallerIdentityInput, ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error) }
ConfigureExternalAuditStorageClient is an interface for the AWS client methods used by ConfigureExternalAuditStorage.
type ConfigureIAMListDatabasesRequest ¶
type ConfigureIAMListDatabasesRequest struct { // Region is the AWS Region. // Used to set up the AWS SDK Client. Region string // IntegrationRole is the Integration's AWS Role used by the integration. IntegrationRole string }
ConfigureIAMListDatabasesRequest is a request to configure the required Policy to use the List Databases action.
func (*ConfigureIAMListDatabasesRequest) CheckAndSetDefaults ¶
func (r *ConfigureIAMListDatabasesRequest) CheckAndSetDefaults() error
CheckAndSetDefaults ensures the required fields are present.
type CreateEC2ICEClient ¶
type CreateEC2ICEClient interface { // CreateInstanceConnectEndpoint creates an EC2 Instance Connect Endpoint. An EC2 Instance Connect Endpoint // allows you to connect to an instance, without requiring the instance to have a // public IPv4 address. For more information, see Connect to your instances // without requiring a public IPv4 address using EC2 Instance Connect Endpoint (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html) // in the Amazon EC2 User Guide. CreateInstanceConnectEndpoint(ctx context.Context, params *ec2.CreateInstanceConnectEndpointInput, optFns ...func(*ec2.Options)) (*ec2.CreateInstanceConnectEndpointOutput, error) }
CreateEC2ICE describes the required methods to List EC2 Instances using a 3rd Party API.
func NewCreateEC2ICEClient ¶
func NewCreateEC2ICEClient(ctx context.Context, req *AWSClientRequest) (CreateEC2ICEClient, error)
NewCreateEC2ICEClient creates a new CreateEC2ICEClient using a AWSClientRequest.
type CreateEC2ICERequest ¶
type CreateEC2ICERequest struct { // Cluster is the Teleport Cluster Name. // Used to tag resources created in AWS. Cluster string // IntegrationName is the integration name. // Used to tag resources created in AWS. IntegrationName string // Endpoints is a list of EC2 Instance Connect Endpoints to be createed. Endpoints []EC2ICEEndpoint // ResourceCreationTags is used to add tags when creating resources in AWS. // Defaults to: // - teleport.dev/cluster: <cluster> // - teleport.dev/origin: aws-oidc-integration // - teleport.dev/integration: <integrationName> ResourceCreationTags AWSTags }
CreateEC2ICERequest contains the required fields to create an AWS EC2 Instance Connect Endpoint.
func (*CreateEC2ICERequest) CheckAndSetDefaults ¶
func (req *CreateEC2ICERequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type CreateEC2ICEResponse ¶
type CreateEC2ICEResponse struct { // Name is the Endpoint ID. Name string // CreatedEndpoints contains the name of created endpoints and their Subnet. CreatedEndpoints []EC2ICEEndpoint }
CreateEC2ICEResponse contains the newly created EC2 Instance Connect Endpoint name.
func CreateEC2ICE ¶
func CreateEC2ICE(ctx context.Context, clt CreateEC2ICEClient, req CreateEC2ICERequest) (*CreateEC2ICEResponse, error)
CreateEC2ICE calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceConnectEndpoint.html It creates an EC2 Instance Connect Endpoint using the provided Subnet and Security Group IDs.
type DefaultConfigureExternalAuditStorageClient ¶
DefaultConfigureExternalAuditStorageClient wraps an iam and sts client to implement ConfigureExternalAuditStorageClient.
func (*DefaultConfigureExternalAuditStorageClient) GetCallerIdentity ¶
func (d *DefaultConfigureExternalAuditStorageClient) GetCallerIdentity(ctx context.Context, input *sts.GetCallerIdentityInput, opts ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation.
func (*DefaultConfigureExternalAuditStorageClient) PutRolePolicy ¶
func (d *DefaultConfigureExternalAuditStorageClient) PutRolePolicy(ctx context.Context, input *iam.PutRolePolicyInput, opts ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
PutRolePolicy adds or updates an inline policy document that is embedded in the specified IAM role.
type DeployDatabaseServiceRequest ¶
type DeployDatabaseServiceRequest struct { // Region is the AWS Region Region string // Deployments contains a list of services to be deployed. Deployments []DeployDatabaseServiceRequestDeployment // TaskRoleARN is the AWS Role's ARN used within the Task execution. // Ensure the AWS Client has `iam:PassRole` for this Role's ARN. TaskRoleARN string // TeleportClusterName is the Teleport Cluster Name. // Used to create names for Cluster and TaskDefinitions, and AWS resource tags. TeleportClusterName string // ProxyServerHostPort is the Teleport Proxy's Public. // The Deployed services will connect to this service. ProxyServerHostPort string // IntegrationName is the integration name. // Used for resource tagging when creating resources in AWS. IntegrationName string // TeleportVersionTag is the version of teleport to install. // Ensure the tag exists in: // public.ecr.aws/gravitational/teleport-distroless:<TeleportVersionTag> // Eg, 13.2.0 // Optional. Defaults to the current version. TeleportVersionTag string // ResourceCreationTags is used to add tags when creating resources in AWS. ResourceCreationTags AWSTags // CreateDeployServiceConfig creates a teleport.yaml configuration that the agent // deployed in a ECS Cluster (using Fargate) will use. CreateDeployServiceConfig func(proxyHostPort, iamToken string, resourceMatcherLabels types.Labels) (string, error) // contains filtered or unexported fields }
DeployDatabaseServiceRequest contains the required fields to deploy multiple Teleport Databases Services. Each Service will proxy a specific set of Databases, based on their "account-id", "region" and "vpc-id" labels.
func (*DeployDatabaseServiceRequest) CheckAndSetDefaults ¶
func (r *DeployDatabaseServiceRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type DeployDatabaseServiceRequestDeployment ¶
type DeployDatabaseServiceRequestDeployment struct { // VPCID is the VPCID where the service is going to be deployed. VPCID string // SubnetIDs are the subnets for the network configuration. // They must belong to the VPCID above. SubnetIDs []string // SecurityGroupIDs are the SecurityGroups that should be applied to the ECS Service. // Optional. If empty, uses the VPC's default SecurityGroup. SecurityGroupIDs []string }
DeployDatabaseServiceRequestDeployment identifies the required fields to deploy a DatabaseService.
type DeployDatabaseServiceResponse ¶
type DeployDatabaseServiceResponse struct { // ClusterARN is the Amazon ECS Cluster ARN where the task was started. ClusterARN string // ClusterDashboardURL is a link to the Cluster's Dashboard URL in Amazon Console. ClusterDashboardURL string }
DeployDatabaseServiceResponse contains the ARNs of the Amazon resources used to deploy the Teleport Service.
func DeployDatabaseService ¶
func DeployDatabaseService(ctx context.Context, clt DeployServiceClient, req DeployDatabaseServiceRequest) (*DeployDatabaseServiceResponse, error)
DeployDatabaseService calls Amazon ECS APIs to deploy multiple Teleport DatabaseService. Each DatabaseService is created per Deployment and proxies the DBs that match a specific set of labels.
Those DatabaseServices join the cluster using an IAM Join Token, which is created if it doesn't exist yet.
The following AWS ECS resources are created: Cluster, Services and Task Definition.
A single ECS Cluster is created, named <teleport-cluster-name>-teleport Eg, tenant_teleport_sh-teleport
An ECS TaskDefinition is created per deployment. It uses Teleport Image and is configured to start a DatabaseService proxying the databases that match on `account-id`, `region` and `vpc-id`. A new revision is created if it already exists. Example of an ECS TaskDefinition name: tenant_teleport_sh-teleport-database-service-vpc-123:1
An ECS Service is created per deployment/ECS TaskDefinition. It will be configured to run on the VPC and have the Subnets and SecurityGroups defined in each deployment. If no SecurityGroup is provided, it will be assigned the VPC's default SecurityGroup. Its IAM access are the ones defined in the TaskRoleARN AWS IAM Role. For the required permissions, see the method ConfigureDeployServiceIAM. Example of an ECS Service name: database-service-vpc-123
Each of those AWS ECS Resources will have the following set of tags:
- teleport.dev/cluster: <clusterName>
- teleport.dev/origin: aws-oidc-integration
- teleport.dev/integration: <integrationName>
If resources already exist, only resources with those tags will be updated.
type DeployServiceClient ¶
type DeployServiceClient interface { // DescribeClusters lists ECS Clusters. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeClusters DescribeClusters(ctx context.Context, params *ecs.DescribeClustersInput, optFns ...func(*ecs.Options)) (*ecs.DescribeClustersOutput, error) // CreateCluster creates a new cluster. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.CreateCluster CreateCluster(ctx context.Context, params *ecs.CreateClusterInput, optFns ...func(*ecs.Options)) (*ecs.CreateClusterOutput, error) // PutClusterCapacityProviders sets the Capacity Providers available for services in a given cluster. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.PutClusterCapacityProviders PutClusterCapacityProviders(ctx context.Context, params *ecs.PutClusterCapacityProvidersInput, optFns ...func(*ecs.Options)) (*ecs.PutClusterCapacityProvidersOutput, error) // DescribeServices lists the matching Services of a given Cluster. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeServices DescribeServices(ctx context.Context, params *ecs.DescribeServicesInput, optFns ...func(*ecs.Options)) (*ecs.DescribeServicesOutput, error) // ListServices returns a list of services. You can filter the results by cluster, launch type, // and scheduling strategy. ListServices(ctx context.Context, params *ecs.ListServicesInput, optFns ...func(*ecs.Options)) (*ecs.ListServicesOutput, error) // UpdateService updates the service. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.UpdateService UpdateService(ctx context.Context, params *ecs.UpdateServiceInput, optFns ...func(*ecs.Options)) (*ecs.UpdateServiceOutput, error) // CreateService starts a task within a cluster. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.CreateService CreateService(ctx context.Context, params *ecs.CreateServiceInput, optFns ...func(*ecs.Options)) (*ecs.CreateServiceOutput, error) // DescribeTaskDefinition describes the task definition. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DescribeTaskDefinition DescribeTaskDefinition(ctx context.Context, params *ecs.DescribeTaskDefinitionInput, optFns ...func(*ecs.Options)) (*ecs.DescribeTaskDefinitionOutput, error) // RegisterTaskDefinition registers a new task definition from the supplied family and containerDefinitions. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.RegisterTaskDefinition RegisterTaskDefinition(ctx context.Context, params *ecs.RegisterTaskDefinitionInput, optFns ...func(*ecs.Options)) (*ecs.RegisterTaskDefinitionOutput, error) // DeregisterTaskDefinition deregisters the task definition. // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ecs@v1.27.1#Client.DeregisterTaskDefinition DeregisterTaskDefinition(ctx context.Context, params *ecs.DeregisterTaskDefinitionInput, optFns ...func(*ecs.Options)) (*ecs.DeregisterTaskDefinitionOutput, error) // TokenService are the required methods to manage the IAM Join Token. // When the deployed service connects to the cluster, it will use the IAM Join method. // Before deploying the service, it must ensure that the token exists and has the appropriate token rul. TokenService // GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation. GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error) }
DeployServiceClient describes the required methods to Deploy a Teleport Service.
func NewDeployServiceClient ¶
func NewDeployServiceClient(ctx context.Context, clientReq *AWSClientRequest, tokenServiceClient TokenService) (DeployServiceClient, error)
NewDeployServiceClient creates a new DeployServiceClient using a AWSClientRequest.
type DeployServiceIAMConfigureClient ¶
type DeployServiceIAMConfigureClient interface { // GetCallerIdentity returns information about the caller identity. GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error) // CreatePolicy creates a new IAM Policy. CreatePolicy(ctx context.Context, params *iam.CreatePolicyInput, optFns ...func(*iam.Options)) (*iam.CreatePolicyOutput, error) // CreateRole creates a new IAM Role. CreateRole(ctx context.Context, params *iam.CreateRoleInput, optFns ...func(*iam.Options)) (*iam.CreateRoleOutput, error) // PutRolePolicy creates or replaces a Policy by its name in a IAM Role. PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) }
DeployServiceIAMConfigureClient describes the required methods to create the IAM Roles/Policies required for the DeployService action.
func NewDeployServiceIAMConfigureClient ¶
func NewDeployServiceIAMConfigureClient(ctx context.Context, region string) (DeployServiceIAMConfigureClient, error)
NewDeployServiceIAMConfigureClient creates a new DeployServiceIAMConfigureClient.
type DeployServiceIAMConfigureRequest ¶
type DeployServiceIAMConfigureRequest struct { // Cluster is the Teleport Cluster. // Used for tagging the created Roles/Policies. Cluster string // IntegrationName is the Integration Name. // Used for tagging the created Roles/Policies. IntegrationName string // Region is the AWS Region. // Used to set up the AWS SDK Client. Region string // IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP. IntegrationRole string // IntegrationRoleDeployServicePolicy is the Policy Name that is created to allow the DeployService to call AWS APIs (ecs, logs). // Defaults to DeployService. IntegrationRoleDeployServicePolicy string // TaskRole is the AWS Role used by the deployed service. TaskRole string // TaskRoleBoundaryPolicyName is the name to be used to create a Policy to be used as boundary for the TaskRole. // Defaults to <TaskRole>Boundary TaskRoleBoundaryPolicyName string // AccountID is the AWS Account ID. // Optional. sts.GetCallerIdentity is used if not provided. AccountID string // ResourceCreationTags is used to add tags when creating resources in AWS. // Defaults to: // - teleport.dev/cluster: <cluster> // - teleport.dev/origin: aws-oidc-integration // - teleport.dev/integration: <integrationName> ResourceCreationTags AWSTags // contains filtered or unexported fields }
DeployServiceIAMConfigureRequest is a request to configure the DeployService action required Roles.
func (*DeployServiceIAMConfigureRequest) CheckAndSetDefaults ¶
func (r *DeployServiceIAMConfigureRequest) CheckAndSetDefaults() error
CheckAndSetDefaults ensures the required fields are present.
type DeployServiceRequest ¶
type DeployServiceRequest struct { // Region is the AWS Region Region string // AccountID is the AWS Account ID. // Optional. sts.GetCallerIdentity is used if the value is not provided. AccountID string // SubnetIDs are the subnets associated with the service. SubnetIDs []string // SecurityGroups to apply to the service's network configuration. // If empty, the default security group for the VPC is going to be used. SecurityGroups []string // ClusterName is the ECS Cluster to be used. // It will be created if it doesn't exist. // It will be updated if it doesn't include the FARGATE capacity provider using PutClusterCapacityProviders. ClusterName *string // ServiceName is the ECS Service to be used. // It will be created if it doesn't exist. // It will be updated if it doesn't match the required properties. ServiceName *string // TaskName is the ECS Task Definition's Family Name. TaskName *string // TaskRoleARN is the AWS Role's ARN used within the Task execution. // Ensure the AWS Client has `iam:PassRole` for this Role's ARN. TaskRoleARN string // TeleportClusterName is the Teleport Cluster Name, used to create default names for Cluster, Service and Task. TeleportClusterName string // TeleportIAMTokenNameis the Teleport IAM Token to use in the deployed Service. // Optional. // Defaults to discover-aws-oidc-iam-token TeleportIAMTokenName string // ProxyServerHostPort is the Teleport Proxy's Public. ProxyServerHostPort string // IntegrationName is the integration name. // Used for resource tagging when creating resources in AWS. IntegrationName string // ResourceCreationTags is used to add tags when creating resources in AWS. ResourceCreationTags AWSTags // DeploymentMode is the identifier of a deployment mode - which Teleport Services to enable and their configuration. DeploymentMode string // DatabaseResourceMatcherLabels contains the set of labels to be used by the DatabaseService. // This is used when the deployment mode creates a Database Service. DatabaseResourceMatcherLabels types.Labels // TeleportVersionTag is the version of teleport to install. // Ensure the tag exists in: // public.ecr.aws/gravitational/teleport-distroless:<TeleportVersionTag> // Eg, 13.2.0 // Optional. Defaults to the current version. TeleportVersionTag string // DeployServiceConfigString creates a teleport.yaml configuration that the agent // deployed in a ECS Cluster (using Fargate) will use. DeployServiceConfigString func(proxyHostPort, iamToken string, resourceMatcherLabels types.Labels) (string, error) }
DeployServiceRequest contains the required fields to deploy a Teleport Service.
func (*DeployServiceRequest) CheckAndSetDefaults ¶
func (r *DeployServiceRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type DeployServiceResponse ¶
type DeployServiceResponse struct { // ClusterARN is the Amazon ECS Cluster ARN where the task was started. ClusterARN string // ServiceARN is the Amazon ECS Cluster Service ARN created to run the task. ServiceARN string // TaskDefinitionARN is the Amazon ECS Task Definition ARN created to run the Teleport Service. TaskDefinitionARN string // ServiceDashboardURL is a link to the service's Dashboard URL in Amazon Console. ServiceDashboardURL string }
DeployServiceResponse contains the ARNs of the Amazon resources used to deploy the Teleport Service.
func DeployService ¶
func DeployService(ctx context.Context, clt DeployServiceClient, req DeployServiceRequest) (*DeployServiceResponse, error)
Resource tagging ¶
Created resources have the following set of tags: - teleport.dev/cluster: <clusterName> - teleport.dev/origin: aws-oidc-integration - teleport.dev/integration: <integrationName>
If resources already exist, only resources with those tags will be updated.
type EC2ICEEndpoint ¶
type EC2ICEEndpoint struct { // Name is the endpoint name. Name string // SubnetID is the Subnet where the Endpoint will be created. SubnetID string // SecurityGroupIDs is a list of SecurityGroups to assign to the Endpoint. // If not specified, the Endpoint will receive the default SG for the Subnet's VPC. SecurityGroupIDs []string }
EC2ICEEndpoint contains the information for a single Endpoint to be created.
type EC2InstanceConnectEndpoint ¶
type EC2InstanceConnectEndpoint struct { // Name is the endpoint name. Name string `json:"name,omitempty"` // State is the endpoint state. // Known values: // create-in-progress | create-complete | create-failed | delete-in-progress | delete-complete | delete-failed State string `json:"state,omitempty"` // StateMessage contains a message describing the state of the EICE. // Can be empty. StateMessage string `json:"stateMessage,omitempty"` // DashboardLink is a URL to AWS Console where the user can see the EC2 Instance Connect Endpoint. DashboardLink string `json:"dashboardLink,omitempty"` // SubnetID is the subnet used by the endpoint. // Please note that the Endpoint should be able to reach any subnet within the VPC. SubnetID string `json:"subnetId,omitempty"` // VPCID is the VPC ID where the Endpoint is created. VPCID string `json:"vpcId,omitempty"` }
EC2InstanceConnectEndpoint is the Teleport representation of an EC2 Instance Connect Endpoint
type EICEIAMConfigureClient ¶
type EICEIAMConfigureClient interface { // PutRolePolicy creates or replaces a Policy by its name in a IAM Role. PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) }
EICEIAMConfigureClient describes the required methods to create the IAM Policies required for accessing EC2 instances usine EICE.
func NewEICEIAMConfigureClient ¶
func NewEICEIAMConfigureClient(ctx context.Context, region string) (EICEIAMConfigureClient, error)
NewEICEIAMConfigureClient creates a new EICEIAMConfigureClient.
type EICEIAMConfigureRequest ¶
type EICEIAMConfigureRequest struct { // Region is the AWS Region. // Used to set up the AWS SDK Client. Region string // IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP. IntegrationRole string // IntegrationRoleEICEPolicy is the Policy Name that is created to allow access to call AWS APIs. // Defaults to EC2InstanceConnectEndpoint IntegrationRoleEICEPolicy string }
EICEIAMConfigureRequest is a request to configure the required Policies to use the EC2 Instance Connect Endpoint feature.
func (*EICEIAMConfigureRequest) CheckAndSetDefaults ¶
func (r *EICEIAMConfigureRequest) CheckAndSetDefaults() error
CheckAndSetDefaults ensures the required fields are present.
type EICESendSSHPublicKeyClient ¶
type EICESendSSHPublicKeyClient interface { // SendSSHPublicKey pushes an SSH public key to the specified EC2 instance for use by the specified // user. The key remains for 60 seconds. For more information, see Connect to your // Linux instance using EC2 Instance Connect (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html) // in the Amazon EC2 User Guide. SendSSHPublicKey(ctx context.Context, params *ec2instanceconnect.SendSSHPublicKeyInput, optFns ...func(*ec2instanceconnect.Options)) (*ec2instanceconnect.SendSSHPublicKeyOutput, error) }
EICESendSSHPublicKeyClient describes the required methods to send an SSH Public Key to an EC2 Instance. This is is remains for 60 seconds and is removed afterwards.
func NewEICESendSSHPublicKeyClient ¶
func NewEICESendSSHPublicKeyClient(ctx context.Context, clientReq *AWSClientRequest) (EICESendSSHPublicKeyClient, error)
NewEICESendSSHPublicKeyClient creates a EICESendSSHPublicKeyClient using AWSClientRequest.
type EKSCluster ¶
type EKSCluster struct { // Name is the name of AWS EKS cluster. Name string // Region is an AWS region. Region string // Arn is an AWS ARN identification of the EKS cluster. Arn string // Labels are labels of a EKS cluster. Labels map[string]string // JoinLabels are Teleport labels that should be injected into kube agent // if the cluster will be enrolled into Teleport (agent installed on it). JoinLabels map[string]string // Status is a current status of an EKS cluster in AWS. Status string }
EKSCluster represents a cluster in AWS EKS.
type EKSIAMConfigureClient ¶
type EKSIAMConfigureClient interface { // PutRolePolicy creates or replaces a Policy by its name in a IAM Role. PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) }
EKSIAMConfigureClient describes the required methods to create the IAM Policies required for enrolling EKS clusters into Teleport.
func NewEKSIAMConfigureClient ¶
func NewEKSIAMConfigureClient(ctx context.Context, region string) (EKSIAMConfigureClient, error)
NewEKSIAMConfigureClient creates a new EKSIAMConfigureClient.
type EKSIAMConfigureRequest ¶
type EKSIAMConfigureRequest struct { // Region is the AWS Region. // Used to set up the AWS SDK Client. Region string // IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP. IntegrationRole string // IntegrationRoleEKSPolicy is the Policy Name that is created to allow access to call AWS APIs. // Defaults to "EKSAccess" IntegrationRoleEKSPolicy string }
EKSIAMConfigureRequest is a request to configure the required Policies to use the EKS.
func (*EKSIAMConfigureRequest) CheckAndSetDefaults ¶
func (r *EKSIAMConfigureRequest) CheckAndSetDefaults() error
CheckAndSetDefaults ensures the required fields are present.
type EnrollEKSCLusterClient ¶
type EnrollEKSCLusterClient interface { // CreateAccessEntry creates an access entry. An access entry allows an IAM principal to access an EKS cluster. CreateAccessEntry(ctx context.Context, params *eks.CreateAccessEntryInput, optFns ...func(*eks.Options)) (*eks.CreateAccessEntryOutput, error) // AssociateAccessPolicy associates an access policy and its scope to an access entry. AssociateAccessPolicy(ctx context.Context, params *eks.AssociateAccessPolicyInput, optFns ...func(*eks.Options)) (*eks.AssociateAccessPolicyOutput, error) // ListAccessEntries lists the access entries for an EKS cluster. ListAccessEntries(ctx context.Context, params *eks.ListAccessEntriesInput, optFns ...func(*eks.Options)) (*eks.ListAccessEntriesOutput, error) // DeleteAccessEntry deletes an access entry from an EKS cluster. DeleteAccessEntry(ctx context.Context, params *eks.DeleteAccessEntryInput, optFns ...func(*eks.Options)) (*eks.DeleteAccessEntryOutput, error) // DescribeCluster returns detailed information about an EKS cluster. DescribeCluster(ctx context.Context, params *eks.DescribeClusterInput, optFns ...func(*eks.Options)) (*eks.DescribeClusterOutput, error) // GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation. GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error) // CheckAgentAlreadyInstalled checks if teleport-kube-agent Helm chart is already installed on the EKS cluster. CheckAgentAlreadyInstalled(context.Context, genericclioptions.RESTClientGetter, logrus.FieldLogger) (bool, error) // InstallKubeAgent installs teleport-kube-agent Helm chart to the EKS cluster. InstallKubeAgent(context.Context, *eksTypes.Cluster, string, string, string, genericclioptions.RESTClientGetter, logrus.FieldLogger, EnrollEKSClustersRequest) error // CreateToken creates provisioning token on the auth server. That token can be used to install kube agent to an EKS cluster. CreateToken(context.Context, types.ProvisionToken) error }
EnrollEKSCLusterClient defines functions required for EKS cluster enrollment.
func NewEnrollEKSClustersClient ¶
func NewEnrollEKSClustersClient(ctx context.Context, req *AWSClientRequest, tokenCreator TokenCreator) (EnrollEKSCLusterClient, error)
NewEnrollEKSClustersClient returns new client that can be used to enroll EKS clusters into Teleport.
type EnrollEKSClusterResponse ¶
type EnrollEKSClusterResponse struct { // Results contain an error per a cluster enrollment if there was one. Results []EnrollEKSClusterResult }
EnrollEKSClusterResponse contains result for enrollment .
func EnrollEKSClusters ¶
func EnrollEKSClusters(ctx context.Context, log logrus.FieldLogger, clock clockwork.Clock, proxyAddr string, credsProvider aws.CredentialsProvider, clt EnrollEKSCLusterClient, req EnrollEKSClustersRequest) *EnrollEKSClusterResponse
EnrollEKSClusters enrolls EKS clusters into Teleport by installing teleport-kube-agent chart on the clusters. It returns list of result individually for each EKS cluster. Clusters are enrolled concurrently. If an error occurs during a cluster enrollment an error message will be present in the result for this cluster. Otherwise result will contain resource ID - this is ID from the join token used by the enrolled cluster and can be used by UI to check when agent joins Teleport cluster.
During enrollment we create access entry for an EKS cluster if needed and cluster admin policy is associated with that entry, so our AWS integration can access the target EKS cluster during the chart installation. After enrollment is done we remove the access entry (if it was created by us), since we don't need it anymore.
type EnrollEKSClusterResult ¶
type EnrollEKSClusterResult struct { // ClusterName is the name of an EKS cluster. ClusterName string // ResourceId is resource ID for the cluster, it is taken from the join token used to enroll the cluster. ResourceId string // Error contains an error that happened during enrollment, if there was one. Error error }
EnrollEKSClusterResult contains result for a single EKS cluster enrollment, if it was successful 'Error' will be nil otherwise it will contain an error happened during enrollment.
type EnrollEKSClustersRequest ¶
type EnrollEKSClustersRequest struct { // Region is the AWS Region. Region string // ClusterNames is name of the EKS cluster to enroll. ClusterNames []string // EnableAppDiscovery specifies if we should enable Kubernetes App Discovery inside the enrolled EKS cluster. EnableAppDiscovery bool // EnableAutoUpgrades specifies if we should enable agent auto upgrades. EnableAutoUpgrades bool // IsCloud specifies if enrollment is done for the Teleport Cloud client. IsCloud bool // AgentVersion specifies version of the Helm chart that will be installed during enrollment. AgentVersion string }
EnrollEKSClustersRequest contains the required fields to enroll EKS cluster to Teleport.
type IdPIAMConfigureClient ¶
type IdPIAMConfigureClient interface { // GetCallerIdentity returns information about the caller identity. GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error) // CreateOpenIDConnectProvider creates an IAM OIDC IdP. CreateOpenIDConnectProvider(ctx context.Context, params *iam.CreateOpenIDConnectProviderInput, optFns ...func(*iam.Options)) (*iam.CreateOpenIDConnectProviderOutput, error) // CreateRole creates a new IAM Role. CreateRole(ctx context.Context, params *iam.CreateRoleInput, optFns ...func(*iam.Options)) (*iam.CreateRoleOutput, error) }
IdPIAMConfigureClient describes the required methods to create the AWS OIDC IdP and a Role that trusts that identity provider.
func NewIdPIAMConfigureClient ¶
func NewIdPIAMConfigureClient(ctx context.Context) (IdPIAMConfigureClient, error)
NewIdPIAMConfigureClient creates a new IdPIAMConfigureClient.
type IdPIAMConfigureRequest ¶
type IdPIAMConfigureRequest struct { // Cluster is the Teleport Cluster. // Used for tagging the created Roles/IdP. Cluster string // AccountID is the AWS Account ID. // Optional. sts.GetCallerIdentity is used if not provided. AccountID string // IntegrationName is the Integration Name. // Used for tagging the created Roles/IdP. IntegrationName string // ProxyPublicAddress is the URL to use as provider URL. // This must be a valid URL (ie, url.Parse'able) // Eg, https://<tenant>.teleport.sh, https://proxy.example.org:443, https://teleport.ec2.aws:3080 ProxyPublicAddress string // IntegrationRole is the Integration's AWS Role used to set up Teleport as an OIDC IdP. IntegrationRole string // contains filtered or unexported fields }
IdPIAMConfigureRequest is a request to configure the required Policies to use the EC2 Instance Connect Endpoint feature.
func (*IdPIAMConfigureRequest) CheckAndSetDefaults ¶
func (r *IdPIAMConfigureRequest) CheckAndSetDefaults() error
CheckAndSetDefaults ensures the required fields are present.
type IdentityGetter ¶
type IdentityGetter func(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
IdentityGetter returns AWS identity of the caller.
type IdentityToken ¶
type IdentityToken string
IdentityToken is an implementation of [stscreds.IdentityTokenRetriever] for returning a static token.
func (IdentityToken) FetchToken ¶
func (j IdentityToken) FetchToken(ctx credentials.Context) ([]byte, error)
FetchToken returns the token.
func (IdentityToken) GetIdentityToken ¶
func (j IdentityToken) GetIdentityToken() ([]byte, error)
GetIdentityToken returns the token configured.
type IntegrationTokenFetcher ¶
IntegrationTokenFetcher handles dynamic token generation using a callback function. Useful to embed as a [stscreds.TokenFetcher].
func (IntegrationTokenFetcher) FetchToken ¶
func (genFn IntegrationTokenFetcher) FetchToken(ctx context.Context) ([]byte, error)
FetchToken returns a token by calling the callback function.
type IntegrationTokenGenerator ¶
type IntegrationTokenGenerator interface { // GetIntegration returns the specified integration resources. GetIntegration(ctx context.Context, name string) (types.Integration, error) // GetProxies returns a list of registered proxies. GetProxies() ([]types.Server, error) // GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action. GenerateAWSOIDCToken(ctx context.Context) (string, error) }
IntegrationTokenGenerator is an interface that indicates which APIs are required to generate an Integration Token.
type ListDatabasesClient ¶
type ListDatabasesClient interface { // Returns information about provisioned RDS instances. // This API supports pagination. DescribeDBInstances(ctx context.Context, params *rds.DescribeDBInstancesInput, optFns ...func(*rds.Options)) (*rds.DescribeDBInstancesOutput, error) // Returns information about Amazon Aurora DB clusters and Multi-AZ DB clusters. // This API supports pagination DescribeDBClusters(ctx context.Context, params *rds.DescribeDBClustersInput, optFns ...func(*rds.Options)) (*rds.DescribeDBClustersOutput, error) }
ListDatabasesClient describes the required methods to List Databases (Instances and Clusters) using a 3rd Party API.
func NewListDatabasesClient ¶
func NewListDatabasesClient(ctx context.Context, req *AWSClientRequest) (ListDatabasesClient, error)
NewListDatabasesClient creates a new ListDatabasesClient using a AWSClientRequest.
type ListDatabasesIAMConfigureClient ¶
type ListDatabasesIAMConfigureClient interface { // PutRolePolicy creates or replaces a Policy by its name in a IAM Role. PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error) }
ListDatabasesIAMConfigureClient describes the required methods to create the IAM Policies required for Listing Databases.
type ListDatabasesRequest ¶
type ListDatabasesRequest struct { // Region is the AWS Region Region string // RDSType is either `instance` or `cluster`. RDSType string // Engines filters the returned Databases based on their engine. // Eg, mysql, postgres, mariadb, aurora, aurora-mysql, aurora-postgresql Engines []string // NextToken is the token to be used to fetch the next page. // If empty, the first page is fetched. NextToken string }
ListDatabasesRequest contains the required fields to list AWS Databases.
func (*ListDatabasesRequest) CheckAndSetDefaults ¶
func (req *ListDatabasesRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type ListDatabasesResponse ¶
type ListDatabasesResponse struct { // Databases contains the page of Databases Databases []types.Database // NextToken is used for pagination. // If non-empty, it can be used to request the next page. NextToken string }
ListDatabasesResponse contains a page of AWS Databases.
func ListAllDatabases ¶
func ListAllDatabases(ctx context.Context, clt ListDatabasesClient, region string) (*ListDatabasesResponse, error)
ListAllDatabases collects dbs until end of pages for all supported RDS engines and types.
func ListDatabases ¶
func ListDatabases(ctx context.Context, clt ListDatabasesClient, req ListDatabasesRequest) (*ListDatabasesResponse, error)
ListDatabases calls the following AWS API: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html It returns a list of Databases and an optional NextToken that can be used to fetch the next page
type ListEC2Client ¶
type ListEC2Client interface { // DescribeInstances describes the specified instances or all instances. DescribeInstances(ctx context.Context, params *ec2.DescribeInstancesInput, optFns ...func(*ec2.Options)) (*ec2.DescribeInstancesOutput, error) // GetCallerIdentity returns details about the IAM user or role whose credentials are used to call the operation. GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error) }
ListEC2Client describes the required methods to List EC2 Instances using a 3rd Party API.
func NewListEC2Client ¶
func NewListEC2Client(ctx context.Context, req *AWSClientRequest) (ListEC2Client, error)
NewListEC2Client creates a new ListEC2Client using a AWSClientRequest.
type ListEC2ICEClient ¶
type ListEC2ICEClient interface { // DescribeInstanceConnectEndpoints describes the specified EC2 Instance Connect Endpoints or all EC2 Instance // Connect Endpoints. DescribeInstanceConnectEndpoints(ctx context.Context, params *ec2.DescribeInstanceConnectEndpointsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeInstanceConnectEndpointsOutput, error) }
ListEC2ICEClient describes the required methods to List EC2 Instances using a 3rd Party API.
func NewListEC2ICEClient ¶
func NewListEC2ICEClient(ctx context.Context, req *AWSClientRequest) (ListEC2ICEClient, error)
NewListEC2ICEClient creates a new ListEC2ICEClient using a AWSClientRequest.
type ListEC2ICERequest ¶
type ListEC2ICERequest struct { // Region is the region of the EICE. Region string // VPCIDs is a list of VPCs to filter EC2 Instance Connect Endpoints. VPCIDs []string // NextToken is the token to be used to fetch the next page. // If empty, the first page is fetched. NextToken string }
ListEC2ICERequest contains the required fields to list AWS EC2 Instance Connect Endpoints.
func (*ListEC2ICERequest) CheckAndSetDefaults ¶
func (req *ListEC2ICERequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type ListEC2ICEResponse ¶
type ListEC2ICEResponse struct { // EC2ICEs contains the page of EC2 Instance Connect Endpoint. EC2ICEs []EC2InstanceConnectEndpoint `json:"ec2InstanceConnectEndpoints,omitempty"` // DashboardLink is the URL for AWS Web Console that lists all the Endpoints for the queries VPCs. DashboardLink string `json:"dashboardLink,omitempty"` // NextToken is used for pagination. // If non-empty, it can be used to request the next page. NextToken string `json:"nextToken,omitempty"` }
ListEC2ICEResponse contains a page of AWS EC2 Instances as Teleport Servers.
func ListEC2ICE ¶
func ListEC2ICE(ctx context.Context, clt ListEC2ICEClient, req ListEC2ICERequest) (*ListEC2ICEResponse, error)
ListEC2ICE calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceConnectEndpoints.html It returns a list of EC2 Instance Connect Endpoints and an optional NextToken that can be used to fetch the next page
type ListEC2Request ¶
type ListEC2Request struct { // Integration is the AWS OIDC Integration name. // This is used to populate the Server resource. // When connecting to the Node, this is the integration that is going to be used. Integration string // Region is the AWS Region. Region string // NextToken is the token to be used to fetch the next page. // If empty, the first page is fetched. NextToken string }
ListEC2Request contains the required fields to list AWS EC2 Instances.
func (*ListEC2Request) CheckAndSetDefaults ¶
func (req *ListEC2Request) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type ListEC2Response ¶
type ListEC2Response struct { // Servers contains the page of Servers. Servers []types.Server // NextToken is used for pagination. // If non-empty, it can be used to request the next page. NextToken string }
ListEC2Response contains a page of AWS EC2 Instances as Teleport Servers.
func ListEC2 ¶
func ListEC2(ctx context.Context, clt ListEC2Client, req ListEC2Request) (*ListEC2Response, error)
ListEC2 calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html It returns a list of EC2 Instances and an optional NextToken that can be used to fetch the next page Only Platform!=Windows and State=Running instances are returned.
type ListEKSClustersClient ¶
type ListEKSClustersClient interface { // ListClusters lists the EKS clusters. ListClusters(ctx context.Context, params *eks.ListClustersInput, optFns ...func(*eks.Options)) (*eks.ListClustersOutput, error) // DescribeCluster returns detailed information about an EKS cluster. DescribeCluster(ctx context.Context, params *eks.DescribeClusterInput, optFns ...func(*eks.Options)) (*eks.DescribeClusterOutput, error) }
ListEKSClustersClient describes the required methods to List EKS clusters using a 3rd Party API.
func NewListEKSClustersClient ¶
func NewListEKSClustersClient(ctx context.Context, req *AWSClientRequest) (ListEKSClustersClient, error)
NewListEKSClustersClient creates a new ListEKSClusters client using AWSClientRequest.
type ListEKSClustersRequest ¶
type ListEKSClustersRequest struct { // Region is the AWS Region. Region string // NextToken is the token to be used to fetch the next page. // If empty, the first page is fetched. NextToken string }
ListEKSClustersRequest contains the required fields to list AWS EKS Clusters.
func (*ListEKSClustersRequest) CheckAndSetDefaults ¶
func (req *ListEKSClustersRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type ListEKSClustersResponse ¶
type ListEKSClustersResponse struct { // Servers contains the page of Servers. Clusters []EKSCluster // NextToken is used for pagination. // If non-empty, it can be used to request the next page. NextToken string // ClusterFetchingErrors contains errors for fetching detailed information about specific cluster, if any happened. ClusterFetchingErrors map[string]error }
ListEKSClustersResponse contains a page of AWS EKS Clusters.
func ListEKSClusters ¶
func ListEKSClusters(ctx context.Context, clt ListEKSClustersClient, req ListEKSClustersRequest) (*ListEKSClustersResponse, error)
ListEKSClusters calls the following AWS API: https://docs.aws.amazon.com/eks/latest/APIReference/API_ListClusters.html - to list available EKS clusters https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html - to get more detailed information about the each cluster in the list we received. It returns a list of EKS clusters with detailed information about them.
type ListSecurityGroupsClient ¶
type ListSecurityGroupsClient interface { // DescribeSecurityGroups describes the specified security groups or all of your security groups. DescribeSecurityGroups(ctx context.Context, params *ec2.DescribeSecurityGroupsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeSecurityGroupsOutput, error) }
ListSecurityGroupsClient describes the required methods to List Security Groups a 3rd Party API.
func NewListSecurityGroupsClient ¶
func NewListSecurityGroupsClient(ctx context.Context, req *AWSClientRequest) (ListSecurityGroupsClient, error)
NewListSecurityGroupsClient creates a new ListSecurityGroupsClient using a AWSClientRequest.
type ListSecurityGroupsRequest ¶
type ListSecurityGroupsRequest struct { // VPCID is the VPC to filter Security Groups. VPCID string // NextToken is the token to be used to fetch the next page. // If empty, the first page is fetched. NextToken string }
ListSecurityGroupsRequest contains the required fields to list VPC Security Groups.
func (*ListSecurityGroupsRequest) CheckAndSetDefaults ¶
func (req *ListSecurityGroupsRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type ListSecurityGroupsResponse ¶
type ListSecurityGroupsResponse struct { // SecurityGroups contains the page of VPC Security Groups. SecurityGroups []SecurityGroup `json:"securityGroups"` // NextToken is used for pagination. // If non-empty, it can be used to request the next page. NextToken string `json:"nextToken"` }
ListSecurityGroupsResponse contains a page of SecurityGroups.
func ListSecurityGroups ¶
func ListSecurityGroups(ctx context.Context, clt ListSecurityGroupsClient, req ListSecurityGroupsRequest) (*ListSecurityGroupsResponse, error)
ListSecurityGroups calls the following AWS API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html It returns a list of VPC Security Groups and an optional NextToken that can be used to fetch the next page
type OpenTunnelEC2Client ¶
type OpenTunnelEC2Client interface { // DescribeInstanceConnectEndpoints describes the specified EC2 Instance Connect Endpoints or all EC2 Instance // Connect Endpoints. DescribeInstanceConnectEndpoints(ctx context.Context, params *ec2.DescribeInstanceConnectEndpointsInput, optFns ...func(*ec2.Options)) (*ec2.DescribeInstanceConnectEndpointsOutput, error) // Retrieve returns nil if it successfully retrieved the value. // Error is returned if the value were not obtainable, or empty. Retrieve(ctx context.Context) (aws.Credentials, error) }
OpenTunnelEC2Client describes the required methods to Open a Tunnel to an EC2 Instance using EC2 Instance Connect Endpoint.
func NewOpenTunnelEC2Client ¶
func NewOpenTunnelEC2Client(ctx context.Context, clientReq *AWSClientRequest) (OpenTunnelEC2Client, error)
NewOpenTunnelEC2Client creates a OpenTunnelEC2Client using AWSClientRequest.
type OpenTunnelEC2Request ¶
type OpenTunnelEC2Request struct { // Region is the AWS Region. Region string // VPCID is the VPC where the EC2 Instance is located. // Used to look for the EC2 Instance Connect Endpoint. // Each VPC ID can only have one EC2 Instance Connect Endpoint. VPCID string // EC2Address is the address to connect to in the EC2 Instance. // Eg, ip-172-31-32-234.eu-west-2.compute.internal:22 EC2Address string // EC2InstanceID is the EC2 Instance ID. EC2InstanceID string // contains filtered or unexported fields }
OpenTunnelEC2Request contains the required fields to open a tunnel to an EC2 instance. This will create a TCP socket that forwards incoming connections to the EC2's private IP address.
func (*OpenTunnelEC2Request) CheckAndSetDefaults ¶
func (r *OpenTunnelEC2Request) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type OpenTunnelEC2Response ¶
type OpenTunnelEC2Response struct { // Tunnel is a net.Conn that is connected to the EC2 instance. // The SSH Client must use this connection to connect to it. Tunnel net.Conn }
OpenTunnelEC2Response contains the response for creating a Tunnel to an EC2 Instance. It returns the listening address and the SSH Private Key (PEM encoded).
func OpenTunnelEC2 ¶
func OpenTunnelEC2(ctx context.Context, clt OpenTunnelEC2Client, req OpenTunnelEC2Request) (*OpenTunnelEC2Response, error)
OpenTunnelEC2 creates a tunnel to an ec2 instance using its private IP. Ref: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-using-eice.html - https://github.com/aws/aws-cli/blob/f6c820e89d8b566ab54ab9d863754ec4b713fd6a/awscli/customizations/ec2instanceconnect/opentunnel.py
High level archictecture: - does a lookup for an EC2 Instance Connect Endpoint available (create-complete state) for the target VPC - connects to it (websockets) and returns the connection - the connection can be used to access the EC2 instance directly (tcp stream)
type SecurityGroup ¶
type SecurityGroup struct { // Name is the Security Group name. // This is just a friendly name and should not be used for further API calls Name string `json:"name"` // ID is the security group ID. // This is the value that should be used when doing further API calls. ID string `json:"id"` // Description is a small description of the Security Group. // Might be empty. Description string `json:"description"` // InboundRules describe the Security Group Inbound Rules. // The CIDR of each rule represents the source IP that the rule applies to. InboundRules []SecurityGroupRule `json:"inboundRules"` // OutboundRules describe the Security Group Outbound Rules. // The CIDR of each rule represents the destination IP that the rule applies to. OutboundRules []SecurityGroupRule `json:"outboundRules"` }
SecurityGroup is the Teleport representation of an EC2 Instance Connect Endpoint
type SecurityGroupRule ¶
type SecurityGroupRule struct { // IPProtocol is the protocol used to describe the rule. // If the rule applies to all protocols, the "all" value is used. // The IP protocol name ( tcp , udp , icmp , icmpv6 ) or number (see Protocol // Numbers (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). IPProtocol string `json:"ipProtocol"` // FromPort is the inclusive start of the Port range for the Rule. FromPort int `json:"fromPort"` // ToPort is the inclusive end of the Port range for the Rule. ToPort int `json:"toPort"` // CIDRs contains a list of IP ranges that this rule applies to and a description for the value. CIDRs []CIDR `json:"cidrs"` }
SecurityGroupRule is a SecurityGroup role. It describes which protocol, port range and a list of IPs the rule applies to.
type SendSSHPublicKeyToEC2Request ¶
type SendSSHPublicKeyToEC2Request struct { // InstanceID is the EC2 Instance's ID. InstanceID string // EC2SSHLoginUser is the OS user to use when the user wants SSH access. EC2SSHLoginUser string }
SendSSHPublicKeyToEC2Request contains the required fields to request the upload of an SSH Public Key.
func (*SendSSHPublicKeyToEC2Request) CheckAndSetDefaults ¶
func (r *SendSSHPublicKeyToEC2Request) CheckAndSetDefaults() error
CheckAndSetDefaults checks if the required fields are present.
type TokenCreator ¶
type TokenCreator func(ctx context.Context, token types.ProvisionToken) error
TokenCreator creates join token on the auth server.
type TokenService ¶
type TokenService interface { // GetToken returns a provision token by name. GetToken(ctx context.Context, name string) (types.ProvisionToken, error) // UpsertToken creates or updates a provision token. UpsertToken(ctx context.Context, token types.ProvisionToken) error }
TokenService defines the required methods to upsert the Provision Token used by the Deploy Service.
type UpdateServiceRequest ¶
type UpdateServiceRequest struct { // TeleportClusterName specifies the teleport cluster name TeleportClusterName string // TeleportVersionTag specifies the desired teleport version in the format "13.4.0" TeleportVersionTag string // OwnershipTags specifies ownership tags OwnershipTags AWSTags }
UpdateServiceRequest contains the required fields to update a Teleport Service.
func (*UpdateServiceRequest) CheckAndSetDefaults ¶
func (req *UpdateServiceRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default config values.
Source Files ¶
- access_graph_aws_sync.go
- clients.go
- clientsv1.go
- create_ec2ice.go
- deploydatabaseservice.go
- deployservice.go
- deployservice_iam_config.go
- deployservice_iam_jointoken.go
- deployservice_update.go
- eice_iam_config.go
- eice_opentunnel.go
- eice_sendsshpublickey.go
- eks_enroll_clusters.go
- eks_iam_config.go
- eks_list_clusters.go
- externalauditstorage_iam_config.go
- idp_iam_config.go
- idp_thumbprint.go
- list_ec2ice.go
- list_security_groups.go
- listdatabases.go
- listdatabases_iam_config.go
- listec2.go
- tags.go