Add tctl plugins install awsic #51239
Conversation
Adds a comand-line installation tool for the AWS Identity Center integration. Co-authored-by: Marek Smoliński <[email protected]>
tcsc
force-pushed
the
smallinsky/aws-ic-instal-plugin
branch
from
5ca783d to
367ac0a
Compare
tcsc
added
no-changelog
tool/tctl/common/plugin/awsic.go
Outdated
| CredentialsSource: types.AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_SYSTEM, | ||
| GroupSyncFilters: groupFilters, | ||
| AwsAccountsFilters: accountFilters, |
There was a problem hiding this comment.
The user_sync_filter is missing.
When using Okta as the Identity Source, we want to sync only Okta-originated users to AWS IC using the mechanism implemented in this PR.
Otherwise, a Teleport local user will be pushed to the AWS IC catalog and then fetched by Okta. - I’m not sure what side effects this behavior might cause.
There was a problem hiding this comment.
Untested hypothesis:
- user will be provisioned into AWS IC
- user AWS permissions will be managed as per any other
- User will not be able to log in as Okta cannot verify them
| }, | ||
| } | ||
|
|
||
| _, err = args.plugins.CreatePlugin(ctx, req) |
There was a problem hiding this comment.
Don't we expose an API like we do with Okta? It would be nice to stop creating those plugins directly and start using the same API that the UI does
| cmd.Flag("default-owner", "List of Teleport users that are default owners for the imported access lists. Multiple flags allowed.").Required().StringsVar(&p.install.awsIC.defaultOwners) | ||
| cmd.Flag("url", "AWS Identity Center SCIM provisioning endpoint").Required().StringVar(&p.install.awsIC.scimURL) | ||
| cmd.Flag("token", "AWS Identify Center SCIM provisioning token.").Required().StringVar(&p.install.awsIC.scimToken) | ||
| cmd.Flag("region", "AWS Identity center instance region").Required().StringVar(&p.install.awsIC.region) | ||
| cmd.Flag("arn", "AWS Identify center instance ARN").Required().StringVar(&p.install.awsIC.arn) |
There was a problem hiding this comment.
nit: since these flags are available under root awsic subcommand, i think spelling out flag names provides better context on the expected values. So the changes would become:
- default-owner -> access-list-default-owner
- url -> scim-url
- token -> scim-token
- region -> instance-region
- arn -> instance-arn
| // We are using a manual validator here rather than the canonical one defined | ||
| // in the AWS IC integration itself, because those filter tools are not | ||
| // available to OSS builds of tctl. |
There was a problem hiding this comment.
Will it be a non-trivial migration to move that to oss? I think we should reuse validation logics at minimum rather than having two different definition that risk going out of sync.
There was a problem hiding this comment.
I definitely want to move it, but I think it should be done in a separate PR.
| accountIDFilters []string | ||
| } | ||
|
|
||
| func (a *awsICArgs) validate() error { |
There was a problem hiding this comment.
add validation for region, scimURL field?
| }, | ||
| }, | ||
| } | ||
|
|
There was a problem hiding this comment.
before installing plugin, I think we should check if saml service provider for the identity center is installed and guide user to do so if it isn't.
| func (p *PluginsCommand) initInstallAWSIC(parent *kingpin.CmdClause) { | ||
| p.install.awsIC.cmd = parent.Command("awsic", "Install an AWS Identity Center integration.") | ||
| cmd := p.install.awsIC.cmd | ||
| cmd.Flag("default-owner", "List of Teleport users that are default owners for the imported access lists. Multiple flags allowed.").Required().StringsVar(&p.install.awsIC.defaultOwners) |
There was a problem hiding this comment.
will it be better ux by supporting comma separate values over multiple flag? not sure what we do for other existing commands.
| @@ -330,6 +332,8 @@ func (p *PluginsCommand) TryRun(ctx context.Context, cmd string, clientFunc comm | |||
| commandFunc = p.InstallEntra | |||
| case p.install.netIQ.cmd.FullCommand(): | |||
| commandFunc = p.InstallNetIQ | |||
| case p.install.awsIC.cmd.FullCommand(): | |||
| commandFunc = p.InstallAWSIC | |||
There was a problem hiding this comment.
Does plugin deletion works by default? If yes, i think we should support resource cleanup or guide users to do it manually before letting them delete the plugin.
What
AWS CLI to install AWS IC plugin with local creds.
usage: