Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS OIDC: List Deployed Database Services HTTP API #49352

Open
wants to merge 3 commits into
base: marco/awsoidc-listdatabaseservices-impl
Choose a base branch
from
Open

AWS OIDC: List Deployed Database Services HTTP API #49352

wants to merge 3 commits into from
+649 −0

Conversation

marcoandredinis
Copy link
Contributor

This PR adds a new endpoint which returns the deployed database services.

Calling the ECS APIs requires a region, so we had to iterate over the following resources to collect the relevant regions:

  • databases
  • database services
  • discovery configs

Demo:
curl --silent 'https://.../integrations/aws-oidc/teleportdev/listdeployeddatabaseservices' -XPOST ... | jq

{
  "services": [
    {
      "name": "database-service-vpc-47381f2f",
      "dashboardUrl": "https://eu-west-2.console.aws.amazon.com/ecs/v2/clusters/lenix_marcoandredinis_com-teleport/services/database-service-vpc-47381f2f",
      "validTeleportConfig": true,
      "matchingLabels": [
        {
          "name": "region",
          "value": "eu-west-2"
        },
        {
          "name": "vpc-id",
          "value": "vpc-47381f2f"
        },
        {
          "name": "account-id",
          "value": "278576220453"
        }
      ]
    }
  ]
}

@marcoandredinis marcoandredinis added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v16 backport/branch/v17 labels Nov 22, 2024
@marcoandredinis marcoandredinis mentioned this pull request Nov 22, 2024
Open
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch 2 times, most recently from 4831b35 to 3dc5a4f Compare November 22, 2024 15:29
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 46744e1 to f131a9f Compare November 22, 2024 15:38
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 3dc5a4f to f69697f Compare November 22, 2024 15:39
@marcoandredinis marcoandredinis marked this pull request as ready for review November 22, 2024 15:39
@github-actions github-actions bot requested review from eriktate and zmb3 November 22, 2024 15:39
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from f131a9f to 696d356 Compare November 25, 2024 10:33
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from f69697f to cc2c59d Compare November 25, 2024 10:33
@marcoandredinis marcoandredinis mentioned this pull request Nov 26, 2024
Merged
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 696d356 to b7237e5 Compare November 28, 2024 13:54
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from cc2c59d to d6b59a8 Compare November 28, 2024 13:55
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from b7237e5 to 6cd29f8 Compare November 28, 2024 18:31
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from d6b59a8 to 0846c4d Compare November 28, 2024 18:33
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 6cd29f8 to 557241b Compare December 2, 2024 10:59
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 0846c4d to 5962451 Compare December 2, 2024 11:01
@marcoandredinis
Copy link
Contributor Author

@eriktate @zmb3 Can you please take a look when you get a chance?

@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 557241b to aef905d Compare December 6, 2024 11:07
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 5962451 to d2ce837 Compare December 6, 2024 11:08
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from aef905d to c4f7b14 Compare December 9, 2024 11:44
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from d2ce837 to 682d719 Compare December 9, 2024 11:44
michellescripts
michellescripts reviewed Dec 9, 2024
View reviewed changes
lib/web/apiserver.go Outdated
@@ -985,6 +985,7 @@ func (h *Handler) bindDefaultEndpoints() {
h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be GET?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have been using POST for most of the integration actions, even when listing things.

teleport/lib/web/apiserver.go

Line 984 in 04bc1c9

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/databases", h.WithClusterAuth(h.awsOIDCListDatabases))

teleport/lib/web/apiserver.go

Line 990 in 04bc1c9

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/ec2", h.WithClusterAuth(h.awsOIDCListEC2))

teleport/lib/web/apiserver.go

Line 991 in 04bc1c9

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/eksclusters", h.WithClusterAuth(h.awsOIDCListEKSClusters))

teleport/lib/web/apiserver.go

Lines 995 to 997 in 04bc1c9

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/securitygroups", h.WithClusterAuth(h.awsOIDCListSecurityGroups))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/databasevpcs", h.WithClusterAuth(h.awsOIDCListDatabaseVPCs))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/subnets", h.WithClusterAuth(h.awsOIDCListSubnets))

I see these endpoints as a way to execute some action in the Integration. So, something closer to a RPC over HTTP, in contrast with a more typical REST format.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have been using POST for most of the integration actions

Hmm, any background on why we decided to do this? Unless there's strong reason, sticking with established conventions is usually the preferred option.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it started like this because we wanted this RPC-like interface where we could register a single endpoint but then use url path variables to call the AWS OIDC gRPC methods directly.

Things evolved in a different manner, and at this point I would argue that following a more REST-y approach would be better (less surprises).

So, we either start converting them to use GETs where is makes sense or we keep it as is.
No strong opinion on which one to follow.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my 2c: keep the existing endpoints as-is for backward compatibility (unless you want to migrate them), but for this PR make the new list deployed db services endpoint GET

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switched to GET
cc @michellescripts

zmb3
zmb3 reviewed Dec 9, 2024
View reviewed changes
lib/web/apiserver.go Outdated
@@ -985,6 +985,7 @@ func (h *Handler) bindDefaultEndpoints() {
h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/ui/integration.go Outdated Show resolved Hide resolved
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from c4f7b14 to 6da2178 Compare December 10, 2024 10:44
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 682d719 to 502e32d Compare December 10, 2024 11:33
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 6da2178 to 0bfa0b8 Compare December 10, 2024 11:35
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 502e32d to 39dfbe7 Compare December 10, 2024 11:35
GavinFrazar
GavinFrazar approved these changes Dec 13, 2024
View reviewed changes
lib/web/integrations_awsoidc.go Show resolved Hide resolved
lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/integrations_awsoidc_test.go Outdated Show resolved Hide resolved
lib/web/apiserver.go Outdated
@@ -985,6 +985,7 @@ func (h *Handler) bindDefaultEndpoints() {
h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my 2c: keep the existing endpoints as-is for backward compatibility (unless you want to migrate them), but for this PR make the new list deployed db services endpoint GET

@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 0bfa0b8 to 5634a35 Compare December 16, 2024 10:06
@marcoandredinis
AWS OIDC: List Deployed Database Services HTTP API
d949d2a 
This PR adds a new endpoint which returns the deployed database
services.

Calling the ECS APIs requires a region, so we had to iterate over the
following resources to collect the relevant regions:
- databases
- database services
- discovery configs
@marcoandredinis
extract loops
be41afa
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 39dfbe7 to be41afa Compare December 16, 2024 10:06
@marcoandredinis
Copy link
Contributor Author

@zmb3 Can you please take another look?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GavinFrazar GavinFrazar GavinFrazar approved these changes

@eriktate eriktate Awaiting requested review from eriktate

@michellescripts michellescripts Awaiting requested review from michellescripts

@zmb3 zmb3 Awaiting requested review from zmb3

Assignees
No one assigned
Labels
backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/md
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@marcoandredinis @zmb3 @michellescripts @GavinFrazar