Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS OIDC: List Deployed Database Services HTTP API #49352

Merged
merged 5 commits into from
Dec 20, 2024

Conversation

marcoandredinis
Copy link
Contributor

This PR adds a new endpoint which returns the deployed database services.

Calling the ECS APIs requires a region, so we had to iterate over the following resources to collect the relevant regions:

  • databases
  • database services
  • discovery configs

Demo:
curl --silent 'https://.../integrations/aws-oidc/teleportdev/listdeployeddatabaseservices' -XPOST ... | jq

{
  "services": [
    {
      "name": "database-service-vpc-47381f2f",
      "dashboardUrl": "https://eu-west-2.console.aws.amazon.com/ecs/v2/clusters/lenix_marcoandredinis_com-teleport/services/database-service-vpc-47381f2f",
      "validTeleportConfig": true,
      "matchingLabels": [
        {
          "name": "region",
          "value": "eu-west-2"
        },
        {
          "name": "vpc-id",
          "value": "vpc-47381f2f"
        },
        {
          "name": "account-id",
          "value": "278576220453"
        }
      ]
    }
  ]
}

@marcoandredinis marcoandredinis added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v16 backport/branch/v17 labels Nov 22, 2024
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch 2 times, most recently from 4831b35 to 3dc5a4f Compare November 22, 2024 15:29
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 46744e1 to f131a9f Compare November 22, 2024 15:38
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 3dc5a4f to f69697f Compare November 22, 2024 15:39
@marcoandredinis marcoandredinis marked this pull request as ready for review November 22, 2024 15:39
@github-actions github-actions bot requested review from eriktate and zmb3 November 22, 2024 15:39
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from f131a9f to 696d356 Compare November 25, 2024 10:33
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from f69697f to cc2c59d Compare November 25, 2024 10:33
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 696d356 to b7237e5 Compare November 28, 2024 13:54
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from cc2c59d to d6b59a8 Compare November 28, 2024 13:55
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from b7237e5 to 6cd29f8 Compare November 28, 2024 18:31
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from d6b59a8 to 0846c4d Compare November 28, 2024 18:33
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 6cd29f8 to 557241b Compare December 2, 2024 10:59
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 0846c4d to 5962451 Compare December 2, 2024 11:01
@marcoandredinis
Copy link
Contributor Author

@eriktate @zmb3 Can you please take a look when you get a chance?

@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 557241b to aef905d Compare December 6, 2024 11:07
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 5962451 to d2ce837 Compare December 6, 2024 11:08
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from aef905d to c4f7b14 Compare December 9, 2024 11:44
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from d2ce837 to 682d719 Compare December 9, 2024 11:44
@@ -985,6 +985,7 @@ func (h *Handler) bindDefaultEndpoints() {
h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be GET?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have been using POST for most of the integration actions, even when listing things.

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/databases", h.WithClusterAuth(h.awsOIDCListDatabases))

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/ec2", h.WithClusterAuth(h.awsOIDCListEC2))

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/eksclusters", h.WithClusterAuth(h.awsOIDCListEKSClusters))

h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/securitygroups", h.WithClusterAuth(h.awsOIDCListSecurityGroups))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/databasevpcs", h.WithClusterAuth(h.awsOIDCListDatabaseVPCs))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/subnets", h.WithClusterAuth(h.awsOIDCListSubnets))

I see these endpoints as a way to execute some action in the Integration. So, something closer to a RPC over HTTP, in contrast with a more typical REST format.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have been using POST for most of the integration actions

Hmm, any background on why we decided to do this? Unless there's strong reason, sticking with established conventions is usually the preferred option.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it started like this because we wanted this RPC-like interface where we could register a single endpoint but then use url path variables to call the AWS OIDC gRPC methods directly.

Things evolved in a different manner, and at this point I would argue that following a more REST-y approach would be better (less surprises).

So, we either start converting them to use GETs where is makes sense or we keep it as is.
No strong opinion on which one to follow.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my 2c: keep the existing endpoints as-is for backward compatibility (unless you want to migrate them), but for this PR make the new list deployed db services endpoint GET

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switched to GET
cc @michellescripts

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It panics with:

panic: 'aws-oidc' in new path '/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices' conflicts with existing wildcard ':name' in existing prefix '/webapi/sites/:site/integrations/:name'

Either we implement a handler that picks the correct flow or we changed it back to POST.
I decided to change it back to a POST, unless someone has a strong opinion on going the other option.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This appears to be a limitation of httprouter, unfortunately 😞 There are workarounds but they aren't great, so differentiating the routes with different methods seems to be the most straightforward solution. It's surprising that httprouter doesn't handle this case 🤔

@@ -985,6 +985,7 @@ func (h *Handler) bindDefaultEndpoints() {
h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/ui/integration.go Outdated Show resolved Hide resolved
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from c4f7b14 to 6da2178 Compare December 10, 2024 10:44
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 682d719 to 502e32d Compare December 10, 2024 11:33
lib/web/integrations_awsoidc.go Show resolved Hide resolved
lib/web/integrations_awsoidc.go Outdated Show resolved Hide resolved
lib/web/integrations_awsoidc_test.go Outdated Show resolved Hide resolved
@@ -985,6 +985,7 @@ func (h *Handler) bindDefaultEndpoints() {
h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my 2c: keep the existing endpoints as-is for backward compatibility (unless you want to migrate them), but for this PR make the new list deployed db services endpoint GET

@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 0bfa0b8 to 5634a35 Compare December 16, 2024 10:06
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 39dfbe7 to be41afa Compare December 16, 2024 10:06
@marcoandredinis
Copy link
Contributor Author

@zmb3 Can you please take another look?

@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 5634a35 to 1916b75 Compare December 17, 2024 09:44
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from c2b010f to 11523be Compare December 17, 2024 10:13
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-impl branch from 1916b75 to 087cbbd Compare December 17, 2024 15:05
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 11523be to 2530919 Compare December 17, 2024 15:09
@@ -985,6 +985,7 @@ func (h *Handler) bindDefaultEndpoints() {
h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This appears to be a limitation of httprouter, unfortunately 😞 There are workarounds but they aren't great, so differentiating the routes with different methods seems to be the most straightforward solution. It's surprising that httprouter doesn't handle this case 🤔

Base automatically changed from marco/awsoidc-listdatabaseservices-impl to master December 18, 2024 09:35
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 2530919 to 82b34d7 Compare December 18, 2024 09:49
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from 82b34d7 to d5e4255 Compare December 19, 2024 19:17
This PR adds a new endpoint which returns the deployed database
services.

Calling the ECS APIs requires a region, so we had to iterate over the
following resources to collect the relevant regions:
- databases
- database services
- discovery configs
@marcoandredinis marcoandredinis force-pushed the marco/awsoidc-listdatabaseservices-httpapi branch from d5e4255 to 76b49a4 Compare December 19, 2024 21:24
@marcoandredinis marcoandredinis added this pull request to the merge queue Dec 20, 2024
Merged via the queue into master with commit dae0e0d Dec 20, 2024
41 checks passed
@marcoandredinis marcoandredinis deleted the marco/awsoidc-listdatabaseservices-httpapi branch December 20, 2024 09:45
@public-teleport-github-review-bot

@marcoandredinis See the table below for backport results.

Branch Result
branch/v17 Create PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/md
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants