Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v14] feat: External Audit Storage #34740

Merged
merged 10 commits into from
Nov 20, 2023
Merged

[v14] feat: External Audit Storage #34740

merged 10 commits into from
Nov 20, 2023

Conversation

nklaassen
Copy link
Contributor

This PR backports all External Audit Storage code already merged to master to branch/v14.

In case this is in a release before the feature is completely ready, the tctl commands remain hidden and the feature is not yet exposed in the web UI.

tobiaszheller and others added 8 commits November 17, 2023 13:54
@tobiaszheller @nklaassen
[v14] external cloud audit proto
77cbc92 
Backport #33022 to branch/v14
@tobiaszheller @nklaassen
[v14] external_cloud_audit: add resource layer
8b8cdf5 
Backport #32833 to branch/v14
@nklaassen
[v14] feat: IAM permissions for BYOBucket
1c69d4b 
Backport #33416 to branch/v14

This commit adds a one-off teleport command that configures the
necessary IAM permissions for the upcoming External Cloud Audit
(BYOBucket) feature.

An example command invocation looks like:
```
$ teleport integration configure externalcloudaudit-iam \
  --aws-region us-west-2 --role nic-byob-test --policy nic-byob \
  --session-recordings s3://nic-byob/sess-rec-v2 \
  --audit-events s3://nic-byob/events --athena-results s3://nic-byob/results \
  --athena-workgroup primary --glue-database nic_byob --glue-table nic_byob_table
```

In normal usage this command will be generated for the user so that they
can just copy a command from the Web UI and run it in AWS CloudShell.

The permissions generated here are based on
https://github.com/gravitational/cloud/blob/rfd/77-bring-your-own-bucket/rfd/0077-Bring-your-own-bucket.md,
but only include the permissions necessary for using the feature at
runtime and not any permissions necessary to bootstrap/create the
resources.
@nklaassen
[v14] feat: generate randomized ExternalCloudAudit config
052edfb 
Backport #33555 to branch/v14
@logand22 @nklaassen
[v14] BYOB: Bootstrap Athena Infrastructure
fbe0d39 
Backport #33272 to branch/v14
@nklaassen
[v14] feat: cached auto-refreshing AWS credentials for BYOBucket
6f02dad 
Backport #34380 to branch/v14

This commit implements a "Configurator" for the BYOBucket feature that
provides AWS credentials that can be used by the v1 or v2 AWS SDKs for
Go.
These credentials are generated via an AWS OIDC integration: auth signs
a JWT and we swap that with AWS STS for AWS credentials.
It also reports whether or not the BYOB feature `IsUsed()` currently,
and provides access to the current cluster ExternalCloudAudit spec.

This looks a bit weird because of a chicken-egg problem where the audit
log must be set up before the auth server can be created, but the auth
server must be created to provide the OIDC signing facilities.
This will be more clear in following PRs.
@nklaassen
[v14] fix: correct IAM policies for BYOB
6b77bcc 
Backport #34484 to branch/v14

This commit fixes the IAM policies generated by the oneoff
externalcloudaudit bootstrap command based on manual testing, and brings
them more in line with the original RFD
https://github.com/gravitational/cloud/blob/master/rfd/0077-Bring-your-own-bucket.md
@nklaassen
[v14] feat: enable External Cloud Audit backend
ae232e4 
Backport #34606 to branch/v14

This commit enables the External Cloud Audit (BYOBucket) feature with a
fully functional backend by setting up the Athena and S3 audit
components with the right AWS configurations and resource locations.
@nklaassen nklaassen added the no-changelog Indicates that a PR does not require a changelog entry label Nov 17, 2023
@github-actions github-actions bot added audit-log Issues related to Teleports Audit Log backport size/xl tctl tctl - Teleport admin tool labels Nov 17, 2023
@public-teleport-github-review-bot
Copy link

@nklaassen - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

@espadolini espadolini requested a review from r0mant November 20, 2023 10:39
@nklaassen nklaassen enabled auto-merge November 20, 2023 19:07
r0mant
r0mant approved these changes Nov 20, 2023
View reviewed changes
Copy link
Collaborator

@r0mant r0mant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bot.

@nklaassen nklaassen added this pull request to the merge queue Nov 20, 2023
Merged via the queue into branch/v14 with commit 048afdf Nov 20, 2023
@nklaassen nklaassen deleted the nklaassen/v14/eas branch November 20, 2023 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@r0mant r0mant r0mant approved these changes

@justinas justinas justinas approved these changes

@espadolini espadolini espadolini approved these changes

Assignees
No one assigned
Labels
audit-log Issues related to Teleports Audit Log backport no-changelog Indicates that a PR does not require a changelog entry size/xl tctl tctl - Teleport admin tool
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@nklaassen @r0mant @justinas @espadolini @tobiaszheller @logand22 @mcbattirola