[v16] display security group id rules

api/proto/teleport/integration/v1/awsoidc_service.proto

@@ -214,6 +214,15 @@ message SecurityGroupRuleCIDR {
   string description = 2;
 }
 
+// SecurityGroupRuleGroupID has an allowed security group ID and a description
+// for the rule.
+message SecurityGroupRuleGroupID {
+  // GroupID is the allowed security group ID.
+  string group_id = 1;
+  // Description contains a small text describing the allowed security group.
+  string description = 2;
+}
+
 // SecurityGroupRule is a representation of a SecurityGroupRule.
 // Either for Inbound or Outbound rules.
 message SecurityGroupRule {
@@ -228,6 +237,9 @@ message SecurityGroupRule {
   int32 to_port = 3;
   // CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
   repeated SecurityGroupRuleCIDR cidrs = 4;
+  // GroupIds is a list of rules that allow another security group referenced
+  // by ID.
+  repeated SecurityGroupRuleGroupID group_ids = 5;
 }
 
 // SecurityGroup is a representation of a SecurityGroup

lib/auth/integration/integrationv1/awsoidc.go

@@ -395,18 +395,33 @@ func (s *AWSOIDCService) ListSecurityGroups(ctx context.Context, req *integratio
 func convertSecurityGroupRulesToProto(inRules []awsoidc.SecurityGroupRule) []*integrationpb.SecurityGroupRule {
 	out := make([]*integrationpb.SecurityGroupRule, 0, len(inRules))
 	for _, r := range inRules {
-		cidrs := make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
+		var cidrs []*integrationpb.SecurityGroupRuleCIDR
+		if len(r.CIDRs) > 0 {
+			cidrs = make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
+		}
 		for _, cidr := range r.CIDRs {
 			cidrs = append(cidrs, &integrationpb.SecurityGroupRuleCIDR{
 				Cidr:        cidr.CIDR,
 				Description: cidr.Description,
 			})
 		}
+
+		var groupIDs []*integrationpb.SecurityGroupRuleGroupID
+		if len(r.Groups) > 0 {
+			groupIDs = make([]*integrationpb.SecurityGroupRuleGroupID, 0, len(r.Groups))
+		}
+		for _, group := range r.Groups {
+			groupIDs = append(groupIDs, &integrationpb.SecurityGroupRuleGroupID{
+				GroupId:     group.GroupId,
+				Description: group.Description,
+			})
+		}
 		out = append(out, &integrationpb.SecurityGroupRule{
 			IpProtocol: r.IPProtocol,
 			FromPort:   int32(r.FromPort),
 			ToPort:     int32(r.ToPort),
 			Cidrs:      cidrs,
+			GroupIds:   groupIDs,
 		})
 	}
 	return out

lib/integrations/awsoidc/list_security_groups.go

@@ -91,6 +91,19 @@ type SecurityGroupRule struct {
 
 	// CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
 	CIDRs []CIDR `json:"cidrs"`
+
+	// Groups is a list of rules that allow another security group referenced
+	// by ID.
+	Groups []GroupIDRule `json:"groups"`
+}
+
+// GroupIDRule is a security group rule that refers to another security group by
+// ID and has a description.
+type GroupIDRule struct {
+	// GroupId is the ID of the security group that is allowed by the rule.
+	GroupId string `json:"groupId"`
+	// Description contains a small text describing the CIDR.
+	Description string `json:"description"`
 }
 
 // CIDR has a CIDR (IP Range) and a description for the value.
@@ -187,14 +200,28 @@ func convertAWSIPPermissions(permissions []ec2Types.IpPermission) []SecurityGrou
 			ipProtocol = aws.ToString(permission.IpProtocol)
 		}
 
-		cidrs := make([]CIDR, 0, len(permission.IpRanges))
+		var cidrs []CIDR
+		if len(permission.IpRanges) > 0 {
+			cidrs = make([]CIDR, 0, len(permission.IpRanges))
+		}
 		for _, r := range permission.IpRanges {
 			cidrs = append(cidrs, CIDR{
 				CIDR:        aws.ToString(r.CidrIp),
 				Description: aws.ToString(r.Description),
 			})
 		}
 
+		var groupIDs []GroupIDRule
+		if len(permission.UserIdGroupPairs) > 0 {
+			groupIDs = make([]GroupIDRule, 0, len(permission.UserIdGroupPairs))
+		}
+		for _, pair := range permission.UserIdGroupPairs {
+			groupIDs = append(groupIDs, GroupIDRule{
+				GroupId:     aws.ToString(pair.GroupId),
+				Description: aws.ToString(pair.Description),
+			})
+		}
+
 		fromPort := int(aws.ToInt32(permission.FromPort))
 		toPort := int(aws.ToInt32(permission.ToPort))
 
@@ -203,6 +230,7 @@ func convertAWSIPPermissions(permissions []ec2Types.IpPermission) []SecurityGrou
 			FromPort:   fromPort,
 			ToPort:     toPort,
 			CIDRs:      cidrs,
+			Groups:     groupIDs,
 		})
 	}
 

lib/integrations/awsoidc/list_security_groups_test.go

@@ -284,6 +284,10 @@ func TestConvertSecurityGroup(t *testing.T) {
 							ToPort:     aws.Int32(22),
 							IpProtocol: aws.String("tcp"),
 							IpRanges:   []ec2Types.IpRange{{CidrIp: aws.String("0.0.0.0/0")}},
+							UserIdGroupPairs: []ec2Types.UserIdGroupPair{{
+								GroupId:     aws.String("sg-123"),
+								Description: aws.String("allowed from another sg"),
+							}},
 						},
 					},
 					IpPermissionsEgress: []ec2Types.IpPermission{
@@ -301,6 +305,10 @@ func TestConvertSecurityGroup(t *testing.T) {
 								CidrIp:      aws.String("0.0.0.0/0"),
 								Description: aws.String("Everything"),
 							}},
+							UserIdGroupPairs: []ec2Types.UserIdGroupPair{{
+								GroupId:     aws.String("sg-456"),
+								Description: aws.String("allowed to another sg"),
+							}},
 						},
 					},
 				},
@@ -333,6 +341,7 @@ func TestConvertSecurityGroup(t *testing.T) {
 							FromPort:   22,
 							ToPort:     22,
 							CIDRs:      []CIDR{{CIDR: "0.0.0.0/0"}},
+							Groups:     []GroupIDRule{{GroupId: "sg-123", Description: "allowed from another sg"}},
 						},
 					},
 					OutboundRules: []SecurityGroupRule{
@@ -352,6 +361,7 @@ func TestConvertSecurityGroup(t *testing.T) {
 								CIDR:        "0.0.0.0/0",
 								Description: "Everything",
 							}},
+							Groups: []GroupIDRule{{GroupId: "sg-456", Description: "allowed to another sg"}},
 						},
 					},
 				},

lib/web/integrations_awsoidc.go

@@ -695,18 +695,33 @@ func (h *Handler) awsOIDCListSecurityGroups(w http.ResponseWriter, r *http.Reque
 func awsOIDCSecurityGroupsRulesConverter(inRules []*integrationv1.SecurityGroupRule) []awsoidc.SecurityGroupRule {
 	out := make([]awsoidc.SecurityGroupRule, 0, len(inRules))
 	for _, r := range inRules {
-		cidrs := make([]awsoidc.CIDR, 0, len(r.Cidrs))
+		var cidrs []awsoidc.CIDR
+		if len(r.Cidrs) > 0 {
+			cidrs = make([]awsoidc.CIDR, 0, len(r.Cidrs))
+		}
 		for _, cidr := range r.Cidrs {
 			cidrs = append(cidrs, awsoidc.CIDR{
 				CIDR:        cidr.Cidr,
 				Description: cidr.Description,
 			})
 		}
+
+		var groupIDs []awsoidc.GroupIDRule
+		if len(r.GroupIds) > 0 {
+			groupIDs = make([]awsoidc.GroupIDRule, 0, len(r.GroupIds))
+		}
+		for _, group := range r.GroupIds {
+			groupIDs = append(groupIDs, awsoidc.GroupIDRule{
+				GroupId:     group.GroupId,
+				Description: group.Description,
+			})
+		}
 		out = append(out, awsoidc.SecurityGroupRule{
 			IPProtocol: r.IpProtocol,
 			FromPort:   int(r.FromPort),
 			ToPort:     int(r.ToPort),
 			CIDRs:      cidrs,
+			Groups:     groupIDs,
 		})
 	}
 	return out

web/packages/teleport/src/Discover/Database/DeployService/AutoDeploy/AutoDeploy.story.tsx

@@ -271,6 +271,13 @@ const securityGroupsResponse = [
         cidrs: [
           { cidr: '192.168.1.0/24', description: 'Subnet Mask 255.255.255.0' },
         ],
+        groups: [{ groupId: 'sg-123', description: 'Trusted other group' }],
+      },
+      {
+        ipProtocol: 'tcp',
+        fromPort: '8080',
+        toPort: '8080',
+        groups: [{ groupId: 'sg-456', description: 'Trusted other group' }],
       },
     ],
     outboundRules: [
@@ -286,13 +293,26 @@ const securityGroupsResponse = [
         toPort: '22',
         cidrs: [{ cidr: '0.0.0.0/0', description: 'Everything' }],
       },
+      {
+        ipProtocol: 'tcp',
+        fromPort: '8080',
+        toPort: '8080',
+        groups: [
+          {
+            groupId: 'sg-abcdef',
+            description:
+              'a trusted group on port 8080 for some reason and this description rambles a lot so the table better truncate it with ellipses but you should still see the full thing by hovering on it :D',
+          },
+        ],
+      },
       {
         ipProtocol: 'tcp',
         fromPort: '2000',
         toPort: '5000',
         cidrs: [
           { cidr: '10.0.0.0/16', description: 'Subnet Mask 255.255.0.0' },
         ],
+        groups: [{ groupId: 'sg-abc', description: 'some other group' }],
       },
     ],
   },

web/packages/teleport/src/Discover/Shared/SecurityGroupPicker/SecurityGroupPicker.tsx

@@ -212,12 +212,21 @@ type ExpandedSecurityGroupRule = {
 function expandSecurityGroupRule(
   rule: SecurityGroupRule
 ): ExpandedSecurityGroupRule[] {
-  return rule.cidrs.map(source => ({
+  return [
+    ...rule.cidrs.map(cidr => ({
+      source: cidr.cidr,
+      description: cidr.description,
+    })),
+    ...rule.groups.map(group => ({
+      source: group.groupId,
+      description: group.description,
+    })),
+  ].map(entry => ({
     ipProtocol: rule.ipProtocol,
     fromPort: rule.fromPort,
     toPort: rule.toPort,
-    source: source.cidr,
-    description: source.description,
+    source: entry.source,
+    description: entry.description,
   }));
 }
 

web/packages/teleport/src/Discover/Shared/SecurityGroupPicker/SecurityGroupRulesDialog.tsx

@@ -19,7 +19,7 @@
 import React from 'react';
 import styled from 'styled-components';
 
-import { Text, ButtonSecondary } from 'design';
+import { ButtonSecondary, Text } from 'design';
 import Table, { Cell } from 'design/DataTable';
 import Dialog, { DialogContent, DialogFooter } from 'design/DialogConfirmation';
 
@@ -67,7 +67,11 @@ export function SecurityGroupRulesDialog({
               headerText: 'Source',
               render: ({ source }) => {
                 if (source) {
-                  return <Cell>{source}</Cell>;
+                  return (
+                    <Cell>
+                      <Text title={source}>{source}</Text>
+                    </Cell>
+                  );
                 }
                 return null;
               },
@@ -77,7 +81,11 @@ export function SecurityGroupRulesDialog({
               headerText: 'Description',
               render: ({ description }) => {
                 if (description) {
-                  return <Cell>{description}</Cell>;
+                  return (
+                    <Cell>
+                      <Text title={description}>{description}</Text>
+                    </Cell>
+                  );
                 }
                 return null;
               },
@@ -104,6 +112,8 @@ const StyledTable = styled(Table)`
   & > tbody > tr > td {
     vertical-align: middle;
     text-align: left;
+    max-width: 200px;
+    text-wrap: nowrap;
   }
 
   & > thead > tr > th {

web/packages/teleport/src/services/integrations/integrations.ts

@@ -45,6 +45,7 @@ import {
   DeployEc2InstanceConnectEndpointRequest,
   DeployEc2InstanceConnectEndpointResponse,
   SecurityGroup,
+  SecurityGroupRule,
   ListEksClustersResponse,
   EnrollEksClustersResponse,
   EnrollEksClustersRequest,
@@ -469,8 +470,22 @@ function makeSecurityGroup(json: any): SecurityGroup {
     name,
     id,
     description,
-    inboundRules: inboundRules ?? [],
-    outboundRules: outboundRules ?? [],
+    inboundRules: inboundRules?.map(rule => makeSecurityGroupRule(rule)) ?? [],
+    outboundRules:
+      outboundRules?.map(rule => makeSecurityGroupRule(rule)) ?? [],
+  };
+}
+
+function makeSecurityGroupRule(json: any): SecurityGroupRule {
+  json = json ?? {};
+  const { ipProtocol, fromPort, toPort, cidrs, groups } = json;
+
+  return {
+    ipProtocol,
+    fromPort,
+    toPort,
+    cidrs: cidrs ?? [],
+    groups: groups ?? [],
   };
 }
 

web/packages/teleport/src/services/integrations/types.ts

@@ -595,12 +595,30 @@ export type SecurityGroupRule = {
   toPort: string;
   // CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
   cidrs: Cidr[];
+  // Groups is a list of rules that allow another security group referenced
+  // by ID.
+  groups: GroupIdRule[];
 };
 
 export type Cidr = {
-  // CIDR is the IP range using CIDR notation.
+  /**
+   * CIDR is the IP range using CIDR notation.
+   */
   cidr: string;
-  // Description contains a small text describing the CIDR.
+  /**
+   *  Description contains a small text describing the CIDR.
+   */
+  description: string;
+};
+
+export type GroupIdRule = {
+  /**
+   * GroupId is the ID of the security group that is allowed by the rule.
+   */
+  groupId: string;
+  /**
+   * Description contains a small text describing the rule.
+   */
   description: string;
 };