
feat: identity center integration audit events #51302

Draft
wants to merge 5 commits into base: master
Conversation

@flyinghermit flyinghermit commented Jan 21, 2025

Adds new event types and codes for resource sync, principal provisioning and principal assignment events, along with their proto types. Only "success" event types are added.

Event names are based on aws_identity_center and the codes are based on the TAICxxxI format.

New events and respective codes:

  1. aws_identity_center.account.sync:TAIC001I
  2. aws_identity_center.account_assignment.sync:TAIC002I
  3. aws_identity_center.permission_set.sync:TAIC003I
  4. aws_identity_center.user_group.sync:TAIC004I
  5. aws_identity_center.principal_assignment.create:TAIC005I
  6. aws_identity_center.principal_assignment.delete:TAIC006I
  7. aws_identity_center.principal_provisioning.create:TAIC007I
  8. aws_identity_center.principal_provisioning.delete:TAIC008I
  9. aws_identity_center.principal_provisioning.update:TAIC009I

Events emitted from identity center service: https://github.com/gravitational/teleport.e/pull/5901
Web UI event formatter: #51309

Part of https://github.com/gravitational/teleport.e/issues/5513

changelog: Added audit events for AWS IAM Identity Center integration service.

@flyinghermit flyinghermit marked this pull request as ready for review January 22, 2025 01:54
@github-actions github-actions bot requested review from nklaassen and vapopov January 22, 2025 01:54
@github-actions github-actions bot added audit-log Issues related to Teleports Audit Log size/md labels Jan 22, 2025
@flyinghermit
Contributor Author

Note: I am updating the PR with the following changes:

  • Batch the resource sync event into one and emit a single event
  • Make the SCIM "principal provisioning" events a generic event type and code so they can be reused for different SCIM integrations that may happen at the same time.

@flyinghermit flyinghermit marked this pull request as draft January 22, 2025 15:21
Comment on lines +7975 to +7976
// TotalItems records total number of imported resources.
int32 total_items = 3 [(gogoproto.jsontag) = "total_items,omitempty"];
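Review bot: `total_items` duplicates information that is already recoverable as the length of the repeated list of synced items, so the two values can drift apart; either drop the field, or document in the comment that it is the count reported on the AWS side (which may exceed the number of items carried in the event once the list is trimmed for size), so that readers of the audit log know which number to trust.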
Contributor

is this different from the length of items?

Comment on lines +7996 to +8003
// Account is the AWS account.
AWSICResourceSyncEvent account = 2 [(gogoproto.jsontag) = "account,omitempty"];
// AccountAssignment is a permission assignment record bound to AWS account and permission set.
AWSICResourceSyncEvent account_assignment = 3 [(gogoproto.jsontag) = "account_assignment,omitempty"];
// UserGroup is a user group available in the AWS IAM Identity Center instance.
AWSICResourceSyncEvent user_group = 4 [(gogoproto.jsontag) = "user_group,omitempty"];
// PermissionSet is the permission set configured in the AWS IAM Identity Center instance.
AWSICResourceSyncEvent permission_set = 5 [(gogoproto.jsontag) = "permission_set,omitempty"];
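Review bot: four near-identical `AWSICResourceSyncEvent` fields (`account`, `account_assignment`, `user_group`, `permission_set`) hard-code the set of synced resource kinds into the event schema, so every new kind is a proto change plus a formatter change. A single `repeated` field of sync results tagged with a resource-kind enum would keep the wire format stable; if the per-field shape stays, at least document whether an unset field means "not synced" or "synced, zero items", since with `omitempty` the two serialise identically.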
Contributor

I'm trying to imagine how this type will evolve over time. Instead of 4 different fields with lists of synced resources, could it be easier to have 1 list of all synced resources? Then we wouldn't need to change these event proto types if we start syncing new types of resources. Just a thought.

Comment on lines +7963 to +7967
string id = 1 [(gogoproto.jsontag) = "id, omitempty"];
// Name is a display name of the resource.
string name = 2 [(gogoproto.jsontag) = "name, omitempty"];
// ARN is the ARN of the resource.
string arn = 3 [(gogoproto.jsontag) = "arn,omitempty"];
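Review bot: the jsontag values `"id, omitempty"` and `"name, omitempty"` contain a space before `omitempty`, and Go's `encoding/json` matches tag options by exact string, so `" omitempty"` is not recognised and these two fields will be emitted as `""` even when empty; that is a behaviour difference from `arn`, not only a style nit. Use `"id,omitempty"` and `"name,omitempty"`.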
Contributor

nit: inconsistent spacing before omitempty

Comment on lines +7969 to +7970
// Only used for an account assignment resource.
string assignedPermissionSetARN = 4 [(gogoproto.jsontag) = "assigned_permission_set_arn, omitempty"];
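Review bot: `assignedPermissionSetARN` is camelCase while every other field in these messages is lower_snake_case, which protobuf style and the generated Go/JSON naming expect; rename it to `assigned_permission_set_arn`. The jsontag also carries the `", omitempty"` spacing that `encoding/json` will not treat as omitempty, so the field would be serialised as an empty string on every resource that is not an account assignment, the opposite of what the comment "Only used for an account assignment resource" intends.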
Contributor

"Only used for account assignment resource" tells me this data model might not be the best fit, especially if we ever add more types or want more unique fields. You might consider using a oneof

Comment on lines +2438 to +2448
func (m *AWSICResourceSync) TrimToMaxSize(maxSize int) AuditEvent {
return m
}

func (m *AWSICPermissionAssignment) TrimToMaxSize(_ int) AuditEvent {
return m
}

func (m *AWSICPrincipalProvisioning) TrimToMaxSize(_ int) AuditEvent {
return m
}
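Review bot: all three bodies are no-op stubs, and the first still names its parameter `maxSize` while the other two use `_`, which obscures the fact that none of them honour the limit. Since `AWSICResourceSync` carries repeated lists of synced resources, an unbounded sync batch can exceed the maximum audit event size and be rejected when emitted; trim the repeated fields to fit `maxSize` (and keep the original counts, if a total-items field is retained) instead of returning the event unchanged.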
Contributor

Any of these that contain repeated fields seem like exactly the type of event that might end up being very big, where it should be mandatory to implement TrimToMaxSize. If the events don't fit in a gRPC message, the event handler cannot handle them.

Comment on lines -756 to +762
if c.CredentialsSource == AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_UNKNOWN {
c.CredentialsSource = AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_OIDC
}
// if c.CredentialsSource == AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_UNKNOWN {
// c.CredentialsSource = AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_OIDC
// }

if c.CredentialsSource == AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_OIDC && c.IntegrationName == "" {
return trace.BadParameter("AWS OIDC integration name must be set")
}
// if c.CredentialsSource == AWSICCredentialsSource_AWSIC_CREDENTIALS_SOURCE_OIDC && c.IntegrationName == "" {
// return trace.BadParameter("AWS OIDC integration name must be set")
// }
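Review bot: this hunk comments out both the defaulting of `CredentialsSource` from `UNKNOWN` to `OIDC` and the check that an OIDC-sourced spec names an integration, so a spec with an empty `IntegrationName` is no longer rejected at validation time. If the validation is meant to move elsewhere, delete the dead code rather than commenting it out and reference the replacement; if it is a temporary local change for the draft, it should be reverted before the PR leaves draft.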
Contributor

?

Contributor

Oh, I just noticed this is a draft.

Labels
audit-log Issues related to Teleports Audit Log backport/branch/v17 size/md