Merge pull request #9 from cruxstack/v14-support

feat: add support for tp v14

Author: sgtoj

.devcontainer/Dockerfile

@@ -1,15 +1,18 @@
 FROM mcr.microsoft.com/devcontainers/base:jammy
 
+RUN apt update && apt install -y \
+    vim
+
 # install aws
 RUN SYSTEM_ARCH=$(uname -m) \
-    && curl "https://awscli.amazonaws.com/awscli-exe-linux-${SYSTEM_ARCH}.zip" -o "awscliv2.zip" \
-    && unzip awscliv2.zip \
+    && curl "https://awscli.amazonaws.com/awscli-exe-linux-${SYSTEM_ARCH}-2.13.33.zip" -o "awscliv2.zip" \
+    && unzip -qq awscliv2.zip \
     && aws/install \
     && aws --version \
     && rm -rf aws
 
 # install terraform
-ENV TERRAFORM_VERSION=1.5.1
+ENV TERRAFORM_VERSION=1.6.3
 ENV TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache
 RUN mkdir -p $TF_PLUGIN_CACHE_DIR
 RUN SYSTEM_ARCH=$(dpkg --print-architecture) \
@@ -45,5 +48,5 @@ RUN python3 -m pip install \
     black
 
 # verify installs
-RUN terraform --version \
-    && aws --version
+RUN terraform --version
+

.devcontainer/devcontainer.json

@@ -2,7 +2,7 @@
   "name": "Terraform",
   "dockerFile": "Dockerfile",
   "features": {
-    "ghcr.io/devcontainers/features/docker-in-docker:2.5.0": {}
+    "ghcr.io/devcontainers/features/docker-in-docker:2.7.1": {}
   },
   "mounts": [
     "source=${localEnv:HOME}/.aws,target=/home/vscode/.aws,type=bind,consistency=cached",

README.md

@@ -2,7 +2,8 @@
 
 This Terraform module deploys a Teleport cluster in high availability (HA)
 configuration. [Teleport](https://github.com/gravitational/teleport) is a modern
-zero-trust solution by Gravitational.
+zero-trust solution by Gravitational. This module has been tested with Teleport
+version v10 and v14.
 
 ### Features
 
@@ -15,6 +16,8 @@ zero-trust solution by Gravitational.
   corresponding increase in complexity.
 - **Integrated**: Works well with your existing infrastructure by following
   CloudPosse's context and labeling patterns.
+- **Automation** to create teleport connection to resources on-demand via
+  included submodules.
 
 ## Usage
 
@@ -27,7 +30,7 @@ module "teleport_cluster" {
   version = "x.x.x"
 
   teleport_letsencrypt_email = "[email protected]"
-  teleport_runtime_version   = "10.3.15"
+  teleport_runtime_version   = "14.3.3"
   teleport_setup_mode        = false
   dns_parent_zone_id         = "Z0000000000000000000"
   dns_parent_zone_name       = "demo.example.com"

modules/teleport-db-login/README.md

@@ -20,8 +20,8 @@ module "teleport_db_login" {
   source  = "cruxstack/teleport-cluster/aws//modules/teleport-db-login"
   version = "x.x.x"
 
-  target_cluster = "your-target-cluster.teleport.example.com"
-  target_db      = "your-target-database"
+  tp_cluster = "your-target-cluster.teleport.example.com"
+  target_db  = "your-target-database"
 }
 
 # configure pgsql (eg, `cyrilgdn/postgresql`) provider to connect to the db
@@ -51,10 +51,13 @@ provider "postgresql" {
 
 ## Inputs
 
-| Name             | Description                                              | Type     | Default | Required |
-|------------------|----------------------------------------------------------|----------|---------|:--------:|
-| `target_cluster` | Domain to the Teleport cluster for database login.       | `string` | n/a     |   yes    |
-| `target_db`      | Name of the target database within the Teleport cluster. | `string` | n/a     |   yes    |
+| Name             | Description                                                       | Type     | Default | Required |
+|------------------|-------------------------------------------------------------------|----------|---------|:--------:|
+| `tp_proxy`       | Domain to the Teleport cluster proxy for database login.          | `string` | ""      |    no    |
+| `tp_cluster`     | Domain to the Teleport cluster for database login.                | `string` | n/a     |   yes    |
+| `target_db`      | Name of the target database resource within the Teleport cluster. | `string` | n/a     |   yes    |
+| `target_db_name` | Name of the database within the target database resource.         | `string` | ""      |    no    |
+| `target_db_user` | Name of the user to use when connecting to the database resource. | `string` | ""      |    no    |
 
 ## Outputs
 

modules/teleport-db-login/assets/tsh.sh

@@ -4,23 +4,29 @@ SCRIPT_EXIT_CODE=0
 # --------------------------------------------------------------------- main ---
 
 function db_login() {
-  TSH_TARGET_CLUSTER=${1:?}
-  TSH_TARGET_DB=${2:?}
-
-  tsh db login --cluster "${TSH_TARGET_CLUSTER}" "${TSH_TARGET_DB}" 1>/dev/null
-  tsh db config --cluster "${TSH_TARGET_CLUSTER}" --format=json "${TSH_TARGET_DB}"
+  TP_PROXY=${1:?}
+  TP_CLUSTER=${2:?}
+  TARGET_DB=${3:?}
+  TARGET_DB_NAME=${4}
+  TARGET_DB_USER=${5}
+
+  tsh db login --proxy "${TP_PROXY}" --cluster "${TP_CLUSTER}" "${TARGET_DB}" --db-name "${TARGET_DB_NAME:-"unset_db"}" --db-user "${TARGET_DB_USER:-"unset_user"}" 1>/dev/null
+  tsh db config --proxy "${TP_PROXY}" --cluster "${TP_CLUSTER}" "${TARGET_DB}" --format=json
 }
 
 # ------------------------------------------------------------------- script ---
 
 if [[ "${1}" == "db-login" && "${2}" == "stdin" ]]; then
 
     INPUT="$(dd 2>/dev/null)"
-    TSH_TARGET_CLUSTER=$(echo "${INPUT}" | jq -r .target_cluster)
-    TSH_TARGET_DB=$(echo "${INPUT}" | jq -r .target_db)
 
+    TP_PROXY=$(echo "${INPUT}" | jq -r .tp_proxy)
+    TP_CLUSTER=$(echo "${INPUT}" | jq -r .tp_cluster)
+    TARGET_DB=$(echo "${INPUT}" | jq -r .target_db)
+    TARGET_DB_NAME=$(echo "${INPUT}" | jq -r .target_db_name)
+    TARGET_DB_USER=$(echo "${INPUT}" | jq -r .target_db_user)
 
-    db_login "${TSH_TARGET_CLUSTER}" "${TSH_TARGET_DB}" | jq 'walk(if type =="number" then tostring else . end)' | jq -c .
+    db_login "${TP_PROXY}" "${TP_CLUSTER}" "${TARGET_DB}" "${TARGET_DB_NAME}" "${TARGET_DB_USER}" | jq 'walk(if type =="number" then tostring else . end)' | jq -c .
 
 else
 

modules/teleport-db-login/main.tf

@@ -15,7 +15,8 @@ data "external" "db_connection_info" {
   ]
 
   query = {
-    target_cluster = var.target_cluster
-    target_db      = var.target_db
+    tp_proxy   = coalesce(var.tp_proxy, var.tp_cluster)
+    tp_cluster = var.tp_cluster
+    target_db  = var.target_db
   }
 }

modules/teleport-db-login/variables.tf

@@ -1,9 +1,27 @@
-variable "target_cluster" {
+variable "tp_proxy" {
+  type        = string
+  description = "Domain to the Teleport cluster proxy for database login."
+  default     = ""
+}
+
+variable "tp_cluster" {
   type        = string
   description = "Domain to the Teleport cluster for database login."
 }
 
 variable "target_db" {
   type        = string
-  description = "Name of the target database within the Teleport cluster."
+  description = "Name of the target database resource within the Teleport cluster."
+}
+
+variable "target_db_name" {
+  type        = string
+  description = "Name of the database within the target database resource."
+  default     = ""
+}
+
+variable "target_db_user" {
+  type        = string
+  description = "Name of the user to use when connecting to the database resource."
+  default     = ""
 }

modules/teleport-node/main.tf

@@ -966,4 +966,3 @@ resource "aws_lb_listener" "proxy_web" {
     type             = "forward"
   }
 }
-

modules/teleport-ssh-tunnel/README.md

@@ -42,12 +42,13 @@ provider "redshift" {
 
 ## Inputs
 
-| Name                | Description              | Type     | Default | Required |
-|---------------------|--------------------------|----------|---------|:--------:|
-| `terraform_cluster` | Teleport cluster domain. | `string` | n/a     |   yes    |
-| `terraform_gateway` | Teleport gateway.        | `string` | n/a     |   yes    |
-| `target_host`       | Target host.             | `string` | n/a     |   yes    |
-| `target_port`       | Target port.             | `number` | n/a     |   yes    |
+| Name              | Description                                              | Type     | Default | Required |
+|-------------------|----------------------------------------------------------|----------|---------|:--------:|
+| `tp_proxy`        | Domain to the Teleport cluster proxy for database login. | `string` | ""      |    no    |
+| `tp_cluster`      | Domain to the Teleport cluster for database login.       | `string` | n/a     |   yes    |
+| `tp_gateway_node` | Teleport node to use as the gateway for the connection.  | `string` | n/a     |   yes    |
+| `target_host`     | Target user.                                             | `number` | n/a     |   yes    |
+| `target_port`     | Target port.                                             | `number` | n/a     |   yes    |
 
 ## Outputs
 

modules/teleport-ssh-tunnel/assets/tunneler.sh

@@ -25,37 +25,28 @@ function get_random_ephemeral_port() {
 }
 
 function get_gateway_address() {
-  TELEPORT_CLUSTER=${1:?}
-  TELEPORT_GATEWAY_NAME=${2:?}
-
-  NODE_HOST=$(
-    tsh ls --cluster "${TELEPORT_CLUSTER}" \
-    --query="labels[\"service\"] == \"${TELEPORT_GATEWAY_NAME}\"" \
+  TP_PROXY=${1:?}
+  TP_CLUSTER=${2:?}
+  TP_GATEWAY_NODE=${3:?}
+  TP_GATEWAY_USER=${4:-root}
+
+  TUNNEL_GATEWAY_HOST=$(
+    tsh ls --proxy "${TP_PROXY}" --cluster "${TP_CLUSTER}" \
+    --query="labels[\"service\"] == \"${TP_GATEWAY_NODE}\"" \
     --format names | head -n 1
   )
-  echo "root@${NODE_HOST}"
-}
-
-function open_tunnel() {
-  TSH_CLUSTER_NAME=${1:?}
-  TUNNEL_LOCAL_PORT=${2:?}
-  TUNNEL_TARGET_HOST=${3:?}
-  TUNNEL_TARGET_PORT=${4:?}
-  TUNNEL_GATEWAY_ADDRESS=${5:?}
-
-  tsh ssh --cluster "${TSH_CLUSTER_NAME}" \
-    -N -L "${TUNNEL_LOCAL_PORT}:${TUNNEL_TARGET_HOST}:${TUNNEL_TARGET_PORT}" \
-    "${TUNNEL_GATEWAY_ADDRESS}"
+  echo "${TP_GATEWAY_USER}@${TUNNEL_GATEWAY_HOST}"
 }
 
 function open_background_tunnel() {
-  TSH_CLUSTER_NAME=${1:?}
-  TUNNEL_LOCAL_PORT=${2:?}
-  TUNNEL_TARGET_HOST=${3:?}
-  TUNNEL_TARGET_PORT=${4:?}
-  TUNNEL_GATEWAY_ADDRESS=${5:?}
-
-  tsh ssh --cluster "${TSH_CLUSTER_NAME}" \
+  TP_PROXY=${1:?}
+  TP_CLUSTER=${2:?}
+  TUNNEL_LOCAL_PORT=${3:?}
+  TUNNEL_TARGET_HOST=${4:?}
+  TUNNEL_TARGET_PORT=${5:?}
+  TUNNEL_GATEWAY_ADDRESS=${6:?}
+
+  tsh ssh --proxy "${TP_PROXY}" --cluster "${TP_CLUSTER}" \
     -N -L "${TUNNEL_LOCAL_PORT}:${TUNNEL_TARGET_HOST}:${TUNNEL_TARGET_PORT}" \
     "${TUNNEL_GATEWAY_ADDRESS}" &
   TUNNEL_PID=$!
@@ -74,11 +65,12 @@ function open_background_tunnel() {
 }
 
 function open_background_tunnel_with_timeout() {
-  TSH_CLUSTER_NAME=${1:?}
-  TUNNEL_LOCAL_PORT=${2:?}
-  TUNNEL_TARGET_HOST=${3:?}
-  TUNNEL_TARGET_PORT=${4:?}
-  TUNNEL_GATEWAY_ADDRESS=${5:?}
+  TP_PROXY=${1:?}
+  TP_CLUSTER=${2:?}
+  TUNNEL_LOCAL_PORT=${3:?}
+  TUNNEL_TARGET_HOST=${4:?}
+  TUNNEL_TARGET_PORT=${5:?}
+  TUNNEL_GATEWAY_ADDRESS=${6:?}
   TUNNEL_TIMEOUT=${6:-$TUNNEL_TIMEOUT}
 
   PARENT_PROCESS_ID="$(ps -p "${PPID}" -o "ppid=")"
@@ -87,7 +79,8 @@ function open_background_tunnel_with_timeout() {
   nohup timeout "${TUNNEL_TIMEOUT}" \
     "${SCRIPT_ROOT}/tunneler.sh" \
     "open_background_tunnel" \
-    "${TSH_CLUSTER_NAME}" \
+    "${TP_PROXY}" \
+    "${TP_CLUSTER}" \
     "${TUNNEL_LOCAL_PORT}" \
     "${TUNNEL_TARGET_HOST}" \
     "${TUNNEL_TARGET_PORT}" \
@@ -109,16 +102,18 @@ function open_background_tunnel_with_timeout() {
 # --------------------------------------------------------------------- main ---
 
 function create() {
-  TELEPORT_CLUSTER=${1:?}
-  TELEPORT_GATEWAY_NAME=${2:?}
-  TUNNEL_TARGET_HOST=${3:?}
-  TUNNEL_TARGET_PORT=${4:?}
+  TP_PROXY=${1:?}
+  TP_CLUSTER=${2:?}
+  TP_GATEWAY_NODE=${3:?}
+  TUNNEL_TARGET_HOST=${4:?}
+  TUNNEL_TARGET_PORT=${5:?}
 
   TUNNEL_LOCAL_PORT=$(get_random_ephemeral_port)
-  TUNNEL_GATEWAY_ADDRESS=$(get_gateway_address "${TELEPORT_CLUSTER}" "${TELEPORT_GATEWAY_NAME}")
+  TUNNEL_GATEWAY_ADDRESS=$(get_gateway_address "${TP_PROXY}" "${TP_CLUSTER}" "${TP_GATEWAY_NODE}")
 
   open_background_tunnel_with_timeout \
-    "${TELEPORT_CLUSTER}" \
+    "${TP_PROXY}" \
+    "${TP_CLUSTER}" \
     "${TUNNEL_LOCAL_PORT}" \
     "${TUNNEL_TARGET_HOST}" \
     "${TUNNEL_TARGET_PORT}" \
@@ -134,22 +129,23 @@ if [[ "${1}" == "create" && "${2}" == "stdin" ]]; then
     # handler if input is stdin (e.g. from terraform)
 
     INPUT="$(dd 2>/dev/null)"
-    TELEPORT_CLUSTER=$(echo "${INPUT}" | jq -r .teleport_cluster)
-    TELEPORT_GATEWAY_NAME=$(echo "${INPUT}" | jq -r .teleport_gateway_name)
-    TUNNEL_TARGET_HOST=$(echo "${INPUT}" | jq -r .target_host)
-    TUNNEL_TARGET_PORT=$(echo "${INPUT}" | jq -r .target_port)
+    TP_PROXY=$(echo "${INPUT}" | jq -r .tp_proxy)
+    TP_CLUSTER=$(echo "${INPUT}" | jq -r .tp_cluster)
+    TP_GATEWAY_NODE=$(echo "${INPUT}" | jq -r .tp_gateway_node)
+    TARGET_HOST=$(echo "${INPUT}" | jq -r .target_host)
+    TARGET_PORT=$(echo "${INPUT}" | jq -r .target_port)
 
-    TUNNEL_LOCAL_PORT=$(create "${TELEPORT_CLUSTER}" "${TELEPORT_GATEWAY_NAME}" "${TUNNEL_TARGET_HOST}" "${TUNNEL_TARGET_PORT}")
-    echo "{\"host\":\"localhost\",\"port\":\"${TUNNEL_LOCAL_PORT}\"}"
+    LOCAL_PORT=$(create "${TP_PROXY}" "${TP_CLUSTER}" "${TP_GATEWAY_NODE}" "${TARGET_HOST}" "${TARGET_PORT}")
+    echo "{\"host\":\"localhost\",\"port\":\"${LOCAL_PORT}\"}"
 
 elif [[ "${1}" == "create" ]]; then
 
     # handler for normal cli calls
 
     shift
 
-    TUNNEL_LOCAL_PORT=$(create "${@}")
-    echo "localhost:${TUNNEL_LOCAL_PORT}"
+    LOCAL_PORT=$(create "${@}")
+    echo "localhost:${LOCAL_PORT}"
 
 else