Add IaC label and usertasks to integration stats

avatus · avatus · commit 6efe554bbbf1 · 2026-01-06T13:07:46.000-06:00
diff --git a/api/types/constants.go b/api/types/constants.go
@@ -779,6 +779,8 @@ const (
 	// ADLabel is a resource metadata label name used to identify if resource is part of Active Directory
 	ADLabel = TeleportNamespace + "/ad"
 
+	// CreatedByIaCLabel is a resource metadata label name used to identify if resource was created by IaC tooling.
+	CreatedByIaCLabel = TeleportNamespace + "/iac-tool"
 	// OriginDefaults is an origin value indicating that the resource was
 	// constructed as a default value.
 	OriginDefaults = common.OriginDefaults
diff --git a/lib/web/integrations.go b/lib/web/integrations.go
@@ -338,6 +338,12 @@ func collectIntegrationStats(ctx context.Context, req collectIntegrationStatsReq
 	}
 	ret.Integration = uiIg
 
+	if req.integration != nil {
+		if val, ok := req.integration.GetLabel(types.CreatedByIaCLabel); ok && val == ui.IaCTerraformLabel {
+			ret.IsManagedByTerraform = true
+		}
+	}
+
 	var nextPage string
 	for {
 		filters := &usertasksv1.ListUserTasksFilters{
@@ -349,7 +355,7 @@ func collectIntegrationStats(ctx context.Context, req collectIntegrationStatsReq
 			return nil, err
 		}
 
-		ret.UnresolvedUserTasks += len(userTasks)
+		ret.UserTasks = append(ret.UserTasks, ui.MakeUserTasks(userTasks)...)
 
 		for _, userTask := range userTasks {
 			switch userTask.GetSpec().GetTaskType() {
@@ -368,6 +374,8 @@ func collectIntegrationStats(ctx context.Context, req collectIntegrationStatsReq
 		nextPage = nextToken
 	}
 
+	ret.UnresolvedUserTasks = len(ret.UserTasks)
+
 	nextPage = ""
 	for {
 		discoveryConfigs, nextToken, err := req.discoveryConfigLister.ListDiscoveryConfigs(ctx, 0, nextPage)
diff --git a/lib/web/integrations_test.go b/lib/web/integrations_test.go
@@ -317,6 +317,13 @@ func TestCollectIntegrationStats(t *testing.T) {
 			userTasksList = append(userTasksList, &usertasksv1.UserTask{Spec: &usertasksv1.UserTaskSpec{State: usertasks.TaskStateResolved, TaskType: usertasks.TaskTypeDiscoverEC2}})
 		}
 
+		var openUserTasksList []*usertasksv1.UserTask
+		for _, ut := range userTasksList {
+			if ut.GetSpec().GetState() == usertasks.TaskStateOpen {
+				openUserTasksList = append(openUserTasksList, ut)
+			}
+		}
+
 		userTasksClient := &mockUserTasksLister{
 			defaultPageSize: 3,
 			userTasks:       userTasksList,
@@ -339,6 +346,7 @@ func TestCollectIntegrationStats(t *testing.T) {
 				AWSOIDC: &ui.IntegrationAWSOIDCSpec{RoleARN: "arn:role"},
 			},
 			UnresolvedUserTasks: ec2UserTasks + rdsUserTasks,
+			UserTasks:           ui.MakeUserTasks(openUserTasksList),
 			AWSEC2: ui.ResourceTypeSummary{
 				UnresolvedUserTasks: ec2UserTasks,
 			},
diff --git a/lib/web/ui/integration.go b/lib/web/ui/integration.go
@@ -118,6 +118,8 @@ type IntegrationWithSummary struct {
 	*Integration
 	// UnresolvedUserTasks contains the count of unresolved user tasks related to this integration.
 	UnresolvedUserTasks int `json:"unresolvedUserTasks"`
+	// UserTasks contains the list of unresolved user tasks related to this integration.
+	UserTasks []UserTask `json:"userTasks,omitempty"`
 	// AWSEC2 contains the summary for the AWS EC2 resources for this integration.
 	AWSEC2 ResourceTypeSummary `json:"awsec2"`
 	// AWSRDS contains the summary for the AWS RDS resources and agents for this integration.
@@ -127,6 +129,10 @@ type IntegrationWithSummary struct {
 
 	// RolesAnywhereProfileSync contains the summary for the AWS Roles Anywhere Profile Sync.
 	RolesAnywhereProfileSync *RolesAnywhereProfileSync `json:"rolesAnywhereProfileSync,omitempty"`
+
+	// IsManagedByTerraform indicates if this integration was created by Terraform.
+	// This is set when the label "teleport.dev/iac" has the value "terraform".
+	IsManagedByTerraform bool `json:"isManagedByTerraform"`
 }
 
 // ResourceTypeSummary contains the summary of the enrollment rules and found resources by the integration.
@@ -210,6 +216,8 @@ type Integration struct {
 	AWSRA *IntegrationAWSRASpec `json:"awsra,omitempty"`
 	// GitHub contains the fields for `github` subkind integration.
 	GitHub *IntegrationGitHub `json:"github,omitempty"`
+	// IsManagedByTerraform indicates if this integration was created by Terraform.
+	IsManagedByTerraform bool `json:"isManagedByTerraform"`
 }
 
 // CheckAndSetDefaults for the create request.
@@ -349,13 +357,17 @@ func MakeIntegrations(igs []types.Integration) ([]*Integration, error) {
 	return uiList, nil
 }
 
+const IaCTerraformLabel = "terraform"
+
 // MakeIntegration creates a UI Integration representation.
 func MakeIntegration(ig types.Integration) (*Integration, error) {
 	ret := &Integration{
 		Name:    ig.GetName(),
 		SubKind: ig.GetSubKind(),
 	}
-
+	if val, ok := ig.GetLabel(types.CreatedByIaCLabel); ok && val == IaCTerraformLabel {
+		ret.IsManagedByTerraform = true
+	}
 	switch ig.GetSubKind() {
 	case types.IntegrationSubKindAWSOIDC:
 		var s3Bucket string
diff --git a/lib/web/ui/integration_test.go b/lib/web/ui/integration_test.go
@@ -47,6 +47,19 @@ func TestMakeIntegration(t *testing.T) {
 	)
 	require.NoError(t, err)
 
+	terraformManagedIntegration, err := types.NewIntegrationAWSOIDC(
+		types.Metadata{
+			Name: "terraform-managed",
+			Labels: map[string]string{
+				types.CreatedByIaCLabel: IaCTerraformLabel,
+			},
+		},
+		&types.AWSOIDCIntegrationSpecV1{
+			RoleARN: "arn:aws:iam::123456789012:role/TerraformRole",
+		},
+	)
+	require.NoError(t, err)
+
 	testCases := []struct {
 		integration types.Integration
 		want        Integration
@@ -71,6 +84,17 @@ func TestMakeIntegration(t *testing.T) {
 				},
 			},
 		},
+		{
+			integration: terraformManagedIntegration,
+			want: Integration{
+				Name:    "terraform-managed",
+				SubKind: types.IntegrationSubKindAWSOIDC,
+				AWSOIDC: &IntegrationAWSOIDCSpec{
+					RoleARN: "arn:aws:iam::123456789012:role/TerraformRole",
+				},
+				IsManagedByTerraform: true,
+			},
+		},
 	}
 
 	for _, tc := range testCases {
