Refactor cloud instance watchers to use generic Fetcher interface (#62210)

* Refactor cloud instance watchers to use generic Fetcher interface

* Correct channel initialization order

* fix license corruption

* remove redundant channel initialization

* Refactor watcher to use utils.SyncMap

* Increase timeout duration

* Simplify setup

* remove TODO

* Update lib/srv/server/watcher.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* document NewWatcher function in watcher.go

* Document SetFetchers and DeleteFetchers methods.

* Remove unused parameter from NewWatcher function in EC2 watcher test

* Update lib/srv/discovery/discovery_test.go

Co-authored-by: Chris Thach <chris.thach@protonmail.com>

* Update lib/srv/server/watcher.go

Co-authored-by: Chris Thach <chris.thach@protonmail.com>

* Update lib/srv/discovery/discovery_test.go

Co-authored-by: Chris Thach <chris.thach@protonmail.com>

* Use utils.SyncMap instead of *utils.SyncMap

* `AzureInstances` -> `*AzureInstances`

* `EC2Instances` -> `*EC2Instances`

* `GCPInstances` -> `*GCPInstances`

* Fix initialization race condition.

* post-merge fixes

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Chris Thach <chris.thach@protonmail.com>

Author: 3 people

lib/srv/discovery/discovery.go

@@ -3231,15 +3231,19 @@ func TestAzureVMDiscovery(t *testing.T) {
 			emitter.t = t
 
 			if tc.discoveryConfig != nil {
+				sub := server.newDiscoveryConfigChangedSub()
+
 				_, err := tlsServer.Auth().DiscoveryConfigs.CreateDiscoveryConfig(ctx, tc.discoveryConfig)
 				require.NoError(t, err)
 
-				// Wait for the DiscoveryConfig to be added to the dynamic matchers
-				require.Eventually(t, func() bool {
-					server.muDynamicServerAzureFetchers.RLock()
-					defer server.muDynamicServerAzureFetchers.RUnlock()
-					return len(server.dynamicServerAzureFetchers) > 0
-				}, 1*time.Second, 50*time.Millisecond)
+				// wait for discovery config update
+				select {
+				case <-sub:
+				case <-time.After(3 * time.Second):
+					require.Fail(t, "timed out waiting for an update")
+				case <-t.Context().Done():
+					require.Fail(t, "test context done while waiting for an update")
+				}
 			}
 
 			require.NoError(t, server.Start())
@@ -3544,18 +3548,22 @@ func TestGCPVMDiscovery(t *testing.T) {
 			emitter.t = t
 
 			if tc.discoveryConfig != nil {
+				sub := server.newDiscoveryConfigChangedSub()
+
 				_, err := tlsServer.Auth().DiscoveryConfigs.CreateDiscoveryConfig(ctx, tc.discoveryConfig)
 				require.NoError(t, err)
 
-				// Wait for the DiscoveryConfig to be added to the dynamic matchers
-				require.Eventually(t, func() bool {
-					server.muDynamicServerGCPFetchers.RLock()
-					defer server.muDynamicServerGCPFetchers.RUnlock()
-					return len(server.dynamicServerGCPFetchers) > 0
-				}, 1*time.Second, 100*time.Millisecond)
+				// wait for discovery config update
+				select {
+				case <-sub:
+				case <-time.After(3 * time.Second):
+					t.Fatal("timed out waiting for channel update")
+				case <-t.Context().Done():
+					require.Fail(t, "test context done while waiting for an update")
+				}
 			}
 
-			go server.Start()
+			require.NoError(t, server.Start())
 			t.Cleanup(server.Stop)
 
 			if len(tc.wantInstalledInstances) > 0 {

lib/srv/discovery/discovery_test.go

@@ -22,12 +22,10 @@ import (
 	"context"
 	"log/slog"
 	"slices"
-	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6"
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
 
 	usageeventsv1 "github.com/gravitational/teleport/api/gen/proto/go/usageevents/v1"
 	"github.com/gravitational/teleport/api/types"
@@ -73,27 +71,9 @@ func (instances *AzureInstances) MakeEvents() map[string]*usageeventsv1.Resource
 
 type azureClientGetter func(ctx context.Context, integration string) (azure.Clients, error)
 
-// NewAzureWatcher creates a new Azure watcher instance.
-func NewAzureWatcher(ctx context.Context, fetchersFn func() []Fetcher, opts ...Option) (*Watcher, error) {
-	cancelCtx, cancelFn := context.WithCancel(ctx)
-	watcher := Watcher{
-		fetchersFn:    fetchersFn,
-		ctx:           cancelCtx,
-		cancel:        cancelFn,
-		pollInterval:  time.Minute,
-		clock:         clockwork.NewRealClock(),
-		triggerFetchC: make(<-chan struct{}),
-		InstancesC:    make(chan Instances),
-	}
-	for _, opt := range opts {
-		opt(&watcher)
-	}
-	return &watcher, nil
-}
-
 // MatchersToAzureInstanceFetchers converts a list of Azure VM Matchers into a list of Azure VM Fetchers.
-func MatchersToAzureInstanceFetchers(logger *slog.Logger, matchers []types.AzureMatcher, getClient azureClientGetter, discoveryConfigName string) []Fetcher {
-	ret := make([]Fetcher, 0)
+func MatchersToAzureInstanceFetchers(logger *slog.Logger, matchers []types.AzureMatcher, getClient azureClientGetter, discoveryConfigName string) []Fetcher[*AzureInstances] {
+	ret := make([]Fetcher[*AzureInstances], 0)
 	for _, matcher := range matchers {
 		for _, subscription := range matcher.Subscriptions {
 			for _, resourceGroup := range matcher.ResourceGroups {
@@ -147,7 +127,7 @@ func newAzureInstanceFetcher(cfg azureFetcherConfig) *azureInstanceFetcher {
 	}
 }
 
-func (*azureInstanceFetcher) GetMatchingInstances(_ context.Context, _ []types.Server, _ bool) ([]Instances, error) {
+func (*azureInstanceFetcher) GetMatchingInstances(_ context.Context, _ []types.Server, _ bool) ([]*AzureInstances, error) {
 	return nil, trace.NotImplemented("not implemented for azure fetchers")
 }
 
@@ -167,7 +147,7 @@ type resourceGroupLocation struct {
 }
 
 // GetInstances fetches all Azure virtual machines matching configured filters.
-func (f *azureInstanceFetcher) GetInstances(ctx context.Context, _ bool) ([]Instances, error) {
+func (f *azureInstanceFetcher) GetInstances(ctx context.Context, _ bool) ([]*AzureInstances, error) {
 	azureClients, err := f.AzureClientGetter(ctx, f.IntegrationName())
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -228,16 +208,16 @@ func (f *azureInstanceFetcher) GetInstances(ctx context.Context, _ bool) ([]Inst
 		instancesByRegionAndResourceGroup[batchGroup] = append(instancesByRegionAndResourceGroup[batchGroup], vm)
 	}
 
-	var instances []Instances
+	var instances []*AzureInstances
 	for batchGroup, vms := range instancesByRegionAndResourceGroup {
-		instances = append(instances, Instances{Azure: &AzureInstances{
+		instances = append(instances, &AzureInstances{
 			SubscriptionID:  f.Subscription,
 			Region:          batchGroup.location,
 			ResourceGroup:   batchGroup.resourceGroup,
 			Instances:       vms,
 			Integration:     f.Integration,
 			InstallerParams: f.InstallerParams,
-		}})
+		})
 	}
 
 	return instances, nil

lib/srv/server/azure_watcher.go

@@ -156,12 +156,15 @@ func TestAzureWatcher(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 			t.Cleanup(cancel)
-			watcher, err := NewAzureWatcher(ctx, func() []Fetcher {
-				return MatchersToAzureInstanceFetchers(logger, []types.AzureMatcher{tc.matcher}, func(ctx context.Context, integration string) (azure.Clients, error) {
-					return &clients, nil
-				}, "" /* discovery config */)
-			})
-			require.NoError(t, err)
+			watcher := NewWatcher[*AzureInstances](ctx)
+
+			const noDiscoveryConfig = ""
+			watcher.SetFetchers(noDiscoveryConfig,
+				MatchersToAzureInstanceFetchers(logger, []types.AzureMatcher{tc.matcher},
+					func(ctx context.Context, integration string) (azure.Clients, error) {
+						return &clients, nil
+					}, noDiscoveryConfig),
+			)
 
 			go watcher.Run()
 			t.Cleanup(watcher.Stop)
@@ -171,13 +174,13 @@ func TestAzureWatcher(t *testing.T) {
 			for len(vmIDs) < len(tc.wantVMs) {
 				select {
 				case results := <-watcher.InstancesC:
-					for _, vm := range results.Azure.Instances {
+					for _, vm := range results.Instances {
 						parsedResource, err := arm.ParseResourceID(*vm.ID)
 						require.NoError(t, err)
 						vmID := parsedResource.Name
 						vmIDs = append(vmIDs, vmID)
 					}
-					require.NotEqual(t, "*", results.Azure.ResourceGroup)
+					require.NotEqual(t, "*", results.ResourceGroup)
 				case <-ctx.Done():
 					require.Fail(t, "Expected %v VMs, got %v", tc.wantVMs, len(vmIDs))
 				}

lib/srv/server/azure_watcher_test.go

@@ -23,7 +23,6 @@ import (
 	"log/slog"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
@@ -32,7 +31,6 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
 
 	usageeventsv1 "github.com/gravitational/teleport/api/gen/proto/go/usageevents/v1"
 	"github.com/gravitational/teleport/api/types"
@@ -144,17 +142,6 @@ func (i *EC2Instances) ServerInfos() ([]types.ServerInfo, error) {
 	return serverInfos, nil
 }
 
-// Option is a functional option for the Watcher.
-type Option func(*Watcher)
-
-// WithPollInterval sets the interval at which the watcher will fetch
-// instances from AWS.
-func WithPollInterval(interval time.Duration) Option {
-	return func(w *Watcher) {
-		w.pollInterval = interval
-	}
-}
-
 // MakeEvents generates ResourceCreateEvents for these instances.
 func (instances *EC2Instances) MakeEvents() map[string]*usageeventsv1.ResourceCreateEvent {
 	resourceType := types.DiscoveredResourceNode
@@ -180,25 +167,6 @@ func (instances *EC2Instances) MakeEvents() map[string]*usageeventsv1.ResourceCr
 	return events
 }
 
-// NewEC2Watcher creates a new EC2 watcher instance.
-func NewEC2Watcher(ctx context.Context, fetchersFn func() []Fetcher, missedRotation <-chan []types.Server, opts ...Option) (*Watcher, error) {
-	cancelCtx, cancelFn := context.WithCancel(ctx)
-	watcher := Watcher{
-		fetchersFn:     fetchersFn,
-		ctx:            cancelCtx,
-		cancel:         cancelFn,
-		clock:          clockwork.NewRealClock(),
-		pollInterval:   time.Minute,
-		triggerFetchC:  make(<-chan struct{}),
-		InstancesC:     make(chan Instances),
-		missedRotation: missedRotation,
-	}
-	for _, opt := range opts {
-		opt(&watcher)
-	}
-	return &watcher, nil
-}
-
 // EC2ClientGetter gets an AWS EC2 client for the given region.
 type EC2ClientGetter func(ctx context.Context, region string, opts ...awsconfig.OptionsFn) (ec2.DescribeInstancesAPIClient, error)
 
@@ -231,8 +199,8 @@ type MatcherToEC2FetcherParams struct {
 }
 
 // MatchersToEC2InstanceFetchers converts a list of AWS EC2 Matchers into a list of AWS EC2 Fetchers.
-func MatchersToEC2InstanceFetchers(ctx context.Context, matcherParams MatcherToEC2FetcherParams) ([]Fetcher, error) {
-	ret := []Fetcher{}
+func MatchersToEC2InstanceFetchers(ctx context.Context, matcherParams MatcherToEC2FetcherParams) ([]Fetcher[*EC2Instances], error) {
+	var ret []Fetcher[*EC2Instances]
 	for _, matcher := range matcherParams.Matchers {
 		fetcher := newEC2InstanceFetcher(ec2FetcherConfig{
 			Matcher:                matcher,
@@ -400,7 +368,7 @@ func ssmRunCommandParameters(ctx context.Context, cfg ec2FetcherConfig) (map[str
 }
 
 // GetMatchingInstances returns a list of EC2 instances from a list of matching Teleport nodes
-func (f *ec2InstanceFetcher) GetMatchingInstances(ctx context.Context, nodes []types.Server, rotation bool) ([]Instances, error) {
+func (f *ec2InstanceFetcher) GetMatchingInstances(ctx context.Context, nodes []types.Server, rotation bool) ([]*EC2Instances, error) {
 	ssmRunParams, err := ssmRunCommandParameters(ctx, f.ec2FetcherConfig)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -459,12 +427,12 @@ func (f *ec2InstanceFetcher) GetMatchingInstances(ctx context.Context, nodes []t
 
 // chunkInstances splits instances into chunks of 50.
 // This is required because SSM SendCommand API calls only accept up to 50 instance IDs at a time.
-func chunkInstances(instancesByRegion map[string]EC2Instances) []Instances {
-	var instColl []Instances
+func chunkInstances(instancesByRegion map[string]EC2Instances) []*EC2Instances {
+	var instColl []*EC2Instances
 	for _, insts := range instancesByRegion {
 		for i := 0; i < len(insts.Instances); i += awsEC2APIChunkSize {
 			end := min(i+awsEC2APIChunkSize, len(insts.Instances))
-			inst := EC2Instances{
+			inst := &EC2Instances{
 				AccountID:           insts.AccountID,
 				Region:              insts.Region,
 				DocumentName:        insts.DocumentName,
@@ -474,7 +442,7 @@ func chunkInstances(instancesByRegion map[string]EC2Instances) []Instances {
 				Integration:         insts.Integration,
 				DiscoveryConfigName: insts.DiscoveryConfigName,
 			}
-			instColl = append(instColl, Instances{EC2: &inst})
+			instColl = append(instColl, inst)
 		}
 	}
 	return instColl
@@ -606,14 +574,14 @@ func (f *ec2InstanceFetcher) allAssumeRoles(ctx context.Context) ([]assumeRoleWi
 }
 
 // GetInstances fetches all EC2 instances matching configured filters.
-func (f *ec2InstanceFetcher) GetInstances(ctx context.Context, rotation bool) ([]Instances, error) {
+func (f *ec2InstanceFetcher) GetInstances(ctx context.Context, rotation bool) ([]*EC2Instances, error) {
 	ssmRunParams, err := ssmRunCommandParameters(ctx, f.ec2FetcherConfig)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
 	f.cachedInstances.clear()
-	var allInstances []Instances
+	var allInstances []*EC2Instances
 
 	accountRolesToAssume, err := f.allAssumeRoles(ctx)
 	if err != nil {
@@ -672,13 +640,13 @@ type getInstancesInRegionParams struct {
 }
 
 // getInstancesInRegion fetches all EC2 instances in a given region.
-func (f *ec2InstanceFetcher) getInstancesInRegion(ctx context.Context, params getInstancesInRegionParams) ([]Instances, error) {
+func (f *ec2InstanceFetcher) getInstancesInRegion(ctx context.Context, params getInstancesInRegionParams) ([]*EC2Instances, error) {
 	ec2Client, err := f.EC2ClientGetter(ctx, params.region, params.awsOpts...)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	var instances []Instances
+	var instances []*EC2Instances
 
 	paginator := ec2.NewDescribeInstancesPaginator(ec2Client, &ec2.DescribeInstancesInput{
 		Filters: f.Filters,
@@ -694,7 +662,7 @@ func (f *ec2InstanceFetcher) getInstancesInRegion(ctx context.Context, params ge
 			for i := 0; i < len(res.Instances); i += awsEC2APIChunkSize {
 				end := min(i+awsEC2APIChunkSize, len(res.Instances))
 				ownerID := aws.ToString(res.OwnerId)
-				inst := EC2Instances{
+				inst := &EC2Instances{
 					AccountID:           ownerID,
 					Region:              params.region,
 					DocumentName:        f.Matcher.SSM.DocumentName,
@@ -710,7 +678,7 @@ func (f *ec2InstanceFetcher) getInstancesInRegion(ctx context.Context, params ge
 				for _, ec2inst := range res.Instances[i:end] {
 					f.cachedInstances.add(ownerID, aws.ToString(ec2inst.InstanceId))
 				}
-				instances = append(instances, Instances{EC2: &inst})
+				instances = append(instances, inst)
 			}
 		}
 	}