Merge branch 'master' into tigrato/fix-terraform-pinned-version

.github/workflows/unit-tests.yaml

@@ -11,40 +11,7 @@ env:
   TELEPORT_ENTERPRISE_LICENSE: ${{ secrets.TELEPORT_ENTERPRISE_LICENSE }}
 
 jobs:
-# This test exists to ensure that we don't break compatibility of the event handler
-# when we merge the unstructured events support.
-# This is a temporary test and should be removed in Teleport 14.
-# Since unstructured events API was intoduced in 13.1.0, this test fallbacks to
-# the old SearchEvents and StreamSessionIDEvents API and should be able to complete
-# without errors.
-# DELETE IN 14.0.0
-  test-structured:
-    name: Plugins Tests (Go)
-    runs-on: ubuntu-22.04-16core
-
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout Teleport Plugins
-        uses: actions/checkout@v3
-
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: '1.21.1'
-
-      - name: Install Teleport
-        uses: teleport-actions/setup@v1
-        with:
-          version: 14.0.0
-          enterprise: true
-
-      - name: Run unit tests
-        run: make test-unit
-
-# This test uses the new auditlog service that supports unstructured events.
-  test-unstructured:
+  test:
     name: Plugins Tests (Go)
     runs-on: ubuntu-22.04-16core
 

Makefile

@@ -44,13 +44,9 @@ access-msteams:
 access-pagerduty:
 	$(MAKE) -C access/pagerduty
 
-.PHONY: access-example
-access-example:
-	go build -o build/access-example ./access/example
-
 .PHONY: access-email
 access-email:
-	go build -o build/access-email ./access/email
+	$(MAKE) -C access/email
 
 # Build specific access plugin with docker
 .PHONY: docker-build-access-%
@@ -288,6 +284,7 @@ update-goversion:
 	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' access/pagerduty/Makefile
 	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' access/email/Makefile
 	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' event-handler/Makefile
+	$(SED) '2s/.*/GO_VERSION=$(GOVERSION)/' event-handler/build.assets/Makefile
 	$(SED) 's/^RUNTIME ?= go.*/RUNTIME ?= go$(GOVERSION)/' docker/Makefile
 	$(SED) 's/Setup Go .*/Setup Go $(GOVERSION)/g' .github/workflows/unit-tests.yaml
 	$(SED) 's/Setup Go .*/Setup Go $(GOVERSION)/g' .github/workflows/terraform-tests.yaml

README.md

@@ -1,67 +1,35 @@
-# Teleport Plugins and Example Applications
+# Teleport plugins and example applications
 
-A set of plugins for Teleport's for Access Workflows and example applications for Teleport Application Access.
-
-[![Build Status](https://drone.platform.teleport.sh/api/badges/gravitational/teleport-plugins/status.svg)](https://drone.platform.teleport.sh/gravitational/teleport-plugins/)
+Teleport plugins allow you to integrate the Teleport Access Platform and Teleport workflows with other tools you use to support your infrastructure.
 
+For example, Teleport Access Request plugins enable you to integrate access requests for resources protected by Teleport with your organization's existing messaging and project management solutions, such as Slack, JIRA, and Mattermost.
+If you have a self-hosted Teleport deployment, you can find information about configuring access request plugins in [Just-in-Time Access Request Plugins](https://goteleport.com/docs/access-controls/access-request-plugins/).
 
 ## Access API
 
 The [access](./access) package exposes a simple API for managing access requests
-which can be used for writing plugins. More info can be found in
-[access/README.md](./access/README.md), including instructions on how to
-properly provision necessary certificates.
-
-### API Example
-
-The [access/example](./access/example) plugin automatically approves access
-requests based on a user whitelist. This is a good place to start if you are
-trying to understand how to use the [`access`](./access) API.
-
-Use `make access-example` to build the plugin and
-`./build/access-example configure` to print out a sample configuration file.
-
-### Slack
-
-[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/)
-
-A basic slack plugin (WIP) can be found in [access/slack](./access/slack). The
-plugin can be built with `make access-slack` and instructions for configuring
-the plugin can be found in the plugin's [README](./access/slack/README.md).
-
-### JIRA
-
-[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-jira/)
-
-A basic Teleport / JIRA integration (WIP) can be found in
-[access/jira](./access/jira). The plugin can be built with `make access-jira`
-and instructions for configuring the plugin can be found in the plugin's
-[README](./access/jira/README.md).
-
-### Mattermost
-
-[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/)
-
-Mattermost is a private cloud messaging platform (think Slack for enterprise).
-Teleport provides a Mattermost integration that supports request flows similar
-to Slack integration above. The plugin can be built with
-`make access-mattermost`, and instructions for configuring the plugin can be
-found in the plugin's [README](./access/mattermost/README.md).
+that can be used for writing plugins. You can find the current Teleport Access API in the main [Teleport repository](https://github.com/gravitational/teleport). For
+more information, see [access/README.md](./access/README.md).
 
-### PagerDuty
+## Existing plugin guides
 
-[See setup instructions on Teleport's website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-pagerduty/)
+The Teleport documentation includes access request plugins guides for integration
+with the following solutions:
 
-A Teleport integration with Pagerduty that allows your team to treat Teleport
-permission requests as Pagerduty incidents, and provides Pagerduty special
-actions to approve or deny permission requests. Run `make teleport-pagerduty` to
-build it. More docs in the [README](./access/pagerduty/README.md).
+- [Discord](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/)
+- [Email](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-email/)
+- [JIRA](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-jira/)
+- [Mattermost](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/)
+- [Microsoft Teams](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-msteams/)
+- [PagerDuty](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-pagerduty/)
+- [Slack](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/)
 
 ## Event Handler
 
-The [Teleport Event Handler Plugin](./event-handler) is used to export audit log events to a fluentd service. For more information, visit the Fluentd setup guide at [goteleport.com](https://goteleport.com/docs/management/export-audit-events/fluentd/) or checkout the [README](./event-handler/README.md).
+The [Teleport Event Handler Plugin](./event-handler) is used to export audit log events to a `fluentd` service. 
+For more information, see [Fluentd](https://goteleport.com/docs/management/export-audit-events/fluentd/).
 
 ## Terraform Provider
 
-The [Teleport Terraform Provider](./terraform) makes it easy to create resources using
-Terraform. More info can be found in [terraform/README.md](./terraform/README.md).
+The [Teleport Terraform Provider](./terraform) makes it easy to create resources using Terraform. 
+For more information, see [Terraform Provider]((https://goteleport.com/docs/setup/guides/terraform-provider/).

access/README.md

@@ -1,11 +1,26 @@
-# Access Plugins
+# Access request plugins
 
-The various plugins within this directory allow teleport users the ability to intergrate access request notifications and approval workflows with third party technologies. They also serve as examples for building your own integration. For more information on the plugins available visit the `README.md` within each plugins respective directory.
+The access request plugins in this directory allow Teleport users to integrate access request notifications and approval workflows with third party messaging, project management, and scheduling solutions. These plugins also serve as examples for building your own integration.
+If you have a self-hosted Teleport deployment, you can find information for configuring these access
+request plugins in [Just-in-Time Access Request Plugins](https://goteleport.com/docs/access-controls/access-request-plugins/).
 
-For more information on Access Requests with Teleport, check out this [blog post](https://goteleport.com/blog/access-requests/)
+For an overview of the complete workflow for access requests and how messaging, project management, and scheduling solutions integrate with Teleport, see the [Access Requests for Cloud Infrastructure](https://goteleport.com/blog/access-requests/) blog post.
 
-### Access API
+## Access API
 
-The Teleport Access API has been moved into the main Teleport repo, and can be imported from `github.com/gravitational/teleport/api`. To see examples of how to get started with the Teleport API, take a look at our [go-client example](https://github.com/gravitational/teleport/tree/master/examples/go-client) or read the [API docs](https://goteleport.com/docs/api/introduction/).
+The Teleport Access API has been moved into the main Teleport repository.
+You can import it from `github.com/gravitational/teleport/api`. To see examples of how to get started with the Teleport API, see the [go-client example](https://github.com/gravitational/teleport/tree/master/examples/go-client) or read the [API docs](https://goteleport.com/docs/api/introduction/).
+For more specific examples of how to build a custom access request workflow with the Teleport API, see [How to Build an Access Request Plugin](https://goteleport.com/docs/api/access-plugin/).
 
-For more specific examples of how to manage workflows with the Teleport API, take a look at the [Plugin example](https://goteleport.com/docs/api/access-plugin/).
+## Existing plugin guides
+
+The Teleport documentation includes access request plugins guides for integration
+with the following solutions:
+
+- [Discord](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/)
+- [Email](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-email/)
+- [JIRA](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-jira/)
+- [Mattermost](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/)
+- [Microsoft Teams](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-msteams/)
+- [PagerDuty](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-pagerduty/)
+- [Slack](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/)

access/discord/Makefile

@@ -7,7 +7,7 @@ GITTAG=v$(VERSION)
 GITREF ?= $(shell git describe --dirty --long --tags --match '*discord*')
 ADDFLAGS ?=
 BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)"
-CGOFLAG ?= CGO_ENABLED=1
+CGOFLAG ?= CGO_ENABLED=0
 
 OS ?= $(shell go env GOOS)
 ARCH ?= $(shell go env GOARCH)

access/discord/README.md

@@ -1,162 +1,5 @@
-# Teleport Discord Plugin
+# Teleport Discord access request plugin
 
-This package implements a simple Discord plugin using the Teleport Access API. A discord channel receives an alert when an access request is created.
+The Teleport Access API provides a simple Discord access request plugin that sends an alert to a Discord channel when an access request is created. You can find the Teleport Access API in the main Teleport repository and the Discord access request plugin in `github.com/gravitational/teleport/api/integrations/access/discord`.
 
-## Setup
-
-[See setup instructions on Teleport's docs website](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/)
-
-## Install the plugin
-
-There are several methods to installing and using the Teleport Discord Plugin:
-
-1. Use a [precompiled binary](#precompiled-binary)
-
-2. Use a [docker image](#docker-image)
-
-3. Install from [source](#building-from-source)
-
-### Precompiled Binary
-
-Get the plugin distribution.
-
-```bash
-$ curl -L https://get.gravitational.com/teleport-access-discord-v7.0.2-linux-amd64-bin.tar.gz
-$ tar -xzf teleport-access-discord-v11.1.0-linux-amd64-bin.tar.gz
-$ cd teleport-access-discord
-$ ./install
-```
-
-### Docker Image
-```bash
-$ docker pull public.ecr.aws/gravitational/teleport-plugin-discord:11.1.0
-```
-
-```bash
-$ docker run public.ecr.aws/gravitational/teleport-plugin-discord:11.1.0 version
-teleport-discord v11.1.0 git:teleport-discord-v11.1.0-0-g9e149895 go1.19.1
-```
-
-For a list of available tags, visit [Amazon ECR Public Gallery](https://gallery.ecr.aws/gravitational/teleport-plugin-discord)
-
-### Building from source
-
-To build the plugin from source you need [Go](https://go.dev/) and `make`.
-
-```bash
-$ git clone https://github.com/gravitational/teleport-plugins.git
-$ cd teleport-plugins/access/discord
-$ make
-$ ./build/teleport-discord start
-```
-
-## Teleport User and Role
-
-Using Web UI or `tctl` CLI utility, create the role `access-discord` and the user `access-discord` belonging to the role `access-discord`. You may use the following YAML declarations.
-
-### Role
-
-```yaml
-kind: role
-metadata:
-  name: access-discord
-spec:
-  allow:
-    rules:
-      - resources: ['access_request']
-        verbs: ['list', 'read', 'update']
-version: v6
-```
-
-### User
-
-```yaml
-kind: user
-metadata:
-  name: access-discord
-spec:
-  roles: ['access-discord']
-version: v2
-```
-
-## Generate the certificate
-
-For the plugin to connect to Auth Server, it needs an identity file containing TLS/SSH certificates. This can be obtained with tctl:
-
-```bash
-$ tctl auth sign --auth-server=AUTH-SERVER:PORT --format=file --user=access-discord --out=/var/lib/teleport/plugins/discord/auth_id --ttl=8760h
-```
-
-Here, `AUTH-SERVER:PORT` could be `localhost:3025`, `your-in-cluster-auth.example.com:3025`, `your-remote-proxy.example.com:3080` or `your-teleport-cloud.teleport.sh:443`. For non-localhost connections, you might want to pass the `--identity=...` option to authenticate yourself to Auth Server.
-
-## Configuring Discord Plugin
-
-Discord Plugin uses a config file in TOML format. Generate a boilerplate config
-by running the following command:
-
-```
-$ teleport-discord configure > /etc/teleport-discord.yml
-```
-
-Then, edit the config as needed.
-
-```TOML
-# Example discord plugin configuration TOML file
-
-[teleport]
-# Teleport Auth/Proxy Server address.
-# addr = "example.com:3025"
-#
-# Should be port 3025 for Auth Server and 3080 or 443 for Proxy.
-# For Teleport Cloud, should be in the form "your-account.teleport.sh:443".
-
-# Credentials generated with `tctl auth sign`.
-#
-# When using --format=file:
-# identity = "/var/lib/teleport/plugins/discord/auth_id"    # Identity file
-#
-# When using --format=tls:
-# client_key = "/var/lib/teleport/plugins/discord/auth.key" # Teleport TLS secret key
-# client_crt = "/var/lib/teleport/plugins/discord/auth.crt" # Teleport TLS certificate
-# root_cas = "/var/lib/teleport/plugins/discord/auth.cas"   # Teleport CA certs
-
-[discord]
-token = "my-token"
-
-[role_to_recipients]
-# Map roles to recipients.
-#
-# Provide discord channelID recipients for access requests for specific roles. 
-# "*" must be provided to match non-specified roles.
-#
-# "dev" = ["1234567890","0987654321"]
-# "*" = ["1234567890"]
-
-[log]
-output = "stderr" # Logger output. Could be "stdout", "stderr" or "/var/lib/teleport/discord.log"
-severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN".
-```
-
-## Running the plugin
-
-With the config above, you should be able to run the bot invoking
-
-```bash
-$ teleport-discord start
-```
-
-or with docker:
-
-```bash
-$ docker run -v <path/to/config>:/etc/teleport-discord.toml public.ecr.aws/gravitational/teleport-plugin-discord:11.1.0 start
-```
-
-## Usage
-
-Once your Discord plugin has been configured, you can verify that it's working
-correctly by using `tctl request create <user> --roles=<roles>` to simulate an
-access request. If everything is working as intended, a message should appear
-in the channel specified under `discord.channel`.
-
-Select `Deny` and verify that the request was indeed denied using
-`tctl request ls`.
+If you have a self-hosted Teleport deployment, you can find information for configuring this access request plugin in [Access Requests with Discord](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/).

access/email/Makefile

@@ -7,7 +7,7 @@ GITTAG=v$(VERSION)
 GITREF ?= $(shell git describe --dirty --long --tags --match '*email*')
 ADDFLAGS ?=
 BUILDFLAGS ?= $(ADDFLAGS) -ldflags "-w -s -X main.Gitref=$(GITREF) -X main.Version=$(VERSION)"
-CGOFLAG ?= CGO_ENABLED=1
+CGOFLAG ?= CGO_ENABLED=0
 
 OS ?= $(shell go env GOOS)
 ARCH ?= $(shell go env GOARCH)