Adds Roles for IC resource access requests

gravitational · Dec 5, 2024 · 5efe41b · 5efe41b
1 parent a631cf1
commit 5efe41b
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 0 deletions.
diff --git a/constants.go b/constants.go
@@ -698,6 +698,21 @@ const (
 	// access to Okta resources. This will be used by the Okta requester role to
 	// search for Okta resources.
 	SystemOktaAccessRoleName = "okta-access"
+
+	// SystemIdentityCenterRequesterRoleName specifies the name of a system role
+	// that allows a user to request access to AWS Identity Center resources via
+	// Access Requests.
+	SystemIdentityCenterRequesterRoleName = "aws-ic-requester"
+
+	// SystemIdentityCenterReviewerRoleName specifies the name of a system role
+	// that grants a user the ability tp review Access Requests access for AWS
+	// Identity Center resources .
+	SystemIdentityCenterReviewerRoleName = "aws-ic-reviewer"
+
+	// SystemIdentityCenterRequesterRoleName specifies the name of a system role
+	// that grants a user access to AWS Identity Center resources via
+	// Access Requests.
+	SystemIdentityCenterAccessRoleName = "aws-ic-access"
 )
 
 var PresetRoles = []string{PresetEditorRoleName, PresetAccessRoleName, PresetAuditorRoleName}

diff --git a/lib/auth/init.go b/lib/auth/init.go
@@ -1033,6 +1033,9 @@ func GetPresetRoles() []types.Role {
 		services.NewSystemOktaAccessRole(),
 		services.NewSystemOktaRequesterRole(),
 		services.NewPresetTerraformProviderRole(),
+		services.NewSystemIdentityCenterAccessRole(),
+		services.NewSystemIdentityCenterRequesterRole(),
+		services.NewSystemIdentityCenterReviewerRole(),
 	}
 
 	// Certain `New$FooRole()` functions will return a nil role if the

diff --git a/lib/services/presets.go b/lib/services/presets.go
@@ -28,6 +28,7 @@ import (
 	"github.com/gravitational/teleport/api/constants"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/types/common"
 	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/modules"
 )
@@ -562,6 +563,111 @@ func NewSystemOktaRequesterRole() types.Role {
 	return role
 }
 
+// NewSystemIdentityCenterAccessRole creates a role that allows access to AWS
+// IdentityCenter resources via Access Requests
+func NewSystemIdentityCenterAccessRole() types.Role {
+	if modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return nil
+	}
+
+	return &types.RoleV6{
+		Kind:    types.KindRole,
+		Version: types.V7,
+		Metadata: types.Metadata{
+			Name:        teleport.SystemIdentityCenterAccessRoleName,
+			Namespace:   apidefaults.Namespace,
+			Description: "Access AWS IdentityCenter resources",
+			Labels: map[string]string{
+				types.TeleportInternalResourceType: types.SystemResource,
+				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+			},
+		},
+		Spec: types.RoleSpecV6{
+			Allow: types.RoleConditions{
+				AccountAssignmentLabels: types.Labels{
+					types.OriginLabel: []string{common.OriginAWSIdentityCenter},
+				},
+				Rules: []types.Rule{
+					types.NewRule(types.KindIdentityCenter, RO()),
+				},
+			},
+		},
+	}
+}
+
+// NewSystemIdentityCenterRequesterRole creates a role that allows a user to
+// request access to AWS IdentityCenter resources via Access Requests
+func NewSystemIdentityCenterRequesterRole() types.Role {
+	if modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return nil
+	}
+
+	return &types.RoleV6{
+		Kind:    types.KindRole,
+		Version: types.V7,
+		Metadata: types.Metadata{
+			Name:        teleport.SystemIdentityCenterRequesterRoleName,
+			Namespace:   apidefaults.Namespace,
+			Description: "Request AWS IdentityCenter resources",
+			Labels: map[string]string{
+				types.TeleportInternalResourceType: types.SystemResource,
+				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+			},
+		},
+		Spec: types.RoleSpecV6{
+			Allow: types.RoleConditions{
+				Request: &types.AccessRequestConditions{
+					Roles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+					SearchAsRoles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+				},
+			},
+		},
+	}
+}
+
+// NewSystemIdentityCenterReviewerRole creates a role that allows a user to
+// review Access Requests for AWS IdentityCenter resources via Access Requests
+func NewSystemIdentityCenterReviewerRole() types.Role {
+	if modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return nil
+	}
+
+	return &types.RoleV6{
+		Kind:    types.KindRole,
+		Version: types.V7,
+		Metadata: types.Metadata{
+			Name:        teleport.SystemIdentityCenterReviewerRoleName,
+			Namespace:   apidefaults.Namespace,
+			Description: "Request AWS IdentityCenter resources",
+			Labels: map[string]string{
+				types.TeleportInternalResourceType: types.SystemResource,
+				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+			},
+		},
+		Spec: types.RoleSpecV6{
+			Allow: types.RoleConditions{
+				Request: &types.AccessRequestConditions{
+					SearchAsRoles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+				},
+				ReviewRequests: &types.AccessReviewConditions{
+					Roles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+					PreviewAsRoles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+				},
+			},
+		},
+	}
+}
+
 // NewPresetTerraformProviderRole returns a new pre-defined role for the Teleport Terraform provider.
 // This role can edit any Terraform-supported resource.
 func NewPresetTerraformProviderRole() types.Role {