gravitational · flyinghermit · Dec 10, 2024 · Dec 2, 2024 · Dec 5, 2024 · Dec 6, 2024
diff --git a/lib/web/ui/app.go b/lib/web/ui/app.go
@@ -36,7 +36,7 @@ type App struct {
 	Kind string `json:"kind"`
 	// SubKind is the subkind of the app resource. Used to differentiate different
 	// flavors of app.
-	SubKind string `json:"subkind,omitempty"`
+	SubKind string `json:"subKind,omitempty"`
 	// Name is the name of the application.
 	Name string `json:"name"`
 	// Description is the app description.
@@ -89,9 +89,9 @@ type IdentityCenterPermissionSet struct {
 	Name string `json:"name"`
 	// ARN is the AWS-assigned ARN of the permission set
 	ARN string `json:"arn"`
-	// AssignmentID is the assignment resource that will provision an Account
-	// Assignment for this Permission Set on the enclosing account
-	AssignmentID    string `json:"accountAssignment,omitempty"`
+	// AssignmentID is the assignment resource ID that will provision an Account
+	// assignment for this permission set on the enclosing account.
+	AssignmentID    string `json:"assignmentId,omitempty"`
 	RequiresRequest bool   `json:"requiresRequest,omitempty"`
 }
 

diff --git a/web/packages/shared/components/AccessRequests/NewRequest/CheckableOption.tsx b/web/packages/shared/components/AccessRequests/NewRequest/CheckableOption.tsx
@@ -24,7 +24,7 @@ import { Option as BaseOption } from 'shared/components/Select';
 
 export type Option = BaseOption & {
   isAdded?: boolean;
-  kind: 'app' | 'user_group' | 'namespace';
+  kind: 'app' | 'user_group' | 'namespace' | 'aws_ic_account_assignment';
 };
 
 export const CheckableOptionComponent = (

diff --git a/...ges/shared/components/AccessRequests/NewRequest/RequestCheckout/RequestCheckout.story.tsx b/...ges/shared/components/AccessRequests/NewRequest/RequestCheckout/RequestCheckout.story.tsx
@@ -241,6 +241,11 @@ const baseProps: RequestCheckoutWithSliderProps = {
       name: 'app-saml',
       id: 'app-name',
     },
+    {
+      kind: 'aws_ic_account_assignment',
+      name: 'account1',
+      id: 'admin-on-account1',
+    },
   ],
   clearAttempt: () => null,
   onClose: () => null,

diff --git a/web/packages/shared/components/AccessRequests/NewRequest/RequestCheckout/RequestCheckout.tsx b/web/packages/shared/components/AccessRequests/NewRequest/RequestCheckout/RequestCheckout.tsx
@@ -791,6 +791,8 @@ function getPrettyResourceKind(kind: RequestableResourceKind): string {
       return 'SAML Application';
     case 'namespace':
       return 'Namespace';
+    case 'aws_ic_account_assignment':
+      return 'AWS IAM Identity Center Account Assignment';
     default:
       kind satisfies never;
       return kind;

diff --git a/web/packages/shared/components/AccessRequests/NewRequest/resource.ts b/web/packages/shared/components/AccessRequests/NewRequest/resource.ts
@@ -45,5 +45,6 @@ export function getEmptyResourceState(): ResourceMap {
     role: {},
     saml_idp_service_provider: {},
     namespace: {},
+    aws_ic_account_assignment: {},
   };
 }
diff --git a/web/packages/shared/components/AccessRequests/Shared/utils.ts b/web/packages/shared/components/AccessRequests/Shared/utils.ts
@@ -41,6 +41,7 @@ export function getNumAddedResources(addedResources: ResourceMap) {
     Object.keys(addedResources.user_group).length +
     Object.keys(addedResources.windows_desktop).length +
     Object.keys(addedResources.saml_idp_service_provider).length +
-    Object.keys(addedResources.namespace).length
+    Object.keys(addedResources.namespace).length +
+    Object.keys(addedResources.aws_ic_account_assignment).length
   );
 }
diff --git a/web/packages/shared/components/AccessRequests/fixtures/index.ts b/web/packages/shared/components/AccessRequests/fixtures/index.ts
@@ -141,6 +141,16 @@ export const requestSearchPending: AccessRequest = {
         friendlyName: 'app-saml',
       },
     },
+    {
+      id: {
+        kind: 'aws_ic_account_assignment',
+        name: 'admin-on-account1',
+        clusterName: 'cluster-name',
+      },
+      details: {
+        friendlyName: 'account1',
+      },
+    },
   ],
 };
 

diff --git a/web/packages/teleport/src/Apps/fixtures/index.ts b/web/packages/teleport/src/Apps/fixtures/index.ts
@@ -187,6 +187,52 @@ export const apps = [
     ],
     clusterId: 'one',
   },
+  {
+    name: 'aws-iam-ic-account-1',
+    uri: 'https://console.aws.amazon.com',
+    publicAddr: 'console.aws.amazon.com',
+    subKind: 'aws-ic-account',
+    labels: [{ name: 'teleport.dev/origin', value: 'aws-identity-center' }],
+    description: 'This is an AWS IAM Identity Center account',
+    awsConsole: false,
+    permissionSets: [
+      {
+        name: 'Admin perm set',
+        arn: 'arn:aws:sso:::permissionSet/Admin',
+        display: 'Admin',
+      },
+      {
+        name: 'ReadOnly perm set',
+        arn: 'arn:aws:sso:::permissionSet/ReadOnly',
+        display: 'ReadOnly',
+      },
+    ],
+    clusterId: 'one',
+    fqdn: 'https://console.aws.amazon.com',
+  },
+  {
+    name: 'aws-iam-ic-account-2',
+    uri: 'https://console.aws.amazon.com',
+    publicAddr: 'console.aws.amazon.com',
+    subKind: 'aws-ic-account',
+    labels: [{ name: 'teleport.dev/origin', value: 'aws-identity-center' }],
+    description: 'This is an AWS IAM Identity Center account',
+    awsConsole: false,
+    permissionSets: [
+      {
+        name: 'Admin perm set',
+        arn: 'arn:aws:sso:::permissionSet/Admin',
+        display: 'Admin',
+      },
+      {
+        name: 'ReadOnly perm set',
+        arn: 'arn:aws:sso:::permissionSet/ReadOnly',
+        display: 'ReadOnly',
+      },
+    ],
+    clusterId: 'one',
+    fqdn: 'https://console.aws.amazon.com',
+  },
 ].map(makeApp);
 
 export const moreApps = [

diff --git a/web/packages/teleport/src/services/agents/types.ts b/web/packages/teleport/src/services/agents/types.ts
@@ -88,7 +88,8 @@ export type ResourceIdKind =
   | 'kube_cluster'
   | 'user_group'
   | 'windows_desktop'
-  | 'saml_idp_service_provider';
+  | 'saml_idp_service_provider'
+  | 'aws_ic_account_assignment';
 
 export type AccessRequestScope =
   | 'my_requests'

diff --git a/web/packages/teleport/src/services/apps/makeApps.ts b/web/packages/teleport/src/services/apps/makeApps.ts
@@ -37,6 +37,8 @@ export default function makeApp(json: any): App {
     requiresRequest,
     integration = '',
     samlAppPreset,
+    subKind,
+    permissionSets,
   } = json;
 
   const canCreateUrl = fqdn && clusterId && publicAddr;
@@ -69,6 +71,7 @@ export default function makeApp(json: any): App {
 
   return {
     kind: 'app',
+    subKind,
     id,
     name,
     description,
@@ -89,5 +92,6 @@ export default function makeApp(json: any): App {
     samlAppSsoUrl,
     requiresRequest,
     integration,
+    permissionSets,
   };
 }
diff --git a/web/packages/teleport/src/services/apps/types.ts b/web/packages/teleport/src/services/apps/types.ts
@@ -51,9 +51,35 @@ export interface App {
   // Integration is the integration name that must be used to access this Application.
   // Only applicable to AWS App Access.
   integration?: string;
+  /** subKind is subKind of an App. */
+  subKind?: AppSubKind;
+  /**
+   * permissionSets is a list of AWS IAM Identity Center permission sets
+   * available for this App. The value is only populated if the app SubKind is
+   * aws_ic_account.
+   */
+  permissionSets?: PermissionSet[];
 }
 
 export type UserGroupAndDescription = {
   name: string;
   description: string;
 };
+
+/** AppSubKind defines names of SubKind for App resource. */
+export enum AppSubKind {
+  AwsIcAccount = 'aws_ic_account',
+}
+
+/**
+ * PermissionSet defines an AWS IAM Identity Center permission set that
+ * is available to an App.
+ */
+export type PermissionSet = {
+  /** name is a permission set name */
+  name: string;
+  /** arn is a permission set ARN */
+  arn: string;
+  /** assignmentId is an account assignment ID. */
+  assignmentId: string;
+};
diff --git a/web/packages/teleterm/src/ui/AccessRequestCheckout/AccessRequestCheckout.tsx b/web/packages/teleterm/src/ui/AccessRequestCheckout/AccessRequestCheckout.tsx
@@ -170,6 +170,7 @@ export function AccessRequestCheckout() {
                       switch (c.kind) {
                         case 'app':
                         case 'saml_idp_service_provider':
+                        case 'aws_ic_account_assignment':
                           resource.Icon = Icon.Application;
                           break;
                         case 'node':

diff --git a/web/packages/teleterm/src/ui/AccessRequestCheckout/useAccessRequestCheckout.ts b/web/packages/teleterm/src/ui/AccessRequestCheckout/useAccessRequestCheckout.ts
@@ -476,6 +476,7 @@ type ResourceKind =
       | 'kube_cluster'
       | 'saml_idp_service_provider'
       | 'namespace'
+      | 'aws_ic_account_assignment'
     >
   | 'role';
 

diff --git a/web/packages/teleterm/src/ui/services/workspacesService/accessRequestsService.ts b/web/packages/teleterm/src/ui/services/workspacesService/accessRequestsService.ts
@@ -310,7 +310,8 @@ type SharedResourceAccessRequestKind =
   | 'db'
   | 'node'
   | 'kube_cluster'
-  | 'saml_idp_service_provider';
+  | 'saml_idp_service_provider'
+  | 'aws_ic_account_assignment';
 
 /**
  * Extracts `kind`, `id` and `name` from the resource request.
@@ -433,6 +434,18 @@ export function toResourceRequest({
         },
         kind: 'app',
       };
+    case 'aws_ic_account_assignment':
+      return {
+        resource: {
+          uri: routing.getAppUri({
+            rootClusterId,
+            leafClusterId,
+            appId: resourceId,
+          }),
+          samlApp: false,
+        },
+        kind: 'app',
+      };
     case 'db':
       return {
         resource: {