Remove EICE dead code (#51107)

* Remove EICE dead code Accessing EC2 instances using EC2 Instance Connect Endpoint was developed some releases ago. However, due to strict quotas put in place by amazon, we decide to remove this feature. Since a couple of releases ago we hide this feature from the UI. This PR removes dead code: - removes the UI bits used during the Discovery flow - removes the `teleport integrationn configure eice-iam` command - removes API endpoinst that are no longer used - deprecates the unused gRPC calls The following parts were kept, to ensure we don't break existing set ups: - auto discovery of ec2 instances using the EICE method - accessing Servers which have the ec2-ice subkind - kubernetes operator and terraform provider EICE resource management We might remove those in the future, but for now, they will be kept. * add delete version notice
gravitational · Jan 16, 2025 · 8f99076 · 8f99076
1 parent 70d70a2
commit 8f99076
Show file tree

Hide file tree

Showing 33 changed files with 487 additions and 4,693 deletions.
diff --git a/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go b/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
diff --git a/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go b/api/gen/proto/go/teleport/integration/v1/awsoidc_service_grpc.pb.go
diff --git a/api/proto/teleport/integration/v1/awsoidc_service.proto b/api/proto/teleport/integration/v1/awsoidc_service.proto
@@ -26,12 +26,18 @@ service AWSOIDCService {
   // An optional NextToken that can be used to fetch the next page.
   // It uses the following API:
   // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceConnectEndpoints.html
-  rpc ListEICE(ListEICERequest) returns (ListEICEResponse);
+  rpc ListEICE(ListEICERequest) returns (ListEICEResponse) {
+    // TODO(marco): DELETE IN v19.0.0
+    option deprecated = true;
+  }
 
   // CreateEICE creates multiple EC2 Instance Connect Endpoint using the provided Subnets and Security Group IDs.
   // It uses the following API:
   // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceConnectEndpoint.html
-  rpc CreateEICE(CreateEICERequest) returns (CreateEICEResponse);
+  rpc CreateEICE(CreateEICERequest) returns (CreateEICEResponse) {
+    // TODO(marco): DELETE IN v19.0.0
+    option deprecated = true;
+  }
 
   // ListDatabases calls the following AWS API:
   // https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html
@@ -69,7 +75,10 @@ service AWSOIDCService {
   // ListEC2 lists the EC2 instances of the AWS account per region.
   // It uses the following API:
   // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
-  rpc ListEC2(ListEC2Request) returns (ListEC2Response);
+  rpc ListEC2(ListEC2Request) returns (ListEC2Response) {
+    // TODO(marco): DELETE IN v19.0.0
+    option deprecated = true;
+  }
 
   // ListEKSClusters retrieves a paginated list of EKS clusters in the specified AWS region for a specific account.
   // It uses the following APIs:
@@ -86,6 +95,7 @@ service AWSOIDCService {
 
 // ListEICERequest is a request for a paginated list of AWS EC2 Instance Connect Endpoints.
 message ListEICERequest {
+  option deprecated = true;
   // Integration is the AWS OIDC Integration name.
   // Required.
   string integration = 1;
@@ -102,6 +112,7 @@ message ListEICERequest {
 
 // EC2InstanceConnectEndpoint is a representation of a Amazon VPC EC2 Instance Connect Endpoint.
 message EC2InstanceConnectEndpoint {
+  option deprecated = true;
   // Name is the endpoint name.
   string name = 1;
   // State is the endpoint state.
@@ -120,6 +131,7 @@ message EC2InstanceConnectEndpoint {
 
 // ListEICEResponse contains a page of AWS EC2 Instance Connect Endpoints.
 message ListEICEResponse {
+  option deprecated = true;
   // EC2ICEs contains the page of EC2 Instance Connect Endpoints.
   repeated EC2InstanceConnectEndpoint ec2ices = 1;
   // DashboardLink is the URL for AWS Web Console that lists all the Endpoints for the queries VPCs.
@@ -131,6 +143,7 @@ message ListEICEResponse {
 
 // CreateEICERequest contains the required fields to create an AWS EC2 Instance Connect Endpoint.
 message CreateEICERequest {
+  option deprecated = true;
   // Integration is the AWS OIDC Integration name.
   // Required.
   string integration = 1;
@@ -144,6 +157,7 @@ message CreateEICERequest {
 
 // EC2ICEndpoint contains the information for a single Endpoint to be created.
 message EC2ICEndpoint {
+  option deprecated = true;
   // Name is the endpoint name.
   string name = 1;
   // SubnetID is the Subnet where the Endpoint will be created.
@@ -155,6 +169,7 @@ message EC2ICEndpoint {
 
 // CreateEICEResponse is a request to create a VPC Endpoint of EC2 Instance Connect Endpoint type.
 message CreateEICEResponse {
+  option deprecated = true;
   // Name is the Endpoint ID.
   string name = 1;
   // CreatedEndpoints contains the name of created endpoints and their Subnet.
@@ -514,6 +529,7 @@ message EnrollEKSClustersResponse {
 
 // ListEC2Request is a request for a paginated list of AWS EC2 instances.
 message ListEC2Request {
+  option deprecated = true;
   // Integration is the AWS OIDC Integration name.
   // Required.
   string integration = 1;
@@ -527,6 +543,7 @@ message ListEC2Request {
 
 // ListEC2Response contains a page of AWS EC2 instances represented as Nodes.
 message ListEC2Response {
+  option deprecated = true;
   // Servers contains the page of EC2.
   repeated types.ServerV2 servers = 1;
   // NextToken is used for pagination.

diff --git a/lib/auth/integration/integrationv1/awsoidc.go b/lib/auth/integration/integrationv1/awsoidc.go
@@ -200,6 +200,8 @@ func (s *AWSOIDCService) awsClientReq(ctx context.Context, integrationName, regi
 }
 
 // ListEICE returns a paginated list of EC2 Instance Connect Endpoints.
+//
+// Deprecated: Marked as deprecated in teleport/integration/v1/awsoidc_service.proto.
 func (s *AWSOIDCService) ListEICE(ctx context.Context, req *integrationpb.ListEICERequest) (*integrationpb.ListEICEResponse, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -249,6 +251,8 @@ func (s *AWSOIDCService) ListEICE(ctx context.Context, req *integrationpb.ListEI
 }
 
 // CreateEICE creates multiple EC2 Instance Connect Endpoint using the provided Subnets and Security Group IDs.
+//
+// Deprecated: Marked as deprecated in teleport/integration/v1/awsoidc_service.proto.
 func (s *AWSOIDCService) CreateEICE(ctx context.Context, req *integrationpb.CreateEICERequest) (*integrationpb.CreateEICEResponse, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -661,6 +665,8 @@ func (s *AWSOIDCService) DeployService(ctx context.Context, req *integrationpb.D
 }
 
 // ListEC2 returns a paginated list of AWS EC2 instances.
+//
+// Deprecated: Marked as deprecated in teleport/integration/v1/awsoidc_service.proto.
 func (s *AWSOIDCService) ListEC2(ctx context.Context, req *integrationpb.ListEC2Request) (*integrationpb.ListEC2Response, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {

diff --git a/lib/auth/integration/integrationv1/awsoidc_test.go b/lib/auth/integration/integrationv1/awsoidc_test.go
@@ -240,18 +240,6 @@ func TestRBAC(t *testing.T) {
 		userCtx := authorizerForDummyUser(t, ctx, role, localClient)
 
 		for _, tt := range []endpointSubtest{
-			{
-				name: "ListEICE",
-				fn: func() error {
-					_, err := awsoidService.ListEICE(userCtx, &integrationv1.ListEICERequest{
-						Integration: integrationName,
-						Region:      "my-region",
-						VpcIds:      []string{"vpc-123"},
-						NextToken:   "",
-					})
-					return err
-				},
-			},
 			{
 				name: "ListDatabases",
 				fn: func() error {
@@ -347,18 +335,6 @@ func TestRBAC(t *testing.T) {
 		userCtx := authorizerForDummyUser(t, ctx, role, localClient)
 
 		for _, tt := range []endpointSubtest{
-			{
-				name: "ListEICE",
-				fn: func() error {
-					_, err := awsoidService.ListEICE(userCtx, &integrationv1.ListEICERequest{
-						Integration: integrationName,
-						Region:      "my-region",
-						VpcIds:      []string{"vpc-123"},
-						NextToken:   "",
-					})
-					return err
-				},
-			},
 			{
 				name: "ListDatabases",
 				fn: func() error {

diff --git a/lib/config/configuration.go b/lib/config/configuration.go
@@ -210,10 +210,6 @@ type CommandLineFlags struct {
 	// `teleport integration configure deployservice-iam` command
 	IntegrationConfDeployServiceIAMArguments IntegrationConfDeployServiceIAM
 
-	// IntegrationConfEICEIAMArguments contains the arguments of
-	// `teleport integration configure eice-iam` command
-	IntegrationConfEICEIAMArguments IntegrationConfEICEIAM
-
 	// IntegrationConfAWSAppAccessIAMArguments contains the arguments of
 	// `teleport integration configure aws-app-access-iam` command
 	IntegrationConfAWSAppAccessIAMArguments IntegrationConfAWSAppAccessIAM
@@ -329,19 +325,6 @@ type IntegrationConfDeployServiceIAM struct {
 	AutoConfirm bool
 }
 
-// IntegrationConfEICEIAM contains the arguments of
-// `teleport integration configure eice-iam` command
-type IntegrationConfEICEIAM struct {
-	// Region is the AWS Region used to set up the client.
-	Region string
-	// Role is the AWS Role associated with the Integration
-	Role string
-	// AccountID is the AWS account ID.
-	AccountID string
-	// AutoConfirm skips user confirmation of the operation plan if true.
-	AutoConfirm bool
-}
-
 // IntegrationConfAWSAppAccessIAM contains the arguments of
 // `teleport integration configure aws-app-access-iam` command
 type IntegrationConfAWSAppAccessIAM struct {