[v17] Backport Azure integration in Discovery Service to v17 (#51725)

* Adding Azure integration protobuf messages and gRPC methods (#48628)

* Adding Azure integration gRPC messages and RPC methods

* Make derive

* Update proto/accessgraph/v1alpha/azure.proto

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Update proto/accessgraph/v1alpha/azure.proto

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Update proto/accessgraph/v1alpha/azure.proto

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* More PR feedback and generating protobuf code

* Make derive

* Adding identities field to principals, condition to role assignments, and role name to role definitions

* Rebase conflicts

* Did not fully fetch from origin/master when rebasing

* Removing azure config field and keeping poll_interval as-is

* Correct from parent branch

* Apply suggestions from code review

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* Adding doc comments to access graph proto

* Adding object type to principals

* Adding location to Azure virtual machines

* Update proto/accessgraph/v1alpha/access_graph_service.proto

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Moving Azure Discovery protobuf config to the Azure Discovery PR

* Make grpc

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Post cherry-pick grpc

* Protobuf and configuration for Access Graph Azure Discovery (#50364)

* Protobuf and configuration for Access Graph Azure Discovery

* Adding godoc and removing Integration field from fileconf

* Adding the Azure sync module functions along with new cloud client functionality (#50366)

* Protobuf and configuration for Access Graph Azure Discovery

* Adding the Azure sync module functions along with new cloud client functionality

* Forgot to decouple role definitions fetching function from the fetcher

* Moving reconciliation to the upstream azure sync PR

* Moving reconciliation test to the upstream azure sync PR

* Updating go.sum

* Fixing rebase after protobuf gen

* Nolinting until upstream PRs

* Updating to use existing msgraph client

* Adding protection around nil values

* PR feedback

* Updating principal fetching to incorporate metadata from principal subtypes

* Updating opts to not leak URL parameters

* Conformant package name

* Using variadic options

* PR feedback

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* Also returning expanded principals for improved readability

* Removing ptrToList

* PR feedback

* Rebase go.sum stuff

* Go mod tidy

* Linting

* Linting

* Collecting errors from fetching memberships and using a WithContext error group

* Fixing go.mod

* Update lib/msgraph/paginated.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* e ref update

* e ref update

* Fixing method

* Fetching group members from groups rather than memberships of each principal

* Linting

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Adding Azure sync functionality which can be used by the Azure Fetcher (#50367)

* Protobuf and configuration for Access Graph Azure Discovery

* Adding the Azure sync module functions along with new cloud client functionality

* Moving reconciliation to the upstream azure sync PR

* Moving reconciliation test to the upstream azure sync PR

* Fixing rebase after protobuf gen

* Updating to use existing msgraph client

* PR feedback

* Using variadic options

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* PR feedback

* Rebase go.sum stuff

* Go mod tidy

* Fixing go.mod

* Update lib/msgraph/paginated.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* e ref update

* Adding the Azure sync module functions along with new cloud client functionality

* Protobuf and configuration for Access Graph Azure Discovery

* Adding Azure sync functionality which can be called by the Azure fetcher

* Protobuf update

* Update sync process to use msgraph client

* Conformant package name

* Invoking membership expansion

* Setting principals before expansion

* Removing msgraphclient

* Update e ref

* Linting

* PR feedback

* Adding test names to reconciliation tests

* Adding channel buffer

* Going back to just reading from channel

* Linting

* PR feedback

* PR feedback

* PR feedback

* Apply suggestions from code review

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* Fixing flaky test

* Lint

* Fix imports

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Invoking the Azure fetcher in the Discovery service (#50369)

* Protobuf and configuration for Access Graph Azure Discovery

* Adding the Azure sync module functions along with new cloud client functionality

* Fixing rebase after protobuf gen

* Updating to use existing msgraph client

* PR feedback

* Using variadic options

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* PR feedback

* Rebase go.sum stuff

* Go mod tidy

* Fixing go.mod

* Update lib/msgraph/paginated.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* Adding the Azure sync module functions along with new cloud client functionality

* Protobuf and configuration for Access Graph Azure Discovery

* Adding Azure sync functionality which can be called by the Azure fetcher

* Protobuf update

* Invoking membership expansion

* Setting principals before expansion

* Removing msgraphclient

* Linting

* PR feedback

* PR feedback

* Adding the Azure sync module functions along with new cloud client functionality

* Updating to use existing msgraph client

* PR feedback

* Using variadic options

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* PR feedback

* Rebase go.sum stuff

* PR feedback

* Adding the Azure sync module functions along with new cloud client functionality

* Protobuf and configuration for Access Graph Azure Discovery

* Invoking the Azure fetcher in the Discovery service

* Protobuf gen fix

* Conformant package name

* Removing msgraphclient (again?)

* Rebase fixes

* More cleanup

* PR feedback

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Adding OIDC auth functionality to the Azure integration (#51219)

* Protobuf and configuration for Access Graph Azure Discovery

* Fixing rebase after protobuf gen

* Updating to use existing msgraph client

* PR feedback

* Using variadic options

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* PR feedback

* Rebase go.sum stuff

* Go mod tidy

* Fixing go.mod

* Update lib/msgraph/paginated.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* Protobuf and configuration for Access Graph Azure Discovery

* Adding Azure sync functionality which can be called by the Azure fetcher

* Protobuf update

* Linting

* PR feedback

* PR feedback

* Updating to use existing msgraph client

* PR feedback

* Using variadic options

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* PR feedback

* Rebase go.sum stuff

* PR feedback

* Protobuf and configuration for Access Graph Azure Discovery

* Protobuf gen fix

* Rebase fixes

* More cleanup

* e ref update

* Invoking token generation and returning the response

* Quick test with a message to make sure RPC is invoked

* Skeleton of new Azure OIDC RPC call

* Fetching the Azure OIDC token during fetcher creation and establishing a credential assertion approach

* PR feedback; restricting token requests to auth, discovery, and proxy roles.

* Lint

* Fixing mocks

* Fix imports

* Fix test

* Rebase fxes

* Adding back OIDC fetching, accidentally removed it during rebase

* e ref

* Lint

* Fix imports

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Azure integration status reporting (#51391)

* Protobuf and configuration for Access Graph Azure Discovery

* Fixing rebase after protobuf gen

* Updating to use existing msgraph client

* PR feedback

* Using variadic options

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* PR feedback

* Rebase go.sum stuff

* Go mod tidy

* Fixing go.mod

* Update lib/msgraph/paginated.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* PR feedback

* Protobuf and configuration for Access Graph Azure Discovery

* Adding Azure sync functionality which can be called by the Azure fetcher

* Protobuf update

* Linting

* PR feedback

* PR feedback

* Updating to use existing msgraph client

* PR feedback

* Using variadic options

* Removing memberOf expansion

* Expanding memberships by calling memberOf on each user

* PR feedback

* Rebase go.sum stuff

* PR feedback

* Protobuf and configuration for Access Graph Azure Discovery

* Invoking the Azure fetcher in the Discovery service

* Protobuf gen fix

* Rebase fixes

* More cleanup

* PR feedback

* Invoking token generation and returning the response

* Fetching the Azure OIDC token during fetcher creation and establishing a credential assertion approach

* PR feedback; restricting token requests to auth, discovery, and proxy roles.

* Lint

* Rebase fxes

* Adding back OIDC fetching, accidentally removed it during rebase

* Initial refactoring to include Azure status reporting

* Converging status sync between AWS and Azure

* Fixing test

* Sending usage stats

* Fix imports

* Add godocs and correct a few comments

* Removing the usage events for now

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Post cherry-pick fixes

* Azure integration command (#47541)

* Initial command to create the managed identity and role

* Adding permissions and applying command params

* Adding graph permissions to the MSI

* Updating parameters

* Adding some details and cleaning up comments

* Fixing go.sum

* Linting

* License

* PR feedback

* Decoupling sync config with an interface for testing

* Tweaks to test mocking

* PR feedback

* Rebase adjustments

* PR feedback

* Switch to empty struct maps instead of bool maps for set representation

* Godocs

* Adding user agent to Azure SDK requests

* Linting

* Moving armcompute back to v3

* Post cherry-pick make grpc

* Post rebase make grpc

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

api/client/client.go

@@ -4835,6 +4835,18 @@ func (c *Client) GenerateAWSOIDCToken(ctx context.Context, integration string) (
 	return resp.GetToken(), nil
 }
 
+// GenerateAzureOIDCToken generates a token to be used when executing an Azure OIDC Integration action.
+func (c *Client) GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error) {
+	resp, err := c.integrationsClient().GenerateAzureOIDCToken(ctx, &integrationpb.GenerateAzureOIDCTokenRequest{
+		Integration: integration,
+	})
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+
+	return resp.GetToken(), nil
+}
+
 // PluginsClient returns an unadorned Plugins client, using the underlying
 // Auth gRPC connection.
 // Clients connecting to non-Enterprise clusters, or older Teleport versions,

api/proto/teleport/integration/v1/integration_service.proto

@@ -46,6 +46,9 @@ service IntegrationService {
   // GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
   rpc GenerateAWSOIDCToken(GenerateAWSOIDCTokenRequest) returns (GenerateAWSOIDCTokenResponse);
 
+  // GenerateAzureOIDCToken generates a token to be used when executing an Azure OIDC Integration action.
+  rpc GenerateAzureOIDCToken(GenerateAzureOIDCTokenRequest) returns (GenerateAzureOIDCTokenResponse);
+
   // GenerateGitHubUserCert signs a SSH certificate for GitHub integration.
   rpc GenerateGitHubUserCert(GenerateGitHubUserCertRequest) returns (GenerateGitHubUserCertResponse);
 
@@ -119,6 +122,20 @@ message GenerateAWSOIDCTokenResponse {
   string token = 1;
 }
 
+// GenerateAzureOIDCTokenRequest are the parameters used to request an Azure OIDC
+// Integration token.
+message GenerateAzureOIDCTokenRequest {
+  // Integration is the Azure OIDC Integration name.
+  // Required.
+  string integration = 1;
+}
+
+// GenerateAzureOIDCTokenResponse contains a signed Azure OIDC Integration token.
+message GenerateAzureOIDCTokenResponse {
+  // Token is the signed JWT ready to be used
+  string token = 1;
+}
+
 // GenerateGitHubUserCertRequest is a request to sign a client certificate used by
 // GitHub integration to authenticate with GitHub enterprise.
 message GenerateGitHubUserCertRequest {

api/proto/teleport/legacy/types/types.proto

@@ -8109,12 +8109,14 @@ message OktaOptions {
 message AccessGraphSync {
   // AWS is a configuration for AWS Access Graph service poll service.
   repeated AccessGraphAWSSync AWS = 1 [(gogoproto.jsontag) = "aws,omitempty"];
-  // PollInterval is the frequency at which to poll for AWS resources
+  // PollInterval is the frequency at which to poll for resources
   google.protobuf.Duration PollInterval = 2 [
     (gogoproto.jsontag) = "poll_interval,omitempty",
     (gogoproto.nullable) = false,
     (gogoproto.stdduration) = true
   ];
+  // Azure is a configuration for Azure Access Graph service poll service.
+  repeated AccessGraphAzureSync Azure = 3 [(gogoproto.jsontag) = "azure,omitempty"];
 }
 
 // AccessGraphAWSSync is a configuration for AWS Access Graph service poll service.
@@ -8126,3 +8128,11 @@ message AccessGraphAWSSync {
   // Integration is the integration name used to generate credentials to interact with AWS APIs.
   string Integration = 4 [(gogoproto.jsontag) = "integration,omitempty"];
 }
+
+// AccessGraphAzureSync is a configuration for Azure Access Graph service poll service.
+message AccessGraphAzureSync {
+  // SubscriptionID Is the ID of the Azure subscription to sync resources from
+  string SubscriptionID = 1 [(gogoproto.jsontag) = "subscription_id,omitempty"];
+  // Integration is the integration name used to generate credentials to interact with AWS APIs.
+  string Integration = 2 [(gogoproto.jsontag) = "integration,omitempty"];
+}