Adds edit support for IC plugin to tctl edit
#52243
Conversation
This patch expands the plugin resource unmarshaler in `tctl` to handle the heterogenous filters used by the Identity Center plugin settings. It also adds support for the IC status block. These changes allow a user to edit the plugin resource via `tctl edit` after installation.
tcsc
added
tctl
| settings := &types.PluginSpecV1_AwsIc{ | ||
| AwsIc: &types.PluginAWSICSettings{}, | ||
| } | ||
| p.PluginV1.Spec.Settings = settings | ||
|
|
||
| unmshallingWrapper := icSettingsWrapper{inner: settings.AwsIc} | ||
| if err := json.Unmarshal(value, &unmshallingWrapper); err != nil { | ||
| return trace.Wrap(err) | ||
| } |
There was a problem hiding this comment.
Can we use a proto jsonpb package where oneof marhsling/unmershaling is already implemented ?
|
|
||
| var settings struct { | ||
| AccountFilters []resourceFilter `json:"aws_accounts_filters"` | ||
| GroupFilters []resourceFilter `json:"group_sync_filters"` |
There was a problem hiding this comment.
The current AWS IC flow does not allow updating groups after the AWS IC plugin is enrolled. Groups are fetched only once during plugin installation, and even if a filter is updated afterward, the plugin skips the group sync.
For GroupFilters, we need to add additional logic to the enrollment flow. Also test the filter updates against corner cases. - for instance, what happens if the Account and Group filters further restrict the current configuration.
So if we want to proceed with this change:
- Backend code needs to be aligned to support GroupFilters update.
- Manually the flow agains corner cases.
- Add basic tests coverage for gorup/account ic plugin update flow
There was a problem hiding this comment.
So, if i'm reading you correctly, in the case of a changed group filters we would basically want to re-run the import?
There was a problem hiding this comment.
Yes, we discussed this in a 1vs1. The final update implementation should ensure that the backend allows updating GroupFilters once the initial AWS enrollment is completed.
Since this is not directly related to the tctl update flow, the backend alignment can be handled in a separate PR. However, we need to ensure that if we advise customers to use tctl edit plugin aws, the backend flow properly supports updating GroupFilters
| for k := range unknownPlugin.Status.Details { | ||
| switch k { | ||
| case settingsAWSIdentityCenter: | ||
| p.PluginV1.Status.Details = &types.PluginStatusV1_AwsIc{} |
There was a problem hiding this comment.
Does reseting plugin details is safe ? Does the Backend will allow overwrite this settings ?
Could you add a comment answering "Why" the PluginV1.Status.Details field is reseted for settingsAWSIdentityCenter plugin ?
This patch expands the plugin resource unmarshaler in
tctlto handle theheterogenous filters used by the Identity Center plugin settings. It also adds
support for the IC status block.
These changes allow a user to edit the plugin resource via
tctl editafterinstallation.
Changelog: Added
tctl editsupport for Identity Center plugin resources