Merge branch 'master' into lisa/app-labels-ui

gravitational · Jan 10, 2025 · 6b28e9f · 6b28e9f
2 parents a296cd1 + f63a099
commit 6b28e9f
Show file tree

Hide file tree

Showing 104 changed files with 1,885 additions and 2,010 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -235,7 +235,7 @@ jobs:
       - name: Check if Terraform resources are up to date
         # We have to add the current directory as a safe directory or else git commands will not work as expected.
         # The protoc-gen-terraform version must match the version in integrations/terraform/Makefile
-        run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform@c91cc3ef4d7d0046c36cb96b1cd337e466c61225 && make terraform-resources-up-to-date
+        run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform/v3@v3.0.2 && make terraform-resources-up-to-date
 
   lint-rfd:
     name: Lint (RFD)

diff --git a/.golangci.yml b/.golangci.yml
@@ -115,14 +115,6 @@ linters-settings:
             desc: 'use "crypto" or "x/crypto" instead'
       # Prevent importing any additional logging libraries.
       logging:
-        files:
-          # Integrations are still allowed to use logrus becuase they haven't
-          # been converted to slog yet. Once they use slog, remove this exception.
-          - '!**/integrations/**'
-          # The log package still contains the logrus formatter consumed by the integrations.
-          # Remove this exception when said formatter is deleted.
-          - '!**/lib/utils/log/**'
-          - '!**/lib/utils/cli.go'
         deny:
           - pkg: github.com/sirupsen/logrus
             desc: 'use "log/slog" instead'

diff --git a/docs/pages/admin-guides/access-controls/access-monitoring.mdx b/docs/pages/admin-guides/access-controls/access-monitoring.mdx
@@ -17,7 +17,7 @@ Users are able to write their own custom access monitoring queries by querying t
 
 <Admonition type="notice">
   Access Monitoring is not currently supported with External Audit Storage
-  in Teleport Enterprise (cloud-hosted). This functionality will be
+  in Teleport Enterprise (Cloud). This functionality will be
   enabled in a future Teleport release.
 </Admonition>
 

diff --git a/docs/pages/admin-guides/management/external-audit-storage.mdx b/docs/pages/admin-guides/management/external-audit-storage.mdx
@@ -21,6 +21,12 @@ External Audit Storage is based on Teleport's
 available on Teleport Enterprise Cloud clusters running Teleport v14.2.1 or
 above.
 
+<Admonition type="notice">
+On Teleport Enterprise (Cloud), External Audit
+Storage is not currently supported for users who have Access Monitoring enabled.
+This functionality will be enabled in a future Teleport release.  
+</Admonition>
+
 ## Prerequisites
 
 1. A Teleport Enterprise Cloud account. If you do not have one, [sign

diff --git a/go.mod b/go.mod
@@ -179,7 +179,6 @@ require (
 	github.com/sigstore/cosign/v2 v2.4.1
 	github.com/sigstore/sigstore v1.8.11
 	github.com/sijms/go-ora/v2 v2.8.22
-	github.com/sirupsen/logrus v1.9.3
 	github.com/snowflakedb/gosnowflake v1.12.1
 	github.com/spf13/cobra v1.8.1
 	github.com/spiffe/go-spiffe/v2 v2.4.0
@@ -501,6 +500,7 @@ require (
 	github.com/sigstore/protobuf-specs v0.3.2 // indirect
 	github.com/sigstore/rekor v1.3.6 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect

diff --git a/integrations/access/accesslist/app.go b/integrations/access/accesslist/app.go
@@ -33,6 +33,7 @@ import (
 	"github.com/gravitational/teleport/integrations/lib"
 	"github.com/gravitational/teleport/integrations/lib/logger"
 	pd "github.com/gravitational/teleport/integrations/lib/plugindata"
+	logutils "github.com/gravitational/teleport/lib/utils/log"
 )
 
 const (
@@ -118,7 +119,7 @@ func (a *App) run(ctx context.Context) error {
 
 	log := logger.Get(ctx)
 
-	log.Info("Access list monitor is running")
+	log.InfoContext(ctx, "Access list monitor is running")
 
 	a.job.SetReady(true)
 
@@ -134,7 +135,7 @@ func (a *App) run(ctx context.Context) error {
 			}
 			timer.Reset(jitter(reminderInterval))
 		case <-ctx.Done():
-			log.Info("Access list monitor is finished")
+			log.InfoContext(ctx, "Access list monitor is finished")
 			return nil
 		}
 	}
@@ -146,7 +147,7 @@ func (a *App) run(ctx context.Context) error {
 func (a *App) remindIfNecessary(ctx context.Context) error {
 	log := logger.Get(ctx)
 
-	log.Info("Looking for Access List Review reminders")
+	log.InfoContext(ctx, "Looking for Access List Review reminders")
 
 	var nextToken string
 	var err error
@@ -156,21 +157,25 @@ func (a *App) remindIfNecessary(ctx context.Context) error {
 		accessLists, nextToken, err = a.apiClient.ListAccessLists(ctx, 0 /* default page size */, nextToken)
 		if err != nil {
 			if trace.IsNotImplemented(err) {
-				log.Errorf("access list endpoint is not implemented on this auth server, so the access list app is ceasing to run.")
+				log.ErrorContext(ctx, "access list endpoint is not implemented on this auth server, so the access list app is ceasing to run")
 				return trace.Wrap(err)
 			} else if trace.IsAccessDenied(err) {
-				log.Warnf("Slack bot does not have permissions to list access lists. Please add access_list read and list permissions " +
-					"to the role associated with the Slack bot.")
+				const msg = "Slack bot does not have permissions to list access lists. Please add access_list read and list permissions " +
+					"to the role associated with the Slack bot."
+				log.WarnContext(ctx, msg)
 			} else {
-				log.Errorf("error listing access lists: %v", err)
+				log.ErrorContext(ctx, "error listing access lists", "error", err)
 			}
 			break
 		}
 
 		for _, accessList := range accessLists {
 			recipients, err := a.getRecipientsRequiringReminders(ctx, accessList)
 			if err != nil {
-				log.WithError(err).Warnf("Error getting recipients to notify for review due for access list %q", accessList.Spec.Title)
+				log.WarnContext(ctx, "Error getting recipients to notify for review due for access list",
+					"error", err,
+					"access_list", accessList.Spec.Title,
+				)
 				continue
 			}
 
@@ -195,7 +200,7 @@ func (a *App) remindIfNecessary(ctx context.Context) error {
 	}
 
 	if len(errs) > 0 {
-		log.WithError(trace.NewAggregate(errs...)).Warn("Error notifying for access list reviews")
+		log.WarnContext(ctx, "Error notifying for access list reviews", "error", trace.NewAggregate(errs...))
 	}
 
 	return nil
@@ -213,7 +218,10 @@ func (a *App) getRecipientsRequiringReminders(ctx context.Context, accessList *a
 
 	// If the current time before the notification start time, skip notifications.
 	if now.Before(notificationStart) {
-		log.Debugf("Access list %s is not ready for notifications, notifications start at %s", accessList.GetName(), notificationStart.Format(time.RFC3339))
+		log.DebugContext(ctx, "Access list is not ready for notifications",
+			"access_list", accessList.GetName(),
+			"notification_start_time", notificationStart.Format(time.RFC3339),
+		)
 		return nil, nil
 	}
 
@@ -255,12 +263,17 @@ func (a *App) fetchRecipients(ctx context.Context, accessList *accesslist.Access
 	if err != nil {
 		// TODO(kiosion): Remove in v18; protecting against server not having `GetAccessListOwners` func.
 		if trace.IsNotImplemented(err) {
-			log.WithError(err).Warnf("Error getting nested owners for access list '%v', continuing with only explicit owners", accessList.GetName())
+			log.WarnContext(ctx, "Error getting nested owners for access list, continuing with only explicit owners",
+				"error", err,
+				"access_list", accessList.GetName(),
+			)
 			for _, owner := range accessList.Spec.Owners {
 				allOwners = append(allOwners, &owner)
 			}
 		} else {
-			log.WithError(err).Errorf("Error getting owners for access list '%v'", accessList.GetName())
+			log.ErrorContext(ctx, "Error getting owners for access list",
+				"error", err,
+				"access_list", accessList.GetName())
 		}
 	}
 
@@ -270,7 +283,7 @@ func (a *App) fetchRecipients(ctx context.Context, accessList *accesslist.Access
 	for _, owner := range allOwners {
 		recipient, err := a.bot.FetchRecipient(ctx, owner.Name)
 		if err != nil {
-			log.Debugf("error getting recipient %s", owner.Name)
+			log.DebugContext(ctx, "error getting recipient", "recipient", owner.Name)
 			continue
 		}
 		allRecipients[owner.Name] = *recipient
@@ -293,7 +306,10 @@ func (a *App) updatePluginDataAndGetRecipientsRequiringReminders(ctx context.Con
 		// Calculate days from start.
 		daysFromStart := now.Sub(notificationStart) / oneDay
 		windowStart = notificationStart.Add(daysFromStart * oneDay)
-		log.Infof("windowStart: %s, now: %s", windowStart.String(), now.String())
+		log.InfoContext(ctx, "calculating window start",
+			"window_start", logutils.StringerAttr(windowStart),
+			"now", logutils.StringerAttr(now),
+		)
 	}
 
 	recipients := []common.Recipient{}
@@ -304,7 +320,10 @@ func (a *App) updatePluginDataAndGetRecipientsRequiringReminders(ctx context.Con
 
 			// If the notification window is before the last notification date, then this user doesn't need a notification.
 			if !windowStart.After(lastNotification) {
-				log.Debugf("User %s has already been notified for access list %s", recipient.Name, accessList.GetName())
+				log.DebugContext(ctx, "User has already been notified for access list",
+					"user", recipient.Name,
+					"access_list", accessList.GetName(),
+				)
 				userNotifications[recipient.Name] = lastNotification
 				continue
 			}

diff --git a/integrations/access/accessmonitoring/access_monitoring_rules.go b/integrations/access/accessmonitoring/access_monitoring_rules.go
@@ -151,16 +151,18 @@ func (amrh *RuleHandler) RecipientsFromAccessMonitoringRules(ctx context.Context
 	for _, rule := range amrh.getAccessMonitoringRules() {
 		match, err := MatchAccessRequest(rule.Spec.Condition, req)
 		if err != nil {
-			log.WithError(err).WithField("rule", rule.Metadata.Name).
-				Warn("Failed to parse access monitoring notification rule")
+			log.WarnContext(ctx, "Failed to parse access monitoring notification rule",
+				"error", err,
+				"rule", rule.Metadata.Name,
+			)
 		}
 		if !match {
 			continue
 		}
 		for _, recipient := range rule.Spec.Notification.Recipients {
 			rec, err := amrh.fetchRecipientCallback(ctx, recipient)
 			if err != nil {
-				log.WithError(err).Warn("Failed to fetch plugin recipients based on Access monitoring rule recipients")
+				log.WarnContext(ctx, "Failed to fetch plugin recipients based on Access monitoring rule recipients", "error", err)
 				continue
 			}
 			recipientSet.Add(*rec)
@@ -176,8 +178,10 @@ func (amrh *RuleHandler) RawRecipientsFromAccessMonitoringRules(ctx context.Cont
 	for _, rule := range amrh.getAccessMonitoringRules() {
 		match, err := MatchAccessRequest(rule.Spec.Condition, req)
 		if err != nil {
-			log.WithError(err).WithField("rule", rule.Metadata.Name).
-				Warn("Failed to parse access monitoring notification rule")
+			log.WarnContext(ctx, "Failed to parse access monitoring notification rule",
+				"error", err,
+				"rule", rule.Metadata.Name,
+			)
 		}
 		if !match {
 			continue