Add support for hardened AMIs on arm64 (#36112)

This is only for the newer AL2023 AMIs, not the old AL2 AMIs (which are deprecated).

Depends on gravitational/cloud-terraform#3920.

`e` companion -- gravitational/teleport.e#3058

Ref #36110.

.drone.yml

@@ -2715,6 +2715,8 @@ depends_on:
 - clean-up-previous-build
 - build-linux-amd64
 - build-linux-amd64-fips
+- build-linux-arm64
+- build-linux-arm64-fips
 steps:
 - name: Check out code
   image: docker:git
@@ -12046,6 +12048,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: 4ebdea923dc76d4f2565d5462d5ee04db6dd9e9e273620fac44fcc34d3259808
+hmac: 6037e6bdee3255d8eebea41cf0536df554378778bc536aeaf075eb65dcda82ff
 
 ...

CHANGELOG.md

@@ -2,7 +2,18 @@
 
 ## 15.0.0 (xx/xx/24)
 
-### Breaking changes
+### New features
+
+#### FIPS now supported on ARM64
+
+Teleport 15 now provides FIPS-compliant Linux builds on ARM64. Users will now
+be able to run Teleport in FedRAMP/FIPS mode on ARM64.
+
+#### Hardened AMIs now produced for ARM64
+
+Teleport 15 now provides hardened AWS AMIs on ARM64.
+
+### Breaking changes and deprecations
 
 #### `tsh ssh`
 
@@ -36,7 +47,7 @@ has been out of support for many months.
 #### Container images
 
 Teleport 15 contains several breaking changes to improve the default security
-and usability of container images.
+and usability of Teleport-provided container images.
 
 ##### "Heavy" container images are discontinued
 
@@ -84,6 +95,20 @@ them elsewhere before July 2024. Following brownouts in May and June, Teleport
 will disable pulls from all Teleport quay.io repositories on Wednesday July 3,
 2024.
 
+#### Amazon AMIs
+
+Teleport 15 contains several breaking changes to improve the default security
+and usability of Teleport-provided Amazon AMIs.
+
+##### Hardened AMIs
+
+Teleport-provided Amazon Linux 2023 previously only supported x86_64/amd64.
+Starting with Teleport 15, arm64-based AMIs will be produced. However, the
+naming scheme for these AMIs has been changed to include the architecture.
+
+- Previous naming scheme: `teleport-oss-14.0.0-$TIMESTAMP`
+- New naming scheme: `teleport-oss-15.0.0-x86_64-$TIMESTAMP`
+
 ## 14.0.0 (09/20/23)
 
 Teleport 14 brings the following new major features and improvements:

assets/aws/cmd/make-public/main.go

@@ -79,39 +79,41 @@ func main() {
 
 		client := ec2.NewFromConfig(cfg)
 
-		for _, edition := range []string{"oss", "ent"} {
-			for _, fips := range []string{"false", "true"} {
-				// No such combination exists
-				if edition == "oss" && fips == "true" {
-					continue
-				}
-
-				ami, err := findLatestAMI(ctx, client, args.accountId, args.teleportVersion, edition, fips)
-				switch {
-				case err == nil:
-					break
-
-				case errors.Is(err, notFound):
-					continue
-
-				default:
-					log.Fatalf("Failed to find the latest AMI: %s", err)
-				}
-
-				// Mark the AMI as public
-				log.Printf("Marking %s as public", ami)
-				_, err = client.ModifyImageAttribute(ctx, &ec2.ModifyImageAttributeInput{
-					ImageId:   aws.String(ami),
-					Attribute: aws.String("launchPermission"),
-					LaunchPermission: &types.LaunchPermissionModifications{
-						Add: []types.LaunchPermission{
-							{Group: types.PermissionGroupAll},
+		for _, arch := range []string{"x86_64", "arm64"} {
+			for _, edition := range []string{"oss", "ent"} {
+				for _, fips := range []string{"false", "true"} {
+					// No such combination exists
+					if edition == "oss" && fips == "true" {
+						continue
+					}
+
+					ami, err := findLatestAMI(ctx, client, args.accountId, args.teleportVersion, arch, edition, fips)
+					switch {
+					case err == nil:
+						break
+
+					case errors.Is(err, notFound):
+						continue
+
+					default:
+						log.Fatalf("Failed to find the latest AMI: %s", err)
+					}
+
+					// Mark the AMI as public
+					log.Printf("Marking %s as public", ami)
+					_, err = client.ModifyImageAttribute(ctx, &ec2.ModifyImageAttributeInput{
+						ImageId:   aws.String(ami),
+						Attribute: aws.String("launchPermission"),
+						LaunchPermission: &types.LaunchPermissionModifications{
+							Add: []types.LaunchPermission{
+								{Group: types.PermissionGroupAll},
+							},
 						},
-					},
-				})
-				if err != nil {
-					log.Printf("WARNING: Failed to make ami %q public: %s", ami, err)
-					continue
+					})
+					if err != nil {
+						log.Printf("WARNING: Failed to make ami %q public: %s", ami, err)
+						continue
+					}
 				}
 			}
 		}
@@ -120,10 +122,11 @@ func main() {
 
 var notFound error = fmt.Errorf("not found")
 
-func findLatestAMI(ctx context.Context, client *ec2.Client, accountId, teleportVersion, edition, fips string) (string, error) {
+func findLatestAMI(ctx context.Context, client *ec2.Client, accountId, teleportVersion, arch, edition, fips string) (string, error) {
 	resp, err := client.DescribeImages(ctx, &ec2.DescribeImagesInput{
 		Filters: []types.Filter{
 			{Name: aws.String("name"), Values: []string{"teleport-*"}},
+			{Name: aws.String("tag:Architecture"), Values: []string{arch}},
 			{Name: aws.String("tag:TeleportVersion"), Values: []string{teleportVersion}},
 			{Name: aws.String("tag:TeleportEdition"), Values: []string{edition}},
 			{Name: aws.String("tag:TeleportFipsEnabled"), Values: []string{fips}},

assets/aws/single-ami.pkr.hcl

@@ -88,14 +88,19 @@ variable "ami_name" {
   default = ""
 }
 
+variable "ami_arch" {
+  type    = string
+  default = ""
+}
+
 variable "ami_destination_regions" {
   type    = string
   default = "us-west-2"
 }
 
 data "amazon-ami" "teleport-hardened-base" {
   filters = {
-    name                = "teleport-hardened-base-image-x86_64-al2023-*"
+    name                = "teleport-hardened-base-image-${var.ami_arch}-al2023-*"
     root-device-type    = "ebs"
     virtualization-type = "hvm"
   }
@@ -108,13 +113,13 @@ locals {
   # apply a default AMI name if no name was specified on the command line.
   unsafe_ami_name = var.ami_name != "" ? var.ami_name : "teleport-debug-ami-${var.teleport_type}-${var.teleport_version}"
 
-  # sanitise the AMI name so that its safe for use with AWS
+  # sanitize the AMI name so that it's safe for use with AWS
   ami_name = regex_replace(local.unsafe_ami_name, "[^a-zA-Z0-9\\- \\(\\).\\'[\\]@]", "-")
 
   # split the comma-separated region list out into a proper array
   destination_regions = [for s in split(",", var.ami_destination_regions) : trimspace(s)]
 
-  ami_description = "Teleport${var.teleport_fips ? " with FIPS support" : ""} using Hardened Amazon Linux 2023 AMI"
+  ami_description = "Teleport${var.teleport_fips ? " with FIPS support" : ""} using Hardened Amazon Linux 2023 (${var.ami_arch}) AMI"
   build_type      = "production${var.teleport_fips ? "-fips" : ""}"
 
   # Used in AWS access policies. Do not change without consulting the teleport-prod
@@ -167,6 +172,7 @@ source "amazon-ebs" "teleport-aws-linux" {
     BuildTimestamp      = var.ami_build_timestamp
     BuildType           = "production"
     Name                = local.ami_name
+    Architecture        = var.ami_arch
     TeleportVersion     = var.teleport_version
     TeleportEdition     = var.teleport_type
     TeleportFipsEnabled = var.teleport_fips

docs/pages/installation.mdx

@@ -352,8 +352,8 @@ from a trusted CA, e.g., Let's Encrypt.
 
 ## Amazon EC2
 
-We provide pre-built `amd64` Amazon Linux 2023 based EC2 AMIs with Teleport
-pre-installed.
+We provide pre-built `amd64` and `arm64` Amazon Linux 2023 based EC2 AMIs with
+Teleport pre-installed.
 
 These images are primarily intended for deploying a Teleport cluster using our
 [reference Terraform code](https://github.com/gravitational/teleport/tree/branch/v(=teleport.major_version=)/examples/aws/terraform).
@@ -367,14 +367,17 @@ the Teleport installation by setting configuration variables in the
 `/etc/teleport.d/conf` file on the EC2 instance. See the [Starter Cluster Configuration Template](https://github.com/gravitational/teleport/tree/branch/v(=teleport.major_version=)/examples/aws/terraform/starter-cluster/data.tpl)
 for a list of the available configuration options.
 
-The image names all include the build timestamp (shown as `$TIMESTAMP` in the table
-below), and are tagged for easier searching.
+The image names all include the build timestamp (shown as `$TIMESTAMP` in the
+table below), and are tagged for easier searching.
 
-| Image name | Edition | FIPS support | AMI Tags | Owner Account ID |
-| - | - | - | - | - |
-| `teleport-oss-(=teleport.version=)-$TIMESTAMP` | OSS | No | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: oss`, `TeleportFipsEnabled: false` | 146628656107 |
-| `teleport-ent-(=teleport.version=)-$TIMESTAMP` | Enterprise | No | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: ent`, `TeleportFipsEnabled: false` | 146628656107 |
-| `teleport-ent-(=teleport.version=)-fips-$TIMESTAMP` | Enterprise | Yes | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: ent`, `TeleportFipsEnabled: true` | 146628656107 |
+| Image name | Edition | Architecture | FIPS support | AMI Tags | Owner Account ID |
+| - | - | - | - | - | - |
+| `teleport-oss-(=teleport.version=)-x86_64-$TIMESTAMP` | OSS | amd64 | No | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: oss`, `TeleportFipsEnabled: false` | 146628656107 |
+| `teleport-oss-(=teleport.version=)-arm64-$TIMESTAMP` | OSS | arm64 | No | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: oss`, `TeleportFipsEnabled: false` | 146628656107 |
+| `teleport-ent-(=teleport.version=)-x86_64-$TIMESTAMP` | Enterprise | amd64 | No | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: ent`, `TeleportFipsEnabled: false` | 146628656107 |
+| `teleport-ent-(=teleport.version=)-arm64-$TIMESTAMP` | Enterprise | arm64 | No | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: ent`, `TeleportFipsEnabled: false` | 146628656107 |
+| `teleport-ent-(=teleport.version=)-x86_64-fips-$TIMESTAMP` | Enterprise | amd64 | Yes | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: ent`, `TeleportFipsEnabled: true` | 146628656107 |
+| `teleport-ent-(=teleport.version=)-arm64-fips-$TIMESTAMP` | Enterprise | arm64 | Yes | `TeleportVersion: (=teleport.version=)`, `TeleportEdition: ent`, `TeleportFipsEnabled: true` | 146628656107 |
 
 All images are based on Amazon Linux 2023 and have been hardened using the
 Amazon EC2 ImageBuilder [STIG](https://public.cyber.mil/stigs/) hardening

dronegen/tag.go

@@ -74,6 +74,8 @@ func tagPipelines() []pipeline {
 			tagCleanupPipelineName,
 			"build-linux-amd64",
 			"build-linux-amd64-fips",
+			"build-linux-arm64",
+			"build-linux-arm64-fips",
 		},
 		workflows: []ghaWorkflow{
 			{