From 16305761aca064c33f7044e14aa44ca00af2824c Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 30 Jan 2024 14:55:29 -0500
Subject: [PATCH] puppet: Use IAM join method, when possible.
---
 puppet/zulip_ops/manifests/teleport/db.pp | 2 ++
 puppet/zulip_ops/manifests/teleport/node.pp | 13 ++++++++-----
 .../templates/teleport_db.yaml.template.erb | 9 +++++++++
 .../teleport_node.yaml.template.erb} | 10 +++++++++-
 4 files changed, 28 insertions(+), 6 deletions(-)
 rename puppet/zulip_ops/{files/teleport_node.yaml => templates/teleport_node.yaml.template.erb} (84%)
diff --git a/puppet/zulip_ops/manifests/teleport/db.pp b/puppet/zulip_ops/manifests/teleport/db.pp
index b78edf5766..2127b4f49a 100644
--- a/puppet/zulip_ops/manifests/teleport/db.pp
+++ b/puppet/zulip_ops/manifests/teleport/db.pp
@@ -5,6 +5,8 @@ class zulip_ops::teleport::db {
 include zulip_ops::teleport::base
+ $is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'
+ $join_token = zulipsecret('secrets', 'teleport_join_token', '')
 file { '/etc/teleport_db.yaml':
 ensure => file,
 owner => 'root',
diff --git a/puppet/zulip_ops/manifests/teleport/node.pp b/puppet/zulip_ops/manifests/teleport/node.pp
index fdb3e27034..3eaf73486c 100644
--- a/puppet/zulip_ops/manifests/teleport/node.pp
+++ b/puppet/zulip_ops/manifests/teleport/node.pp
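Review bot: `$is_ec2` treats any host with no explicit `hosting_provider` setting as EC2, since the third argument to `zulipconf` reads as the default `'ec2'`, so a non-EC2 host that forgot that setting but did set `teleport_join_token` is rendered with `method: iam` and its token is never consulted. If that default is intentional, a comment on the line would save the next reader a trip, e.g. `# hosting_provider defaults to ec2; non-EC2 hosts must set it explicitly to use token joining`. The same two lines are added verbatim to node.pp in this patch, so whatever is decided should be applied to both (or both classes could read one shared value from zulip_ops::teleport::base). The secret also now lands in /etc/teleport_db.yaml; the file's mode is outside the hunk, as is the rest of the `file` resource, so confirm the rendered config stays readable by root only.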
@@ -1,10 +1,13 @@
 # @summary Provide Teleport SSH access to a node.
 #
-# https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster
-# details additional manual steps to allow a node to join the cluster.
+# EC2 nodes will automatically join the cluster; non-EC2 hosts will
+# need to set a teleport_join_token secret. See
+# https://goteleport.com/docs/agents/join-services-to-your-cluster/join-token/#generate-a-token
 class zulip_ops::teleport::node {
 include zulip_ops::teleport::base
+ $is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'
+ $join_token = zulipsecret('secrets', 'teleport_join_token', '')
 concat { '/etc/teleport_node.yaml':
 ensure => present,
 owner => 'root',
@@ -13,9 +16,9 @@ class zulip_ops::teleport::node {
 notify => Service['teleport_node'],
 }
 concat::fragment { 'teleport_node_base':
- target => '/etc/teleport_node.yaml',
- source => 'puppet:///modules/zulip_ops/teleport_node.yaml',
- order => '01',
+ target => '/etc/teleport_node.yaml',
+ content => template('zulip_ops/teleport_node.yaml.template.erb'),
+ order => '01',
 }
 zulip_ops::teleport::part { 'node': }
diff --git a/puppet/zulip_ops/templates/teleport_db.yaml.template.erb b/puppet/zulip_ops/templates/teleport_db.yaml.template.erb
index fd9274b50d..0e2fbb63b3 100644
--- a/puppet/zulip_ops/templates/teleport_db.yaml.template.erb
+++ b/puppet/zulip_ops/templates/teleport_db.yaml.template.erb
@@ -12,6 +12,15 @@ teleport:
 # Use the proxy address, to support running the db_service, which requires
 # a reverse tunnel.
 - teleport.zulipchat.net:443
+<% if @is_ec2 -%>
+ join_params:
+ method: iam
+ token_name: iam-token
+<% else -%>
+ join_params:
+ method: token
+ token_name: <%= @join_token %>
+<% end %>
 ssh_service:
 enabled: no
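Review bot: The new header comment says EC2 nodes join automatically, but with `method: iam` / `token_name: iam-token` in the templates that only holds once the auth server has a provision token named `iam-token` using the IAM join method, and the comment does not say so or where its allow rule is maintained. Suggest extending it with a line such as `# IAM joining needs an iam-token provision token on the auth server, with its allow rule scoped to our AWS account (and ideally the node role ARN) so that arbitrary EC2 instances cannot join.` The second hunk, which switches the concat::fragment from a static source to `template('zulip_ops/teleport_node.yaml.template.erb')`, looks fine on its own; the rest of the concat resource, including its mode, is outside the hunk.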
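Review bot: When `@is_ec2` is false and the `teleport_join_token` secret is absent, `$join_token` defaults to `''` and the `else` branch renders `token_name: ` with nothing after it, so Teleport presumably starts with the token method and an empty token and only fails at join time with an opaque error. A Puppet-side guard in the two classes surfaces the misconfiguration at apply time, e.g. `if !$is_ec2 and $join_token == '' { warning('teleport_join_token secret is unset; this host cannot join the Teleport cluster') }` — a `warning` rather than `fail`, because as I understand it a node that has already joined keeps its identity in its data dir and does not need the token again (worth confirming for the Teleport version in use). The `if`/`else` tags use `-%>` but `<% end %>` does not, so the rendered file gains a blank line there; `<% end -%>` would make the three tags consistent. The node template in this patch has both of these points too, and there the untrimmed `end` is what silently replaces the blank line the hunk removes, so an explicit blank line plus a trimmed tag would make the intent visible.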
diff --git a/puppet/zulip_ops/files/teleport_node.yaml b/puppet/zulip_ops/templates/teleport_node.yaml.template.erb
similarity index 84%
rename from puppet/zulip_ops/files/teleport_node.yaml
rename to puppet/zulip_ops/templates/teleport_node.yaml.template.erb
index b5df2b2dde..96fd562cf9 100644
--- a/puppet/zulip_ops/files/teleport_node.yaml
+++ b/puppet/zulip_ops/templates/teleport_node.yaml.template.erb
@@ -5,7 +5,15 @@ teleport:
 # Use the proxy address, to support running the app_service, which requires
 # a reverse tunnel.
 - teleport.zulipchat.net:443
-
+<% if @is_ec2 -%>
+ join_params:
+ method: iam
+ token_name: iam-token
+<% else -%>
+ join_params:
+ method: token
+ token_name: <%= @join_token %>
+<% end %>
 ssh_service:
 enabled: "yes"
 commands: