[v17] Using discovery service poll_interval for access graph sync (#4…

…8846)

* Using discovery service poll_interval for access graph sync

* Adding a new poll_interval field to access graph sync config

* Update lib/srv/discovery/access_graph.go

Co-authored-by: Ryan Clark <[email protected]>

* Adding default poll interval

* Make fix-imports

* Updating derived functions for config

* Apply suggestions from code review

Co-authored-by: Tiago Silva <[email protected]>

* Followup from PR comments

* Applying protobuf tags to avoid conversion

* Removing conversion

* Regen grpc from rebase

* Adding warning message and checking for nil config

---------

Co-authored-by: Ryan Clark <[email protected]>
Co-authored-by: Tiago Silva <[email protected]>

api/proto/teleport/legacy/types/types.proto

@@ -6966,6 +6966,12 @@ message OktaOptions {
 message AccessGraphSync {
   // AWS is a configuration for AWS Access Graph service poll service.
   repeated AccessGraphAWSSync AWS = 1 [(gogoproto.jsontag) = "aws,omitempty"];
+  // PollInterval is the frequency at which to poll for AWS resources
+  google.protobuf.Duration PollInterval = 2 [
+    (gogoproto.jsontag) = "poll_interval,omitempty",
+    (gogoproto.nullable) = false,
+    (gogoproto.stdduration) = true
+  ];
 }
 
 // AccessGraphAWSSync is a configuration for AWS Access Graph service poll service.

lib/config/configuration.go

@@ -1723,6 +1723,9 @@ kubernetes matchers are present`)
 				AssumeRole: assumeRole,
 			})
 		}
+		if fc.Discovery.AccessGraph.PollInterval > 0 {
+			tMatcher.PollInterval = fc.Discovery.AccessGraph.PollInterval
+		}
 		cfg.Discovery.AccessGraph = &tMatcher
 	}
 

lib/config/fileconf.go

@@ -1531,6 +1531,8 @@ type GCPMatcher struct {
 type AccessGraphSync struct {
 	// AWS is the AWS configuration for the AccessGraph Sync service.
 	AWS []AccessGraphAWSSync `yaml:"aws,omitempty"`
+	// PollInterval is the frequency at which to poll for AWS resources
+	PollInterval time.Duration `yaml:"poll_interval,omitempty"`
 }
 
 // AccessGraphAWSSync represents the configuration for the AWS AccessGraph Sync service.

lib/srv/discovery/access_graph.go

@@ -48,6 +48,8 @@ const (
 	// batchSize is the maximum number of resources to send in a single
 	// request to the access graph service.
 	batchSize = 500
+	// defaultPollInterval is the default interval between polling for access graph resources
+	defaultPollInterval = 15 * time.Minute
 )
 
 // errNoAccessGraphFetchers is returned when there are no TAG fetchers.
@@ -354,9 +356,23 @@ func (s *Server) initializeAndWatchAccessGraph(ctx context.Context, reloadCh <-c
 		}
 	}()
 
+	// Configure the poll interval
+	tickerInterval := defaultPollInterval
+	if s.Config.Matchers.AccessGraph != nil {
+		if s.Config.Matchers.AccessGraph.PollInterval > defaultPollInterval {
+			tickerInterval = s.Config.Matchers.AccessGraph.PollInterval
+		} else {
+			s.Log.WarnContext(ctx,
+				"Access graph service poll interval cannot be less than the default",
+				"default_poll_interval",
+				defaultPollInterval)
+		}
+	}
+	s.Log.InfoContext(ctx, "Access graph service poll interval", "poll_interval", tickerInterval)
+
 	currentTAGResources := &aws_sync.Resources{}
-	ticker := time.NewTicker(15 * time.Minute)
-	defer ticker.Stop()
+	timer := time.NewTimer(tickerInterval)
+	defer timer.Stop()
 	for {
 		err := s.reconcileAccessGraph(ctx, currentTAGResources, stream, features)
 		if errors.Is(err, errNoAccessGraphFetchers) {
@@ -369,10 +385,17 @@ func (s *Server) initializeAndWatchAccessGraph(ctx context.Context, reloadCh <-c
 			}
 			return trace.Wrap(err)
 		}
+		if !timer.Stop() {
+			select {
+			case <-timer.C: // drain
+			default:
+			}
+		}
+		timer.Reset(tickerInterval)
 		select {
 		case <-ctx.Done():
 			return trace.Wrap(ctx.Err())
-		case <-ticker.C:
+		case <-timer.C:
 		case <-reloadCh:
 		}
 	}