Update AWS HA autoscale and starter cluster examples to use hardened …

…AMIs with Graviton/ARM64 (#35956)

AWS starter and HA autoscale cluster examples are outdated now that legacy AMIs
have been deprecated. Update them to use hardened AMIs and bump AWS terraform
provider to v5.x.

Graviton is the preferred (and cheaper) platform on EC2, so our documentation
/example code should use such instance types. This also means using ARM64
builds as well.

Remove the `monitor` role and associated infrastructure (as the new hardened
AMIs lack telegraf, influxdb, etc.).

s/letsencrypt/Let's Encrypt/

Ref #34282.
Ref #36110.
Closes #2734.
Closes #4756.
Closes #4572.

CHANGELOG.md

@@ -71,7 +71,7 @@ by `insecure-drop`, which still creates temporary users but does not create a
 home directory. Users who need home directory creation should either wrap `useradd`/`userdel`
 or use PAM.
 
-##### Packages no longer published to legacy Debian and RPM repos
+#### Packages no longer published to legacy Debian and RPM repos
 
 `deb.releases.teleport.dev` and `rpm.releases.teleport.dev` were deprecated in
 Teleport 11. Beginning in Teleport 15, Debian and RPM packages will no longer be
@@ -167,6 +167,15 @@ perform this step since it must be done by an administrator at installation
 time. As a result, Teleport's service account can use more restrictive
 permissions.
 
+#### Example AWS cluster deployments updated
+
+The AWS terraform examples for Teleport clusters have been updated to use the
+newer hardened Amazon Linux 2023 AMIs. Additionally, the default architecture
+and instance type has been changed to ARM64/Graviton.
+
+As a result of this modernization, the legacy monitoring stack configuration
+used with the legacy AMIs has been removed.
+
 ## 14.0.0 (09/20/23)
 
 Teleport 14 brings the following new major features and improvements:

assets/aws/files/bin/teleport-all-pre-start

@@ -1,5 +1,5 @@
 #!/bin/bash
-# This script prepares a Letsencrypt certificate before all-in-one Teleport starts for the first time (if needed)
+# This script prepares a Let's Encrypt certificate before all-in-one Teleport starts for the first time (if needed)
 set -e
 if [[ "${DEBUG:-false}" == "true" ]]; then
     set -x
@@ -10,11 +10,11 @@ if [ -f /etc/teleport.d/conf ]; then
     source /etc/teleport.d/conf
 fi
 
-# check for letsencrypt
+# check for Let's Encrypt
 if [[ "${USE_LETSENCRYPT}" != "true" ]]; then
-    echo "Not using Letsencrypt, exiting with success"
+    echo "Not using Let's Encrypt, exiting with success"
     exit 0
 fi
 
 # copy certificates into place
-/bin/aws s3 sync --exact-timestamps s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport
+/bin/aws s3 sync --exact-timestamps s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport

assets/aws/files/bin/teleport-generate-config

@@ -215,7 +215,7 @@ fi
 touch ${USE_CONFIG_PATH}
 chmod 664 ${USE_CONFIG_PATH}
 
-# Use letsencrypt by default unless we are explicitly using ACM here
+# Use Let's Encrypt by default unless we are explicitly using ACM here
 if [[ "${USE_ACM}" != "true" ]]; then
     rm -f ${USE_CONFD_DIR}/role.all-acm
     echo "use-letsencrypt" > ${USE_CONFD_DIR}/use-letsencrypt
@@ -358,7 +358,7 @@ EOF
         write_ssh_and_tunnel_section 443
     fi
 
-    # if we are using letsencrypt (i.e. not ACM) then append config lines
+    # if we are using Let's Encrypt (i.e. not ACM) then append config lines
     if [[ "${USE_ACM}" != "true" ]]; then
         write_https_keypairs_section
     else
@@ -427,15 +427,6 @@ EOF
     systemctl_wrap enable teleport-node.service
     systemctl_wrap start --no-block teleport-node.service
 
-elif [[ "${TELEPORT_ROLE}" == "monitor" ]]; then
-    echo "monitor" > ${USE_CONFD_DIR}/role.monitor
-    # disable teleport service if this has the monitor role
-    systemctl_wrap disable teleport.service
-    # no teleport config needed
-    rm -f ${USE_CONFIG_PATH}
-    # run monitor setup as an independent service
-    systemctl_wrap start --no-block teleport-monitor-setup.service
-
 # starter cluster configuration
 elif [[ "${TELEPORT_ROLE}" == "auth,node,proxy" ]]; then
     echo "Teleport all-in-one configuration selected."
@@ -445,7 +436,7 @@ elif [[ "${TELEPORT_ROLE}" == "auth,node,proxy" ]]; then
         # always enable TLS routing when ACM is enabled
         USE_TLS_ROUTING=true
         sed -i 's/USE_TLS_ROUTING=false/USE_TLS_ROUTING=true/g' ${USE_CONFD_DIR}/conf
-        # remove letsencrypt config
+        # remove Let's Encrypt config
         rm -f ${USE_CONFD_DIR}/use-letsencrypt
         sed -i 's/USE_LETSENCRYPT=true/USE_LETSENCRYPT=false/g' ${USE_CONFD_DIR}/conf
         # enable ACM role to use alternative unit file
@@ -563,10 +554,10 @@ EOF
 
         systemctl_wrap enable teleport-acm.service
         systemctl_wrap start --no-block teleport-acm.service
-    # alternatively, if we are using letsencrypt, append config lines
+    # alternatively, if we are using Let's Encrypt, append config lines
     elif [[ "${USE_LETSENCRYPT}" == "true" ]] && [[ "${USE_ACM}" == "false" ]]; then
-        echo "Letsencrypt support enabled"
-        # these variables must all be set for letsencrypt to work
+        echo "Let's Encrypt support enabled"
+        # these variables must all be set for Let's Encrypt to work
         # it also needs the running instance to have permissions to read from/write to the S3 bucket
         if [[ "${TELEPORT_DOMAIN_ADMIN_EMAIL}" != "" && "${TELEPORT_DOMAIN_NAME}" != "" && "${TELEPORT_S3_BUCKET}" != "" ]]; then
             write_https_keypairs_section
@@ -662,10 +653,10 @@ EOF
         write_kubernetes_section TELEPORT_EXTERNAL_HOSTNAME
     fi
 
-    # if we are using letsencrypt, append config lines
+    # if we are using Let's Encrypt, append config lines
     if [[ "${USE_LETSENCRYPT}" == "true" ]]; then
-        echo "Letsencrypt support enabled"
-        # these variables must all be set for letsencrypt to work
+        echo "Let's Encrypt support enabled"
+        # these variables must all be set for Let's Encrypt to work
         # it also needs the running instance to have permissions to read from/write to the S3 bucket
         if [[ "${TELEPORT_DOMAIN_ADMIN_EMAIL}" != "" && "${TELEPORT_DOMAIN_NAME}" != "" && "${TELEPORT_S3_BUCKET}" != "" ]]; then
             write_https_keypairs_section
@@ -693,145 +684,8 @@ EOF
     fi
 fi
 
-# enable telegraf service if running in cluster mode
-if [[ "${TELEPORT_ROLE}" == "auth" || "${TELEPORT_ROLE}" == "node" || "${TELEPORT_ROLE}" == "proxy" ]]; then
-    # Install teleport telegraf configuration
-    # Telegraf will collect prometheus metrics and send to influxdb collector
-    cat >/etc/telegraf/telegraf.conf <<EOF
-# Configuration for telegraf agent
-[agent]
-  ## Default data collection interval for all inputs
-  interval = "10s"
-  ## Rounds collection interval to 'interval'
-  ## ie, if interval="10s" then always collect on :00, :10, :20, etc.
-  round_interval = true
-
-  ## Telegraf will send metrics to outputs in batches of at
-  ## most metric_batch_size metrics.
-  metric_batch_size = 1000
-  ## For failed writes, telegraf will cache metric_buffer_limit metrics for each
-  ## output, and will flush this buffer on a successful write. Oldest metrics
-  ## are dropped first when this buffer fills.
-  metric_buffer_limit = 10000
-
-  ## Collection jitter is used to jitter the collection by a random amount.
-  ## Each plugin will sleep for a random time within jitter before collecting.
-  ## This can be used to avoid many plugins querying things like sysfs at the
-  ## same time, which can have a measurable effect on the system.
-  collection_jitter = "0s"
-
-  ## Default flushing interval for all outputs. You shouldn't set this below
-  ## interval. Maximum flush_interval will be flush_interval + flush_jitter
-  flush_interval = "10s"
-  ## Jitter the flush interval by a random amount. This is primarily to avoid
-  ## large write spikes for users running a large number of telegraf instances.
-  ## ie, a jitter of 5s and interval 10s means flushes will happen every 10-15s
-  flush_jitter = "0s"
-
-  ## By default, precision will be set to the same timestamp order as the
-  ## collection interval, with the maximum being 1s.
-  ## Precision will NOT be used for service inputs, such as logparser and statsd.
-  precision = ""
-  ## Run telegraf in debug mode
-  debug = false
-  ## Run telegraf in quiet mode
-  quiet = false
-  ## Override default hostname, if empty use os.Hostname()
-  hostname = ""
-  ## If set to true, do no set the "host" tag in the telegraf agent.
-  omit_hostname = false
-
-###############################################################################
-#                            INPUT PLUGINS                                    #
-###############################################################################
-
-[[inputs.procstat]]
-  exe = "teleport"
-  prefix = "teleport"
-
-[[inputs.prometheus]]
-  # An array of urls to scrape metrics from.
-  urls = ["http://127.0.0.1:3000/metrics"]
-  # Add a metric name prefix
-  name_prefix = "teleport_"
-  # Add tags to be able to make beautiful dashboards
-  [inputs.prometheus.tags]
-    teleservice = "teleport"
-
-# Read metrics about cpu usage
-[[inputs.cpu]]
-  ## Whether to report per-cpu stats or not
-  percpu = true
-  ## Whether to report total system cpu stats or not
-  totalcpu = true
-  ## If true, collect raw CPU time metrics.
-  collect_cpu_time = false
-  ## If true, compute and report the sum of all non-idle CPU states.
-  report_active = false
-
-# Read metrics about disk usage by mount point
-[[inputs.disk]]
-  ## By default, telegraf gather stats for all mountpoints.
-  ## Setting mountpoints will restrict the stats to the specified mountpoints.
-  # mount_points = ["/"]
-
-  ## Ignore some mountpoints by filesystem type. For example (dev)tmpfs (usually
-  ## present on /run, /var/run, /dev/shm or /dev).
-  ignore_fs = ["tmpfs", "devtmpfs", "devfs"]
-
-# Read metrics about disk IO by device
-[[inputs.diskio]]
-
-# Get kernel statistics from /proc/stat
-[[inputs.kernel]]
-  # no configuration
-
-# Read metrics about memory usage
-[[inputs.mem]]
-  # no configuration
-
-# Read metrics about network usage
-[[inputs.net]]
-  # no configuration
-
-# Get the number of processes and group them by status
-[[inputs.processes]]
-  # no configuration
-
-# Read metrics about swap memory usage
-[[inputs.swap]]
-  # no configuration
-
-# Read metrics about system load & uptime
-[[inputs.system]]
-  # no configuration
-
-###############################################################################
-#                            OUTPUT PLUGINS                                   #
-###############################################################################
-
-# Configuration for influxdb server to send metrics to
-[[outputs.influxdb]]
-  ## The full HTTP or UDP endpoint URL for your InfluxDB instance.
-  ## Multiple urls can be specified as part of the same cluster,
-  ## this means that only ONE of the urls will be written to each interval.
-  urls = ["${TELEPORT_INFLUXDB_ADDRESS}"] # required
-  ## The target database for metrics (telegraf will create it if not exists).
-  database = "telegraf" # required
-
-  ## Retention policy to write to. Empty string writes to the default rp.
-  retention_policy = ""
-  ## Write consistency (clusters only), can be: "any", "one", "quorum", "all"
-  write_consistency = "any"
-
-  ## Write timeout (for the InfluxDB client), formatted as a string.
-  ## If not provided, will default to 5s. 0s means no timeout (not recommended).
-  timeout = "5s"
-EOF
-    systemctl_wrap enable telegraf.service
-    systemctl_wrap restart telegraf.service
 # handle configuration for agent mode
-elif [[ "${TELEPORT_ROLE}" == "agent" ]]; then
+if [[ "${TELEPORT_ROLE}" == "agent" ]]; then
     echo "agent" > ${USE_CONFD_DIR}/role.agent
     cat >${USE_CONFIG_PATH} <<EOF
 version: v3

assets/aws/files/bin/teleport-get-cert

@@ -1,7 +1,7 @@
 #!/bin/bash
 # This script uses DNS-01 challenge, which means that users
 # have to control route53 zone as it modifies zone records
-# to prove to letsencrypt that they own the domain.
+# to prove to Let's Encrypt that they own the domain.
 
 set -e
 if [[ "${DEBUG:-false}" == "true" ]]; then

assets/aws/files/bin/teleport-lock

@@ -1,6 +1,6 @@
 #!/bin/bash
 # Locking service makes sure that there is only one auth server performing certain action,
-# for example renewing or getting letsencrypt certificates
+# for example renewing or getting Let's Encrypt certificates
 
 set -e
 if [[ "${DEBUG:-false}" == "true" ]]; then

assets/aws/files/tests/ha-auth-fips-tlsrouting.bats

@@ -9,7 +9,6 @@ [email protected]
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
 TELEPORT_DYNAMO_TABLE_NAME=gus-tftestkube4
 TELEPORT_DYNAMO_EVENTS_TABLE_NAME=gus-tftestkube4-events
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_LICENSE_PATH=/home/gus/downloads/teleport/license-gus.pem
 TELEPORT_LOCKS_TABLE_NAME=gus-tftestkube4-locks
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io

assets/aws/files/tests/ha-auth-fips.bats

@@ -9,7 +9,6 @@ [email protected]
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
 TELEPORT_DYNAMO_TABLE_NAME=gus-tftestkube4
 TELEPORT_DYNAMO_EVENTS_TABLE_NAME=gus-tftestkube4-events
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_LICENSE_PATH=/home/gus/downloads/teleport/license-gus.pem
 TELEPORT_LOCKS_TABLE_NAME=gus-tftestkube4-locks
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io
@@ -90,4 +89,4 @@ load fixtures/common
     load ${TELEPORT_CONFD_DIR?}/conf
     echo "${AUTH_BLOCK?}"
     echo "${AUTH_BLOCK?}" | grep -E "^  authentication:" -A3 | grep -q "second_factor:"
-}
+}

assets/aws/files/tests/ha-auth-oss.bats

@@ -8,7 +8,6 @@ [email protected]
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
 TELEPORT_DYNAMO_TABLE_NAME=gus-tftestkube4
 TELEPORT_DYNAMO_EVENTS_TABLE_NAME=gus-tftestkube4-events
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_LOCKS_TABLE_NAME=gus-tftestkube4-locks
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io
 USE_ACM=false

assets/aws/files/tests/ha-auth-tlsrouting.bats

@@ -9,7 +9,6 @@ [email protected]
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
 TELEPORT_DYNAMO_TABLE_NAME=gus-tftestkube4
 TELEPORT_DYNAMO_EVENTS_TABLE_NAME=gus-tftestkube4-events
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_LICENSE_PATH=/home/gus/downloads/teleport/license-gus.pem
 TELEPORT_LOCKS_TABLE_NAME=gus-tftestkube4-locks
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io
@@ -95,4 +94,4 @@ load fixtures/common
     load ${TELEPORT_CONFD_DIR?}/conf
     echo "${AUTH_BLOCK?}"
     echo "${AUTH_BLOCK?}" | grep -E "^  proxy_listener_mode: multiplex"
-}
+}

assets/aws/files/tests/ha-auth.bats

@@ -9,7 +9,6 @@ [email protected]
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
 TELEPORT_DYNAMO_TABLE_NAME=gus-tftestkube4
 TELEPORT_DYNAMO_EVENTS_TABLE_NAME=gus-tftestkube4-events
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_LICENSE_PATH=/home/gus/downloads/teleport/license-gus.pem
 TELEPORT_LOCKS_TABLE_NAME=gus-tftestkube4-locks
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io
@@ -89,4 +88,4 @@ load fixtures/common
     load ${TELEPORT_CONFD_DIR?}/conf
     echo "${AUTH_BLOCK?}"
     echo "${AUTH_BLOCK?}" | grep -E "^  authentication:" -A5 | grep -q "rp_id: ${TELEPORT_DOMAIN_NAME?}"
-}
+}

assets/aws/files/tests/ha-node.bats

@@ -4,7 +4,6 @@ TELEPORT_ROLE=node
 EC2_REGION=us-west-2
 TELEPORT_AUTH_SERVER_LB=gus-tftestkube4-auth-0f66dd17f8dd9825.elb.us-east-1.amazonaws.com
 TELEPORT_CLUSTER_NAME=gus-tftestkube4
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 USE_ACM=false
 EOF
 }

assets/aws/files/tests/ha-proxy-acm-alias.bats

@@ -5,7 +5,6 @@ EC2_REGION=us-west-2
 TELEPORT_AUTH_SERVER_LB=gus-tftestkube4-auth-0f66dd17f8dd9825.elb.us-east-1.amazonaws.com
 TELEPORT_CLUSTER_NAME=gus-tftestkube4
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
 TELEPORT_PROXY_SERVER_NLB_ALIAS=gus-tftestkube-nlb.gravitational.io
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io

assets/aws/files/tests/ha-proxy-acm-tlsrouting.bats

@@ -5,7 +5,6 @@ EC2_REGION=us-west-2
 TELEPORT_AUTH_SERVER_LB=gus-tftestkube4-auth-0f66dd17f8dd9825.elb.us-east-1.amazonaws.com
 TELEPORT_CLUSTER_NAME=gus-tftestkube4
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io
 TELEPORT_ENABLE_MONGODB=true
@@ -142,4 +141,4 @@ load fixtures/common
     load ${TELEPORT_CONFD_DIR?}/conf
     echo "${PROXY_BLOCK?}"
     echo "${PROXY_BLOCK?}" | grep -E "^  trust_x_forwarded_for: true"
-}
+}

assets/aws/files/tests/ha-proxy-acm.bats

@@ -5,7 +5,6 @@ EC2_REGION=us-west-2
 TELEPORT_AUTH_SERVER_LB=gus-tftestkube4-auth-0f66dd17f8dd9825.elb.us-east-1.amazonaws.com
 TELEPORT_CLUSTER_NAME=gus-tftestkube4
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io
 TELEPORT_ENABLE_MONGODB=true

assets/aws/files/tests/ha-proxy-mysql.bats

@@ -5,7 +5,6 @@ EC2_REGION=us-west-2
 TELEPORT_AUTH_SERVER_LB=gus-tftestkube4-auth-0f66dd17f8dd9825.elb.us-east-1.amazonaws.com
 TELEPORT_CLUSTER_NAME=gus-tftestkube4
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
 TELEPORT_PROXY_SERVER_NLB_ALIAS=""
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io

assets/aws/files/tests/ha-proxy-no-db.bats

@@ -5,7 +5,6 @@ EC2_REGION=us-west-2
 TELEPORT_AUTH_SERVER_LB=gus-tftestkube4-auth-0f66dd17f8dd9825.elb.us-east-1.amazonaws.com
 TELEPORT_CLUSTER_NAME=gus-tftestkube4
 TELEPORT_DOMAIN_NAME=gus-tftestkube4.gravitational.io
-TELEPORT_INFLUXDB_ADDRESS=http://gus-tftestkube4-monitor-ae7983980c3419ab.elb.us-east-1.amazonaws.com:8086
 TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
 TELEPORT_PROXY_SERVER_NLB_ALIAS=""
 TELEPORT_S3_BUCKET=gus-tftestkube4.gravitational.io