Add ability to differentiate auto-discovered databases #22438
Labels: aws, c-atb, c-btc, c-dc, c-mcl, c-ntr, c-upg, database-access, feature-request
What would you like Teleport to do?
Currently, if multiple database agents are doing auto-discovery in different AWS accounts, it is possible for a name collision to occur. It should be possible to configure the agent in a way that guarantees name uniqueness across the cluster.
What problem does this solve?
Say two AWS accounts are in use-- staging and prod. They are built to have as much dev/prod parity as possible. This means that the RDS databases in each account may even have the same names and tags.
While it is possible to override the database name for a given database by explicitly setting a `teleport.dev/database-name` AWS tag on the database, it would be ideal to have the Teleport agent be able to differentiate the resources without relying on external tagging conventions.

Another scenario where a name/tag collision could happen is when restoring a database from one AWS account to another. The restore target may not immediately have a unique `teleport.dev/database-name` tag until after the restore is complete.

To avoid this collision situation altogether, something like an opt-in name prefix, Go template, or some other mechanism that can be set in the teleport.yaml file ahead of time would be fantastic.
Similar functionality for any cloud-discoverable resources would be ideal.
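As an added illustration (not code from this issue or from Teleport) of how an opt-in naming template would resolve the staging/prod collision described above: the `DiscoveredDB` type, the template setting and the `Collisions` check are hypothetical, while the precedence of the existing override tag over any template mirrors what the issue describes.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// DiscoveredDB is a constructed stand-in for one auto-discovered RDS instance.
type DiscoveredDB struct {
	AccountID, Name string
	Tags            map[string]string
}

// OverrideTag is the per-database override tag the issue already relies on.
const OverrideTag = "teleport.dev/database-name"

// ClusterName resolves the cluster-facing name: an explicit override tag wins, otherwise
// the opt-in template (hypothetical, not a real teleport.yaml key); "{{.Name}}" keeps today's behaviour.
func ClusterName(db DiscoveredDB, tmpl string) (string, error) {
	if v := db.Tags[OverrideTag]; v != "" {
		return v, nil
	}
	t, err := template.New("name").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, db)
	return buf.String(), err
}

// Collisions returns every resolved name claimed by more than one discovered database.
func Collisions(dbs []DiscoveredDB, tmpl string) ([]string, error) {
	seen, dup := map[string]int{}, []string{}
	for _, db := range dbs {
		n, err := ClusterName(db, tmpl)
		if err != nil {
			return nil, err
		}
		if seen[n]++; seen[n] == 2 { // report each colliding name once
			dup = append(dup, n)
		}
	}
	return dup, nil
}

func main() { // constructed sample: staging and prod accounts with identical RDS names
	dbs := []DiscoveredDB{{AccountID: "111111111111", Name: "orders"}, {AccountID: "222222222222", Name: "orders"}}
	plain, _ := Collisions(dbs, "{{.Name}}")
	scoped, _ := Collisions(dbs, "{{.AccountID}}-{{.Name}}")
	fmt.Println(plain, scoped) // [orders] []
}
```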
If a workaround exists, please include it.
Utilize the `teleport.dev/database_name` functionality (documented here and here) -- has drawbacks and doesn't totally solve the concern.