From 42653c1c248ebc9cd475a3fbe1403ced778c7c2f Mon Sep 17 00:00:00 2001
From: Trent Clarke
Date: Mon, 11 Nov 2024 11:01:15 +1100
Subject: [PATCH 1/4] Adds `KindIdentityCenter` umbrella resource kind
The Identity Center integration manages several resource types, and specifying individal condition statements for each kind is both unwieldy and unnecessary - anyone that can manipulate one of these resources should be able to manilpate them all in the same way. In order to simplify things, this patch introduces an umbrella `KindIdentityCenter` that will represent _any_ `KindIdentityCenter*` resource in Role conditions and RBAC checks.
---
 api/types/constants.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/api/types/constants.go b/api/types/constants.go
index 9a5efafedd766..fe8d4a05b5c3e 100644
--- a/api/types/constants.go
+++ b/api/types/constants.go
@@ -573,6 +573,12 @@ const (
 // KindStaticHostUser is a host user to be created on matching SSH nodes.
 KindStaticHostUser = "static_host_user"
+ // KindIdentityCenter is an umbrella kind, representing all KindIdentityCenter*
+ // resource kinds in RBAC checks. This is to simplify Role condition statements
+ // so that they don't have to individually specify all of the Identity Center
+ // resource kinds.
+ KindIdentityCenter = "aws_ic"
+
 // KindIdentityCenterAccount describes an Identity-Center managed AWS Account
 KindIdentityCenterAccount = "aws_ic_account"
From fa40e112009458551b97e0ce6c6e68caee91b5d7 Mon Sep 17 00:00:00 2001
From: Trent Clarke
Date: Mon, 11 Nov 2024 11:09:41 +1100
Subject: [PATCH 2/4] Update constants.go
---
 api/types/constants.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/types/constants.go b/api/types/constants.go
index fe8d4a05b5c3e..ba7785d2ff945 100644
--- a/api/types/constants.go
+++ b/api/types/constants.go
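Review bot: The new doc comment on `KindIdentityCenter` says the kind "represents all KindIdentityCenter* resource kinds in RBAC checks" but does not say whether any resource is ever stored under this kind or which component performs the expansion, so a reader of constants.go cannot tell whether it is safe to put in a resource's `Kind` field. If the intended contract is rule-target only, I would state it: `// KindIdentityCenter is an umbrella kind used only as a rule target in role conditions and RBAC checks; no resource is stored with this kind, and the rule matcher is responsible for treating it as covering every KindIdentityCenter* kind.` Nothing in this hunk implements that expansion, so the comment is currently a promise rather than a description of behaviour; a pointer to where it is (or will be) implemented would help the next maintainer.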
@@ -577,7 +577,7 @@ const (
 // resource kinds in RBAC checks. This is to simplify Role condition statements
 // so that they don't have to individually specify all of the Identity Center
 // resource kinds.
- KindIdentityCenter = "aws_ic"
+ KindIdentityCenter = "aws_identity_center"
 // KindIdentityCenterAccount describes an Identity-Center managed AWS Account
 KindIdentityCenterAccount = "aws_ic_account"
From e8a95b3ccb6bfc3caf70ed1631d924fe1b6c1cd3 Mon Sep 17 00:00:00 2001
From: Trent Clarke
Date: Mon, 11 Nov 2024 11:37:24 +1100
Subject: [PATCH 3/4] Update Implicit role to use Umbrella kind
Updates the default implicit rules to refrence the new `KindIdentityCenter` resource kind. Also updates comments on the covered `KindIdentityCenter*` kinds with a reminder to user `KindIdentityCenter` in RBAC checks.
---
 api/types/constants.go | 4 ++++
 lib/services/presets.go | 2 +-
 lib/services/role.go | 2 +-
 lib/services/role_test.go | 24 ++++++++++++------------
 4 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/api/types/constants.go b/api/types/constants.go
index ba7785d2ff945..bcf2da7682b1d 100644
--- a/api/types/constants.go
+++ b/api/types/constants.go
@@ -580,17 +580,21 @@ const (
 KindIdentityCenter = "aws_identity_center"
 // KindIdentityCenterAccount describes an Identity-Center managed AWS Account
+ // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterAccount = "aws_ic_account"
 // KindIdentityCenterPermissionSet describes an AWS Identity Center Permission Set
+ // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterPermissionSet = "aws_ic_permission_set"
 // KindIdentityCenterPermissionSet describes an AWS Principal Assignment, representing
 // a collection Account Assignments assigned to a Teleport User or AccessList
+ // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterPrincipalAssignment = "aws_ic_principal_assignment"
 // KindIdentityCenterAccountAssignment describes an AWS Account and Permission Set
 // pair that can be requested by a Teleport User.
+ // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterAccountAssignment = "aws_ic_account_assignment"
 // MetaNameAccessGraphSettings is the exact name of the singleton resource holding
diff --git a/lib/services/presets.go b/lib/services/presets.go
index 1d6a4bfc5c6c1..a4b6fec68e70c 100644
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@@ -182,7 +182,7 @@ func NewPresetEditorRole() types.Role {
 types.NewRule(types.KindNotification, RW()),
 types.NewRule(types.KindStaticHostUser, RW()),
 types.NewRule(types.KindUserTask, RW()),
- types.NewRule(types.KindIdentityCenterAccount, RW()),
+ types.NewRule(types.KindIdentityCenter, RW()),
 },
 },
 },
diff --git a/lib/services/role.go b/lib/services/role.go
index 2f36e26b575d7..16b1c79287e87 100644
--- a/lib/services/role.go
+++ b/lib/services/role.go
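Review bot: The replacement rule `types.NewRule(types.KindIdentityCenter, RW()),` in the editor preset widens the grant from read/write on `aws_ic_account` to read/write on every Identity Center kind, including permission sets and principal/account assignments, which the preset did not previously grant; nothing in the hunk records that this widening is deliberate. If preset roles are reconciled on upgrade, as they appear to be elsewhere in this codebase, existing clusters pick up the extra privilege silently, so this deserves a changelog entry. I would also annotate the rule so the scope is visible at the call site: `// Umbrella kind: grants RW on every Identity Center resource kind, not only accounts.` The enclosing `NewPresetEditorRole` starts outside the hunk.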
@@ -79,7 +79,7 @@ var DefaultImplicitRules = []types.Rule{
 types.NewRule(types.KindVnetConfig, RO()),
 types.NewRule(types.KindSPIFFEFederation, RO()),
 types.NewRule(types.KindSAMLIdPServiceProvider, RO()),
- types.NewRule(types.KindIdentityCenterAccount, RO()),
+ types.NewRule(types.KindIdentityCenter, RO()),
 }
 // DefaultCertAuthorityRules provides access the minimal set of resources
diff --git a/lib/services/role_test.go b/lib/services/role_test.go
index 8d6d529bf678d..d474585e58cbf 100644
--- a/lib/services/role_test.go
+++ b/lib/services/role_test.go
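Review bot: Swapping the implicit rule to `types.NewRule(types.KindIdentityCenter, RO()),` drops the only implicit read/list grant on `aws_ic_account`, and nothing in this series shows the rule matcher treating `aws_identity_center` as covering the concrete `aws_ic_*` kinds that resources are stored under. If rules are matched on the exact kind string, as the removed line suggests they were, every role silently loses implicit read/list on Identity Center accounts, and the new test only exercises the umbrella name so it would not catch that. I would either land the matcher mapping in the same series or keep `types.NewRule(types.KindIdentityCenterAccount, RO()),` alongside the umbrella rule until it exists. The enclosing `DefaultImplicitRules` starts outside the hunk.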
@@ -2505,25 +2505,25 @@ func TestDefaultImplicitRules(t *testing.T) {
 checks []check
 }{
 {
- name: "KindIdentityCenterAccount with NewPresetAccessRole",
+ name: "KindIdentityCenter with NewPresetAccessRole",
 role: NewPresetAccessRole(),
 checks: []check{
- {rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
+ {rule: types.KindIdentityCenter, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
+ {rule: types.KindIdentityCenter, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
+ {rule: types.KindIdentityCenter, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
+ {rule: types.KindIdentityCenter, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
+ {rule: types.KindIdentityCenter, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
 },
 },
 {
- name: "KindIdentityCenterAccount with a custom role that does not explicitly target read and list verbs for KindIdentityCenterAccount",
+ name: "KindIdentityCenter with a custom role that does not explicitly target read and list verbs for KindIdentityCenterAccount",
 role: newRole(func(r *types.RoleV6) {}),
 checks: []check{
- {rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
- {rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
+ {rule: types.KindIdentityCenter, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
+ {rule: types.KindIdentityCenter, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
+ {rule: types.KindIdentityCenter, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
+ {rule: types.KindIdentityCenter, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
+ {rule: types.KindIdentityCenter, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
 },
 },
 {
From a2fcdc654769aae69a04a98311eddbdd625e68e1 Mon Sep 17 00:00:00 2001
From: Trent Clarke
Date: Tue, 12 Nov 2024 22:43:27 +1100
Subject: [PATCH 4/4] Update constants.go
---
 api/types/constants.go | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/api/types/constants.go b/api/types/constants.go
index bcf2da7682b1d..ba7785d2ff945 100644
--- a/api/types/constants.go
+++ b/api/types/constants.go
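Review bot: Both rewritten cases assert access only against the umbrella rule name `types.KindIdentityCenter`, and the earlier assertions on `types.KindIdentityCenterAccount` were replaced rather than kept, so the test no longer proves the property the series relies on: that a check on a concrete Identity Center kind is satisfied by the umbrella rule. If the matcher does not yet expand the umbrella, these cases pass while real access checks on `aws_ic_account` fail, which is exactly the regression a test here should catch. The second case's name also still ends in "for KindIdentityCenterAccount" while checking the umbrella kind; I would rename it or, better, keep the concrete-kind checks in each case next to the umbrella ones. `TestDefaultImplicitRules` starts and ends outside the hunk.
```go
checks: []check{
	// … unchanged: umbrella-kind checks on types.KindIdentityCenter …
	// The umbrella rule must also satisfy checks on the concrete kinds.
	{rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
	{rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
	{rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
	{rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
	{rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
},
```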
@@ -580,21 +580,17 @@ const (
 KindIdentityCenter = "aws_identity_center"
 // KindIdentityCenterAccount describes an Identity-Center managed AWS Account
- // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterAccount = "aws_ic_account"
 // KindIdentityCenterPermissionSet describes an AWS Identity Center Permission Set
- // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterPermissionSet = "aws_ic_permission_set"
 // KindIdentityCenterPermissionSet describes an AWS Principal Assignment, representing
 // a collection Account Assignments assigned to a Teleport User or AccessList
- // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterPrincipalAssignment = "aws_ic_principal_assignment"
 // KindIdentityCenterAccountAssignment describes an AWS Account and Permission Set
 // pair that can be requested by a Teleport User.
- // DO NOT USE THIS KIND IN RBAC CHECKS: use KindIdentityCenter instead
 KindIdentityCenterAccountAssignment = "aws_ic_account_assignment"
 // MetaNameAccessGraphSettings is the exact name of the singleton resource holding