From 0eb57fee0ce864c612a85eaf9dcd777b41afe3b1 Mon Sep 17 00:00:00 2001
From: Marco Dinis <marco.dinis@goteleport.com>
Date: Mon, 16 Sep 2024 12:22:05 +0100
Subject: [PATCH] Document AWS Tags used when using the AWS OIDC Integration

When the AWS OIDC Integration creates an AWS Resource it adds a couple
of tags.
Those can be used to group resources in AWS.
Even tho Teleport was doing it, it was not documented.

This PR adds the documentation to this, in both the Docs and Discover
flows.
---
 .../management/guides/awsoidc-integration.mdx |  8 ++++++++
 .../teleport/src/Discover/Shared/const.ts     |  3 +++
 .../Integrations/Enroll/AwsOidc/AwsOidc.tsx   | 20 +++++++++++++++++++
 3 files changed, 31 insertions(+)

diff --git a/docs/pages/admin-guides/management/guides/awsoidc-integration.mdx b/docs/pages/admin-guides/management/guides/awsoidc-integration.mdx
index 433f635d05789..42d05cb1ce1e9 100644
--- a/docs/pages/admin-guides/management/guides/awsoidc-integration.mdx
+++ b/docs/pages/admin-guides/management/guides/awsoidc-integration.mdx
@@ -28,6 +28,14 @@ The integration requires no extra configuration or services to run.
 Initially, no policy is added to the IAM role, but users are asked to add them the first time they are trying to use a given feature.
 For example, when setting up [External Audit Storage](../external-audit-storage.mdx), you will be asked to add the required policies to this IAM role.
 
+AWS Resources created by the integration are tagged so that you can search and export them using the [AWS Resource Groups / Tag Editor](https://console.aws.amazon.com/resource-groups/tag-editor/find-resources).
+The following tags are applied:
+```code
+teleport.dev/cluster      <Var name="cluster-name"/>
+teleport.dev/origin       integration_awsoidc
+teleport.dev/integration  <Var name="my-integration"/>
+```
+
 ## Prerequisites
 
 - A running Teleport cluster.
diff --git a/web/packages/teleport/src/Discover/Shared/const.ts b/web/packages/teleport/src/Discover/Shared/const.ts
index 3a942c739b667..d722bdbd87e67 100644
--- a/web/packages/teleport/src/Discover/Shared/const.ts
+++ b/web/packages/teleport/src/Discover/Shared/const.ts
@@ -20,3 +20,6 @@ export const WILD_CARD = '*';
 
 export const AWS_TAG_INFO_LINK =
   'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_roles.html#id_tags_roles_procs-console';
+
+export const AWS_RESOURCE_GROUPS_TAG_EDITOR_LINK =
+  'https://console.aws.amazon.com/resource-groups/tag-editor/find-resources';
\ No newline at end of file
diff --git a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx
index 4415fb646d5b2..9bea8a036f806 100644
--- a/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx
+++ b/web/packages/teleport/src/Integrations/Enroll/AwsOidc/AwsOidc.tsx
@@ -21,6 +21,7 @@ import { Link as InternalRouteLink } from 'react-router-dom';
 import { useLocation } from 'react-router';
 import styled from 'styled-components';
 import { Box, ButtonSecondary, Text, Link, Flex, ButtonPrimary } from 'design';
+import { P } from 'design/Text/Text';
 import * as Icons from 'design/Icon';
 import FieldInput from 'shared/components/FieldInput';
 import { requiredIamRoleName } from 'shared/components/Validation/rules';
@@ -34,8 +35,10 @@ import {
   userEventService,
 } from 'teleport/services/userEvent';
 import { Header } from 'teleport/Discover/Shared';
+import { AWS_RESOURCE_GROUPS_TAG_EDITOR_LINK } from 'teleport/Discover/Shared/const';
 import { DiscoverUrlLocationState } from 'teleport/Discover/useDiscover';
 import { TextSelectCopyMulti } from 'teleport/components/TextSelectCopy';
+import useStickyClusterId from 'teleport/useStickyClusterId';
 
 import {
   Integration,
@@ -54,6 +57,8 @@ export function AwsOidc() {
   const [createdIntegration, setCreatedIntegration] = useState<Integration>();
   const { attempt, run } = useAttempt('');
 
+  const { clusterId } = useStickyClusterId();
+
   const location = useLocation<DiscoverUrlLocationState>();
 
   const [eventData] = useState<IntegrationEnrollEventData>({
@@ -147,6 +152,21 @@ export function AwsOidc() {
           AWS RDS
         </RouteLink>{' '}
         instances during resource enrollment.
+        <P>
+          AWS Resources created by the integration are tagged so that you can search and export them using the{' '}
+          <Link target="_blank" href={AWS_RESOURCE_GROUPS_TAG_EDITOR_LINK}>
+            AWS Resource Groups / Tag Editor
+          </Link>. The following tags are applied:
+          <TextSelectCopyMulti
+            bash={false}
+            lines={[{
+              text:
+                `teleport.dev/cluster: `+clusterId+`\n` +
+                `teleport.dev/origin: integration_awsoidc\n` +
+                `teleport.dev/integration: `+integrationName,
+            }]}
+          />
+        </P>
       </Box>
 
       <Validation>