Merge remote-tracking branch 'upstream/master'

Author: felipeasantos

.gitattributes

@@ -9,3 +9,5 @@ docs/theme/js/theme.js linguist-vendored=false
 *_pb.ts linguist-generated
 *_pb.grpc-*.ts linguist-generated
 *_pb.client.ts linguist-generated
+
+*.golden -text

.github/CODEOWNERS

@@ -1 +1,27 @@
 *   @loadsmart/platform-operations
+# Merge rules are governed by logic in the Workflow Bot. Protect the
+# .github/workflows directory (and the merge logic) using CODEOWNERS.
+/.github/workflows/ @klizhentas @russjones @r0mant @zmb3 @fheinecke @camscale @doggydogworld @rosstimothy
+/.github/actions/ @klizhentas @russjones @r0mant @zmb3 @fheinecke @camscale @doggydogworld @rosstimothy
+/build.assets/tooling/cmd/difftest/ @klizhentas @russjones @r0mant @zmb3 @rosstimothy
+
+# Owners for JS dependency updates.
+/pnpm-lock.yaml @avatus @gzdunek @ravicious @zmb3 @r0mant
+/web/packages/teleterm/package.json @gzdunek @ravicious
+
+# Owners for Go dependency updates.
+/go.mod @russjones @r0mant @zmb3 @rosstimothy
+/api/go.mod @russjones @r0mant @zmb3 @rosstimothy
+/assets/aws/go.mod @russjones @r0mant @zmb3 @rosstimothy
+/assets/backport/go.mod @russjones @r0mant @zmb3 @rosstimothy
+/build.assets/tooling/go.mod @russjones @r0mant @zmb3 @rosstimothy @fheinecke @camscale @doggydogworld
+/integrations/terraform/go.mod @russjones @r0mant @zmb3 @rosstimothy @hugoShaka @tigrato
+/integrations/terraform-mwi/go.mod @russjones @r0mant @zmb3 @rosstimothy @hugoShaka @tigrato @strideynet
+/integrations/event-handler/go.mod @russjones @r0mant @zmb3 @rosstimothy @hugoShaka @tigrato
+
+# Owners for Rust dependency updates.
+/Cargo.toml @russjones @r0mant @zmb3 @rosstimothy @fspmarshall @espadolini
+/tool/fdpass-teleport/Cargo.toml @russjones @r0mant @zmb3 @rosstimothy @fspmarshall @espadolini
+/web/packages/shared/libs/ironrdp/Cargo.toml @russjones @r0mant @zmb3 @rosstimothy @fspmarshall @espadolini @probakowski
+/lib/srv/desktop/rdp/rdpclient/Cargo.toml @russjones @r0mant @zmb3 @rosstimothy @fspmarshall @espadolini @probakowski
+>>>>>>> upstream/master

.github/ISSUE_TEMPLATE/testplan.md

@@ -1009,6 +1009,10 @@ on the remote host. Note that the `--callback` URL must be able to resolve to th
 [Docs](https://goteleport.com/docs/enroll-resources/agents/gcp/)
 - [ ] Join a Teleport node running in a GCP VM.
 
+### Oracle Node Joining
+[Docs](https://goteleport.com/docs/enroll-resources/agents/oracle/)
+- [ ] Join a Teleport node running in an OCI VM.
+
 ### Cloud Labels
 - [ ] Create an EC2 instance with [tags in instance metadata enabled](https://goteleport.com/docs/admin-guides/management/guides/ec2-tags/)
 and with tag `foo`: `bar`. Verify that a node running on the instance has label
@@ -1180,6 +1184,8 @@ tsh ssh node-that-requires-device-trust
     - [ ] K8s Access
     - [ ] App Access NOT enforced in global mode
     - [ ] Desktop Access NOT enforced in global mode
+  - [ ] device_trust.mode="required-for-humans" enforces enrolled devices for
+        humans, but bots (e.g. `tbot`) function on any device
   - [ ] Role-based authz enforces enrolled devices
         (device_trust.mode="optional" and role.spec.options.device_trust_mode="required")
     - [ ] SSH
@@ -1491,8 +1497,9 @@ GODEBUG='inittrace=1' teleport version 2>&1 | rg '^init' | awk '{print $8 " byte
 - [ ] Verify [AWS console access](https://goteleport.com/docs/enroll-resources/application-access/cloud-apis/aws-console/).
   - [ ] Can log into AWS web console through the web UI.
   - [ ] Can interact with AWS using `tsh` commands.
-    - [ ] `tsh aws`
-    - [ ] `tsh aws --endpoint-url` (this is a hidden flag)
+    - [ ] `tsh aws sts get-caller-identity`
+    - [ ] `tsh aws s3 ls`
+    - [ ] `tsh aws s3 cp ./file s3://<bucket>/test`
 - [ ] Verify [Azure CLI access](https://goteleport.com/docs/enroll-resources/application-access/cloud-apis/azure/) with `tsh apps login`.
   - [ ] Can interact with Azure using `tsh az` commands.
   - [ ] Can interact with Azure using a combination of `tsh proxy az` and `az` commands.
@@ -1538,6 +1545,7 @@ manualy testing.
   - [ ] Amazon Redshift Serverless.
     - [ ] Verify connection to external AWS account works with `assume_role_arn: ""` and `external_id: "<id>"`
   - [ ] Amazon ElastiCache.
+  - [ ] Amazon ElastiCache Serverless.
   - [ ] Amazon MemoryDB.
   - [ ] Amazon OpenSearch.
   - [ ] Amazon Dynamodb.
@@ -1576,6 +1584,7 @@ manualy testing.
   - [ ] Amazon Redshift.
   - [ ] Amazon Redshift Serverless.
   - [ ] Amazon ElastiCache.
+  - [ ] Amazon ElastiCache Serverless.
   - [ ] Amazon MemoryDB.
   - [ ] Amazon OpenSearch.
   - [ ] Amazon Dynamodb.
@@ -1636,6 +1645,7 @@ manualy testing.
       - [x] Can detect and register Redshift clusters. (covered by E2E test)
       - [x] Can detect and register Redshift serverless workgroups, and their VPC endpoints. (covered by E2E test)
       - [ ] Can detect and register ElastiCache Redis clusters.
+      - [ ] Can detect and register ElastiCache Serverless Redis/Valkey clusters.
       - [ ] Can detect and register MemoryDB clusters.
       - [ ] Can detect and register OpenSearch domains.
       - [ ] Can detect and register DocumentDB clusters.
@@ -1660,6 +1670,8 @@ manualy testing.
     - [ ] Postgres
 - [ ] Verify database access via Web UI
   - [ ] Postgres
+  - [ ] CockroachDB
+  - [ ] MySQL
 - [ ] Verify database health checks
   - [ ] Dynamic `health_check_config` resource create, read, update, delete operations are supported using `tctl`
   - [ ] Database servers (`$ tctl get db_server`) include `db_server.status.target_health` info
@@ -2093,6 +2105,7 @@ Verify that SSH works, and that resumable SSH is not interrupted across a contro
   - [ ] New EC2 instances with matching AWS tags are discovered and added to the teleport cluster
     - [ ] Large numbers of EC2 instances (51+) are all successfully added to the cluster
   - [ ] Nodes that have been discovered do not have the install script run on the node multiple times
+  - [ ] EC2 instances can be discovered in multiple accounts
 
 ## Azure Discovery
 
@@ -2193,6 +2206,16 @@ Docs: [IP Pinning](https://goteleport.com/docs/admin-guides/access-controls/guid
     - [ ] Verify that manually deleting a nested Access List used as a member or owner does not break UserLoginState generation or listing Access Lists.
     - [ ] Verify that an Access List can be added as a member or owner of another Access List using `tctl`.
     - [ ] Verify that Access Lists added as members or owners of other Access Lists using `tctl` are validated (no circular references, no nesting > 10 levels).
+  - [ ] For Access Lists of "static" type:
+    - [ ] Verify that static Access List and its members (including nested list members) can be [created/modified/deleted with Terraform](../../docs/pages/identity-governance/access-lists/terraform.mdx) ([teleport_access_list_member ref](../../docs/pages/reference/terraform-provider/resources/access_list_member.mdx))
+    - [ ] Verify non-static Access List members cannot be imported to Terraform (Create an Access List in the web UI and add a member and try to import the member to Terraform)
+    - [ ] In Terraform: check if member's MEMBERSHIP_KIND_USER (1) is changed to MEMBERSHIP_KIND_LIST (2) forces re-creation
+    - [ ] Verify setting audit to past date/zero date doesn't create a review badge on the list in the UI
+    - [ ] Verify changing spec.type is forbidden
+    - [ ] Verify other lists cannot be converted to "static"
+    - [ ] Verify expiration and eligibility of members
+    - [ ] In the web UI: check if modifications/deletion of static lists are blocked
+    - [ ] In the web UI: check if the review is blocked (add `#review` at the end of the Access List URL)
 
 - [ ] Verify Okta Sync Service
   - [ ] Verify Okta Plugin configuration.

.github/dependabot.yml

@@ -18,6 +18,7 @@ updates:
       - dependency-name: github.com/microsoft/go-mssqldb
       - dependency-name: github.com/redis/go-redis/v9
       - dependency-name: github.com/vulcand/predicate
+      - dependency-name: github.com/hinshun/vt10x
     open-pull-requests-limit: 20
     groups:
       go:
@@ -238,15 +239,18 @@ updates:
       - 'ui'
       - 'no-changelog'
     groups:
+      # These packages are either directly involved in the process of building Teleport Connect or
+      # they make use of native dependencies. Verifying that updating them didn't break anything
+      # involves making a tag build.
       electron:
         patterns:
           - 'electron*'
+          - node-gyp
+          - node-pty
       ui:
         update-types:
           - 'minor'
           - 'patch'
-        exclude-patterns:
-          - 'electron*'
     open-pull-requests-limit: 20
   - package-ecosystem: github-actions
     directory: '/.github/workflows'

.github/workflows/assign.yaml

@@ -39,7 +39,7 @@ jobs:
         with:
           repository: gravitational/shared-workflows
           path: .github/shared-workflows
-          ref: 5213479ba6a7b41a0ee5e5adf72360e6ac4e9b93 # workflows/v0.0.1
+          ref: 664e788d45a7f56935cf63094b4fb52a41b12015 # workflows/v0.0.2
       - name: Installing Go
         uses: actions/setup-go@v5
         with:

.github/workflows/aws-e2e-tests-non-root.yaml

@@ -88,7 +88,7 @@ jobs:
         continue-on-error: true
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ env.GHA_ASSUME_ROLE }}

.github/workflows/backport.yaml

@@ -37,7 +37,7 @@ jobs:
         with:
           repository: gravitational/shared-workflows
           path: .github/shared-workflows
-          ref: 5213479ba6a7b41a0ee5e5adf72360e6ac4e9b93 # workflows/v0.0.1
+          ref: 664e788d45a7f56935cf63094b4fb52a41b12015 # workflows/v0.0.2
       - name: Installing Go
         uses: actions/setup-go@v5
         with:

.github/workflows/bloat.yaml

@@ -41,7 +41,7 @@ jobs:
         with:
           repository: gravitational/shared-workflows
           path: .github/shared-workflows
-          ref: 5213479ba6a7b41a0ee5e5adf72360e6ac4e9b93 # workflows/v0.0.1
+          ref: 664e788d45a7f56935cf63094b4fb52a41b12015 # workflows/v0.0.2
 
       - name: Setup base cache
         uses: actions/cache/restore@v3
@@ -93,7 +93,7 @@ jobs:
         with:
           repository: gravitational/shared-workflows
           path: .github/shared-workflows
-          ref: 5213479ba6a7b41a0ee5e5adf72360e6ac4e9b93 # workflows/v0.0.1
+          ref: 664e788d45a7f56935cf63094b4fb52a41b12015 # workflows/v0.0.2
 
       - name: Build Binaries
         id: build_branch

.github/workflows/build-ci-service-images.yaml

@@ -44,7 +44,7 @@ jobs:
 
       - name: Build etcd image
         id: docker_build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ github.workspace }}
           file: .github/services/Dockerfile.etcd

.github/workflows/build-macos.yaml

@@ -62,11 +62,7 @@ jobs:
           cache: false
           go-version: ${{ env.GOLANG_VERSION }}
 
-      - name: Configure Rust Toolchain
-        run: |
-          rustup override set ${{ env.RUST_VERSION }}
-
-      - name: Install wasm-pack
+      - name: Install wasm-deps
         run: make ensure-wasm-deps
 
       - name: Build