display security group id rules

api/proto/teleport/integration/v1/awsoidc_service.proto

@@ -214,6 +214,15 @@ message SecurityGroupRuleCIDR {
   string description = 2;
 }
 
+// SecurityGroupRuleGroupID has an allowed security group ID and a description
+// for the rule.
+message SecurityGroupRuleGroupID {
+  // GroupID is the allowed security group ID.
+  string group_id = 1;
+  // Description contains a small text describing the allowed security group.
+  string description = 2;
+}
+
 // SecurityGroupRule is a representation of a SecurityGroupRule.
 // Either for Inbound or Outbound rules.
 message SecurityGroupRule {
@@ -228,6 +237,9 @@ message SecurityGroupRule {
   int32 to_port = 3;
   // CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
   repeated SecurityGroupRuleCIDR cidrs = 4;
+  // GroupIds is a list of rules that allow another security group referenced
+  // by ID.
+  repeated SecurityGroupRuleGroupID group_ids = 5;
 }
 
 // SecurityGroup is a representation of a SecurityGroup

lib/auth/integration/integrationv1/awsoidc.go

@@ -395,18 +395,33 @@ func (s *AWSOIDCService) ListSecurityGroups(ctx context.Context, req *integratio
 func convertSecurityGroupRulesToProto(inRules []awsoidc.SecurityGroupRule) []*integrationpb.SecurityGroupRule {
 	out := make([]*integrationpb.SecurityGroupRule, 0, len(inRules))
 	for _, r := range inRules {
-		cidrs := make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
+		var cidrs []*integrationpb.SecurityGroupRuleCIDR
+		if len(r.CIDRs) > 0 {
+			cidrs = make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
+		}
 		for _, cidr := range r.CIDRs {
 			cidrs = append(cidrs, &integrationpb.SecurityGroupRuleCIDR{
 				Cidr:        cidr.CIDR,
 				Description: cidr.Description,
 			})
 		}
+
+		var groupIDs []*integrationpb.SecurityGroupRuleGroupID
+		if len(r.Groups) > 0 {
+			groupIDs = make([]*integrationpb.SecurityGroupRuleGroupID, 0, len(r.Groups))
+		}
+		for _, group := range r.Groups {
+			groupIDs = append(groupIDs, &integrationpb.SecurityGroupRuleGroupID{
+				GroupId:     group.GroupID,
+				Description: group.Description,
+			})
+		}
 		out = append(out, &integrationpb.SecurityGroupRule{
 			IpProtocol: r.IPProtocol,
 			FromPort:   int32(r.FromPort),
 			ToPort:     int32(r.ToPort),
 			Cidrs:      cidrs,
+			GroupIds:   groupIDs,
 		})
 	}
 	return out

lib/integrations/awsoidc/list_security_groups.go

@@ -91,6 +91,19 @@ type SecurityGroupRule struct {
 
 	// CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
 	CIDRs []CIDR `json:"cidrs"`
+
+	// Groups is a list of rules that allow another security group referenced
+	// by ID.
+	Groups []GroupIDRule `json:"groups"`
+}
+
+// GroupIDRule is a security group rule that refers to another security group by
+// ID and has a description.
+type GroupIDRule struct {
+	// GroupID is the ID of the security group that is allowed by the rule.
+	GroupID string `json:"groupID"`
+	// Description contains a small text describing the CIDR.
+	Description string `json:"description"`
 }
 
 // CIDR has a CIDR (IP Range) and a description for the value.
@@ -187,14 +200,28 @@ func convertAWSIPPermissions(permissions []ec2Types.IpPermission) []SecurityGrou
 			ipProtocol = aws.ToString(permission.IpProtocol)
 		}
 
-		cidrs := make([]CIDR, 0, len(permission.IpRanges))
+		var cidrs []CIDR
+		if len(permission.IpRanges) > 0 {
+			cidrs = make([]CIDR, 0, len(permission.IpRanges))
+		}
 		for _, r := range permission.IpRanges {
 			cidrs = append(cidrs, CIDR{
 				CIDR:        aws.ToString(r.CidrIp),
 				Description: aws.ToString(r.Description),
 			})
 		}
 
+		var groupIDs []GroupIDRule
+		if len(permission.UserIdGroupPairs) > 0 {
+			groupIDs = make([]GroupIDRule, 0, len(permission.UserIdGroupPairs))
+		}
+		for _, pair := range permission.UserIdGroupPairs {
+			groupIDs = append(groupIDs, GroupIDRule{
+				GroupID:     aws.ToString(pair.GroupId),
+				Description: aws.ToString(pair.Description),
+			})
+		}
+
 		fromPort := int(aws.ToInt32(permission.FromPort))
 		toPort := int(aws.ToInt32(permission.ToPort))
 
@@ -203,6 +230,7 @@ func convertAWSIPPermissions(permissions []ec2Types.IpPermission) []SecurityGrou
 			FromPort:   fromPort,
 			ToPort:     toPort,
 			CIDRs:      cidrs,
+			Groups:     groupIDs,
 		})
 	}
 

lib/integrations/awsoidc/list_security_groups_test.go

@@ -284,6 +284,10 @@ func TestConvertSecurityGroup(t *testing.T) {
 							ToPort:     aws.Int32(22),
 							IpProtocol: aws.String("tcp"),
 							IpRanges:   []ec2Types.IpRange{{CidrIp: aws.String("0.0.0.0/0")}},
+							UserIdGroupPairs: []ec2Types.UserIdGroupPair{{
+								GroupId:     aws.String("sg-123"),
+								Description: aws.String("allowed from another sg"),
+							}},
 						},
 					},
 					IpPermissionsEgress: []ec2Types.IpPermission{
@@ -301,6 +305,10 @@ func TestConvertSecurityGroup(t *testing.T) {
 								CidrIp:      aws.String("0.0.0.0/0"),
 								Description: aws.String("Everything"),
 							}},
+							UserIdGroupPairs: []ec2Types.UserIdGroupPair{{
+								GroupId:     aws.String("sg-456"),
+								Description: aws.String("allowed to another sg"),
+							}},
 						},
 					},
 				},
@@ -333,6 +341,7 @@ func TestConvertSecurityGroup(t *testing.T) {
 							FromPort:   22,
 							ToPort:     22,
 							CIDRs:      []CIDR{{CIDR: "0.0.0.0/0"}},
+							Groups:     []GroupIDRule{{GroupID: "sg-123", Description: "allowed from another sg"}},
 						},
 					},
 					OutboundRules: []SecurityGroupRule{
@@ -352,6 +361,7 @@ func TestConvertSecurityGroup(t *testing.T) {
 								CIDR:        "0.0.0.0/0",
 								Description: "Everything",
 							}},
+							Groups: []GroupIDRule{{GroupID: "sg-456", Description: "allowed to another sg"}},
 						},
 					},
 				},

lib/web/integrations_awsoidc.go

@@ -695,18 +695,33 @@ func (h *Handler) awsOIDCListSecurityGroups(w http.ResponseWriter, r *http.Reque
 func awsOIDCSecurityGroupsRulesConverter(inRules []*integrationv1.SecurityGroupRule) []awsoidc.SecurityGroupRule {
 	out := make([]awsoidc.SecurityGroupRule, 0, len(inRules))
 	for _, r := range inRules {
-		cidrs := make([]awsoidc.CIDR, 0, len(r.Cidrs))
+		var cidrs []awsoidc.CIDR
+		if len(r.Cidrs) > 0 {
+			cidrs = make([]awsoidc.CIDR, 0, len(r.Cidrs))
+		}
 		for _, cidr := range r.Cidrs {
 			cidrs = append(cidrs, awsoidc.CIDR{
 				CIDR:        cidr.Cidr,
 				Description: cidr.Description,
 			})
 		}
+
+		var groupIDs []awsoidc.GroupIDRule
+		if len(r.GroupIds) > 0 {
+			groupIDs = make([]awsoidc.GroupIDRule, 0, len(r.GroupIds))
+		}
+		for _, group := range r.GroupIds {
+			groupIDs = append(groupIDs, awsoidc.GroupIDRule{
+				GroupID:     group.GroupId,
+				Description: group.Description,
+			})
+		}
 		out = append(out, awsoidc.SecurityGroupRule{
 			IPProtocol: r.IpProtocol,
 			FromPort:   int(r.FromPort),
 			ToPort:     int(r.ToPort),
 			CIDRs:      cidrs,
+			Groups:     groupIDs,
 		})
 	}
 	return out

web/packages/teleport/src/Discover/Shared/SecurityGroupPicker/SecurityGroupPicker.tsx

@@ -211,12 +211,21 @@ type ExpandedSecurityGroupRule = {
 function expandSecurityGroupRule(
   rule: SecurityGroupRule
 ): ExpandedSecurityGroupRule[] {
-  return rule.cidrs.map(source => ({
+  return [
+    ...rule.cidrs.map(cidr => ({
+      source: cidr.cidr,
+      description: cidr.description,
+    })),
+    ...rule.groups.map(group => ({
+      source: group.groupID,
+      description: group.description,
+    })),
+  ].map(entry => ({
     ipProtocol: rule.ipProtocol,
     fromPort: rule.fromPort,
     toPort: rule.toPort,
-    source: source.cidr,
-    description: source.description,
+    source: entry.source,
+    description: entry.description,
   }));
 }
 

web/packages/teleport/src/Discover/Shared/SecurityGroupPicker/SecurityGroupRulesDialog.tsx

@@ -19,7 +19,7 @@
 import React from 'react';
 import styled from 'styled-components';
 
-import { ButtonSecondary, H2 } from 'design';
+import { ButtonSecondary, H2, Text } from 'design';
 import Table, { Cell } from 'design/DataTable';
 import Dialog, { DialogContent, DialogFooter } from 'design/DialogConfirmation';
 
@@ -67,7 +67,11 @@ export function SecurityGroupRulesDialog({
               headerText: 'Source',
               render: ({ source }) => {
                 if (source) {
-                  return <Cell>{source}</Cell>;
+                  return (
+                    <Cell>
+                      <Text title={source}>{source}</Text>
+                    </Cell>
+                  );
                 }
                 return null;
               },
@@ -77,7 +81,11 @@ export function SecurityGroupRulesDialog({
               headerText: 'Description',
               render: ({ description }) => {
                 if (description) {
-                  return <Cell>{description}</Cell>;
+                  return (
+                    <Cell>
+                      <Text title={description}>{description}</Text>
+                    </Cell>
+                  );
                 }
                 return null;
               },
@@ -104,6 +112,8 @@ const StyledTable = styled(Table)`
   & > tbody > tr > td {
     vertical-align: middle;
     text-align: left;
+    max-width: 200px;
+    text-wrap: nowrap;
   }
 
   & > thead > tr > th {

web/packages/teleport/src/services/integrations/types.ts

@@ -595,6 +595,9 @@ export type SecurityGroupRule = {
   toPort: string;
   // CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
   cidrs: Cidr[];
+  // Groups is a list of rules that allow another security group referenced
+  // by ID.
+  groups: GroupIdRule[];
 };
 
 export type Cidr = {
@@ -604,6 +607,13 @@ export type Cidr = {
   description: string;
 };
 
+export type GroupIdRule = {
+  // GroupID is the ID of the security group that is allowed by the rule.
+  groupID: string;
+  // Description contains a small text describing the rule.
+  description: string;
+};
+
 // IntegrationUrlLocationState define fields to preserve state between
 // react routes (eg. in External Audit Storage flow, it is required of user
 // to create a AWS OIDC integration which requires changing route