Fix Suggested Role Spec for Enrolling New Resources

[evanfreed]

I went to Enroll New Resource and for both EC2 Instance and RDS PostgresSQL I was given a suggested role:

# EC2 example
kind: role
spec:
  allow:
    rules:
    - resources:
      - integration
      verbs:
      - list
      - create
      - use
    - resources:
      - node
      verbs:
      - create
      - update
      - list
      - read

I copied this to my role but I got:

After review it looks like it's missing the read verb in the suggestion. Feel free to let me know if this is the correct place to change this.

changelog: Add read verb to suggested role spec when enrolling new resources.

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[ibeckermayer]

Tagging @rudream in on this, is there any particular reason read wasn't added in the first place. Do you or @kimlisa recall running into this during testing?

[kimlisa]

wow... this was a major oversight on my part, thanks for the fix!

[kimlisa]

@evanfreed could you also add integrations.read on this line

like this:

integrationAccess.create && integrationAccess.list && integrationAccess.use && integrationAccess.read;

[rudream]

is there any particular reason read wasn't added in the first place.

@ibeckermayer not aware of any reason, seems to have just been an oversight and the RBAC for this wasn't properly tested.

[rudream]

LGTM once @kimlisa's comment is addressed

[evanfreed]

Should I backport this change? @rudream @kimlisa

[kimlisa]

@evanfreed yes it needs to be backported to branch/v13

[public-teleport-github-review-bot]

@evanfreed See the table below for backport results.

Branch	Result
branch/v13	Create PR
branch/v14	Create PR