access_monitoring_rules: Add timezone to schedules spec (#60067)

bernardjkim · web-flow · commit 10095ebfb948 · 2025-10-15T17:41:02.000Z
* Add timezone to AMR schedules

* Update documentation with accepted timezone values

* Address feedback

- Allow empty timezone value
- Reference IANA in error message
- Add additional timeonze test cases

* Fix test case
diff --git a/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go b/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go
diff --git a/api/proto/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto b/api/proto/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto
@@ -100,9 +100,16 @@ message Schedule {
 // TimeSchedule specifies an in-line schedule.
 message TimeSchedule {
   // Shifts contains a set of shifts that make up the schedule.
-  // Shifts are configured in UTC.
   repeated Shift shifts = 1;
 
+  // Timezone specifies the schedule timezone. This field is optional and defaults
+  // to "UTC". Accepted values use timezone locations as defined in the IANA
+  // Time Zone Database, such as "America/Los_Angeles", "Europe/Lisbon", or
+  // "Asia/Singapore".
+  //
+  // See https://data.iana.org/time-zones/tzdb/zone1970.tab for a list of supported values.
+  string timezone = 2;
+
   // Shift contains the weekday, start time, and end time of a shift.
   message Shift {
     // Weekday specifies the day of the week, e.g., "Sunday", "Monday", "Tuesday".
diff --git a/docs/pages/reference/infrastructure-as-code/terraform-provider/data-sources/access_monitoring_rule.mdx b/docs/pages/reference/infrastructure-as-code/terraform-provider/data-sources/access_monitoring_rule.mdx
@@ -76,7 +76,8 @@ Optional:
 
 Optional:
 
-- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. Shifts are configured in UTC. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `timezone` (String) Timezone specifies the schedule timezone. This field is optional and defaults to "UTC". Accepted values use timezone locations as defined in the IANA Time Zone Database, such as "America/Los_Angeles", "Europe/Lisbon", or "Asia/Singapore".  See https://data.iana.org/time-zones/tzdb/zone1970.tab for a list of supported values.
 
 ### Nested Schema for `spec.schedules.time.shifts`
 
diff --git a/docs/pages/reference/infrastructure-as-code/terraform-provider/resources/access_monitoring_rule.mdx b/docs/pages/reference/infrastructure-as-code/terraform-provider/resources/access_monitoring_rule.mdx
@@ -98,7 +98,8 @@ Optional:
 
 Optional:
 
-- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. Shifts are configured in UTC. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `timezone` (String) Timezone specifies the schedule timezone. This field is optional and defaults to "UTC". Accepted values use timezone locations as defined in the IANA Time Zone Database, such as "America/Los_Angeles", "Europe/Lisbon", or "Asia/Singapore".  See https://data.iana.org/time-zones/tzdb/zone1970.tab for a list of supported values.
 
 ### Nested Schema for `spec.schedules.time.shifts`
 
diff --git a/integrations/terraform/tfschema/accessmonitoringrules/v1/access_monitoring_rules_terraform.go b/integrations/terraform/tfschema/accessmonitoringrules/v1/access_monitoring_rules_terraform.go
diff --git a/lib/services/access_monitoring_rules.go b/lib/services/access_monitoring_rules.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"slices"
 	"time"
+	_ "time/tzdata"
 
 	"github.com/gravitational/trace"
 
@@ -156,6 +157,10 @@ func validateSchedules(schedules map[string]*accessmonitoringrulesv1.Schedule) e
 }
 
 func validateTimeSchedule(schedule *accessmonitoringrulesv1.TimeSchedule) error {
+	if _, err := time.LoadLocation(schedule.GetTimezone()); err != nil {
+		return trace.Wrap(err, "invalid timezone: refer to the IANA Time Zone Database for valid options")
+	}
+
 	if len(schedule.GetShifts()) == 0 {
 		return trace.BadParameter("at least one shift is required")
 	}
diff --git a/lib/services/access_monitoring_rules_test.go b/lib/services/access_monitoring_rules_test.go
@@ -249,6 +249,98 @@ func TestValidateSchedules(t *testing.T) {
 				require.ErrorContains(t, err, "at least one shift is require")
 			},
 		},
+		{
+			description: "valid timezone (UTC)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "UTC",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "valid timezone (America/Los_Angeles)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "America/Los_Angeles",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "valid timezone (Europe/Lisbon)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "Europe/Lisbon",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "valid timezone (Asia/Singapore)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "Asia/Singapore",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "invalid timezone",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "invalid",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: func(t require.TestingT, err error, _ ...interface{}) {
+				require.ErrorContains(t, err, "invalid timezone")
+			},
+		},
 		{
 			description: "start time is not before end time",
 			schedules: map[string]*accessmonitoringrulesv1.Schedule{
