Browse source code

Added notes on new account setup

Fred Damstra 5 years ago
parent
commit
5d7feff968
1 changed file with 110 additions and 3 deletions

+ 110 - 3
AWS New Account Setup Notes.md

@@ -1,6 +1,6 @@
-XDR AWS New Account Setup Notes
+# XDR AWS New Account Setup Notes
 
-request new account from aws from AFS 
+## request new account from aws from AFS 
 AFS Help -> Submit a request -> non standard software and pre-approved project management tools -> cloud managed services
 
 
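Review bot: The new `## request new account from aws from AFS ` heading keeps a trailing space and stays lowercase, while the other headings added in this change are title-cased; suggest `## Request a New Account from AWS via AFS` so the heading style is consistent across the file.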
@@ -9,4 +9,111 @@ P104 approver: jennifer.l.combs
 
 VERY Helpful Guy to fill out the AWS request: Osman Soofi. osman.soofi@accenturefederal.com
 
-New AWS accounts MDRAdmin MFA is stored in Vault. 
+## Bootstrap the Account
+
+AFS Support will send you two login URLs and passwords per account (one for commercial, one for govcloud).
+
+### Prerequisites
+
+Install aws-mfa utility via:
+```
+git clone https://github.com/duckfez/aws-mfa.git # This is a patched version to include govcloud support
+# do whatever your process is for making this executable... link to /usr/local/bin, copy to your path, etc.
+# Optional, change the #! line in aws-mfa to be /usr/bin/env python3
+```
+
+### Bootstrapping Step 1: Secure the Root Account
+
+1. Record all account information in [msoc-infrastructure-wiki `cloud-accounts.md`](https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts) doc
+1. Go to https://vault.mdr.defpoint.com
+1. Navigate to `engineering/cloud/aws/root-creds/`:
+  * Create new entry for the account alias.
+  * Copy json from existing entry - should contain both commercial and govcloud records
+  * Create a new version of the new secret and add the json.
+1. Login to the AWS account via web browser.
+1. Change password to something that does not include json characters and record in the vault.
+1. Follow instructions for ["Using Vault for TOTP things", section "Adding a new TOTP Code" in cloud-accounts.md](https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts#adding-a-new-totp-code---especially-for-an-aws-account) to configure and store the MFA token for the root account.
+1. Sign out and back in. (Not optional! Required because MFA requirement in IAM policies)
+1. Go back to IAM and create access tokens.
+
+Repeat for additional accounts
+
+## Step 2: Bootstrap the accounts
+
+1. Add the access and secret keys to your local `~/.aws/credentials` file as a temporary profile called `tmp-long-term`:
+```
+[tmp-long-term]
+aws_security_token = aws_access_key_id = <blah>
+aws_secret_access_key = <blah>
+aws_mfa_device = arn:{partition}:iam::{account}:mfa/MDRAdmin
+```
+1. Run `aws-mfa --profile tmp` ( Note: No `-long-term`, because script assumes it )
+1. Verify account number: `AWS_PROFILE=tmp aws sts get-caller-identity`
+1. Create a copy of the account skeleton
+```
+cd msoc-infrastructure/terraform-0.12/accounts/aws
+cp -rp 000-skeleton {account-alias}
+```
+1. Prepare the configuration for the new account
+```
+cd {account-alias}
+vim README.md
+# Add a description of the account.
+vim terragrunt.hcl
+# Fix all the lines marked "TODO"
+cd 005-iam
+rm -rf .terraform terraform.tfstate* # shouldn't be there if you copied from skeleton
+vim child-account.tf
+# Fix all the lines marked "TODO"
+```
+1. Apply the configuration:
+```
+saml2aws -a commercial login
+terragrunt validate
+terragrunt apply
+```
+1. Fix the profile
+```
+vim ../terragrunt.hcl
+# Delete the line with `profile=tmp` and uncomment the line with `profile=commercial`
+# Uncomment the `assume_role` section and fix the account number.
+```
+1. Validate that terragrunt can be applied
+```
+terragrunt apply
+# Should be no changes
+```
+
+### Repeat for GovCloud with slight changes
+The above steps need to be repeated for accounts in govcloud. Here are the steps (From "Step 2) in abbreviated format:
+
+```
+vim ~/.aws/credentials
+aws-mfa --profile tmp --region us-gov-east-1
+AWS_PROFILE=tmp aws --region us-gov-east-1 sts get-caller-identity
+
+cd msoc-infrastructure/terraform-0.12/accounts/aws-us-gov
+cp -rp 000-skeleton {account-alias}
+
+cd {account-alias}
+vim README.md
+# Add a description of the account.
+vim terragrunt.hcl
+# Fix all the lines marked "TODO"
+cd 005-iam
+rm -rf .terraform terraform.tfstate* # shouldn't be there if you copied from skeleton
+vim child-account.tf
+# Fix all the lines marked "TODO"
+
+saml2aws -a govcloud login
+terragrunt validate
+terragrunt apply
+
+vim ../terragrunt.hcl
+# Delete the line with `profile=tmp` and uncomment the line with `profile=govcloud`
+# Uncomment the `assume_role` section and fix the account number.
+
+terragrunt apply
+# Should be no changes
+```
+
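Review bot: In the `[tmp-long-term]` credentials snippet under Step 2, two keys have been run together on one line (`aws_security_token = aws_access_key_id = <blah>`), so the profile as written will not parse; put `aws_access_key_id = <blah>` on its own line and either give `aws_security_token` its own line or drop it if the aws-mfa long-term profile does not need it. Step 8 of "Secure the Root Account" says "Go back to IAM and create access tokens" without naming the principal; since the profile later references `mfa/MDRAdmin`, it should say explicitly that these are the MDRAdmin IAM user's keys and not root access keys, otherwise the step reads as undoing what the section is for. The removed line "New AWS accounts MDRAdmin MFA is stored in Vault" is not restated anywhere in the new text (the TOTP step only covers the root account), so where the MDRAdmin MFA seed lives should be added back. The `git clone` of the patched aws-mfa fork goes straight into the operator's path, so the tested commit or tag should be recorded next to it. Finally, heading levels are inconsistent: "### Bootstrapping Step 1" sits under "## Bootstrap the Account" while "## Step 2" is promoted to the same level as its parent.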