Browse files

Updates AWS config and Other notes

Brad Poulton, 4 years ago
parent
commit
e25e1c8f30
4 changed files with 107 additions and 35 deletions
  1. AWS New Account Setup Notes.md (+7 -6)
  2. Customer Decommision Notes.md (+74 -17)
  3. New Customer Setup Notes - GovCloud.md (+2 -6)
  4. files/config (+24 -6)

+ 7 - 6
AWS New Account Setup Notes.md

@@ -29,19 +29,20 @@ git clone https://github.com/duckfez/aws-mfa.git # This is a patched version to
 
 ### Bootstrapping Step 1: Secure the Root Account
 
+For this step, you can do both Commerical account and GovCloud account at the same time. 
+
 1. Record all account information in [msoc-infrastructure-wiki `cloud-accounts.md`](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts) doc
-1. Go to https://vault.mdr.defpoint.com
+1. Go to https://vault.pvt.xdr.accenturefederalcyber.com/
 1. Navigate to `engineering/cloud/aws/root-creds/`:
   * Create new entry for the account alias. Use the naming scheme, mdr-prod-${CUSTOMERPREFIX}
   * Copy JSON from existing entry - should contain both commercial and govcloud records
   * Create a new version of the new secret and add the JSON
   * if needed, add a field for the MFA secret called commerical_mfa_secret and gov_mfa_secret
 1. Login to the AWS account via web browser.
-1. It's possible that CAMRS will make "our user" named `IAMAdmin`, but also possible it will be `MDRAdmin`.  We have
-things that expect it to be `MDRAdmin`.  If the account we get is `IAMAdmin` then we need to make `MDRAdmin`.
+1. It's possible that CAMRS will make "our user" named `IAMAdmin`, but also possible it will be `MDRAdmin`.  We have things that expect it to be `MDRAdmin`.  If the account we get is `IAMAdmin` then we need to make `MDRAdmin`.
    1. :warning: Setup MFA for IAMAdmin in your personal virtual authenticator and login with IAMAdmin and MFA
    2. Make the `MDRAdmin` user in AWS Console
-   3. Assign a Password
+   3. Assign a Password ( AWS Management Console access )
    4. Attach the policy `IAMUserChangePassword` directly to the user and create user
    5. After the user is created, Put the user in the `camrs-group-iam` group
    6. Log out of `IAMAdmin`, log in to `MDRAdmin` 
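Review bot: spelling in the added line, `Commerical` should be `Commercial` ("For this step, you can do both Commercial account and GovCloud account at the same time"). The same misspelling already exists in the unchanged line naming the Vault field `commerical_mfa_secret`; if that field name is deliberate, say so, otherwise the prose and the field name will keep drifting apart. The sub-step that enrolls `IAMAdmin` MFA in the engineer's personal authenticator should also say that this device and the `IAMAdmin` access keys are removed at the end of the bootstrap (the later step in this file does this), so nobody treats the personal enrollment as permanent.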
@@ -77,7 +78,7 @@ Region should be `us-gov-east-1` or `us-east-1`.
 ```
 CUSTOMERPREFIX=<customer-prefix>
 INITIALS=bp
-TICKET=MSOCI-1550
+TICKET=MSOCI-1726
 # cd to xdr-terraform-live folder
 git checkout master
 git fetch --all
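Review bot: `TICKET=MSOCI-1726` and `INITIALS=bp` are one engineer's values baked into a shared runbook, so every onboarding will need a doc commit like this one just to bump the ticket. Since `CUSTOMERPREFIX=<customer-prefix>` already uses a placeholder, `TICKET=<ticket>` and `INITIALS=<initials>` would be consistent with it and stop the block going stale.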
@@ -140,7 +141,7 @@ terragrunt apply
 Repeat for the govcloud account. Be sure to update your ~/.aws/credentials. Both the govcloud and commercial accounts needs to be configued.
 `cd ../../../aws-us-gov/mdr-prod-${CUSTOMERPREFIX}`
 
-If everything is working correct, delete the AWS access keys from the MDRAdmin user in both Commercial and GovCloud as well as IAMAdmin user and personal MFA. Update `files/config` and add the new account to the shared AWS confiugration. The new configuration should match this format.
+Atempt to login to the new account via the browser Switch Role. Start from the Common Services account and switch to new account. If everything is working correct, delete the AWS access keys from the MDRAdmin user in both Commercial and GovCloud as well as IAMAdmin user and personal MFA, unless you already did. Update `files/config` and add the new account to the shared AWS confiugration. The new configuration should match this format.
 
 `vim ~/.aws/config`
 
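Review bot: the added sentence is ambiguous about whose MFA gets removed: "delete the AWS access keys from the MDRAdmin user in both Commercial and GovCloud as well as IAMAdmin user and personal MFA, unless you already did" can be read as deleting `MDRAdmin`'s MFA too, whereas the earlier step only enrolled a personal authenticator for `IAMAdmin`. Suggest splitting it into two sentences: delete the `MDRAdmin` access keys in both partitions, then delete the `IAMAdmin` access keys and remove its MFA entry from your personal authenticator if not already done. Spelling while here: `Atempt` should be `Attempt`, `working correct` should be `working correctly`, and the pre-existing `confiugration` should be `configuration`.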

+ 74 - 17
Customer Decommision Notes.md

@@ -2,7 +2,7 @@
 
 Follow these steps to permently decommision a customer. 
 
-## These steps are to remove a customer POP
+## Remove the Customer POP/LCP Nodes
 5/18/2020
 
 Shutdown Splunk and disable to prevent new data going to the cluster. 
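Review bot: the heading is renamed but the date line under it still says `5/18/2020`, while the sibling section in the next hunk is bumped to `05/3/2021`; if the POP/LCP steps were re-verified as part of this rewrite, update this date as well, otherwise the mismatch reads as if this section is stale. The unchanged intro line also carries `permently decommision` (`permanently decommission`), which could be fixed while the file is open.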
@@ -22,45 +22,102 @@ salt saf-splunk-syslog-* cmd.run 'systemctl disable syslog-ng'
 salt saf-splunk-dcn-* cmd.run 'docker stop mdr-syslog-ng'
 ```
 
-Update TF code and remove whitelisted SG IPs and/or rules to remove access from POP to C&C, Salt master, and splunk indexers.
 
 ## Follow these steps to terminate a customer slice
-05/18/2020
+05/3/2021
 
 See `Splunk SAF Offboarding Notes.md` for notes on pulled data off an indexer to give to the customer. 
 
-Don't just terminate the instance, run `terraform destroy` in the appropriate folder!
+### Terraform, Sensu, SFT Removal
 
+Update TF code and remove whitelisted SG IPs and/or rules to remove access from POP to C&C, Salt master, and splunk indexers. This is stored in globals.hcl or account.hcl
+
+- Destroy the instances with the `terraform destroy` command in the appropriate folders.
+- Create new git branch in XDR-Terraform-Live
+- Remove the appropriate folder (e.g. mdr-prod-CUSTOMERPREFIX )
+Remove references to LCP nodes in the globals.hcl file. 
+- Remove Terraform salt provision references ( LEGACY ) ( terraform/02-msoc_vpc/cloud-init/provision_salt_master.sh )
+- Terraform C&C IP whitelisting for salt master and reposerver ( terraform/02-msoc_vpc/security-groups.tf )
+ 11. Terraform customer folder ( terraform/102-saf/ )
+ 12. Terraform common variables ( terraform/common/variables.tf )
+
+- Remove Customer from Portal Lambda Env Var ( base/customer_portal_lambda/main.tf )
  1. Once sensu starts alerting, delete the sensu entities and resolve the alerts
  2. On the salt master, delete the salt minion keys
  3. On ScaleFT website, delete the servers and project
  4. In the redhat website, remove the entitlements
  5. Ensure the customer vpc is fully deleted and no dependencies remain
  6. Delete the customer folder from the TF and update develop and master branches
- 7. Email Asha (Compliance/ISSO) and inform her that the servers can be removed from the FedRAMP inventory
 
 
-Remove IPs SAF: 12.42.184.208
 
-## Remove the Customer from the Code
+### Remove the Customer from the Salt Code
 
 Remove references of the customer from these places:
 
- 1. Atlantis configs ( atlantis.yaml )
- 2. Splunk Monitoring Console ( salt/fileroots/splunk/monitoring_console/init.sls  - salt/fileroots/splunk/search_head/init.sls )
- 3. Salt master configs ( default_acl.conf )
- 4. Salt Splunk files (salt/fileroots/splunk/files/saf_variables.jinja)
+ 2. Splunk Monitoring Console 
+ - salt/pillar/mc_variables.sls
+  ( apply the changes here: salt/fileroots/splunk/monitoring_console/init.sls  - salt/fileroots/splunk/search_head/init.sls )
+ 3. Salt master configs ( salt/fileroots/salt_master/files/etc/salt/master.d/default_acl.conf )
+ 4. Delete Salt Splunk files ( salt/pillar/${CUSTOMERPREFIX}_variables.sls salt/pillar/${CUSTOMERPREFIX}_pop_settings.sls)
  5. Salt top.sls and pillar/top.sls ( salt/fileroots/top.sls - salt/pillar/top.sls )
  6. Salt global_variables.sls, os_settings.sls (salt/pillar/global_variables.sls - salt/pillar/os_settings.sls )
- 7. Salt Customer specific Pillars ( salt/pillar/saf_pop_settings.sls - salt/pillar/saf_variables.sls )
  8. Salt gitfs pillar ( salt/pillar/salt_master.sls )
- 9. Terraform salt provision references ( terraform/02-msoc_vpc/cloud-init/provision_salt_master.sh )
- 10. Terraform C&C IP whitelisting for salt master and reposerver ( terraform/02-msoc_vpc/security-groups.tf )
- 11. Terraform customer folder ( terraform/102-saf/ )
- 12. Terraform common variables ( terraform/common/variables.tf )
+
  
 Update salt master
 `salt salt* state.sls salt_master`
 
-## Report the Decommissioned Hosts to the AFCC Team
+### Report the Decommissioned Hosts to the ISSO/AFCC Team
+```
+afcc@accenturefederal.com;asha.a.nair@accenturefederal.com
+```
+
+SUBJECT: Decommissioned Devices
+
+```
+Hello,
+
+The below instances have been decommissioned from the environment and should be removed from any reports or inventories. 
+
+<list full splunk UF name of instances>
+
+Thanks,
+Brad
+```
+
+The SOC will edit this lookup 
+https://moose-splunk.pvt.xdr.accenturefederalcyber.com/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit?namespace=SA-IdentityManagement&transform=simple_asset_lookup
+
+
+### Salt Master Keys Removal
+
+### Deactivate OKTA Apps
+
+### Sensu Agent Cleanup
+
+### SFT Cleanup
+
+### RedHat Licence Cleanup
+
+### Qualys Cleanup
+Go to Qualys Dashboard -> Cloud Agent -> Activation Keys
+
+### Archive Customer Git Repos
+Do this after the Salt Master gitfs has been updated to avoid any error messages. 
+
+Git > Settings > Options > Archive this repository
+
+### Update the AWS Configuration
+files/config in infrastructure-notes 
+
+Remove the AWS Account if we don't have access anymore. 
+https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/Cloud-Accounts
+
+### Clean Up Vault Passwords
+Delete engineering/customer_slices/<customer-name>
+Disable onboarding-<customer-name>
+
+### Remove AMI Access to AWS Account
 
+### Refresh the Monitoring Console webpage
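Review bot: the new checklist under "Terraform, Sensu, SFT Removal" mixes three list styles and has an orphan line: `- Remove the appropriate folder (e.g. mdr-prod-CUSTOMERPREFIX )` is followed by `Remove references to LCP nodes in the globals.hcl file.` with no bullet, and ` 11. Terraform customer folder ( terraform/102-saf/ )` and ` 12. Terraform common variables ( terraform/common/variables.tf )` keep the numbers from the old 12-item list they were cut from, so they render as a stray ordered list starting at 11. Make it a single list (bulleted, or numbered from 1) with the bare line as its own item. Two more things in the same hunk: the "Remove the Customer from the Salt Code" list now starts at `2.` because item 1 (Atlantis configs) was dropped, and several new headings (`Salt Master Keys Removal`, `Deactivate OKTA Apps`, `Sensu Agent Cleanup`, `SFT Cleanup`, `RedHat Licence Cleanup`, `Remove AMI Access to AWS Account`) have no body, while numbered steps 1 to 4 earlier in the section already cover sensu entities, salt minion keys, ScaleFT and RedHat entitlements; either move those steps under the matching headings or remove the empty ones. Is `AMI Access` meant to be IAM access? Lastly, the notification template hardcodes an individual's address next to `afcc@accenturefederal.com`; a role mailbox or distribution list is less likely to go stale than a named person.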

+ 2 - 6
New Customer Setup Notes - GovCloud.md

@@ -513,7 +513,7 @@ Note from Brad: Donkey! ( see Shrek 2 Dinner scene. https://www.youtube.com/watc
 
 ## Portal Lambda Env Var
 
-TODO: improve these notes. 
+TODO: Add new customer to Customer Portal Lambda
 Add the customer to the portal lambda env vars. base/customer_portal_lambda/main.tf
 
 ## Splunk configuration
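Review bot: the `TODO:` marker is now redundant, because the very next line already gives the instruction (`Add the customer to the portal lambda env vars. base/customer_portal_lambda/main.tf`); either drop the TODO or state what is still missing, for example the name of the environment variable that carries the customer list. Since the duplicate "Customer Portal Lambda" section is removed later in this file, this becomes the only place the step is documented, so it should be complete.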
@@ -571,10 +571,6 @@ Note: Once the Legacy Monitoring Console has moved to GC, the SGs will need to b
 
 TODO: Add notes for adding a new customer to the FM Shared Search Head. 
 
-## Customer Portal Lambda 
-
-TODO: Add new customer to Customer Portal Lambda? 
-
 ## Create New Vault KV Engine for Customer for Feed Management
 1. Log into Vault
 1. Enable new engine of type KV
@@ -689,7 +685,7 @@ salt ${CUSTOMERPREFIX}-splunk-ds\* state.highstate --output-diff
 
 salt ${CUSTOMERPREFIX}-splunk-syslog-\* state.sls os_modifications
 
-## Configure the Customer POP Git Repository 
+## Configure the Customer LCP/POP Git Repository 
 
 Add DS ServerClass.conf and Apps
 
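Review bot: naming consistency: this heading uses `LCP/POP` while the decommission notes in the same commit use `POP/LCP Nodes`; pick one order (and expand the acronyms once) so both runbooks can be found with a single search term.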

+ 24 - 6
files/config

@@ -107,12 +107,6 @@ aws_account_id = afs-mdr-common-services-gov
 region = us-gov-east-1
 duration_seconds = 28800
 
-[profile mdr-common-services-gov]
-role_arn = arn:aws-us-gov:iam::701290387780:role/user/mdr_terraformer
-region = us-gov-east-1
-color = ff1a1a
-source_profile = govcloud
-
 [profile mdr-test-c2-gov]
 role_arn = arn:aws-us-gov:iam::738800754746:role/user/mdr_terraformer
 region = us-gov-east-1
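Review bot: the removed `[profile mdr-common-services-gov]` block reappears verbatim in the next hunk, so this is a move rather than a deletion, but the commit message ("Updates AWS config and Other notes") gives no reason for the reorder; a short note such as grouping it with the other prod profiles would stop a future reader from treating the diff as a profile lost and restored. Section order does not matter to the AWS config parser, so there is no functional concern.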
@@ -131,6 +125,12 @@ region = us-gov-east-1
 color = 369e1a
 source_profile = govcloud
 
+[profile mdr-common-services-gov]
+role_arn = arn:aws-us-gov:iam::701290387780:role/user/mdr_terraformer
+region = us-gov-east-1
+color = ff1a1a
+source_profile = govcloud
+
 [profile mdr-prod-c2-gov]
 role_arn = arn:aws-us-gov:iam::721817724804:role/user/mdr_terraformer
 region = us-gov-east-1
@@ -179,6 +179,24 @@ region = us-gov-east-1
 color = ff1a1a
 source_profile = govcloud
 
+[profile mdr-prod-dc-c19-gov]
+role_arn = arn:aws-us-gov:iam::520742937262:role/user/mdr_terraformer
+region = us-gov-east-1
+color = ff1a1a
+source_profile = govcloud
+
+[profile mdr-prod-ma-c19-gov]
+role_arn = arn:aws-us-gov:iam::555457296585:role/user/mdr_terraformer
+region = us-gov-east-1
+color = ff1a1a
+source_profile = govcloud
+
+[profile mdr-prod-la-c19-gov]
+role_arn = arn:aws-us-gov:iam::520722177857:role/user/mdr_terraformer
+region = us-gov-east-1
+color = ff1a1a
+source_profile = govcloud
+
 ;
 ;CYBERRANGE
 ;
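Review bot: only the GovCloud profiles are added for the three new accounts (`mdr-prod-dc-c19-gov`, `mdr-prod-ma-c19-gov`, `mdr-prod-la-c19-gov`), while the setup notes changed in this same commit say both the commercial and GovCloud accounts need to be configured; check whether the matching commercial profiles already exist or were left out. All three entries assume `role/user/mdr_terraformer` via `source_profile = govcloud` with `color = ff1a1a`, which matches the existing prod entries, so the remaining question is whether the `-c19` suffix fits the `mdr-prod-${CUSTOMERPREFIX}` naming that the account notes prescribe for the Vault entry and Terraform folder.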