Fred Damstra 5 years ago
parent
commit
febf393c14

+ 2 - 1
GovCloud Notes.md

@@ -1,3 +1,4 @@
 What services are needed in GovCloud?
 ECR
-codebuild
+codebuild
+
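Review bot: the `-codebuild`/`+codebuild` pair is a whitespace-only change (the visible text is identical, so only trailing whitespace or the line ending differs) and the remaining `+` line only appends a blank line at the end of the file; nothing in the GovCloud service list actually changes in this hunk. If the intent was to fix a missing newline at end of file, a single-line fix without the extra blank line keeps the diff readable.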

+ 11 - 0
Okta Notes.md

@@ -8,3 +8,14 @@ Password expiration report
 OKTA -> Reports -> Okta Password Health
 Open with Brackets Not excel
 
+## Okta and Terraform
+
+Fred ignored the above advice and created an okta API key for himself (Web UI: `Admin->Security->API->Create Token`)
+
+Then:
+```
+export OKTA_API_TOKEN=[token here]
+terragrunt apply
+```
+
+
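Review bot: `export OKTA_API_TOKEN=[token here]` writes the token into the shell history file and exposes it to every child process of that shell; prefer `read -rs OKTA_API_TOKEN && export OKTA_API_TOKEN` (or a secrets-manager lookup) so the value is never typed on a command line. An Okta API token created through `Admin->Security->API->Create Token` inherits the full permissions of the admin who created it, so this section should also say to revoke the token once the `terragrunt apply` work is done. Finally, "ignored the above advice" points at advice that is not in the three context lines shown (`Okta Password Health`, `Open with Brackets Not excel`); restate it or link to it so the subsection stands on its own.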

+ 11 - 0
Salt Notes.md

@@ -59,3 +59,14 @@ sudo salt-run fileserver.update # Refresh from git
 salt target saltutil.sync_all saltenv=mybranchname 
 salt target state.sls mytestsls saltenv=mybranchname 
 ```
+
+## Bringing on a new minion
+
+You probably want the grains synchronized before the minion is pushed to highstate.
+After accepting the key, run:
+```
+salt '*' saltutil.sync_grains
+salt '*' saltutil.sync_all
+```
+
+We can do this via a reactor. See https://docs.saltstack.com/en/latest/topics/reactor/index.html#minion-start-reactor
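Review bot: `salt '*' saltutil.sync_grains` and `salt '*' saltutil.sync_all` target every minion, not the one just brought on; use the new minion's id as the target (`salt 'newminion' saltutil.sync_all`), and drop the `sync_grains` line because `sync_all` already syncs grains. "After accepting the key" should also tell the reader to compare fingerprints first (`salt-key -f <id>` on the master against `salt-call --local key.finger` on the minion) rather than blindly accepting pending keys; an unverified accept is how a rogue host joins the fleet. The minion-start reactor link is the right direction, but note there that the event fires on every minion restart, so the reaction must be safe to run repeatedly.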

+ 1 - 0
Terraform Notes.md

@@ -123,3 +123,4 @@ terraform apply -target=module.vpc_default_security_groups.aws_security_group_ru
 
 terraform apply -target=module.afs_cluster.module.vpc_default_security_groups.aws_security_group_rule.typical_host_outbound_to_sensu_5672 -target=module.afs_cluster.module.vpc_default_security_groups.aws_security_group_rule.typical_host_outbound_to_sensu_8081
 
+

+ 12 - 0
Terragrunt Notes.md

@@ -0,0 +1,12 @@
+# Terragrunt Notes
+aka "how to develop the terraform 12 stuff"
+
+
+## Local cache of providers
+helpful tip, speed up cache by adding the following to your `~./bashrc`:
+```
+export TF_PLUGIN_CACHE_DIR=~/.terraform.d/plugin-cache
+[[ -d "$TF_PLUGIN_CACHE_DIR" ]] || mkdir -p $TF_PLUGIN_CACHE_DIR
+```
+
+
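Review bot: `~./bashrc` in the tip should be `~/.bashrc`. The second line tests `"$TF_PLUGIN_CACHE_DIR"` quoted but passes it unquoted to `mkdir -p`; quote both uses. Worth a one-line caveat that every workspace on the machine loads provider binaries from this shared `~/.terraform.d/plugin-cache`, so anything able to write there can swap a provider; keep the directory user-owned and not group/world writable.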

+ 29 - 0
Vault Notes.md

@@ -170,3 +170,32 @@ entity_34d6c410 -< nothing in logs
 "entity_id":"c3c0b50b-9429-355d-8c8f-038e093c3e4b
 entity_ba27bb07 < - nothing in logs
 0c86fda6-1139-7914-fef5-6b7532e9fb5a
+
+## Vault with Terraform
+
+This simple tf will grab a secret from the vault. Note that the password is printed in plaintext and there is currently no way to avoid that short of putting the values in environment variables.
+
+And for some reason, this prompts 3 times.
+```
+variable login_username {}
+variable login_password {}
+
+provider "vault" {
+  address = "https://vault.mdr.defpoint.com"
+  auth_login {
+    path = "auth/okta/login/${var.login_username}"
+
+    parameters = {
+      password = var.login_password
+    }
+  }
+}
+
+data "vault_generic_secret" "palo_auth" {
+  path = "engineering/palo_alto/firewall_notes"
+}
+
+output "secret" {
+  value = data.vault_generic_secret.palo_auth.data
+}
+```
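Review bot: the sentence "there is currently no way to avoid that short of putting the values in environment variables" misplaces where the exposure is. `output "secret"` echoes `data.vault_generic_secret.palo_auth.data` to the terminal, but a data source result is written to the Terraform state whether or not it is output, so the state backend for this module must be treated as holding the `engineering/palo_alto/firewall_notes` secret; drop the output and reference the attribute where it is consumed. Whatever causes the three prompts, supplying `TF_VAR_login_username` and `TF_VAR_login_password` (or a `-var-file`) removes them and keeps the password off the terminal, which is what the note half-recommends already. Give both `variable` blocks a `type = string` while here, and say in the text that `auth/okta/login/${var.login_username}` logs in as the person running the apply, so the resulting state is tied to their personal Vault access.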

+ 92 - 0
VirtualBox Build Notes.md

@@ -0,0 +1,92 @@
+# VirtualBox Build Notes.md
+
+## To get a local test network
+
+### Create the base OVF
+1. install virtualbox
+1. download the centos7-minimal dvd iso, and store in your copy of `msoc-infrastructure/packer` (suggestion: keep an ISOs directory and make a symbolic link into the packer directory)
+1. Edit `http/ks.local.cfg` and update with your username and password
+1. Run `make base-local` to create a local iso.
+
+### Create a new salt master
+1. In virtualbox, select "Import".
+1. Under `msoc-infrastructure/packer/output-virtualbox-iso`, select `packer-centos-7-local-x86_64.ova`
+1. Click 'Continue'
+1. Edit settings:
+  * name: salt-master
+  * Network: Set to paravirtualized network
+  * Virtual Disk Image: Rename to `salt-master.vmdk` or somethimg memorable
+  * Mac Address Policy: "Generate new MAC addresses for all network adapters."
+1. click "Import"
+1. Edit settings:
+  * Display: Video memory: set to 4MB
+  * Display: Remote display: Disable
+  * Storage: SATA Controller, check "Use Host I/O Cache"
+  * Network: Attached To: Set to "Bridged" with your wireless adapter (verify it's the paravirtualized adapter while you're there)
+  * Shared Folders -> Create a machine folder to point to your msoc-infrastructure directory (allows you to use the same git repo on the guest VM)
+1. Click 'Start' or 'Start (headless)'
+
+### Set up the guest tools
+1. ssh to local box (may need to look up ip address; i set a static lease)
+1. Change your password and the root password. (Default is 'changeme')
+1. Install guest additions:
+```
+sudo yum update && sudo yum upgrade
+sudo yum groupinstall "Development Tools"
+sudo yum install vim kernel-devel
+sudo yum --enablerepo=epel install dkms
+sudo mount /root/VBoxGuestAdditions.iso /mnt
+cd /mnt
+sudo ./VBoxLinuxAdditions.run
+```
+1. Add the shared folder mount point `mkdir ~/msoc-infrastructure`
+1. Add this to `/etc/fstab`:
+```
+msoc-infrastructure     /home/fdamstra/msoc-infrastructure      vboxsf  uid=fdamstra,gid=fdamstra       0 0
+```
+1. Reboot
+
+### Match the Salt AMI
+1. ssh to salt master
+1. Run the scripts in `rhel7_hardened_saltmaster_ami.json`:
+```
+cd msoc-infrastructure/packer/
+# Skipping add-rhel-subscription, cuz centos
+sudo scripts/add-saltstack-repo.sh
+# Skipping add-epel-repo, because how many times do we need to do this?
+sudo scripts/provision-salt-minion.sh
+# Have to do the "internal-configure-minion.sh" stuff ourselves, becuase
+# we don't match.
+sudo echo "master: salt-master.home.monkeybox.org" | tee /etc/salt/minion
+sudo scripts/provision-salt-master.sh
+# Skipping scripts/install-ssm-agent.sh because not in aws
+# Skipping scripts/cloud-init-resize-fs.sh becase not in aws
+# Skipping scripts/remove-machine-id.sh because not bulding more than one
+# Skipping scripts/remove-rhel-subscription.sh because not building more than one
+```
+1. Reboot
+
+### Get Salt Functional
+1. Run the cloud init script:
+```
+cd msoc-infrastructure/terraform/02-msoc_vpc/cloud-init/
+sudo bash provision_salt_master.sh
+```
+Errors about secrets are expected. Lots of amazon stuff just won't work.
+1. remove `/etc/salt/pki/master/master.{pem,pub}`
+1. fix the minion id: `echo salt-master.home.monkeybox.org > /etc/salt/minion_id`
+1. start salt-master service
+1. start salt-minion service
+1. Accept the key: `sudo salt-key -A`
+1. Create /etc/salt/master.d/file_roots.conf:
+```
+file_roots:
+  base:
+    # Used by the maxmind stuff, not in gitfs because we download
+    # this file by script every so often
+    - /var/opt/salt
+```
+1. Link to the file root (we don't use gitfs here):
+```
+ln -s /home/fdamstra/msoc-infrastructure/salt/fileroots /var/opt/salt
+```
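Review bot: `sudo echo "master: salt-master.home.monkeybox.org" | tee /etc/salt/minion` applies `sudo` only to `echo`; `tee` runs unprivileged and cannot write `/etc/salt/minion`, so the step fails unless the whole shell is already root. Use `echo "master: salt-master.home.monkeybox.org" | sudo tee /etc/salt/minion`. The same bug is in "Get Salt Functional": `echo salt-master.home.monkeybox.org > /etc/salt/minion_id` has the redirect done by the unprivileged shell; use `| sudo tee /etc/salt/minion_id`. Also: the `/etc/fstab` line and the `ln -s /home/fdamstra/...` step hardcode one user's home directory, so say "replace fdamstra with your user"; step 3 of "Create the base OVF" has the reader put a username and password into `http/ks.local.cfg` inside the repo, so warn not to commit it (or gitignore a local copy); and the `sudo mount /root/VBoxGuestAdditions.iso /mnt` step assumes the ISO is already in `/root`, but nothing above says how it gets there (the "Insert Guest Additions CD image" menu action or a copy step is missing).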

+ 15 - 0
dnsmasq.md

@@ -0,0 +1,15 @@
+# dnsmasq.md
+
+dnsmasq is a good idea.
+
+## Cacheing dns server config
+
+
+## Redirect DNS lookups for particular domains
+`/etc/dnsmasq.d/amazonaws.conf`
+
+```
+server=/amazonaws.com/169.254.169.253
+```
+
+
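Review bot: `server=/amazonaws.com/169.254.169.253` forwards to the Amazon-provided VPC resolver, a link-local address that only answers from inside an AWS VPC; on the local VirtualBox test network documented elsewhere in this commit, those queries will time out. Say which host this `/etc/dnsmasq.d/amazonaws.conf` belongs on (an instance in the VPC), or point the local network at a resolver it can reach. The `## Cacheing dns server config` heading is empty and misspelled ("Caching"); either fill it in or drop it until there is content.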

BIN
images/aws_account_manager.png


BIN
images/symantec-auth-client-plugin-1_16-installer (1).dmg


BIN
images/symantec-auth-client-plugin-1_16-installer.dmg
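Review bot: `images/symantec-auth-client-plugin-1_16-installer.dmg` and `images/symantec-auth-client-plugin-1_16-installer (1).dmg` appear to be the same macOS installer added twice (the `(1)` suffix is a browser's duplicate-download name), and a binary installer does not belong in an `images/` directory of a notes repo. If it must be kept, keep one copy in a suitably named directory and record where it was downloaded from and its checksum, so anyone installing it later can verify it.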