# XDR AWS New Account Setup Notes

## Timecode

You should be using the customer T&E charge code. If you don't have one, put the time into a suspense code and move it to the correct timecode when you get it. The suspense code is: `SSPNS.500.001.001 Contract Civilian Sus Lbr`.

## Request a new account from AWS via AFS

AFS Help -> Submit a request -> Non standard software and pre-approved project management tools -> Cloud managed services

* CFM approver: jordana.lang
* P104 approver: jennifer.l.combs
* Very helpful guy for filling out the AWS request: Osman Soofi, osman.soofi@accenturefederal.com

## Bootstrap the Account

AFS Support will send you two login URLs and passwords per account (one for commercial, one for GovCloud).

### Prerequisites

Install the `aws-mfa` utility:

```
git clone https://github.com/duckfez/aws-mfa.git
# This is a patched version that includes GovCloud support.
# Make it executable and put it on your PATH however you normally do
# (symlink into /usr/local/bin, copy it into your path, etc.), e.g.:
ln -s /path_to_repo/aws-mfa/aws-mfa /usr/local/bin/aws-mfa
# Optional: change the #! line in aws-mfa to /usr/bin/env python3
```

### Step 1: Secure the Root Account

1. Record all account information in the [msoc-infrastructure-wiki `cloud-accounts.md`](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts) doc.
2. Go to https://vault.mdr.defpoint.com.
3. Navigate to `engineering/cloud/aws/root-creds/`:
    * Create a new entry for the account alias. Use the naming scheme `mdr-prod-${CUSTOMERPREFIX}`.
    * Copy the JSON from an existing entry; it should contain both commercial and GovCloud records.
    * Create a new version of the new secret and add the JSON.
    * If needed, add fields for the MFA secrets called `commerical_mfa_secret` and `gov_mfa_secret`.
4. Log in to the AWS account via web browser.
5. CAMRS may have created "our user" as `IAMAdmin`, or as `MDRAdmin`. Our tooling expects `MDRAdmin`, so if the account came with `IAMAdmin` you need to create `MDRAdmin`:
    1. :warning: Set up MFA for `IAMAdmin` in your personal virtual authenticator and log in as `IAMAdmin` with MFA.
    2. Create the `MDRAdmin` user in the AWS Console.
    3. Assign a password.
    4. Attach the policy `IAMUserChangePassword` directly to the user and create the user.
    5. After the user is created, put the user in the `camrs-group-iam` group.
    6. Log out of `IAMAdmin` and log in as `MDRAdmin`.
6. Change the `MDRAdmin` password to something that does not include JSON characters (quotes, braces, backslashes; the Vault entry is stored as JSON) and record it in Vault.
7. Follow the instructions in ["Using Vault for TOTP things", section "Adding a new TOTP Code" in cloud-accounts.md](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts#adding-a-new-totp-code---especially-for-an-aws-account) to configure and store the MFA token for the root account.
8. Put the MFA secret key into the `*_mfa_secret` field in Vault.
9. Sign out and back in. This is not optional: the IAM policies require MFA, and the MFA-authenticated session only exists after a fresh login.
10. Go back to IAM and create access keys for the `MDRAdmin` user. Store them for later use; they are long-lived credentials and are deleted again at the end of Step 2.
11. Delete `IAMAdmin` from AWS and from your personal virtual authenticator.

Repeat for additional accounts and retain the AWS access keys for later use.

### Step 2: Bootstrap the account

1. Starting with the commercial AWS account, if applicable, add the access and secret keys to your local `~/.aws/credentials` file as a temporary profile called `tmp-long-term`:

    ```
    [tmp-long-term]
    aws_access_key_id =
    aws_secret_access_key =
    aws_mfa_device = arn:{partition}:iam::{account}:mfa/MDRAdmin
    ```

    `{partition}` is `aws` for commercial (region `us-east-1`) or `aws-us-gov` for GovCloud (region `us-gov-east-1`).
2. Run `aws-mfa --profile tmp --region={region}` (note: no `-long-term`; the script assumes that suffix itself and writes the short-term credentials to the `tmp` profile). To switch from GovCloud to commercial, or back, use the `--force` flag so the cached session is replaced.
3. Verify the account number: `AWS_PROFILE=tmp aws sts get-caller-identity --region={region}`. The `Account` field must match the account you recorded in Vault and the wiki.
4. Update and branch the xdr-terraform-live Git repo (see below).
    1. Name the branch `feature/${INITIALS}_${TICKET}_CustomerSetup_${CUSTOMERPREFIX}`.
    2. This branch will be used in future steps.
5. Create a copy of the account skeleton (see below).
6. Change directories to where you have the xdr-terraform-live git repo and set the `CUSTOMERPREFIX` variable:

```
CUSTOMERPREFIX=
INITIALS=bp
TICKET=MSOCI-1550
# cd to the xdr-terraform-live folder
git checkout master
git fetch --all
git pull origin master
git checkout -b feature/${INITIALS}_${TICKET}_CustomerSetup_${CUSTOMERPREFIX}
```

If the account is NOT GOING TO BE USED, run these commands. This would probably only apply to the commercial account. It is done so the AWS account is properly managed and not forgotten about.

```
cp -r 000-skeleton/ prod/aws/mdr-prod-${CUSTOMERPREFIX}
cd prod/aws/mdr-prod-${CUSTOMERPREFIX}
echo "This account is unused" > UNUSED.ACCOUNT
rm -rf 010-vpc-splunk/ 021-qualys-connector-role/ 025-test-instance/ 072-salt-master-inventory-role/ 140-splunk-frozen-bucket/ 150-splunk-cluster-master/ 160-splunk-indexer-cluster/ 170-splunk-searchhead/ 180-splunk-heavy-forwarder/
vim README.md   # Add a description of the account
vim account.hcl # Fill in all "TODO" items, but leave "LATER" items (such as qualys) to be completed later.
cd ../../../
```

For accounts that will be used (e.g. GovCloud):

```
cp -r 000-skeleton/ prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
cd prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
vim README.md   # Add a description of the account
vim account.hcl # Fill in all "TODO" items, but leave "LATER" items (such as qualys) to be completed later.
```

The following steps should be run on both the commercial and GovCloud accounts. Start with the commercial account to use the AWS keys.

1. cd into the IAM directory: `cd 005-iam`
2. Double-check / fix the profile:

```
vim terragrunt.hcl # Check TODO items; make sure the profile (tmp) listed is right / matches what you set up above
```

3. Apply the configuration:

```
saml2aws -a commercial login
saml2aws -a govcloud login
terragrunt init
terragrunt validate
terragrunt apply
```

If the `terragrunt apply` hangs and doesn't do anything, the `tmp` session credentials have expired: authenticate with `aws-mfa` again.

4. Comment out the provisioning provider block and validate that terragrunt can be applied with the normal xdr-terraformer roles from the root account:

```
vim terragrunt.hcl # comment out the provider generation parts
terragrunt apply   # Should be no changes
```

Repeat for the GovCloud account: `cd ../../../aws-us-gov/mdr-prod-${CUSTOMERPREFIX}`. Be sure to update your `~/.aws/credentials` first (the GovCloud keys in `tmp-long-term`, with the `aws-us-gov` partition in the MFA device ARN) and re-run `aws-mfa` with `--force`. Both the GovCloud and commercial accounts need to be configured.

If everything is working correctly, delete the AWS access keys from the `MDRAdmin` user in both commercial and GovCloud, as well as the `IAMAdmin` user and your personal MFA entry for it. The keys were only needed for the bootstrap and should not outlive it.

Update `files/config` and add the new account to the shared AWS configuration. The new configuration should match this format (`vim ~/.aws/config`).

GovCloud format:

```
[profile mdr-prod-${CUSTOMERPREFIX}-gov]
role_arn = arn:aws-us-gov:iam::{account}:role/user/mdr_terraformer
region = us-gov-east-1
color = ff1a1a
source_profile = govcloud
```

Add the new AWS config to your browser plugin, if applicable.
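The `tmp-long-term` credentials stanza in Step 2 and the `~/.aws/config` entry above are easy to get subtly wrong (an `aws` partition paired with a GovCloud region, an account ID pasted from the wrong Vault entry), and the `get-caller-identity` check is only worth running if you compare its output against the account you meant to bootstrap. The shell helpers below are an added example for this page; they are not part of xdr-terraform-live, aws-mfa or any tool named above. They render both stanzas from a partition, account and customer prefix, refuse anything that is not a 12-digit account ID, and compare the `Account` field of a `get-caller-identity` result with the expected account. The account ID `123456789012`, the prefix `acme` and the JSON in the usage comments are constructed samples, not real accounts.

```shell
#!/usr/bin/env sh
# Example helpers for the credential and config steps in this runbook.
# Not part of xdr-terraform-live; account IDs and prefixes used in the
# comments are made up.

# Region that goes with each partition (the only two this runbook uses).
region_for_partition() {
    case "$1" in
        aws)        echo us-east-1 ;;
        aws-us-gov) echo us-gov-east-1 ;;
        *) echo "unknown partition: $1" >&2; return 1 ;;
    esac
}

# AWS account IDs are exactly 12 digits; catch a pasted ARN or typo early.
is_account_id() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 12 ]
}

# Stanza for ~/.aws/credentials. The key fields are left blank on purpose:
# paste the MDRAdmin keys in by hand rather than passing them on a command
# line, where they would land in shell history.
# Usage: render_long_term_profile aws-us-gov 123456789012 >> ~/.aws/credentials
render_long_term_profile() {
    is_account_id "$2" || { echo "bad account id: $2" >&2; return 1; }
    region_for_partition "$1" >/dev/null || return 1
    printf '[tmp-long-term]\naws_access_key_id =\naws_secret_access_key =\n'
    printf 'aws_mfa_device = arn:%s:iam::%s:mfa/MDRAdmin\n' "$1" "$2"
}

# Stanza for ~/.aws/config in the GovCloud format from the runbook.
# Usage: render_gov_profile acme 123456789012 >> ~/.aws/config
render_gov_profile() {
    is_account_id "$2" || { echo "bad account id: $2" >&2; return 1; }
    printf '[profile mdr-prod-%s-gov]\n' "$1"
    printf 'role_arn = arn:aws-us-gov:iam::%s:role/user/mdr_terraformer\n' "$2"
    printf 'region = us-gov-east-1\ncolor = ff1a1a\nsource_profile = govcloud\n'
}

# Pull the "Account" value out of get-caller-identity JSON without jq.
caller_account() {
    printf '%s' "$1" | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]*\)".*/\1/p'
}

# Compare the account behind a profile with the one recorded in Vault/wiki.
# $1 = expected account ID, $2 = JSON output of `aws sts get-caller-identity`.
check_caller_account() {
    actual=$(caller_account "$2")
    if [ "$actual" = "$1" ]; then
        echo "ok: profile is in account $actual"
    else
        echo "MISMATCH: expected $1, profile is in '${actual:-?}'" >&2
        return 1
    fi
}

# Live check against the `tmp` profile written by aws-mfa. Needs network and
# a fresh MFA session, so it is defined here but not run automatically.
# Usage: verify_tmp_profile 123456789012 us-gov-east-1
verify_tmp_profile() {
    check_caller_account "$1" \
        "$(AWS_PROFILE=tmp aws sts get-caller-identity --region "$2" --output json)"
}
```

Source the file, render the `tmp-long-term` stanza for the account you are bootstrapping, run `aws-mfa` as in Step 2, then run `verify_tmp_profile` with the account ID from Vault before touching `terragrunt apply`. A mismatch means the keys in `tmp-long-term` belong to a different account, which is exactly the situation that would otherwise be discovered by applying the IAM skeleton to the wrong place.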