# XDR AWS New Account Setup Notes

## Request a new account from AWS via AFS

AFS Help -> Submit a request -> non standard software and pre-approved project management tools -> cloud managed services

* CFM approver: jordana.lang
* P104 approver: jennifer.l.combs
* Very helpful guy for filling out the AWS request: Osman Soofi, osman.soofi@accenturefederal.com

## Bootstrap the Account

AFS Support will send you two login URLs and passwords per account (one for commercial, one for GovCloud).

### Prerequisites

Install the aws-mfa utility via:

```
git clone https://github.com/duckfez/aws-mfa.git
# This is a patched version that includes GovCloud support.
# Do whatever your process is for making this executable: symlink it into /usr/local/bin, copy it onto your path, etc.
# Optional: change the #! line in aws-mfa to /usr/bin/env python3
```

### Step 1: Secure the Root Account

1. Record all account information in the [msoc-infrastructure-wiki `cloud-accounts.md`](https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts) doc.
1. Go to https://vault.mdr.defpoint.com
1. Navigate to `engineering/cloud/aws/root-creds/`:
    * Create a new entry for the account alias.
    * Copy the JSON from an existing entry; it should contain both a commercial and a GovCloud record.
    * Create a new version of the new secret and add the JSON.
1. Log in to the AWS account via web browser.
1. Change the password to something that does not include characters that would break the JSON in the vault entry (quotes, backslashes) and record it in the vault.
1. Follow the instructions in ["Using Vault for TOTP things", section "Adding a new TOTP Code" in cloud-accounts.md](https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts#adding-a-new-totp-code---especially-for-an-aws-account) to configure and store the MFA token for the root account.
1. Sign out and back in. (Not optional! The IAM policies require MFA, and the session you are in was established before the device existed.)
1. Go back to IAM and create access keys.

Repeat for additional accounts.

### Step 2: Bootstrap the accounts

1. Add the access key ID and secret key to your local `~/.aws/credentials` file as a temporary profile called `tmp-long-term`. The partition is `aws` for commercial and `aws-us-gov` for GovCloud:
   ```
   [tmp-long-term]
   aws_security_token =
   aws_access_key_id =
   aws_secret_access_key =
   aws_mfa_device = arn:{partition}:iam::{account}:mfa/MDRAdmin
   ```
1. Run `aws-mfa --profile tmp`. (Note: no `-long-term` suffix; the script appends it itself and writes the short-term credentials to the `tmp` profile.)
1. Verify the account number: `AWS_PROFILE=tmp aws sts get-caller-identity`
1. Create a copy of the account skeleton:
   ```
   cd msoc-infrastructure/terraform-0.12/accounts/aws
   cp -rp 000-skeleton {account-alias}
   ```
1. Prepare the configuration for the new account:
   ```
   cd {account-alias}
   vim README.md          # Add a description of the account.
   vim terragrunt.hcl     # Fix all the lines marked "TODO"
   cd 005-iam
   rm -rf .terraform terraform.tfstate*   # shouldn't be there if you copied from the skeleton
   vim child-account.tf   # Fix all the lines marked "TODO"
   ```
1. Apply the configuration:
   ```
   saml2aws -a commercial login
   terragrunt validate
   terragrunt apply
   ```
1. Fix the profile:
   ```
   vim ../terragrunt.hcl
   # Delete the line with `profile=tmp` and uncomment the line with `profile=commercial`
   # Uncomment the `assume_role` section and fix the account number.
   ```
1. Validate that terragrunt can be applied:
   ```
   terragrunt apply   # Should be no changes
   ```
   Once this succeeds through `profile=commercial` and `assume_role`, the `tmp-long-term` keys have done their job and are no longer needed in `~/.aws/credentials`.

### Repeat for GovCloud with slight changes

The above steps need to be repeated for accounts in GovCloud. Here are the steps from "Step 2" in abbreviated format:

```
vim ~/.aws/credentials   # aws_mfa_device uses the aws-us-gov partition
aws-mfa --profile tmp --region us-gov-east-1
AWS_PROFILE=tmp aws --region us-gov-east-1 sts get-caller-identity
cd msoc-infrastructure/terraform-0.12/accounts/aws-us-gov
cp -rp 000-skeleton {account-alias}
cd {account-alias}
vim README.md          # Add a description of the account.
vim terragrunt.hcl     # Fix all the lines marked "TODO"
cd 005-iam
rm -rf .terraform terraform.tfstate*   # shouldn't be there if you copied from the skeleton
vim child-account.tf   # Fix all the lines marked "TODO"
saml2aws -a govcloud login
terragrunt validate
terragrunt apply
vim ../terragrunt.hcl
# Delete the line with `profile=tmp` and uncomment the line with `profile=govcloud`
# Uncomment the `assume_role` section and fix the account number.
terragrunt apply   # Should be no changes
```
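Both the commercial and the GovCloud bootstrap hinge on the same two things: a correctly formed `tmp-long-term` profile, and confirming with `sts get-caller-identity` that the MFA session really is in the new account before the first `terragrunt apply`. The Python below is an added example, not code from this page or from aws-mfa: it parses that profile, derives partition, account number and STS region from the `aws_mfa_device` ARN, diffs a `get-caller-identity` response against them, and renders the short-term `[tmp]` section. The credentials file, account number, STS responses and the per-partition default regions are constructed assumptions, and the short-term field names are what this example assumes aws-mfa writes.

```python
"""Offline checks for the aws-mfa bootstrap step. Added example, not the page's
or aws-mfa's own code: reads the [tmp-long-term] profile, derives partition,
account and STS region from the aws_mfa_device ARN, checks that
`aws sts get-caller-identity` output matches that account, and renders the
short-term profile in the shape aws-mfa writes."""
import configparser
import io
import json
import re

# Constructed sample credentials file; account number and keys are made up.
SAMPLE_CREDENTIALS = """
[tmp-long-term]
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_mfa_device = arn:aws-us-gov:iam::123456789012:mfa/MDRAdmin
"""

# Constructed `aws sts get-caller-identity` output for the same account.
SAMPLE_IDENTITY = json.dumps({
    "UserId": "AIDAEXAMPLEUSER000001",
    "Account": "123456789012",
    "Arn": "arn:aws-us-gov:iam::123456789012:user/MDRAdmin",
})

# Constructed GetSessionToken response (field names follow the STS API).
SAMPLE_SESSION = {
    "AccessKeyId": "ASIAEXAMPLESESSION01",
    "SecretAccessKey": "examplesecret/1234567890abcdefEXAMPLE",
    "SessionToken": "FQoGZXIvYXdzEXAMPLETOKEN",
    "Expiration": "2020-01-01T12:00:00Z",
}

MFA_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):mfa/([\w+=,.@/-]+)$")

# Region to hand STS for each partition; us-gov-east-1 matches the page's
# GovCloud commands. These defaults are an assumption of this example.
DEFAULT_REGION = {"aws": "us-east-1", "aws-us-gov": "us-gov-east-1", "aws-cn": "cn-north-1"}


def parse_mfa_arn(arn):
    """Split an IAM MFA device ARN into partition, account and device name.
    Rejects anything that is not an mfa/ resource (e.g. a user ARN pasted by
    mistake), a common reason the STS call fails with a vague error."""
    m = MFA_ARN.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM MFA device ARN: {arn!r}")
    partition, account, device = m.groups()
    return {"partition": partition, "account": account, "device": device,
            "region": DEFAULT_REGION[partition]}


def load_long_term(credentials_text, profile):
    """Read the `<profile>-long-term` section (aws-mfa adds the suffix itself)
    and make sure every field the tool needs is present and well-formed."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_text)
    section = f"{profile}-long-term"
    if not cp.has_section(section):
        raise KeyError(f"missing [{section}] in credentials file")
    lt = cp[section]
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_mfa_device"):
        if not lt.get(key):
            raise ValueError(f"[{section}] has no {key}")
    info = parse_mfa_arn(lt["aws_mfa_device"])
    info["access_key_id"] = lt["aws_access_key_id"]
    return info


def check_caller_identity(expected, identity_json):
    """Compare `aws sts get-caller-identity` output with the MFA ARN.
    Returns a list of mismatches; an empty list means the short-term profile
    is in the account and partition you are about to run terragrunt against."""
    ident = json.loads(identity_json)
    problems = []
    if ident.get("Account") != expected["account"]:
        problems.append(f"account {ident.get('Account')} != {expected['account']}")
    arn_parts = ident.get("Arn", "").split(":")
    partition = arn_parts[1] if len(arn_parts) > 1 else None
    if partition != expected["partition"]:
        problems.append(f"partition {partition} != {expected['partition']}")
    return problems


def render_short_term(profile, session):
    """Render the `[<profile>]` section from a GetSessionToken response.
    Writes the token under both aws_session_token and the legacy
    aws_security_token name (assumed to mirror what aws-mfa writes)."""
    cp = configparser.ConfigParser()
    cp[profile] = {
        "aws_access_key_id": session["AccessKeyId"],
        "aws_secret_access_key": session["SecretAccessKey"],
        "aws_session_token": session["SessionToken"],
        "aws_security_token": session["SessionToken"],
        "expiration": session["Expiration"],
    }
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    info = load_long_term(SAMPLE_CREDENTIALS, "tmp")
    print(f"bootstrapping {info['partition']} account {info['account']} via {info['region']}")
    problems = check_caller_identity(info, SAMPLE_IDENTITY)
    print("identity check:", "ok" if not problems else problems)
    print(render_short_term("tmp", SAMPLE_SESSION))
```

Feed real `aws sts get-caller-identity` output to `check_caller_identity` before the first `terragrunt apply`; a non-empty result means the wrong profile, account or partition is active, which is exactly the mistake that applies a commercial skeleton against a GovCloud account.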