# XDR AWS New Account Setup Notes

## Timecode

You should be using the customer T&E charge code. If you don't have one, you can put the time into a suspense code and switch it to the correct timecode when you get it.

The suspense code is: `SSPNS.500.001.001 Contract Civilian Sus Lbr`

## Request a New Account from AWS via AFS

AFS Help -> Submit a request -> non standard software and pre-approved project management tools -> cloud managed services

* CFM approver: jordana.lang
* P104 approver: jennifer.l.combs
* VERY helpful guy for filling out the AWS request: Osman Soofi, osman.soofi@accenturefederal.com

## Bootstrap the Account

AFS Support will send you two login URLs and passwords per account (one for commercial, one for GovCloud).

### Prerequisites

Install the `aws-mfa` utility via:

```
# This is a patched version to include govcloud support
git clone https://github.com/duckfez/aws-mfa.git
# do whatever your process is for making this executable... link to /usr/local/bin, copy to your path, etc.
# Optional, change the #! line in aws-mfa to be /usr/bin/env python3
ln -s /path_to_repo/aws-mfa/aws-mfa /usr/local/bin/aws-mfa
```

### Bootstrapping Step 1: Secure the Root Account

For this step, you can do both the Commercial account and the GovCloud account at the same time.

1. Record all account information in the [msoc-infrastructure wiki `cloud-accounts.md`](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts) doc.
1. Go to https://vault.pvt.xdr.accenturefederalcyber.com/
1. Navigate to `engineering/cloud/aws/root-creds/`:
    * Create a new entry for the account alias. Use the naming scheme `mdr-prod-${CUSTOMERPREFIX}`.
    * Copy the JSON from an existing entry; it should contain both commercial and govcloud records.
    * Create a new version of the new secret and add the JSON.
    * If needed, add fields for the MFA secrets called `commerical_mfa_secret` and `gov_mfa_secret`.
1. Log in to the AWS account via web browser.
1. It's possible that CAMRS will make "our user" named `IAMAdmin`, but also possible it will be `MDRAdmin`. We have things that expect it to be `MDRAdmin`. If the account we get is `IAMAdmin`, then we need to make `MDRAdmin`:
    1. :warning: Set up MFA for `IAMAdmin` in your personal virtual authenticator and log in with `IAMAdmin` and MFA.
    2. Make the `MDRAdmin` user in the AWS Console.
    3. Assign a password (AWS Management Console access).
    4. Attach the policy `IAMUserChangePassword` directly to the user and create the user.
    5. After the user is created, put the user in the `camrs-group-iam` group.
    6. Log out of `IAMAdmin`, log in to `MDRAdmin`.
1. Change the password to something that does not include JSON characters and record it in the vault.
1. Follow the instructions for ["Using Vault for TOTP things", section "Adding a new TOTP Code" in `cloud-accounts.md`](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts#adding-a-new-totp-code---especially-for-an-aws-account) to configure and store the MFA token for the root account.
1. Put the MFA secret key into the `*_mfa_secret` field in Vault.
1. Sign out and back in. (Not optional! Required because of the MFA requirement in IAM policies.)
1. Go back to IAM and create access keys for the `MDRAdmin` user. Store them for later use.
1. Delete `IAMAdmin` from AWS and from your personal virtual authenticator.

Repeat for additional accounts and retain the AWS access keys for later use.

### Step 2: Bootstrap the Account

1. Starting with the Commercial AWS account, if applicable, add the access and secret keys to your local `~/.aws/credentials` file (`vim ~/.aws/credentials`) as a temporary profile called `tmp-long-term`:

    ```
    [tmp-long-term]
    aws_access_key_id =
    aws_secret_access_key =
    aws_mfa_device = arn:{partition}:iam::{account}:mfa/MDRAdmin
    ```

    Partition should be `aws` or `aws-us-gov`. Region should be `us-gov-east-1` or `us-east-1`.
1. Run `aws-mfa --profile tmp --region={region}` (Note: no `-long-term`, because the script assumes it).
   To switch from gov to commercial, use the `--force` flag.
1. Verify the account number: `AWS_PROFILE=tmp aws sts get-caller-identity --region={region}`
1. Update and branch the `xdr-terraform-live` Git repo (see below).
    1. Name the branch `feature/${INITIALS}_${TICKET}_CustomerSetup_${CUSTOMERPREFIX}`.
    1. This branch will be used in future steps.
1. Create a copy of the account skeleton (see below).
1. Change directories to where you have the `xdr-terraform-live` git repo and set the `CUSTOMERPREFIX` variable:

```
CUSTOMERPREFIX=
INITIALS=bp
TICKET=MSOCI-
# cd to xdr-terraform-live folder
git checkout master
git fetch --all
git pull origin master
git checkout -b feature/${INITIALS}_${TICKET}_CustomerSetup_${CUSTOMERPREFIX}
```

If the account is NOT GOING TO BE USED, run these commands. NOTE: This would probably be only for the commercial account. This is done so the AWS account is properly managed and not forgotten about.

```
cp -r 000-skeleton/ prod/aws/mdr-prod-${CUSTOMERPREFIX}
cd prod/aws/mdr-prod-${CUSTOMERPREFIX}
echo "This account is unused" > UNUSED.ACCOUNT
rm -rf 010-vpc-splunk/ 021-qualys-connector-role/ 025-test-instance/ 072-salt-master-inventory-role/ 140-splunk-frozen-bucket/ 150-splunk-cluster-master/ 160-splunk-indexer-cluster/ 170-splunk-searchhead/ 180-splunk-heavy-forwarder/
vim README.md    # Add a description of the account
vim account.hcl  # Fill in all "TODO" items, but leave "LATER" items (such as qualys) to be completed later.
update_refs --newtag
cd ../../../
```

For accounts that will be used (e.g. GovCloud):

```
cp -r 000-skeleton/ prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
cd prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
vim README.md    # Add a description of the account
vim account.hcl  # Fill in all "TODO" items, but leave "LATER" items (such as qualys) to be completed later.
                 # If you don't know the LCP IPs yet, comment out the splunk_data_sources cidr.
update_refs --newtag
# if needed cd to commercial dir for next steps
cd ../../../aws/mdr-prod-${CUSTOMERPREFIX}
```

These steps should be run on both the Commercial and GovCloud accounts. Start with the Commercial account to use the AWS keys.

cd into the IAM directory: `cd 005-iam`

Double-check / fix the profile:

```
vim terragrunt.hcl  # Check TODO items, make sure the profile (tmp) listed is right / matches what you have in the step above
```

Apply the configuration:

```
saml2aws -a commercial login
saml2aws -a govcloud login
terragrunt init
terragrunt validate
terragrunt apply
```

If the `terragrunt apply` takes forever and doesn't do anything, you need to authenticate with `aws-mfa` again.

Comment out the provisioning provider block and validate that terragrunt can be applied with the normal `xdr-terraformer` roles from the `root` account:

```
vim terragrunt.hcl  # comment out the provider generation parts
terragrunt apply    # Should be no changes
```

Repeat for the GovCloud account. Be sure to update your `~/.aws/credentials`; both the GovCloud and Commercial accounts need to be configured there.

`cd ../../../aws-us-gov/mdr-prod-${CUSTOMERPREFIX}`

Attempt to log in to the new account via the browser's Switch Role. Start from the Common Services account and switch to the new account using `user/mdr_terraformer` as the role.

If everything is working correctly, delete the AWS access keys from the `MDRAdmin` user in both Commercial and GovCloud, as well as the `IAMAdmin` user and personal MFA, unless you already did.

Update `files/config` and add the new account to the shared AWS configuration. The new configuration should match this format (`vim ~/.aws/config`).

GovCloud format:

```
[profile mdr-prod-${CUSTOMERPREFIX}-gov]
role_arn = arn:aws-us-gov:iam::{account}:role/user/mdr_terraformer
region = us-gov-east-1
color = ff1a1a
source_profile = govcloud
```

Add the new AWS config to your browser plugin, if applicable.
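Added example (not the notes' own code, and not from the `xdr-terraform-live` repo): a pre-flight check for Step 2 that validates the temporary `tmp-long-term` profile (keys filled in, MFA device is `mfa/MDRAdmin`, partition matches the region you will pass to `aws-mfa`) and checks the `aws sts get-caller-identity` output against the account and partition you intend to bootstrap, so terragrunt is never applied to the wrong account. The key values and the account number in the samples are constructed placeholders.

```python
import configparser
import json
import re

# Added example, not the notes' own code: partition <-> region pairing from Step 2, and the
# ARN shape shared by the aws_mfa_device value and the Arn that sts get-caller-identity returns.
EXPECTED_REGION = {"aws": "us-east-1", "aws-us-gov": "us-gov-east-1"}
ARN = re.compile(r"^arn:(aws|aws-us-gov):(?:iam|sts)::(\d{12}):(.+)$")


def check_long_term_profile(credentials_text, region, profile="tmp-long-term"):
    """Return the problems found in the temporary profile; [] means it is usable."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(credentials_text)
    if not cfg.has_section(profile):
        return [f"profile [{profile}] not found"]
    sec, problems = cfg[profile], []
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not sec.get(key, "").strip():
            problems.append(f"{key} is empty")
    m = ARN.match(sec.get("aws_mfa_device", "").strip())
    if not m:  # e.g. the {partition}/{account} placeholders were never filled in
        return problems + ["aws_mfa_device is not a well-formed ARN"]
    partition, _account, resource = m.groups()
    if resource != "mfa/MDRAdmin":
        problems.append(f"MFA device is {resource}, expected mfa/MDRAdmin")
    if EXPECTED_REGION[partition] != region:
        problems.append(f"partition {partition} does not match region {region}")
    return problems


def check_caller_identity(identity_json, expected_account, expected_partition):
    """Check `aws sts get-caller-identity` output; [] means the keys are where you think."""
    ident = json.loads(identity_json)
    m = ARN.match(ident.get("Arn", ""))
    if not m:
        return ["unrecognised Arn in caller identity"]
    partition, account, _resource = m.groups()
    problems = []
    if account != expected_account or ident.get("Account") != expected_account:
        problems.append(f"keys belong to account {account}, expected {expected_account}")
    if partition != expected_partition:
        problems.append(f"keys are in partition {partition}, expected {expected_partition}")
    return problems


# Constructed sample inputs (placeholder keys and account number) for a GovCloud bootstrap.
SAMPLE_CREDENTIALS = """[tmp-long-term]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = example-secret-placeholder
aws_mfa_device = arn:aws-us-gov:iam::123456789012:mfa/MDRAdmin
"""
SAMPLE_IDENTITY = json.dumps({"Account": "123456789012", "Arn": "arn:aws-us-gov:iam::123456789012:user/MDRAdmin"})
```

Run both checks before `aws-mfa` and again after it, against the real `~/.aws/credentials` contents and the real `get-caller-identity` JSON, and stop if either returns a non-empty list.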