
XDR AWS New Account Setup Notes

Request a new account from AWS via AFS:

AFS Help -> Submit a request -> non standard software and pre-approved project management tools -> cloud managed services

CFM approver: jordana.lang; P104 approver: jennifer.l.combs

Very helpful contact for filling out the AWS request: Osman Soofi, osman.soofi@accenturefederal.com

Bootstrap the Account

AFS Support will send you two login URLs and passwords per account (one for commercial, one for govcloud).

Prerequisites

Install the aws-mfa utility via:

git clone https://github.com/duckfez/aws-mfa.git # This is a patched version to include govcloud support
# do whatever your process is for making this executable... link to /usr/local/bin, copy to your path, etc.
# Optional, change the #! line in aws-mfa to be /usr/bin/env python3

Bootstrapping Step 1: Secure the Root Account

  1. Record all account information in msoc-infrastructure-wiki cloud-accounts.md doc
  2. Go to https://vault.mdr.defpoint.com
  3. Navigate to engineering/cloud/aws/root-creds/:
    • Create a new entry for the account alias.
    • Copy the JSON from an existing entry; it should contain both commercial and govcloud records.
    • Create a new version of the new secret and add the JSON.
  4. Login to the AWS account via web browser.
  5. Change the password to one that contains no JSON special characters (it is stored inside the JSON vault entry), and record it in the vault.
  6. Follow instructions for "Using Vault for TOTP things", section "Adding a new TOTP Code" in cloud-accounts.md to configure and store the MFA token for the root account.
  7. Sign out and back in. (Not optional: the IAM policies require MFA, so the session must be re-established after the device is enrolled.)
  8. Go back to IAM and create access keys (the access key ID and secret key used in Step 2).

Repeat for additional accounts

Step 2: Bootstrap the accounts

  1. Add the access and secret keys to your local ~/.aws/credentials file as a temporary profile called tmp-long-term (partition is aws for commercial, aws-us-gov for GovCloud):

    [tmp-long-term]
    aws_access_key_id = <blah>
    aws_secret_access_key = <blah>
    aws_mfa_device = arn:{partition}:iam::{account}:mfa/MDRAdmin
    
  2. Run aws-mfa --profile tmp (note: no -long-term suffix; the script appends it itself when looking up the long-term profile and writes the short-term MFA credentials to the tmp profile).

  3. Verify account number: AWS_PROFILE=tmp aws sts get-caller-identity

  4. Create a copy of the account skeleton

    cd msoc-infrastructure/terraform-0.12/accounts/aws
    cp -rp 000-skeleton {account-alias}
    
  5. Prepare the configuration for the new account

    cd {account-alias}
    vim README.md
    # Add a description of the account.
    vim terragrunt.hcl
    # Fix all the lines marked "TODO"
    cd 005-iam
    rm -rf .terraform terraform.tfstate* # shouldn't be there if you copied from skeleton
    vim child-account.tf
    # Fix all the lines marked "TODO"
    
  6. Apply the configuration:

    saml2aws -a commercial login
    terragrunt validate
    terragrunt apply
    
  7. Fix the profile

    vim ../terragrunt.hcl
    # Delete the line with `profile=tmp` and uncomment the line with `profile=commercial`
    # Uncomment the `assume_role` section and fix the account number.
    
  8. Validate that terragrunt can be applied

    terragrunt apply
    # Should be no changes
    

Repeat for GovCloud with slight changes

The above steps need to be repeated for accounts in GovCloud. Here are the steps (from "Step 2") in abbreviated format:

vim ~/.aws/credentials
aws-mfa --profile tmp --region us-gov-east-1
AWS_PROFILE=tmp aws --region us-gov-east-1 sts get-caller-identity

cd msoc-infrastructure/terraform-0.12/accounts/aws-us-gov
cp -rp 000-skeleton {account-alias}

cd {account-alias}
vim README.md
# Add a description of the account.
vim terragrunt.hcl
# Fix all the lines marked "TODO"
cd 005-iam
rm -rf .terraform terraform.tfstate* # shouldn't be there if you copied from skeleton
vim child-account.tf
# Fix all the lines marked "TODO"

saml2aws -a govcloud login
terragrunt validate
terragrunt apply

vim ../terragrunt.hcl
# Delete the line with `profile=tmp` and uncomment the line with `profile=govcloud`
# Uncomment the `assume_role` section and fix the account number.

terragrunt apply
# Should be no changes
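
Added example, not part of the original notes: a small POSIX sh pre-flight script covering Step 2 items 1 to 3 for both the commercial and GovCloud passes. It builds the `aws_mfa_device` value for the `tmp-long-term` profile from the partition and account number, checks the `aws sts get-caller-identity` output for the expected account and partition before you run `terragrunt apply`, and flags a credentials file that still carries the `tmp-long-term` root keys once bootstrap is finished. The function names, the 12-digit account-id check, the sample identity JSON and the decision to use sed instead of jq are assumptions made for this example; the `MDRAdmin` device name and the `tmp`/`tmp-long-term` profile names come from the notes above.

```shell
#!/bin/sh
# Added pre-flight checks for the bootstrap steps (not part of the original notes).
# Assumes POSIX sh with sed and grep; the sample identity JSON below is constructed
# to look like `aws sts get-caller-identity` output and is not from a real account.

# Build the aws_mfa_device value for the tmp-long-term profile.
# Partition is "aws" (commercial) or "aws-us-gov" (GovCloud); MDRAdmin is the
# MFA device name the notes use.
mfa_device_arn() {
    partition="$1"
    account="$2"
    case "$partition" in
        aws|aws-us-gov) ;;
        *) echo "unknown partition: $partition" >&2; return 1 ;;
    esac
    if ! printf '%s' "$account" | grep -qE '^[0-9]{12}$'; then
        echo "account id must be 12 digits: $account" >&2
        return 1
    fi
    printf 'arn:%s:iam::%s:mfa/MDRAdmin\n' "$partition" "$account"
}

# Pull the Account field out of get-caller-identity JSON (pretty-printed or compact).
identity_account() {
    printf '%s\n' "$1" | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]*\)".*/\1/p'
}

# Pull the partition out of the Arn field: arn:<partition>:iam::<account>:...
identity_partition() {
    printf '%s\n' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"arn:\([^:]*\):.*/\1/p'
}

# Confirm that the tmp profile really is the account (and partition) you are about
# to run terragrunt apply in. Returns 0 on match, 1 with a message on mismatch.
check_caller_identity() {
    expected_account="$1"
    expected_partition="$2"
    json="$3"
    got_account=$(identity_account "$json")
    got_partition=$(identity_partition "$json")
    if [ "$got_account" != "$expected_account" ]; then
        echo "account mismatch: expected $expected_account, got ${got_account:-<none>}" >&2
        return 1
    fi
    if [ "$got_partition" != "$expected_partition" ]; then
        echo "partition mismatch: expected $expected_partition, got ${got_partition:-<none>}" >&2
        return 1
    fi
    return 0
}

# Flag a credentials file that still carries the tmp-long-term root access keys
# after the bootstrap is done; returns 0 if the stanza is still present.
has_tmp_long_term_profile() {
    grep -q '^\[tmp-long-term\]' "$1"
}

# Constructed sample of a commercial-partition identity (not a real account).
SAMPLE_IDENTITY='{
    "UserId": "AIDAEXAMPLEEXAMPLE",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/MDRAdmin"
}'

# Live usage (not executed here): gate the apply on the identity check.
#   check_caller_identity 123456789012 aws "$(AWS_PROFILE=tmp aws sts get-caller-identity)" \
#       && terragrunt apply
```

For the GovCloud pass, call `check_caller_identity` with `aws-us-gov` as the partition and feed it the output of the `--region us-gov-east-1` identity call; the same functions work unchanged because the partition is read from the ARN rather than from the region.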