Home Explore Help
Register Sign In
AFS
/
infrastructure-notes
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: fe0c05d785
Branches Tags
infrastructure-...
/
AWS New Account Setup Notes.md

AWS New Account Setup Notes.md 5.8 KB
History Raw

XDR AWS New Account Setup Notes

Timecode

You should be using the customer T&E charge code. If you don't have one you can put the time into a suspense code and switch it to the correct timecode when you get it. The suspense code is: SSPNS.500.001.001 Contract Civilian Sus Lbr.

request new account from aws from AFS

AFS Help -> Submit a request -> non standard software and pre-approved project management tools -> cloud managed services

CFM approver: jordana.lang P104 approver: jennifer.l.combs

VERY Helpful Guy to fill out the AWS request: Osman Soofi. osman.soofi@accenturefederal.com

Bootstrap the Account

AFS Support will send you two login URLs and passwords per account (one for commercial, one for govcloud).

Prerequisites

Install aws-mfa utility via:

git clone https://github.com/duckfez/aws-mfa.git # This is a patched version to include govcloud support
# do whatever your process is for making this executable... link to /usr/local/bin, copy to your path, etc.
# Optional, change the #! line in aws-mfa to be /usr/bin/env python3

Bootstrapping Step 1: Secure the Root Account

  1. Record all account information in msoc-infrastructure-wiki cloud-accounts.md doc
  2. Go to https://vault.mdr.defpoint.com
  3. Navigate to engineering/cloud/aws/root-creds/:
    • Create new entry for the account alias. Use the naming scheme, mdr-prod-${CUSTOMERPREFIX}
    • Copy json from existing entry - should contain both commercial and govcloud records
    • Create a new version of the new secret and add the json
    • if needed, add a field for the MFA secret called commerical_mfa_secret and gov_mfa_secret
  4. Login to the AWS account via web browser.
  5. It's possible that CAMRS will make "our user" named IAMAdmin, but also possible it will be MDRAdmin. We have things that expect it to be MDRAdmin. If the account we get is IAMAdmin then we need to make MDRAdmin.
    1. :warning: Setup MFA for IAMAdmin in your personal virtual authenticator and login with IAMAdmin and MFA
    2. Make the MDRAdmin user in AWS Console
    3. Assign a Password
    4. Attach the policy IAMUserChangePassword directly to the user
    5. put the user in the camrs-group-iam group
    6. Log out of IAMAdmin, log in to MDRAdmin
  6. Change password to something that does not include json characters and record in the vault.
  7. Follow instructions for "Using Vault for TOTP things", section "Adding a new TOTP Code" in cloud-accounts.md to configure and store the MFA token for the root account.
  8. Put the MFA secret key into the *_mfa_secret field in Vault for both commerical and gov.
  9. Sign out and back in. (Not optional! Required because MFA requirement in IAM policies)
  10. Go back to IAM and create access keys.
  11. Delete IAMAdmin from AWS and your personal virtual authenticator.

Repeat for additional accounts

Step 2: Bootstrap the account

  1. Add the access and secret keys to your local ~/.aws/credentials file as a temporary profile called tmp-long-term:

    [tmp-long-term]
aws_access_key_id = <blah>
aws_secret_access_key = <blah>
aws_mfa_device = arn:{partition}:iam::{account}:mfa/MDRAdmin

    Partition should be aws or aws-us-gov. Region should be us-gov-east-1 or us-east-1.

  2. Run aws-mfa --profile tmp --region={region} ( Note: No -long-term, because script assumes it ). To switch from gov to commerical use the --force flag.

  3. Verify account number: AWS_PROFILE=tmp aws sts get-caller-identity --region={region}

  4. Update and branch xdr-terraform-live Git repo

  5. Name the branch feature/${INITIALS}_${TICKET}CustomerSetup${CUSTOMERPREFIX}

  6. This branch will be used in future steps

  7. Create a copy of the account skeleton

    cp -r ~/xdr-terraform-live/000-skeleton/ ~/xdr-terraform-live/prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
cd ~/xdr-terraform-live/prod/aws-us-gov/mdr-prod-${CUSTOMERPREFIX}
vim README.md # Add a description of the account
vim account.hcl # Fill in all "TODO" items, but leave "LATER" items (such as qualys) to be completed later.

If the account is NOT GOING TO BE USED run these commands. NOTE: This would probably be only for the commercial account.

echo "This account is unused" > UNUSED.ACCOUNT
rm -rf 010-vpc-splunk/ 021-qualys-connector-role/ 025-test-instance/ 072-salt-master-inventory-role/ 140-splunk-frozen-bucket/ 150-splunk-cluster-master/ 160-splunk-indexer-cluster/ 170-splunk-searchhead/ 180-splunk-heavy-forwarder/

  1. cd into the IAM directory cd 005-iam

  2. Double-check / fix the profile

    vim terragrunt.hcl
# Check TODO items, make sure the profile (tmp) listed is right / matches what you have in above step

  3. Apply the configuration:

    saml2aws -a commercial login
saml2aws -a govcloud login
terragrunt init
terragrunt validate
terragrunt apply

If the terragrunt apply takes forever and doesn't do anything, you need to authenticate with aws-mfa again.

  1. Comment-out the provisioning provider block and validate that terragrunt can be applied with the normal xdr-terraformer roles from root account

    vim terragrunt.hcl
# comment out the provider generation parts
terragrunt apply
# Should be no changes

If necessary, repeat for the 'commercial' account. The commercial account needs to be configued.

If everything is working correct, delete the AWS access keys from the MDRAdmin user. Update AWS Notes.md and add the new account to the shared AWS confiugration. The new configuration should match this format.

vim ~/.aws/config

GovCloud Format

[profile mdr-prod-${CUSTOMERPREFIX}-gov]
role_arn = arn:aws-us-gov:iam::{account}:role/user/mdr_terraformer
region = us-gov-east-1
color = 369e1a
source_profile = govcloud