
Setting up new bastions

The oq-tools suite depends on a common package, nflx-oqcache, to maintain a local cache of AWS assets that the bastion can access. The cache is built by querying a dedicated Edda deployment for each AWS account. If you are creating bastions for a brand new account, the oqcache project will need to be updated with the appropriate Edda hostnames.

Update nflx-oqcache package

  1. Confirm with Insight Engineering that an Edda cluster has been deployed for the new account
    1. You can also check Spinnaker,
    2. Fork the oqcache repo at
  2. Update the /root/apps/aws/nflx-oqcache/nflx-oqcache.yml file with the new account info. For example, if you are creating a bastion for the 'dmztest' account, add the following under the accounts: section:
      url: 'http://edda-{accountnumber}.{0}'
        - 'region'
  3. Update the /nflx-oqcache/oqcache/ module so that the ACCOUNTS tuple includes the new account name(s)
  4. Commit the changes to the stash repo
  5. Submit a Pull Request to merge the changes into the master branch.
  6. Review and merge the pull request.

Prepare the bastion repo and your workstation

The gnu-sed, casserole-get-keys and metatron packages are required and must be installed on your local workstation. A pre-req install script is included in the tools directory of the bastion project folder. Install the pre-reqs using:

  • Create temp folders on your local system to hold the SSH keys and the encrypted metatron keys.

    mkdir /tmp/ssh-keys
    cd /tmp/ssh-keys
    mkdir -p root/metatron

  • Copy the SSH keys from thesecret [go/secret] to the temp folder. Search for the keys by account number; they are named like nf-keypair-<account_number>-region.pem.

  • Save the keys to the temp directory. Make sure the key names follow the pattern nf-keypair-<account_number>-region.pem; rename the keys if required.

  • Encrypt the keys. The following loop runs metatron encrypt once per key file (the loop variable is passed to the command, so every key in the folder is encrypted):
    for i in nf-keypair-*.pem ; do metatron encrypt -p bastion "$i" ; done

  • The encrypted keys are written to root/metatron/encrypted inside the temp folder.

  • Note the location of the temp folder; the next script asks for it.

  • From the bastion project root folder, run the tools/ script and follow its prompts. This script will:

    • Modify all the Global files / bastion common files
    • Modify all the new account’s bastion specific files
    • Copy the encrypted ssh-keys from temp location to the bastion repo
  • Commit your changes to the stash repo.

  • Submit a Pull Request to merge the changes into the master branch.

Cache the AWS credentials

  • Create the ~/.aws/default_roles file with the following content:
        {
          "awsmanagement_poweruser" : true,
          "awsprod_dns_admin" : true,
          "awstest_user" : true
        }
  • Cache your AWS credentials using the casserole-get-keys command.
    $ casserole-get-keys

Create AWS resources:

  • Run the tools/ command. This script will:
    • Create the required NICs (network interfaces) for each account
    • Tag the NICs with cluster name, hostname, etc.
    • Create required Route53 entries in MGMT, PROD and DEV accounts.
$ ./ --help
usage: [-h] --name NAME --prod-number PROD_NUMBER
                         --test-number TEST_NUMBER [--region REGION]
                         [--env ENV]

Create Network Cards and Route53 entries for Bastions

optional arguments:
  -h, --help            show this help message and exit
  --name NAME, -n NAME  AWS account Name
  --prod-number PROD_NUMBER, -p PROD_NUMBER
                        AWS Prod Account Number
  --test-number TEST_NUMBER, -t TEST_NUMBER
                        AWS test Account Number
  --region REGION, -r REGION
                        AWS region. Default is us-west-2
  --env ENV, -e ENV     Default value is [test, prod]


./ -n <account_name> -p <prod_account_number> \
   -t <test_account_number> -e [test|prod]
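For orientation, here is an added Python sketch (not the project's own tools/ script) of what a script with the interface shown above does: it parses the same arguments, plans one network interface and one Route53 A record per environment, and applies the plan with boto3 clients the caller supplies. The hostname convention bastion-<account>-<env>, the tag keys, the zone name, the subnet id and the reuse of an already-tagged ENI on re-runs are assumptions, not taken from the page.

```python
import argparse


def parse_args(argv):
    """Mirror the --help text shown above; -e may repeat (-e test -e prod)."""
    p = argparse.ArgumentParser(
        description="Create Network Cards and Route53 entries for Bastions")
    p.add_argument("--name", "-n", required=True, help="AWS account Name")
    p.add_argument("--prod-number", "-p", required=True, help="AWS Prod Account Number")
    p.add_argument("--test-number", "-t", required=True, help="AWS test Account Number")
    p.add_argument("--region", "-r", default="us-west-2", help="AWS region. Default is us-west-2")
    p.add_argument("--env", "-e", action="append", choices=["test", "prod"],
                   help="Default value is [test, prod]")
    args = p.parse_args(argv)
    args.env = args.env or ["test", "prod"]  # same default the help text states
    return args


def plan_bastions(args, zone, subnet_id):
    """One ENI + A record per env. Hostname and tag keys are assumed conventions."""
    plan = []
    for env in args.env:
        hostname = f"bastion-{args.name}-{env}"  # assumed naming convention
        plan.append({
            "env": env,
            "account_number": args.prod_number if env == "prod" else args.test_number,
            "region": args.region, "subnet_id": subnet_id,
            "tags": [{"Key": "Name", "Value": hostname},
                     {"Key": "cluster", "Value": f"bastion-{args.name}"},
                     {"Key": "hostname", "Value": hostname}],
            "fqdn": f"{hostname}.{zone}.",
        })
    return plan


def apply_plan(plan, ec2, route53, hosted_zone_id):
    """Create/tag each ENI and upsert its A record with boto3 clients scoped to
    the right account. Re-runs are safe: an ENI already tagged with the hostname is reused."""
    for item in plan:
        hostname = item["tags"][2]["Value"]
        found = ec2.describe_network_interfaces(
            Filters=[{"Name": "tag:hostname", "Values": [hostname]}])["NetworkInterfaces"]
        eni = found[0] if found else ec2.create_network_interface(
            SubnetId=item["subnet_id"], Description=hostname,
            TagSpecifications=[{"ResourceType": "network-interface",
                                "Tags": item["tags"]}])["NetworkInterface"]
        route53.change_resource_record_sets(
            HostedZoneId=hosted_zone_id,
            ChangeBatch={"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
                "Name": item["fqdn"], "Type": "A", "TTL": 60,
                "ResourceRecords": [{"Value": eni["PrivateIpAddress"]}]}}]})
```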

Launch the new bastions from Spinnaker