
Setting up new bastions

The oq-tools suite depends on a common package, nflx-oqcache, to maintain a local cache of AWS assets that the bastion can access. The cache is built by querying a dedicated Edda deployment for each AWS account. If you are creating bastions for a brand new account, the oqcache project will need to be updated with the appropriate Edda hostnames.

Update nflx-oqcache package

  1. Confirm with Insight Engineering that an Edda cluster has been deployed for the new account (you can also check Spinnaker: https://spinnaker.prod.netflix.net/#/applications/edda/clusters)
  2. Fork the oqcache repo at https://stash.corp.netflix.com/projects/IAE/repos/nflx-oqcache/browse
  3. Update the /root/apps/aws/nflx-oqcache/nflx-oqcache.yml file with the new account info. If you’re creating a bastion for the ‘dmztest’ account, you would add the following under the accounts: section
    dmztest:
      url: 'http://edda-{accountnumber}.{0}.test.netflix.net:7001/api/v2'
      url_format_params:
        - 'region'

  4. Update /nflx-oqcache/oqcache/config.py to add the new account name(s) to the ACCOUNTS tuple
  5. Commit the changes to the stash repo
  6. Submit a Pull Request to merge the changes into the master branch.
  7. Review and merge the pull request.
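
A small consistency check for the nflx-oqcache.yml and config.py edits above, as an added example (not oqcache's own code): it renders the Edda URL from an accounts: entry and flags an account that is missing from ACCOUNTS or a url whose positional slots do not match url_format_params. How oqcache really fills the template is an assumption here, as are the sample entry and the placeholder account number.

```python
"""Consistency check for an nflx-oqcache account entry (added example,
not oqcache's own code). It assumes, hypothetically, that oqcache fills
{accountnumber} by name and the numbered slots positionally from
url_format_params; the real rendering logic lives in the oqcache package."""
from string import Formatter

# Constructed stand-in for the accounts: section of nflx-oqcache.yml
ACCOUNTS_YAML = {
    "dmztest": {
        "url": "http://edda-{accountnumber}.{0}.test.netflix.net:7001/api/v2",
        "url_format_params": ["region"],
    },
}
# Constructed stand-in for the ACCOUNTS tuple in oqcache/config.py
ACCOUNTS = ("dmztest",)
# Placeholder; the real account number is not part of this example
ACCOUNT_NUMBERS = {"dmztest": "<dmztest-account-number>"}


def positional_slots(template):
    """Numbered {0}, {1}, ... fields in a str.format template."""
    return {f for _, f, _, _ in Formatter().parse(template)
            if f is not None and f.isdigit()}


def edda_url(account, region):
    """Render the Edda API base URL for one account and region."""
    entry = ACCOUNTS_YAML[account]
    params = {"region": region}
    positional = [params[name] for name in entry["url_format_params"]]
    return entry["url"].format(*positional,
                               accountnumber=ACCOUNT_NUMBERS[account])


def check_config(accounts_yaml, accounts_tuple):
    """Return a list of problems; empty means yml and config.py agree."""
    problems = []
    for name, entry in accounts_yaml.items():
        if name not in accounts_tuple:
            problems.append(f"{name}: in nflx-oqcache.yml but not in ACCOUNTS")
        slots = positional_slots(entry.get("url", ""))
        fmt_params = entry.get("url_format_params", [])
        if len(slots) != len(fmt_params):
            problems.append(f"{name}: url has {len(slots)} positional slot(s) "
                            f"but {len(fmt_params)} url_format_params")
    for name in accounts_tuple:
        if name not in accounts_yaml:
            problems.append(f"{name}: in ACCOUNTS but not in nflx-oqcache.yml")
    return problems
```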

Prepare the bastion repo and your workstation

Note

Gnu-sed, casserole-get-keys and metatron packages are required and need to be installed on your local workstation. A pre-req install script is included in the tools directory of the bastion project folder. Install the pre-reqs using:

$bastion_project_folder/tools/install_mac_prereq.sh

  • Create temp folders on your local system to hold the SSH keys and the metatron-encrypted keys.

    mkdir /tmp/ssh-keys
    cd /tmp/ssh-keys
    mkdir -p root/metatron
    

  • Copy the SSH keys from the secret store [go/secret] to the temp folder. Search for the keys by account number. The keys are named like nf-keypair-<account_number>-<region>.pem.

  • Save the keys to the temp directory. Make sure the key names follow the pattern nf-keypair-<account_number>-<region>.pem; rename the keys if required.

  • Encrypt the keys. For each key, run the following command (the loop encrypts every key file in the temp folder):
    for i in nf-keypair-*.pem ; do metatron encrypt -p bastion "$i" ; done

  • The encrypted keys are copied to root/metatron/encrypted in the temp folder

  • Note down the location of the temp folder; the next command needs it.

  • From the bastion_project_root folder, run the tools/add_new_bastion.sh script and follow the instructions. This script will:

    • Modify all the global / bastion-common files
    • Modify all the new account’s bastion-specific files
    • Copy the encrypted SSH keys from the temp location into the bastion repo

  • Commit your changes to the stash repo.

  • Submit a Pull Request to merge the changes into the master branch.

Cache the AWS credentials

  • Create the ~/.aws/default_roles file with the following content.
    {
        "awsmanagement_poweruser" : true,
        "awsprod_dns_admin" : true,
        "awstest_user" : true
    }

  • Cache your AWS credentials using the casserole-get-keys command.
    $ casserole-get-keys
    

Create AWS resources:

  • Run the tools/create_nic_r53.py script. This script will:
    • Create the required NICs for each account
    • Tag the NICs with cluster name, hostname, etc.
    • Create the required Route53 entries in the MGMT, PROD and DEV accounts.

$ ./create_nic_r53.py --help
usage: create_nic_r53.py [-h] --name NAME --prod-number PROD_NUMBER
                         --test-number TEST_NUMBER [--region REGION]
                         [--env ENV]

Create Network Cards and Route53 entries for Bastions

optional arguments:
  -h, --help            show this help message and exit
  --name NAME, -n NAME  AWS account Name
  --prod-number PROD_NUMBER, -p PROD_NUMBER
                        AWS Prod Account Number
  --test-number TEST_NUMBER, -t TEST_NUMBER
                        AWS test Account Number
  --region REGION, -r REGION
                        AWS region. Default is us-west-2
  --env ENV, -e ENV     Default value is [test, prod]

Example:

./create_nic_r53.py -n <account_name> -p <prod_account_number> \
    -t <test_account_number> -e [test|prod]

Launch the new bastions from Spinnaker

https://spinnaker.prod.netflix.net/#/applications/bastion/executions