Setting UP new bastions

The oq-tools suite depends on a common package, nflx-oqcache, to maintain a local cache of AWS assets that the bastion can access. The cache is built by querying a dedicated Edda deployment for each AWS account. If you are creating bastions for a brand new account, the oqcache project will need to be updated with the appropriate Edda hostnames.

Update nflx-oqcache package

1. Confirm with Insight Engineering that an Edda cluster has been deployed for the new account
   1. You can also check Spinnaker, https://spinnaker.prod.netflix.net/#/applications/edda/clusters
   2. Fork the oqcache repo at
      https://stash.corp.netflix.com/projects/IAE/repos/nflx-oqcache/browse
2. Update the /root/apps/aws/nflx-oqcache/nflx-oqcache.yml file with the new account info. If you’re creating a bastion for the ‘dmztest’ account, you would add the following under the accounts: section

   dmztest:
     url: 'http://edda-{accountnumber}.{0}.test.netflix.net:7001/api/v2'
     url_format_params:
       - 'region'
   

3. Update the /nflx-oqcache/oqcache/config.py to add the new account name(s) to the ACCOUNTS tuple
4. Commit changes to the stash repo
5. Submit a Pull Request to merge the changes into the master branch.
6. Review and merge the pull request.

Prepare the bastion repo and your workstation

• Fork bastion repo and clone it to your local workstation
  https://stash.corp.netflix.com/projects/IAE/repos/bastion/browse
• Install pre-req to your workstation.

Note

Gnu-sed, casserrole-get-keys and metatron packages are required and need to be installed in your local workstation. A pre-req install script is inluded in the tools directory of the bastion project folder. Install the pre-req using:

$bastion_project_folder/tools/install_mac_prereq.sh

• Create some temp folders to store the ssh-keys, encrypted metatron keys in your local system.

  mkdir /tmp/ssh-keys
  cd /tmp/ssh-keys
  mkdir -p root/metatron
  

• Copy the SSH Keys from thesecret [go/secret] to temp folder. Search the keys by the account number. The keys are named like nf-keypair--region.pem

• Save the keys to the temp directory. Make sure the key names are like: nf-keypair--region.pem. Rename the keys if required.

• Encrypt the keys . For each key run the following command
  for i in $(ls nf*) ; do metatron encrypt -p bastion nf-keypair-<account_number>-region.pem ; done

• The encrypted keys are copied to root/metatron/encrypted in the temp folder

• Note down the location of temp folder. We need this location for the next command

• From bastion_project_root folder, run tools/add_new_bastion.sh script. Follow the instructions. This script will:

  • Modify all the Global files / bastion common files
  • Modify all the new account’s bastion specific files
  • Copy the encrypted ssh-keys from temp location to the bastion repo

• Commit your changes to stash repo.

• Submit a Pull Request to merge the changes into the master branch.

Cache the aws credentials

• Create ~/.aws/default_roles file with following content.

   {
      "awsmanagement_poweruser" : true,
      "awsprod_dns_admin" : true,
      "awstest_user" : true
  }
  

• Cache your aws credentials using casserole-get-keys command.

  $ casserole-get-keys
  

Create AWS resources:

• Run the tools/create_nic_r53.py command. This script will:
  • Create the required NIC cards for each account
  • Tag the NICS with cluster name, hostname, etc..
  • Create required Route53 entries in MGMT, PROD and DEV accounts.

$ ./create_nic_r53.py --help
usage: create_nic_r53.py [-h] --name NAME --prod-number PROD_NUMBER
                         --test-number TEST_NUMBER [--region REGION]
                         [--env ENV]

Create Network Cards and Route53 entries for Bastions

optional arguments:
  -h, --help            show this help message and exit
  --name NAME, -n NAME  AWS account Name
  --prod-number PROD_NUMBER, -p PROD_NUMBER
                        AWS Prod Account Number
  --test-number TEST_NUMBER, -t TEST_NUMBER
                        AWS test Account Number
  --region REGION, -r REGION
                        AWS region. Default is us-west-2
  --env ENV, -e ENV     Default value is [test, prod]

Eg: 

./create_nic_r53.py -n <account_name> -p <prod_account_number> \
-t <test_account_number> -e [test|prod] 

Launch the new bastions from Spinnaker

https://spinnaker.prod.netflix.net/#/applications/bastion/executions