Create new Bastion Machines for Shyft Network internal users
Bastions should be set up per environment: test, dev, staging, or prod. Replace <env> in the commands below with the relevant environment value.
a) Clone, Install, Configure
- Clone the Veriscope Bastion repo: github.com/Paycase/veriscope_bastions
- Configure the backend.<env>.tfvars file(s)
- Add the Bastion Machines that you want to create to the relevant <env>.tfvars file(s)
b) Run Terraform commands (init, validate, plan, apply)
terraform init -backend-config="backend.<env>.tfvars" 2>&1 | tee -a <yyyy-mm-dd>-tf.log
terraform validate 2>&1 | tee -a <yyyy-mm-dd>-tf.log
terraform plan -var-file <env>-env.tfvars -out=<yyyy-mm-dd>-<env>-bastions.tfplan 2>&1 | tee -a <yyyy-mm-dd>-tf.log
terraform apply "<yyyy-mm-dd>-<env>-bastions.tfplan" 2>&1 | tee -a <yyyy-mm-dd>-tf.log
If you encounter an error at this point (during the apply operation), resolve the error first, then run terraform plan followed by terraform apply again.
c) Upload Terraform plans and logs to AWS S3
Uploading the Terraform plans and logs to AWS S3 is just for record-keeping purposes.
aws s3 cp ./yyyy-mm-dd-<env>-bastions-001.tfplan s3://<env>-veriscope-us-east-1-terraform/deployment/plans/yyyy-mm-dd/ --sse AES256
aws s3 cp ./yyyy-mm-dd-tf.log s3://<env>-veriscope-us-east-1-terraform/deployment/plans/yyyy-mm-dd/ --sse AES256
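The steps in b) and c) are easy to get wrong by hand (a mistyped environment name, a plan file uploaded under a different date than its log, or an apply failure that goes unnoticed because tee masks the exit status). The following wrapper is an added example and is not part of the veriscope_bastions repo: it validates the environment name against the four values named on this page, derives the dated file names once, runs init, validate, plan and apply with every command's output appended to the day's log, stops at the first failure, and then uploads the plan and log to the bucket path shown above. It assumes it is run from the repo root with an authenticated aws CLI, and it uses the plan file name from section b) for the upload as well. If apply fails, fix the cause and rerun the script: init is idempotent, so re-running the whole sequence is equivalent to the plan-then-apply retry described above.

```shell
#!/bin/sh
# Added example (not the project's own tooling): drive the Terraform and S3
# steps for one bastion environment with a dated log and fail-fast behaviour.
# Assumptions: run from the veriscope_bastions checkout; aws CLI already
# authenticated; bucket and prefix names copied from the runbook commands.
set -eu

# Only the four environment names listed on this page are accepted.
validate_env() {
    case "$1" in
        test|dev|staging|prod) return 0 ;;
        *) echo "unknown environment: $1 (expected test, dev, staging or prod)" >&2
           return 1 ;;
    esac
}

# File-name conventions from section b): <yyyy-mm-dd>-<env>-bastions.tfplan
# and <yyyy-mm-dd>-tf.log. Arguments: env, date.
plan_file() { printf '%s-%s-bastions.tfplan\n' "$2" "$1"; }
log_file()  { printf '%s-tf.log\n' "$1"; }

# Destination prefix from section c). Arguments: env, date.
s3_prefix() {
    printf 's3://%s-veriscope-us-east-1-terraform/deployment/plans/%s/\n' "$1" "$2"
}

# Run one command, appending stdout+stderr to the log, and return the
# command's own exit status rather than tee's (plain "cmd | tee" would
# always report success, which is how a failed apply gets missed).
run_logged() {
    log="$1"; shift
    status_file=$(mktemp)
    echo "+ $*" | tee -a "$log"
    { "$@" 2>&1; echo $? > "$status_file"; } | tee -a "$log"
    status=$(cat "$status_file")
    rm -f "$status_file"
    return "$status"
}

# Section b): init, validate, plan, apply. Arguments: env, date.
terraform_bastions() {
    env="$1"; today="$2"
    validate_env "$env"
    log=$(log_file "$today")
    plan=$(plan_file "$env" "$today")
    run_logged "$log" terraform init -backend-config="backend.${env}.tfvars"
    run_logged "$log" terraform validate
    run_logged "$log" terraform plan -var-file "${env}-env.tfvars" -out="$plan"
    run_logged "$log" terraform apply "$plan"
}

# Section c): upload the plan and log for the record. Arguments: env, date.
upload_records() {
    env="$1"; today="$2"
    dest=$(s3_prefix "$env" "$today")
    aws s3 cp "./$(plan_file "$env" "$today")" "$dest" --sse AES256
    aws s3 cp "./$(log_file "$today")" "$dest" --sse AES256
}

main() {
    today=$(date +%Y-%m-%d)
    terraform_bastions "$1" "$today"
    upload_records "$1" "$today"
}

# Usage: ./bastions.sh <env>   (with no argument the functions are only defined)
if [ -n "${1:-}" ]; then main "$@"; fi
```

Run it as `./bastions.sh dev` from the repo root. Because `set -e` is on and run_logged propagates the real exit status, a failing validate or plan stops the script before apply runs, and a failing apply stops it before anything is uploaded, so the S3 record only ever contains a plan that was actually applied alongside its log.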
d) Prepare the Bastions with required software
Update the inventory file ansible/inventory/bastions.yaml: comment out the vars and enter appropriate values in the hosts section.
cd ~/source/Paycase/veriscope_bastions/ansible/inventory
nano bastions.yaml
For each host, fill in:
- fqdn (e.g. username-dev-bastion.veriscope.org)
- ssh_priv_key_secret_name
Then run the following commands:
ansible-playbook -i ansible/inventory/bastions.yaml ansible/playbooks/bastion-initial-configure.yaml
ansible-playbook infra/configure/playbooks/prep/seed-prep.yaml
ansible-playbook infra/configure/playbooks/prep/prepare-for-iac.yaml
When the last playbook finishes running, it will have installed all the software prerequisites required for using the Bastion, for example Ansible, Terraform, awscli2, boto3, etc.