Access / SSH onto your Bastion Machine
a) Get SSH Private Key
The SSH private key for your Bastion can be obtained by running the commands below from your terminal, from the root of this repository.
Configure AWS credentials by running:
aws configure
Contact your infrastructure administrator if you are unsure what the AWS values are.
From the root of the repository, run the following playbook:
ansible-playbook ansible/playbooks/1.seed-prep.yaml
Sample output
$ ansible-playbook ansible/playbooks/1.seed-prep.yaml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
PLAY [Prepare ansible controller (localhost)] **********************************
TASK [Install community.general ansible-galaxy collection] *********************
changed: [localhost]
PLAY RECAP *********************************************************************
localhost : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Run the following playbook:
ansible-playbook ansible/playbooks/2.prepare-to-jump.yaml
Sample output
$ ansible-playbook ansible/playbooks/2.prepare-to-jump.yaml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [Prepare ansible controller (localhost)] ***********************************************************************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************************************************************************
ok: [localhost]
TASK [Install community.general ansible-galaxy collection] **********************************************************************************************************************************************************************
changed: [localhost]
...
...
...
TASK [Invoke modify security group lambda function] *****************************************************************************************************************************************************************************
changed: [localhost]
TASK [Print lambda response] ****************************************************************************************************************************************************************************************************
ok: [localhost] => {
"lambda_response.result": {
"logs": "START RequestId: b55a654a-2993-4bd0-9b27-2f18c361da77 Version: $LATEST\nEvent: %s {'action': 'create', 'cidr': '103.156.49.37/32', 'port': '22', 'sg_id_ssm_param_name': '/dev/bastions/sg-id'}\nEND RequestId: b55a654a-2993-4bd0-9b27-2f18c361da77\nREPORT RequestId: b55a654a-2993-4bd0-9b27-2f18c361da77\tDuration: 707.32 ms\tBilled Duration: 1338 ms\tMemory Size: 128 MB\tMax Memory Used: 83 MB\tInit Duration: 630.59 ms\t\n",
"output": {
"api_response": {
"ResponseMetadata": {
"HTTPHeaders": {
"cache-control": "no-cache, no-store",
"content-length": "1095",
"content-type": "text/xml;charset=UTF-8",
"date": "Tue, 20 Dec 2022 14:59:33 GMT",
"server": "AmazonEC2",
"strict-transport-security": "max-age=31536000; includeSubDomains",
"x-amzn-requestid": "547f12e3-46ed-4be1-b1d6-8cf063236859"
},
"HTTPStatusCode": 200,
"RequestId": "547f12e3-46ed-4be1-b1d6-8cf063236859",
"RetryAttempts": 0
},
"Return": true,
"SecurityGroupRules": [
{
"CidrIpv4": "103.156.49.37/32",
"FromPort": 2233,
"GroupId": "sg-1536c48e023e95d5d",
"GroupOwnerId": "354316668884",
"IpProtocol": "tcp",
"IsEgress": false,
"SecurityGroupRuleId": "sgr-90dff0b36c0b3112f",
"Tags": [
{
"Key": "Purpose",
"Value": "Allow TA DB cluster access from outside the VPC"
},
{
"Key": "AddedBy",
"Value": "modify-sg-on-demand-lambda-function"
}
],
"ToPort": 22
}
]
},
"detail": null,
"result": "success"
},
"status": 200
}
}
PLAY RECAP ***********************************************************************************************************************************************************************
localhost : ok=6 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
If you see an error that reads something like
The above playbook retrieves the SSH private key and stores it on your local machine in the
If your public IP changes, follow the steps in Open firewall into the Bastion from your host below.
Open firewall into the Bastion from your host
You will need to open the firewall into the Bastion security group to be able to SSH onto the Bastion from your host machine. The 2.prepare-to-jump.yaml playbook you ran above has already done this: as the sample output shows, it invokes a Lambda function that adds an inbound TCP rule to the Bastion security group for your current public IP as a single /32 CIDR. However, if your host's public IP changes (a different network, a VPN, a new lease on your uplink), that rule no longer matches your traffic and you will need to open the firewall for the new IP.
You will need to run this playbook every time your host's public IP address changes:
ansible-playbook ansible/playbooks/open-firewall-to-bastion.yaml
b) SSH into Bastion
Run the command below to SSH into your Bastion machine, where <your-priv-key>.pem is the key saved by the playbook and <your-fqdn> is the Bastion's hostname:
ssh -i ~/.ssh/<your-priv-key>.pem ubuntu@<your-fqdn>
For example, with a key named bastionuserdevbastion.pem:
ssh -i ~/.ssh/bastionuserdevbastion.pem ubuntu@<your-fqdn>
The key file must be readable only by you (chmod 600 ~/.ssh/<your-priv-key>.pem), otherwise ssh refuses to use it. On first connection ssh shows the Bastion's host key fingerprint and asks you to confirm it; verify the fingerprint with your infrastructure administrator rather than accepting it blindly.
If you cannot SSH into your Bastion, please contact your infrastructure administrator.
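The two things that most often break this procedure are a public IP that has changed since open-firewall-to-bastion.yaml last ran, and a key file with permissions ssh will not accept. The pre-flight script below checks both before you SSH; it is an added example and not one of the repository's playbooks. It assumes your public IPv4 is obtained out-of-band (for example with `curl -s https://checkip.amazonaws.com`) and passed in as an argument so the script itself runs offline, and the state file that remembers the last-opened address is an invention of this example, not something the playbooks maintain.

```sh
#!/bin/sh
# Added example, not part of the repository's playbooks or of the page above.
# Pre-flight checks before ssh-ing to the Bastion:
#   1. the /32 the security group allows still matches your public IP
#      (re-run ansible/playbooks/open-firewall-to-bastion.yaml when it changes)
#   2. the private key is not readable by group/other, which ssh refuses
# Assumptions: the public IPv4 is fetched out-of-band and passed in as $1;
# the state file ($3, default ~/.bastion-last-ip) is invented for this example.

# is_public_ipv4 ADDR: succeeds if ADDR is a well-formed IPv4 outside loopback,
# link-local and RFC 1918 ranges. A private address means you are looking at a
# NAT-internal IP, and the security group will see a different source address.
is_public_ipv4() {
  addr=$1
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 1                                  # 10.0.0.0/8
  [ "$1" -eq 127 ] && return 1                                 # loopback
  [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1             # link-local
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1  # 172.16/12
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1             # 192.168/16
  return 0
}

# bastion_cidr ADDR: the CIDR the playbook's Lambda should have allowed.
bastion_cidr() { printf '%s/32\n' "$1"; }

# ip_changed ADDR STATE_FILE: succeeds when ADDR differs from the address
# recorded at the last firewall update, or when nothing has been recorded yet.
ip_changed() {
  [ -f "$2" ] || return 0
  [ "$(cat "$2")" != "$1" ]
}

# record_ip ADDR STATE_FILE: remember ADDR after a successful playbook run.
record_ip() { printf '%s\n' "$1" > "$2"; }

# key_perms_ok KEYFILE: succeeds only if group and other have no permissions
# (0600 or 0400). ssh otherwise refuses the key ("UNPROTECTED PRIVATE KEY FILE!").
# Parses the ls mode string so it works with both GNU and BSD userland.
key_perms_ok() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Usage: sh preflight.sh <public-ip> <key-file> [state-file]
if [ $# -ge 2 ]; then
  ip=$1; key=$2; state=${3:-"$HOME/.bastion-last-ip"}
  is_public_ipv4 "$ip" || { echo "refusing: $ip is not a public IPv4 address" >&2; exit 1; }
  key_perms_ok "$key" || { echo "fix first: chmod 600 $key" >&2; exit 1; }
  if ip_changed "$ip" "$state"; then
    echo "public IP is now $(bastion_cidr "$ip"); opening the firewall" >&2
    ansible-playbook ansible/playbooks/open-firewall-to-bastion.yaml && record_ip "$ip" "$state"
  else
    echo "security group already allows $(bastion_cidr "$ip")" >&2
  fi
fi
```

Run it as `sh preflight.sh "$(curl -s https://checkip.amazonaws.com)" ~/.ssh/<your-priv-key>.pem` before each SSH session. The private-address check matters because the Lambda adds a rule for whatever address it is handed: a 10.x or 192.168.x address read off your local interface would produce a rule that never matches your real source IP.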