Access / SSH onto your Bastion Machine

a) Get SSH Private Key

The SSH private key for your Bastion can be obtained by running the commands below from your terminal, from the root of this repository.

Configure AWS credentials by running:

aws configure
Contact your infrastructure administrator if you are unsure what the AWS values are.

From the root of the repository, run the following playbook:

ansible-playbook ansible/playbooks/1.seed-prep.yaml
Sample output
$ ansible-playbook ansible/playbooks/1.seed-prep.yaml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

PLAY [Prepare ansible controller (localhost)] **********************************

TASK [Install community.general ansible-galaxy collection] *********************
changed: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Run the following playbook:

ansible-playbook ansible/playbooks/2.prepare-to-jump.yaml
Sample output
$ ansible-playbook ansible/playbooks/2.prepare-to-jump.yaml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Prepare ansible controller (localhost)] ***********************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************
ok: [localhost]

TASK [Install community.general ansible-galaxy collection] **********************************************************************************************************************************************************************
changed: [localhost]
...
...
...
TASK [Invoke modify security group lambda function] *****************************************************************************************************************************************************************************
changed: [localhost]

TASK [Print lambda response] ****************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "lambda_response.result": {
        "logs": "START RequestId: b55a654a-2993-4bd0-9b27-2f18c361da77 Version: $LATEST\nEvent: %s {'action': 'create', 'cidr': '103.156.49.37/32', 'port': '22', 'sg_id_ssm_param_name': '/dev/bastions/sg-id'}\nEND RequestId: b55a654a-2993-4bd0-9b27-2f18c361da77\nREPORT RequestId: b55a654a-2993-4bd0-9b27-2f18c361da77\tDuration: 707.32 ms\tBilled Duration: 1338 ms\tMemory Size: 128 MB\tMax Memory Used: 83 MB\tInit Duration: 630.59 ms\t\n",
        "output": {
            "api_response": {
                "ResponseMetadata": {
                    "HTTPHeaders": {
                        "cache-control": "no-cache, no-store",
                        "content-length": "1095",
                        "content-type": "text/xml;charset=UTF-8",
                        "date": "Tue, 20 Dec 2022 14:59:33 GMT",
                        "server": "AmazonEC2",
                        "strict-transport-security": "max-age=31536000; includeSubDomains",
                        "x-amzn-requestid": "547f12e3-46ed-4be1-b1d6-8cf063236859"
                    },
                    "HTTPStatusCode": 200,
                    "RequestId": "547f12e3-46ed-4be1-b1d6-8cf063236859",
                    "RetryAttempts": 0
                },
                "Return": true,
                "SecurityGroupRules": [
                    {
                        "CidrIpv4": "103.156.49.37/32",
                        "FromPort": 2233,
                        "GroupId": "sg-1536c48e023e95d5d",
                        "GroupOwnerId": "354316668884",
                        "IpProtocol": "tcp",
                        "IsEgress": false,
                        "SecurityGroupRuleId": "sgr-90dff0b36c0b3112f",
                        "Tags": [
                            {
                                "Key": "Purpose",
                                "Value": "Allow TA DB cluster access from outside the VPC"
                            },
                            {
                                "Key": "AddedBy",
                                "Value": "modify-sg-on-demand-lambda-function"
                            }
                        ],
                        "ToPort": 22
                    }
                ]
            },
            "detail": null,
            "result": "success"
        },
        "status": 200
    }
}

PLAY RECAP ***********************************************************************************************************************************************************************
localhost                  : ok=6    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

If you see an error that reads something like "Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug." (this happens on macOS, where Ansible's forked workers trip the Objective-C fork-safety check), set the following environment variable in your shell and run the playbooks again:

export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES

The above playbook fetches the SSH private key and stores it on your local machine in the ~/.ssh directory. The file name is derived from the value of ssh_priv_key_secret_name with the slashes removed and .pem appended, so if you run ls -al ~/.ssh you should see a file such as <your-first-name>bastion.pem. Keep this file readable only by you (mode 600); ssh refuses to use a private key that other users can read. For example,

  • If your ssh_priv_key_secret_name is /bastionuser/dev/bastion, then your ssh key file would be bastionuserdevbastion.pem.

  • If your ssh_priv_key_secret_name is /bastionuser/dev/bastion2, then your ssh key file would be bastionuserdevbastion2.pem.

If your public IP changes, follow the steps in the "Open firewall into the Bastion from your host" section below.

Open firewall into the Bastion from your host

You will need to open the firewall into the Bastion security group to be able to SSH onto the Bastion from your host machine. The 2.prepare-to-jump.yaml playbook you ran above already did this for your current public IP: as the lambda output shows, the rule it adds is a /32 for that single address on TCP port 22, not a wider range. If your host's public IP changes (for example after switching networks or VPN), you need to open the firewall for the new IP.

You will need to run this playbook every time your host's public IP address changes:

ansible-playbook ansible/playbooks/open-firewall-to-bastion.yaml

b) SSH into Bastion

Run the below command to SSH into your Bastion Machine:

ssh -i ~/.ssh/<your-priv-key>.pem ubuntu@<your-fqdn>

For example,

ssh -i ~/.ssh/bastionuserdevbastion.pem ubuntu@<your-bastion-fqdn>

If you cannot SSH into your Bastion, first confirm that the key file exists in ~/.ssh with mode 600 and that your public IP has not changed since you last ran the firewall playbook; if it still fails, contact your infrastructure administrator.