Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 01:18:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 84

More sandbox docs (#7272)

Browse source 
* Add "Environment Access" to Sandbox Readme

* Add spacing in sandbox readme

* Additional Documentation
This commit is contained in:
Robert Fairburn 2022-08-17 14:26:55 -05:00 committed by GitHub
parent 953fc895ff
commit 402585476e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 60 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
infrastructure/sandbox/readme.md
View file

@ -16,6 +16,56 @@ unclaimed means its ready for a customer. claimed means its already in use by a
1. If errors happen, see if applying again will fix it
1. There is a secret for apple signing whos values are not provided by this code. If you destroy/apply this secret, then it will have to be filled in manually.
### Environment Access
#### AWS SSO Console
1. You will need to be in the group "AWS Sandbox Prod Admins" in the Fleet Google Workspace
1. From Google Apps, select "AWS SSO"
1. Under "AWS Account" select "Fleet Cloud Sandbox Prod"
1. Choose "Management console" under "SandboxProdAdmins"
#### AWS CLI Access
1. Add the following to your `~/.aws/config`:
```
[profile sandbox_prod]
region = us-east-2
sso_start_url = https://d-9a671703a6.awsapps.com/start
sso_region = us-east-2
sso_account_id = 411315989055
sso_role_name = SandboxProdAdmins
```
1. Login to sso on the cli via `aws sso login --profile=sandbox_prod`
1. To automatically use this profile, `export AWS_PROFILE=sandbox_prod`
1. For more help with AWS SSO Configuration see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
#### VPN Access
You will need to be in the proper group in the Fleet Google Workspace to access this environment. Access to this environment will "just work" once added.
#### Database Access
If you need to access the MySQL database backing Fleet Cloud Sandbox, do the following:
1. Obtain database hostname
```bash
aws rds describe-db-clusters --filter Name=db-cluster-id,Values=sandbox-prod --query "DBClusters[0].Endpoint" --output=text
```
1. Obtain database master username
```bash
aws rds describe-db-clusters --filter Name=db-cluster-id,Values=sandbox-prod --query "DBClusters[0].MasterUsername" --output=text
```
1. Obtain database master password secret name (terraform adds a secret pet name, so we can obtain it from state data)
```bash
terraform show -json | jq -r '.values.root_module.child_modules[].resources | flatten | .[] | select(.address == "module.shared-infrastructure.aws_secretsmanager_secret.database_password_secret").values.name'
```
1. Obtain database master password
```bash
aws secretsmanager get-secret-value --secret-id "$(terraform show -json | jq -r '.values.root_module.child_modules[].resources | flatten | .[] | select(.address == "module.shared-infrastructure.aws_secretsmanager_secret.database_password_secret").values.name')" --query "SecretString" --output text
```
1. TL;DR -- Put it all together to get into MySQL. Just copy-paste the part below if you just want the credentials without understanding where they come from.
```bash
DBPASSWORD="$(aws secretsmanager get-secret-value --secret-id "$(terraform show -json | jq -r '.values.root_module.child_modules[].resources | flatten | .[] | select(.address == "module.shared-infrastructure.aws_secretsmanager_secret.database_password_secret").values.name')" --query "SecretString" --output text)"
aws rds describe-db-clusters --filter Name=db-cluster-id,Values=sandbox-prod --query "DBClusters[0].[Endpoint,MasterUsername]" --output=text | read DBHOST DBUSER
mysql -h"${DBHOST}" -u"${DBUSER}" -p"${DBPASSWORD}"
```
### Maintenance commands
#### Referesh fleet instances
```bash
@ -40,7 +90,16 @@ Make sure you set the workgroup to sandbox-prod-logs otherwise you won't be able
You can also see errors via the target groups here: https://us-east-2.console.aws.amazon.com/ec2/v2/home?region=us-east-2#TargetGroups:
#### Fleet Logs
Fleet logs can be accessed via kubectl. Setup kubectl by following thexe instructions: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html#create-kubeconfig-automatically
Fleet logs can be accessed via kubectl. Setup kubectl by following these instructions: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html#create-kubeconfig-automatically
Examples:
```bash
# Obtain kubeconfig
aws eks update-kubeconfig --region us-east-2 --name sandbox-prod
# List pods (We currently use the default namespace)
kubectl get pods # Search in there which one it is. There will be 2 instances + a migrations one
# Obtain Logs. You can also use `--previous` to obtain logs from a previous pod crash if desired.
kubectl logs <id for the pod here>
```
We do not use eksctl since we use terraform managed resources.
#### Database debugging