diff --git a/infrastructure/sandbox/readme.md b/infrastructure/sandbox/readme.md index 3192ffaa28..f2ca2a9b8b 100644 --- a/infrastructure/sandbox/readme.md +++ b/infrastructure/sandbox/readme.md 
@@ -16,6 +16,56 @@ unclaimed means its ready for a customer. claimed means its already in use by a 1. If errors happen, see if applying again will fix it 1. There is a secret for apple signing whos values are not provided by this code. If you destroy/apply this secret, then it will have to be filled in manually. +### Environment Access +#### AWS SSO Console +1. You will need to be in the group "AWS Sandbox Prod Admins" in the Fleet Google Workspace +1. From Google Apps, select "AWS SSO" +1. Under "AWS Account" select "Fleet Cloud Sandbox Prod" +1. Choose "Management console" under "SandboxProdAdmins" + +#### AWS CLI Access +1. Add the following to your `~/.aws/config`: + ``` + [profile sandbox_prod] + region = us-east-2 + sso_start_url = https://d-9a671703a6.awsapps.com/start + sso_region = us-east-2 + sso_account_id = 411315989055 + sso_role_name = SandboxProdAdmins + ``` +1. Login to sso on the cli via `aws sso login --profile=sandbox_prod` +1. To automatically use this profile, `export AWS_PROFILE=sandbox_prod` +1. For more help with AWS SSO Configuration see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html + +#### VPN Access +You will need to be in the proper group in the Fleet Google Workspace to access this environment. Access to this environment will "just work" once added. + +#### Database Access +If you need to access the MySQL database backing Fleet Cloud Sandbox, do the following: + +1. Obtain database hostname + ```bash + aws rds describe-db-clusters --filter Name=db-cluster-id,Values=sandbox-prod --query "DBClusters[0].Endpoint" --output=text + ``` +1. Obtain database master username + ```bash + aws rds describe-db-clusters --filter Name=db-cluster-id,Values=sandbox-prod --query "DBClusters[0].MasterUsername" --output=text + ``` +1. 
Obtain database master password secret name (terraform adds a secret pet name, so we can obtain it from state data) + ```bash + terraform show -json | jq -r '.values.root_module.child_modules[].resources | flatten | .[] | select(.address == "module.shared-infrastructure.aws_secretsmanager_secret.database_password_secret").values.name' + ``` +1. Obtain database master password + ```bash + aws secretsmanager get-secret-value --secret-id "$(terraform show -json | jq -r '.values.root_module.child_modules[].resources | flatten | .[] | select(.address == "module.shared-infrastructure.aws_secretsmanager_secret.database_password_secret").values.name')" --query "SecretString" --output text + ``` +1. TL;DR -- Put it all together to get into MySQL. Just copy-paste the part below if you just want the credentials without understanding where they come from. + ```bash + DBPASSWORD="$(aws secretsmanager get-secret-value --secret-id "$(terraform show -json | jq -r '.values.root_module.child_modules[].resources | flatten | .[] | select(.address == "module.shared-infrastructure.aws_secretsmanager_secret.database_password_secret").values.name')" --query "SecretString" --output text)" + aws rds describe-db-clusters --filter Name=db-cluster-id,Values=sandbox-prod --query "DBClusters[0].[Endpoint,MasterUsername]" --output=text | read DBHOST DBUSER + mysql -h"${DBHOST}" -u"${DBUSER}" -p"${DBPASSWORD}" + ``` + ### Maintenance commands #### Referesh fleet instances ```bash 
@@ -40,7 +90,16 @@ Make sure you set the workgroup to sandbox-prod-logs otherwise you won't be able You can also see errors via the target groups here: https://us-east-2.console.aws.amazon.com/ec2/v2/home?region=us-east-2#TargetGroups: #### Fleet Logs -Fleet logs can be accessed via kubectl. Setup kubectl by following thexe instructions: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html#create-kubeconfig-automatically +Fleet logs can be accessed via kubectl. Setup kubectl by following these instructions: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html#create-kubeconfig-automatically +Examples: +```bash +# Obtain kubeconfig +aws eks update-kubeconfig --region us-east-2 --name sandbox-prod +# List pods (We currently use the default namespace) +kubectl get pods # Search in there which one it is. There will be 2 instances + a migrations one +# Obtain Logs. You can also use `--previous` to obtain logs from a previous pod crash if desired. +kubectl logs +``` We do not use eksctl since we use terraform managed resources. #### Database debugging
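Review bot: In the first hunk's "TL;DR" block, `aws rds describe-db-clusters ... | read DBHOST DBUSER` does not work in bash: the last stage of a pipeline runs in a subshell, so `DBHOST` and `DBUSER` are unset when the following `mysql -h"${DBHOST}" -u"${DBUSER}" ...` line runs (zsh behaves differently, but the fence is labelled `bash`). Suggest `read -r DBHOST DBUSER <<< "$(aws rds describe-db-clusters --filter Name=db-cluster-id,Values=sandbox-prod --query "DBClusters[0].[Endpoint,MasterUsername]" --output=text)"` instead. Separately, `-p"${DBPASSWORD}"` places the master password on the mysql command line, where it is visible in process listings and shell history; exporting it as `MYSQL_PWD` for that one invocation, or dropping the value and letting `mysql -p` prompt, avoids that. Minor: the surrounding context lines still carry "its" (for "it's") and "whos" (for "whose"), and the following heading reads "Referesh"; worth fixing while this file is being edited.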
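Review bot: In the second hunk the final example line is `kubectl logs` with no pod name, so copying it as written fails with a usage error. Since the comment above it already tells the reader to find the right pod in `kubectl get pods`, show the argument explicitly, e.g. `kubectl logs <pod-name>` or `kubectl logs <pod-name> --previous`. Minor: "Setup kubectl" should read "Set up kubectl" (verb form).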