From 8226ecce427aedb8affb15ed49d79876fa07403d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Mat=C3=ADas=20Kungfoo=20de=20la=20C=C3=A1mara=20Beo?= =?UTF-8?q?vide?= Date: Mon, 3 Apr 2023 10:45:38 -0300 Subject: [PATCH] ISSUE-173 added documentation on ssh-agent usage (#156) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * ISSUE-173 added documentation on ssh-agent usage * Update docs/user-guide/leverage-cli/reference/private-repos.md Co-authored-by: Angelo Fenoglio * Update docs/user-guide/leverage-cli/reference/private-repos.md Co-authored-by: Angelo Fenoglio * Update docs/user-guide/leverage-cli/reference/private-repos.md Co-authored-by: Angelo Fenoglio * Update docs/user-guide/leverage-cli/shell.md Co-authored-by: Angelo Fenoglio * ISSUE-173 Added example * ISSUE-173 Improved example * ISSUE-173 Added notes on reconfiguring terraform creds * Update docs/user-guide/leverage-cli/reference/private-repos.md Co-authored-by: Francisco Rivera * new landing page changes (#160) * new landing page * added telegraphs typefaces, texts at the same size and button at large size --------- Co-authored-by: polijt223 * ISSUE-173 added documentation on ssh-agent usage --------- Co-authored-by: Angelo Fenoglio Co-authored-by: Francisco Rivera Co-authored-by: Pablo Tulian Co-authored-by: polijt223 --- docs/first-steps/post-deployment.md | 6 +++ .../leverage-cli/reference/private-repos.md | 37 +++++++++++++++++++ docs/user-guide/leverage-cli/shell.md | 2 +- mkdocs.yml | 1 + 4 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 docs/user-guide/leverage-cli/reference/private-repos.md diff --git a/docs/first-steps/post-deployment.md b/docs/first-steps/post-deployment.md index 28226c27..0fa4954d 100644 --- a/docs/first-steps/post-deployment.md +++ b/docs/first-steps/post-deployment.md 
@@ -75,6 +75,9 @@ leverage credentials configure --type MANAGEMENT # or `SECURITY` depending on th !!! note Both of these credentials (management and security) require an MFA device to be enabled. Once either credential is configured, the next step ([Enable MFA](#enable-mfa)) becomes mandatory. If MFA is not enabled, any action on the project will be executed using the bootstrap credentials. +!!! note + If a layer was already set with BOOTSTRAP credentials, when changing the credential type Terraform has to be reconfigured: `leverage tf init -reconfigure`. + ## Enable MFA The last step is to enable Multi Factor Authentication locally. The procedure is slightly different for a `management` IAM user and `security` IAM user, so we'll walk through both of them. @@ -170,6 +173,9 @@ leverage credentials configure --fetch-mfa-device --type SECURITY [10:11:23.185] INFO Account profiles configured in: /home/user/.aws/me/config +!!! note + If a layer was already set with BOOTSTRAP credentials, when changing the credential type Terraform has to be reconfigured: `leverage tf init -reconfigure`. + ## Next steps Now you not only have a fully functional landing zone configuration deployed, but also the users to interact with it are correctly configured in both the AWS and local environment. diff --git a/docs/user-guide/leverage-cli/reference/private-repos.md b/docs/user-guide/leverage-cli/reference/private-repos.md new file mode 100644 index 00000000..95b4ebc1 --- /dev/null +++ b/docs/user-guide/leverage-cli/reference/private-repos.md 
@@ -0,0 +1,37 @@ +# Working with Terraform modules in private repos + +If it is the case that the layer is using a module from a private repository read the following. + +E.g.: + +```yaml +module "themodule" { + source = "git@gitlab.com:some-org/some-project/the-private-repo.git//modules/the-module?ref=v0.0.1" + ... +} +``` +where `gitlab.com:some-org/some-project/the-private-repo.git` is a private repo. + + +## SSH accessed repository + +To source a Terraform module from a private repository in a layer via an SSH connection these considerations have to be kept in mind. + +Leverage CLI will mount the host's SSH-Agent socket into the Leverage Toolbox container, this way your keys are accessed in a secure way. + +So, if an SSH private repo has to be reached, the keys for such repo should be loaded in the SSH-Agent. + +If the agent is automatically started and the needed keys added in the host system, it should work as it is. + +These steps should be followed otherwise: + +- start the SSH-Agent: +```shell +$ eval "$(ssh-agent -s)" +``` + +- add the keys to it +```shell +$ ssh-add ~/.ssh/ +``` +(replace `private_ssh_key_file` with the desired file, the process can request the passphrase if it was set on key creation step) diff --git a/docs/user-guide/leverage-cli/shell.md b/docs/user-guide/leverage-cli/shell.md index afe4a760..e7621b49 100644 --- a/docs/user-guide/leverage-cli/shell.md +++ b/docs/user-guide/leverage-cli/shell.md 
@@ -4,7 +4,7 @@ When launching a Terraform shell, Leverage provides the user with a completely i The whole project is mounted on a directory named after the value for `project_long` in the global configuration file, or simply named `"project"` if this value is not defined. A project named `myexample`, would be mounted in `/myexample`. -The user's `~/.ssh` directory and `.gitconfig` file are also mounted on `/root/.ssh` and `/etc/gitconfig` respectively for convenience. Also, the credentials files (`credentials` and `config`) found in the project AWS credentials directory (`~/.aws/myexample`), are mapped to the locations given by the environment variables `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE` respectively within the container. +The `.gitconfig` user's file is also mounted on `/etc/gitconfig` for convenience, while (if `ssh-agent` is running), the socket stated in `SSH_AUTH_SOCK` is mounted on `/ssh-agent`. Also, the credentials files (`credentials` and `config`) found in the project AWS credentials directory (`~/.aws/myexample`), are mapped to the locations given by the environment variables `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE` respectively within the container. ## Authentication Determining which credentials are needed to operate on a layer, and retrieving those credentials, may prove cumbersome for many complex layer definitions. In addition to that, correctly configuring them can also become a tedious an error prone process. For that reason Leverage automates this process upon launching the shell if requested by the user via the [`shell` command options](./reference/terraform.md#shell). diff --git a/mkdocs.yml b/mkdocs.yml index 07f58c60..631c0557 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -271,6 +271,7 @@ nav: - tfautomv: "user-guide/leverage-cli/reference/tfautomv.md" - run: "user-guide/leverage-cli/reference/run.md" - kubectl: "user-guide/leverage-cli/reference/kubectl.md" + - Private repos: "user-guide/leverage-cli/reference/private-repos.md" - Extending Leverage: - Overview: "user-guide/leverage-cli/extending-leverage/index.md" - build.env : "user-guide/leverage-cli/extending-leverage/build.env.md"
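Review bot: in docs/first-steps/post-deployment.md, hunk `@@ -75,6 +75,9 @@`, the added note does not say where `leverage tf init -reconfigure` is run. "If a layer was already set with BOOTSTRAP credentials" names a single layer, so a reader with several initialised layers cannot tell whether one run is enough. Suggest stating the scope explicitly, for example "run `leverage tf init -reconfigure` inside each layer that was initialised with the BOOTSTRAP credentials", and capitalising the credential types consistently with the `--type MANAGEMENT` / `SECURITY` usage just above.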
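Review bot: in docs/first-steps/post-deployment.md, hunk `@@ -170,6 +173,9 @@`, the note is a verbatim second copy of the one added at line 75, placed directly after the `INFO Account profiles configured in: ...` output and before `## Next steps`. Two identical admonitions in one page will drift when one is edited. Suggest keeping a single copy (the one before `## Next steps` is reached by both the management and security paths) or replacing the first with a short pointer to it.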
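Review bot: in docs/user-guide/leverage-cli/reference/private-repos.md, hunk `@@ -0,0 +1,37 @@`, the command `$ ssh-add ~/.ssh/` does not match the sentence under it, which tells the reader to replace `private_ssh_key_file`; that placeholder never appears in the command, and as written the argument is a directory rather than a key file. Suggest making the placeholder visible in the command and using the same spelling in the explanation. Two smaller points in the same hunk: the module example is Terraform HCL but its fence is tagged `yaml`, and "this way your keys are accessed in a secure way" should say what the property actually is (the private key files stay on the host and only the agent socket is mounted into the Leverage Toolbox container), ideally followed by a way to confirm the key is loaded, such as `ssh-add -l`.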
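Review bot: in docs/user-guide/leverage-cli/shell.md, hunk `@@ -4,7 +4,7 @@`, the rewritten sentence drops the `~/.ssh` to `/root/.ssh` mount without telling the reader that this is a behaviour change or what happens when `ssh-agent` is not running. "while (if `ssh-agent` is running), the socket stated in `SSH_AUTH_SOCK` is mounted on `/ssh-agent`" leaves open whether SSH access from the shell simply fails in that case, and whether anything that used to come from the mounted directory (host keys, per-host SSH config) is still available. Suggest one sentence covering the not-running case and a link to the new private-repos.md page for the setup steps. Also, "The `.gitconfig` user's file" should read "The user's `.gitconfig` file".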
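Review bot: in mkdocs.yml, hunk `@@ -271,6 +271,7 @@`, the new nav entry `- Private repos:` sits in a list whose visible neighbours (`tfautomv`, `run`, `kubectl`) are all lowercase command names, so it reads as if it were a `leverage` subcommand. Suggest either a label that makes clear it is a how-to page rather than a command reference, or placing it outside the per-command list.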