Final draft of documentation and scripts.

ND-510
ministryofjustice · Sep 19, 2024 · 77dc6bd · 77dc6bd
1 parent 7852b11
commit 77dc6bd
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 59 deletions.
diff --git a/documentation/rds-bastion.md b/documentation/rds-bastion.md
@@ -8,14 +8,22 @@ The routine is
 
 - Enable
 
-  - Enable the bastion via an "enable" flag set in AWS SSM Parameter Store to `true`.
-  - Deploy by running the CI pipeline.
-  - Create an SSM Session.
-  - Carry out required procedure
+  - Spin up a bastion
+    - Enable the bastion via an "enable" flag set in AWS SSM Parameter Store to `true`.
+    - Deploy by running the CI pipeline.
+
 
 - Configure
+  - Prepare Terraform locally for the environment.
+
+
+- Action
+  - Create an SSM Session.
+  - Retrieve connection details.
+  - Carry out required procedure.
+    - Get DB Dump.
+    - Query DB.
 
-  - Simple set up to enable assuming a role
 
 - Removal
   - Disallow the bastion via an "enable" flag set in AWS SSM Parameter Store to `false`.
@@ -26,13 +34,18 @@ The routine is
 ### Spin up a bastion
 
 Navigate to the ssm parameter store in the Shared Services AWS account.
-Set the boolean value for /staff-device/dns-dhcp/{environment}/enable_rds_admin_bastion in parameter store to `true`
-Run the Staff-Device-DNS-DHCP-Infrastructure pipeline to create the bastion instance.
+Set the boolean value for 
+  - Admin DB: `/staff-device/dns-dhcp/{environment}/enable_rds_admin_bastion` in [AWS SSM Parameter Store](https://eu-west-2.console.aws.amazon.com/systems-manager/parameters/?region=eu-west-2&tab=Table) to `true`
+  - DHCP Server DB: `/staff-device/dns-dhcp/{environment}/enable_rds_admin_bastion` in [AWS SSM Parameter Store](https://eu-west-2.console.aws.amazon.com/systems-manager/parameters/?region=eu-west-2&tab=Table) to `true`
+  - Run the `Staff-Device-DNS-DHCP-Infrastructure` [pipeline](https://eu-west-2.console.aws.amazon.com/codesuite/codepipeline/pipelines/Staff-Device-DNS-DHCP-Infrastructure/view?region=eu-west-2) to create the bastion instance.
+
+
+## Configure
 
-### Get environment details for the target env
+### Prepare Terraform locally for the environment.
 
 We will need to query the Terraform state for the environment we need to run the init command, which will get then necessary env vars and terraform providers and modules.
-For development we do need to add an ENV_ARGUMENT
+For the `development` environment we do not need to add an ENV_ARGUMENT
 
 ```
 make clean
@@ -48,6 +61,9 @@ make init ENV_ARGUMENT=production
 make init ENV_ARGUMENT=production
 ```
 
+
+## Action
+
 ### run the script to identify the bastion instance id
 
 ```
@@ -60,18 +76,6 @@ Then identify the running bastion host
 i-019174128cf7b4563|  t3a.small  |  None           |  running |  mojo-production-rds-admin-bastion
 ```
 
-Alternatively there is another make target that will return the bastion's instance_id if it exists.
-
-```shell
-make instanceid-bastion-rds-admin
-```
-
-or
-
-```shell
-make instanceid-bastion-rds-server
-```
-
 ### Start session on bastion
 
 Run make command with instance id
@@ -80,9 +84,13 @@ Run make command with instance id
 make aws_ssm_start_session INSTANCE_ID=i-019174128cf7b4563
 ```
 
-## Configure
+When the SSM session starts issue `sudo su -` command.
+
+### Configure
 
-First we need to enable an AWS role to transfer files to (or from) an S3 transfer bucket.
+The bastions are now configured at deployment time with the following AWS role to transfer files to (or from) an S3 transfer bucket.
+
+Should this not be the case for any reason here is how 
 
 ```
 #######################
@@ -107,35 +115,33 @@ aws sts get-caller-identity
 then access to the s3 bucket
 
 ```
-aws s3 ls s3://mojo-file-transfer/ --profile s3-role;
+aws s3 ls s3://mojo-file-transfer/ --profile s3-role
 ```
 
-## Get a DB dump
+
 
 from another terminal window in the root of the project run
 
-```shell
-make shell
-```
+## Get a DB dump
 
-the issue a terraform command to get the database details
+In order to connect to the database the following items will be needed.
 
-Admin (dhcp & dns)
+- fqdn e.g. `"fqdn": "dhcp-dns-admin-dhcp-db.dev.staff.service.justice.gov.uk",`
+- username e.g. `"username": "adminuser"`
+- password
 
-```shell
-terraform output -json terraform_outputs | jq '.admin.db'
-```
+### Retrieve connection details
 
-DHCP
+Connection strings for testing connectivity and accessing the DBs are described below, however you can obtain ready baked dynamically created versions by running:
 
 ```shell
-terraform output -json terraform_outputs | jq '.dhcp.db'
+make rds-admin
 ```
 
-Admin (NAC)\* note: NAC code used `rds` as module name.
+or
 
 ```shell
-terraform output -json terraform_outputs | jq '.admin.rds'
+make rds-server
 ```
 
 To get the password run
@@ -150,28 +156,12 @@ or
 make rds-server-password
 ```
 
-## DHCP Database Backup and Restore
-
-In order to connect to the database the following items will be needed.
-
-- fqdn e.g. `"fqdn": "dhcp-dns-admin-dhcp-db.dev.staff.service.justice.gov.uk",`
-- username e.g. `"username": "adminuser"`
-- password
-
-Connection strings for testing connectivity and accessing the DBs are described below, however you can obtain ready baked dynamically created versions by running:
-
-```shell
-make rds-admin
-```
-
-or
+A  file will be created and shown on the terminal with all the correct details retrieved from Terraform outputs for the environment. You can view that file at any time it will be named `.db_connection.{ENV}.admin|server`.
 
 ```shell
-make rds-server-password
+cat .db_connection.{ENV}.admin
 ```
 
-A file will be created and shown on the terminal with all the correct details for the environment, examples are below.
-
 ### Test connection
 
 ```shell
@@ -183,7 +173,7 @@ fqdn=dhcp-dns-admin-db.dev.staff.service.justice.gov.uk && curl -v telnet://${fq
 ```shell
 fqdn=dhcp-dns-admin-db.dev.staff.service.justice.gov.uk
 admin_db_username=adminuser
-mysql -u ${admin_db_username} -p -h ${fqdn} --ssl
+mysql -u ${admin_db_username} -p -h ${fqdn}
 
 ## enter password when prompted
 Enter password:
@@ -226,8 +216,9 @@ show tables;
 
 ### Get a DB dump
 
-Create a timestamped database dump and upload it to S3 transfer bucket (copy and paste as below, update variable values as required.)
+Create a timestamped database dump and upload it to S3 transfer bucket (copy and paste from your local `.db_connection.{env}.admin` file).
 
+Example below for illustration only.
 ```shell
 env="DEVELOPMENT"; \
 db_name="staffdevicedevelopmentdhcpadmin"; \
@@ -237,7 +228,6 @@ admin_db_username="adminuser"; \
 mysqldump \
 	-u "${admin_db_username}" \
 	-p \
-	--ssl \
 	--set-gtid-purged=OFF \
 	--triggers --routines --events \
 	-h "${fqdn}"  \

diff --git a/scripts/create_db_connection_details.sh b/scripts/create_db_connection_details.sh
@@ -66,7 +66,7 @@ curl -v telnet://${dhcp_db_fqdn}:${dhcp_db_port} --output rds.dhcp.txt
 Connect to DB with MySQL client:
 Copy command below to test RDS DB access from Servers RDS Bastion.
 -----
-mysql --user=${dhcp_db_username} --host=${dhcp_db_fqdn} --port=${dhcp_db_port} --ssl --password
+mysql --user=${dhcp_db_username} --host=${dhcp_db_fqdn} --port=${dhcp_db_port} --password
 
 
 Create DB dump and push to S3