
date        comment
2021/08/23  Reviewed. No change.
2017/12/01  Created


This page attempts to explain things about Bridge server setup that are not included in the README of the individual repos.

Bridge Server Code:

Repos:

  1. Bridge-infra
  2. BridgePF-infra & BridgePF
  3. BridgeWorkerPlatform-infra & BridgeWorkerPlatform
  4. Bridge-Exporter-infra & Bridge-Exporter

Most things regarding a repo are explained in that repo's README file.

Bridge AWS FAQ

How many AWS accounts are there?

Bridge has two AWS accounts: a dev account (4207-8677-6710) and a prod account (6492-3225-0620).  The purpose of having two accounts is to isolate our production environment.  We deploy apps to the AWS dev account when code is committed to the develop and uat branches.  When code is merged to the prod branch, it is deployed to the AWS prod account.  We deploy the same code to both accounts, so the two accounts should be identical.


How are IAM users organized?

We have eliminated the Admins group, so no user has admin privileges by default.  Instead there is an Admin Role, which trusted users are allowed to assume.  View the CF template for the list of trusted users.

What's up with multi factor authentication (MFA)?

Every account that has console access is required to set up MFA; otherwise it will not have access to view any AWS resources.  The first thing you need to do when given an AWS account is to reset your password and set up MFA.

How do I use AWS CLI with MFA?

When you use the AWS CLI you must also authenticate with MFA.  There are a few ways to go about this, but I've found that using the awsmfa tool is probably the easiest way to get the aws_session_token.  It's pretty straightforward: just install it and follow the instructions.

...

Code Block
aws --profile joe@bridgeprod --region us-east-1 s3 ls s3://org.sagebridge.bridgepf.deploy/
or 
awslogs get --profile joe@bridgeprod --aws-region us-east-1 /aws/elasticbeanstalk/bridgepf-develop/var/log/web-1.log ALL --start='1h ago'|grep -i 'ERROR'

Why don't I have access to IAM?

For security reasons, changes to IAM are restricted even for power users.  If you need to make IAM changes, you will need to be vetted and then added to the trusted user list.  Once you are a trusted user, you will need to assume the Admin Role to make changes.  Instructions to set up assume role.

...

Code Block
aws --profile bridge.prod.admin iam list-groups
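
As an added example (not taken from this page or the Bridge repos), this is one way a `bridge.prod.admin` profile can be defined in `~/.aws/config` so that the AWS CLI assumes the Admin Role and prompts for the MFA code itself. The account ID, role name and IAM user name are placeholders, and the use of `mfa_serial` assumes the role's trust policy requires MFA.

```ini
# ~/.aws/config  (constructed example; values in <...> are placeholders)

# Base profile: the long-lived access keys for your own IAM user live in
# ~/.aws/credentials under the section [joe@bridgeprod].
[profile joe@bridgeprod]
region = us-east-1

# Role profile: the CLI calls sts:AssumeRole with the base profile's keys,
# prompts for the MFA code, and caches the temporary credentials.
[profile bridge.prod.admin]
role_arn = arn:aws:iam::<ACCOUNT_ID>:role/<ADMIN_ROLE_NAME>
source_profile = joe@bridgeprod
mfa_serial = arn:aws:iam::<ACCOUNT_ID>:mfa/<IAM_USER_NAME>
region = us-east-1
# Session length for the assumed role, in seconds (3600 is the CLI default).
duration_seconds = 3600
```

`<ACCOUNT_ID>` is the 12-digit account number written without dashes.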

Which IAM account should I use to run my local Bridge tests?

We have set up a service account for testing.  It's called "bridgepf-develop-AWSIAMBridgepfLocalServiceUser-1DC352B9NX54V"; you can find the key and secret key for it in LastPass.

Which IAM account should I use with CI/CD?

We have set up a Travis service account for deployments.  It's called "bootstrap-AWSIAMTravisUser-1WXNQ7I3FLHEI"; you can find the key and secret key for it in LastPass.


...