
Bridge Server CI Setup

date        comment
2021/08/23  Reviewed. No change.
2017/12/01  Created


This page explains the parts of the Bridge server setup that are not covered in the README of the individual repos.

Bridge Server Code:

Repos:

  1. Bridge-infra
  2. BridgePF-infra & BridgePF
  3. BridgeWorkerPlatform-infra & BridgeWorkerPlatform
  4. Bridge-Exporter-infra & Bridge-Exporter

Most things regarding each repo are explained in that repo's README file.

Bridge AWS FAQ

How many AWS accounts are there?

Bridge has two AWS accounts: a dev account (4207-8677-6710) and a prod account (6492-3225-0620). The purpose of having two accounts is to isolate our production environment. We deploy apps to the AWS dev account when code is committed to the develop and uat branches. When code is merged to the prod branch it is correspondingly deployed to the AWS prod account. We deploy the same code to both accounts, so the two accounts should be identical.


How are IAM users organized?

We have eliminated the Admins group; no user has admin privileges by default. Instead there is an Admin Role which trusted users are allowed to assume. See the CloudFormation (CF) template for the list of trusted users.

What's up with multi factor authentication (MFA)?

Every account that has console access is required to set up MFA; without it the account cannot view any AWS resources. The first thing you need to do when given an AWS account is to reset your password and set up MFA.

How do I use AWS CLI with MFA?

When you use the AWS CLI you must also authenticate with MFA. There are a few ways to go about this, but I've found that the awsmfa tool is probably the easiest way to get an aws_session_token. It's pretty straightforward: just install it and follow the instructions.

Add a profile to the ~/.aws/credentials file:

[default]
region = us-east-1
[bridge.prod.joe]
aws_access_key_id = ...
aws_secret_access_key = ...

Run the following command to get an aws_session_token:

awsmfa --identity-profile bridge.prod.joe --target-profile joe@bridgeprod --token $YOUR_MFA_CODE 

This creates a new profile called joe@bridgeprod in the ~/.aws/credentials file containing the aws_session_token.

Now you can use the joe@bridgeprod profile for your aws commands:

aws --profile joe@bridgeprod --region us-east-1 s3 ls s3://org.sagebridge.bridgepf.deploy/
or 
awslogs get --profile joe@bridgeprod --aws-region us-east-1 /aws/elasticbeanstalk/bridgepf-develop/var/log/web-1.log ALL --start='1h ago'|grep -i 'ERROR'

Why don't I have access to IAM?

For security reasons, changes to IAM are restricted even for power users. If you need to make IAM changes you will need to be vetted and then added to the trusted user list. Once you are a trusted user you will need to assume the Admin Role to make changes. Instructions for setting up the assumed role follow.

Set up the ~/.aws/config file:

[default]
region = us-east-1
[profile bridge.prod.admin]
role_arn = arn:aws:iam::649232250620:role/bridge-AWSIAMAdminRole-OPL793UBV57T
mfa_serial = arn:aws:iam::649232250620:mfa/joe@sagebase.org
source_profile = bridge.prod.joe

NOTE: source_profile must match the profile name in the ~/.aws/credentials file.

Now you can assume the admin role to do IAM work:

aws --profile bridge.prod.admin iam list-groups
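The NOTE above is the usual reason an assume-role profile fails. The following script is an added example (not part of the Bridge repos) that checks a ~/.aws/config and ~/.aws/credentials pair for the mistakes described on this page: a role profile without mfa_serial, or a source_profile that does not match a credentials section. The sample file contents, account id, role name and MFA serial are constructed placeholders.

```python
import configparser

# Constructed sample contents mirroring the two files shown on this page.
# The account id, role name and MFA serial are placeholders, not real values.
SAMPLE_CONFIG = """
[default]
region = us-east-1
[profile bridge.prod.admin]
role_arn = arn:aws:iam::123456789012:role/PLACEHOLDER-AdminRole
mfa_serial = arn:aws:iam::123456789012:mfa/joe@example.org
source_profile = bridge.prod.joe
"""

SAMPLE_CREDENTIALS = """
[default]
region = us-east-1
[bridge.prod.joe]
aws_access_key_id = PLACEHOLDER_KEY_ID
aws_secret_access_key = PLACEHOLDER_SECRET
"""


def _parse(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def check_role_profiles(config_text, credentials_text):
    """Return a list of problems found in role-assuming profiles.

    For every [profile X] section in config that has role_arn, require:
      - mfa_serial is present (the admin role is only usable with MFA)
      - source_profile names a section in credentials that carries both keys
    An empty list means the configuration is consistent.
    """
    config = _parse(config_text)
    creds = _parse(credentials_text)
    problems = []
    for section in config.sections():
        if not section.startswith("profile ") or not config.has_option(section, "role_arn"):
            continue  # plain profiles (no role_arn) are not checked here
        name = section[len("profile "):]
        if not config.has_option(section, "mfa_serial"):
            problems.append(f"{name}: missing mfa_serial")
        src = config.get(section, "source_profile", fallback=None)
        if src is None:
            problems.append(f"{name}: missing source_profile")
        elif src not in creds:
            problems.append(f"{name}: source_profile '{src}' not found in credentials")
        else:
            for key in ("aws_access_key_id", "aws_secret_access_key"):
                if not creds.has_option(src, key):
                    problems.append(f"{name}: source profile '{src}' lacks {key}")
    return problems
```

Run it against the real files by reading them with open() and passing their contents; a non-empty list names the profile and the mismatch to fix.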

Which IAM account should I use to run my local Bridge tests?

We have set up a service account for testing. It's called "bridgepf-develop-AWSIAMBridgepfLocalServiceUser-1DC352B9NX54V"; you can find its access key and secret key in LastPass.

Which IAM account should I use with CI/CD?

We have set up a Travis service account for deployments. It's called "bootstrap-AWSIAMTravisUser-1WXNQ7I3FLHEI"; you can find its access key and secret key in LastPass.