
govuk-aws's Introduction

🚧 Deprecated 🚧

Please use govuk-infrastructure for anything new. Talk with #govuk-platform-engineering if you're unsure.

GOV.UK AWS

This is the Terraform code that still manages some of GOV.UK's AWS resources.

The Platform Engineering team is in the process of:

  • cleaning up disused modules
  • updating what's left and incorporating it into govuk-infrastructure

Getting started

Start by reading the getting started guide.

Architecture Decision Records

Some of the design choices in the history of this codebase are documented in docs/architecture/ for posterity.

Licence

MIT License


govuk-aws's Issues

Replace govukcli with other tooling

govukcli was introduced in 2017 to help people run 'assume-role' and 'ssh' commands against AWS machines on GOV.UK. Since that time, we've seen a divergence in the approaches people use in practice and in our docs, which is duplicated effort and confusing for new starters. The naming 'govukcli' also belies the fact that it is not an agreed or actual CLI for running all GOV.UK tools.

We would like to replace govukcli with other tooling, and this issue is a precursor to an RFC for the SSH sub-command specifically.

govukcli aws

Usage: govukcli aws [options]

Gets a temporary session for the requested context, including asking for
your MFA token if needed. By default, passes arguments to the "aws" CLI tool. Use the "invoke" command to set up the credentials then invoke another tool. Requires your AWS credentials to be set up as in the GOV.UK Developer Docs:

https://docs.publishing.service.gov.uk/manual/user-management-in-aws.html#storing-credentials-on-disk

We believe this can be replaced with gds-cli, which means we benefit from using standard GDS tooling to meet a non-GOV.UK-specific need. Our approach to making this change will be:

@issyl0 will be leading on this.

govukcli ssh

Usage: govukcli ssh [options]

By default it will expect a Puppet node class (eg backend, frontend), and will attempt to SSH to a random instance within that class. If only a single instance exists, then it will SSH to that instance (eg puppetmaster, jenkins).

Options:

set-user Set a different username to SSH with than the default shell user ($(whoami)).

node-types List the types of instances available to connect to.

node-list List the machines for a particular node. Try node-list whitehall_backend.

Phase 1

We believe this can be replaced with govuk-connect. Our approach to making this change will be to create a prototype repo that will help people understand the subsequent RFC:

  • Extract govuk-connect into a new, dedicated, prototype repo
  • Ensure the prototype repo has setup and usage instructions

@cbaines will be leading on this.

Phase 2

We know there are a variety of preferences for SSH tooling among GOV.UK developers and we're conscious we need to consult people before making further changes:

Potential PII in repository?

Hi, so I've been browsing this repository and noticed that you're currently exposing PII of some of your engineers in some files.

One example of this is 87f6435 as well as the entire history of this file (and potentially others) giving outsiders complete insight into people's full names, email addresses (sometimes personal as well as governmental) and the rough idea of when they left/joined the teams based on when SSH keys were added.

Sorry for reaching out via a github issue but I wasn't sure how else to raise this to you.

Thanks,

Veil.

Improve aws rds_instance default security posture

The Terraform module aws_db_instance provides an argument of storage_encrypted which is defaulted to off when not specified. I think it would be a good idea if the https://github.com/alphagov/govuk-aws/blob/master/terraform/modules/aws/rds_instance/main.tf module here specified this argument and defaulted it to true.

Setting the storage_encrypted argument will require a kms_key_id to be used as mentioned here: https://www.terraform.io/docs/providers/aws/r/db_instance.html

Encrypted RDS instances show an improved security posture in the event that the vendor's RDS service is compromised. Additionally, AWS don't provide an easy solution for encrypting already unencrypted RDS instances without wiping data, so by default an RDS instance should be encrypted.
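As an added illustration (not code from the govuk-aws repository), the weak default the issue describes is shown beside a hardened module input that defaults storage_encrypted to true and uses a customer-managed KMS key unless the caller supplies one; all resource, variable and identifier names are constructed for the example.

```hcl
# Added example, not code from govuk-aws. Resource and variable names are constructed.
variable "db_password" {
  type      = string
  sensitive = true
}
# Weak form: storage_encrypted is omitted, so the provider default (false) applies
# and the volume is created unencrypted; it cannot be encrypted in place later.
resource "aws_db_instance" "unencrypted_example" {
  identifier          = "example-unencrypted"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  skip_final_snapshot = true
}

# Hardened form: the module input defaults to encrypted storage and uses a
# customer-managed KMS key (with rotation enabled) unless the caller supplies one.
variable "storage_encrypted" {
  description = "Encrypt the RDS storage volume (takes effect only at creation)."
  type        = bool
  default     = true
}

variable "kms_key_id" {
  description = "ARN of an existing KMS key for storage encryption; empty creates one."
  type        = string
  default     = ""
}

resource "aws_kms_key" "rds" {
  count               = var.storage_encrypted && var.kms_key_id == "" ? 1 : 0
  description         = "RDS storage encryption key (constructed example)"
  enable_key_rotation = true
}

resource "aws_db_instance" "encrypted_example" {
  identifier          = "example-encrypted"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  skip_final_snapshot = true
  storage_encrypted   = var.storage_encrypted
  # A caller-supplied key wins; otherwise use the key created above (null when unencrypted).
  kms_key_id          = var.kms_key_id != "" ? var.kms_key_id : try(aws_kms_key.rds[0].arn, null)
}
```

Because encryption is fixed at creation time, flipping the default on an existing module instance forces a replacement, so plan output should be reviewed for a destroy/create of the database before applying.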

DNS entry update tasks missing from provisioning a new environment guide

Two extra changes need to be made when provisioning a new environment:

The production AWS account route53 hosted zones must be updated:

It's on the RFC 0015 diagram, but these tasks should be added to the steps one should take when provisioning a new environment.

There's a part on updating the NS records, but this doesn't say what actions one should take.

Some confusion in your decisions documents organisation

Hello there,

I was reading through your decision documents and I found the following mistake:
ADR 10 has a note "Amended by 13. Terraform Data Structure". The actual document is in fact ADR 15. The text and the link aren't correct.

Also, you seem to have two ADR 15 documents:

Btw, thank you for sharing publicly those documents 👍
