
Step 1 - Creating AWS organization under Blotout SSO

The first step is to create the organization under Blotout SSO in Terraform Cloud. A pipeline already exists for this; we only need to trigger it with the right variables.

  1. A terraform organization named blotout-admin is already created. This organization is responsible for all the admin tasks that fall under the Blotout infrastructure strategy.
  2. We need to set up a terraform workspace in the blotout-admin organization. For the rest of this deployment, assume the client's organization is named example.
    • Create a workspace named after the client's organization, with the environment type as the prefix: e.g. if the organization is example and the environment type is prod, the workspace is named prod-example. To know more, check how to create a workspace.
    • Choose /admin in the terraform github repository for version control, with the default branch pointing to master.
    • Configure the following variables for the workspace. To know more, check how to create variables in a workspace.
      1. organization_name - preferred name of the client
      2. organization_mail - mail ID of the client
      3. organization_region - chosen region of the client
      4. environment - env type chosen by the client
      5. iam_user - name of the user through which we will create the resources in the client account (default: blotout-k8s)
      6. role_name - name of the role with restrictive permissions that will be created in the client account and attached to the iam_user user (default: self-serve-role)
  3. A variable set named admin-varset is already created in the blotout-admin terraform organization. We need to attach the client organization example if the Apply to specific workspaces option is selected in the Workspaces section of the variable set. This variable set consists of 4 variables. To know more, check how to attach a variable set.

    • aws_access_key - (secret) Access key of our blotout parent account.
    • aws_secret_key - (secret) Secret key of our blotout parent account.
    • aws_region - AWS region (default: us-east-1)
    • public_key - public key to encrypt the iam_user credentials.

    Note: These variables are set to static values. Changing them is not recommended.

  4. Run the pipeline. If needed, check how to run a pipeline.

    • Once the pipeline finishes successfully, we get the following output variables:
      1. account_arn - arn of the new client's account
      2. account_id - account ID
      3. iam_user_details - (sensitive) credentials of the iam_user encrypted by public_key
  5. If we go to Blotout SSO we will be able to see the organization now.
  6. To obtain the credentials for the AWS organization we need to first obtain the token and the workspace ID.
    • The token is used to authenticate to Terraform Cloud. To obtain a token:
      1. Click on your profile in Terraform Cloud.
      2. Click on User settings.
      3. Click on Tokens.
      4. Click on Create an API token.
    • The workspace ID is the unique ID of the workspace. To obtain it:
      1. Go inside the blotout-admin terraform organization.
      2. Enter your workspace (here: example).
      3. Just below the name of the workspace you will find your workspace ID, starting with ws-.
  7. To obtain the access key and secret key, you must have the private key corresponding to the public key used in the public_key variable (above), along with its password, to decrypt the output. The list endpoint only gives the link to the sensitive output, so the snippet below looks up that link and then fetches the single output it points to.

    # token and workspace ID here
    export TF_TOKEN="xxx"
    export WORKSPACE_ID="xxx"

    TF_HDR_AUTH="Authorization: Bearer ${TF_TOKEN}"
    TF_HDR_TYPE="Content-Type: application/vnd.api+json"

    # find the self link of the iam_user_details output, then fetch that single output once
    # (links.self starts with "/", so strip it to avoid a double slash in the URL)
    OUTPUT_LINK=$(curl --silent --header "${TF_HDR_AUTH}" --header "${TF_HDR_TYPE}" "https://app.terraform.io/api/v2/workspaces/${WORKSPACE_ID}/current-state-version-outputs" | jq -r '.data[] | select(.attributes.name=="iam_user_details") | .links.self')
    OUTPUT_JSON=$(curl --silent --header "${TF_HDR_AUTH}" --header "${TF_HDR_TYPE}" "https://app.terraform.io/${OUTPUT_LINK#/}")

    # for access key
    export ACCESS_KEY=$(echo "${OUTPUT_JSON}" | jq --raw-output '.data.attributes.value["access-key"]')

    # for secret key (you must have the private key loaded in gpg)
    # enter the password for private key to decrypt
    export SECRET_KEY=$(echo "${OUTPUT_JSON}" | jq --raw-output '.data.attributes.value["secret-key"]' | base64 -d | gpg --decrypt)
    
  8. You now have your keys in the environment variables ACCESS_KEY and SECRET_KEY.
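The same retrieval flow as steps 6 to 8, written as an added Python example rather than the runbook's own shell snippet. It shows the two-step lookup against the Terraform Cloud state outputs (find the self link of iam_user_details in the workspace listing, then fetch that single output), base64-decodes the PGP ciphertext in secret-key, and hands it to a pluggable decrypt callable whose default shells out to gpg --decrypt. The sample JSON documents are constructed for the example and are not real API output; the ids, keys and plaintext in them are placeholders. It also assumes, as an extra safety check, that each output object carries a sensitive attribute, as Terraform Cloud state-version-output documents do.

```python
"""Added example (not Blotout's own code): fetch and decrypt iam_user_details."""
import base64
import json
import subprocess
from typing import Callable, Dict
from urllib.parse import urljoin
from urllib.request import Request, urlopen

TFC_BASE = "https://app.terraform.io"
OUTPUT_NAME = "iam_user_details"


def tfc_get(url: str, token: str) -> dict:
    """GET a Terraform Cloud JSON:API document using the bearer token."""
    req = Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/vnd.api+json",
    })
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_output_link(listing: dict, name: str = OUTPUT_NAME) -> str:
    """Return links.self of the named output from a
    /workspaces/:id/current-state-version-outputs document.
    Fails closed: missing output -> KeyError; output not marked sensitive -> ValueError,
    because credentials that are not flagged sensitive would appear in plain state listings."""
    for item in listing.get("data", []):
        attrs = item.get("attributes", {})
        if attrs.get("name") == name:
            if not attrs.get("sensitive", False):
                raise ValueError(f"output {name!r} is not marked sensitive")
            return item["links"]["self"]
    raise KeyError(f"output {name!r} not present in current state outputs")


def extract_credentials(output_doc: dict, decrypt: Callable[[bytes], str]) -> Dict[str, str]:
    """Pull access-key and secret-key from a single state-version-output document.
    secret-key is base64(PGP ciphertext); decrypt() turns the ciphertext into plaintext."""
    value = output_doc["data"]["attributes"]["value"]
    ciphertext = base64.b64decode(value["secret-key"], validate=True)
    return {"access_key": value["access-key"], "secret_key": decrypt(ciphertext)}


def gpg_decrypt(ciphertext: bytes) -> str:
    """Default decrypt: pipe the ciphertext through local gpg (private key must be in the keyring)."""
    out = subprocess.run(["gpg", "--decrypt", "--quiet"], input=ciphertext,
                         capture_output=True, check=True)
    return out.stdout.decode().strip()


def fetch_credentials(token: str, workspace_id: str,
                      decrypt: Callable[[bytes], str] = gpg_decrypt,
                      base: str = TFC_BASE) -> Dict[str, str]:
    """Live flow: listing -> self link -> single output -> decoded credentials."""
    listing = tfc_get(f"{base}/api/v2/workspaces/{workspace_id}/current-state-version-outputs", token)
    link = find_output_link(listing)
    # urljoin copes with the leading "/" in links.self without producing "//"
    return extract_credentials(tfc_get(urljoin(base, link), token), decrypt)


# Constructed sample documents (placeholder ids and values, not real API output).
SAMPLE_LISTING = {"data": [
    {"id": "wsout-ACCT", "type": "state-version-outputs",
     "attributes": {"name": "account_id", "sensitive": False, "value": "000000000000"},
     "links": {"self": "/api/v2/state-version-outputs/wsout-ACCT"}},
    {"id": "wsout-IAM", "type": "state-version-outputs",
     "attributes": {"name": OUTPUT_NAME, "sensitive": True, "value": None},
     "links": {"self": "/api/v2/state-version-outputs/wsout-IAM"}},
]}
SAMPLE_PLAINTEXT = "constructed-plaintext-secret"
SAMPLE_OUTPUT = {"data": {"id": "wsout-IAM", "type": "state-version-outputs", "attributes": {
    "name": OUTPUT_NAME, "sensitive": True,
    "value": {"access-key": "AKIAEXAMPLE0000000",
              # stand-in for the PGP message: base64 of the plaintext itself
              "secret-key": base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()},
}}}


def fake_decrypt(ciphertext: bytes) -> str:
    """Stand-in for gpg so the example runs offline."""
    return ciphertext.decode()


def demo() -> Dict[str, str]:
    """Run the offline flow over the constructed documents."""
    link = find_output_link(SAMPLE_LISTING)
    creds = extract_credentials(SAMPLE_OUTPUT, fake_decrypt)
    return {"link": urljoin(TFC_BASE, link), **creds}


if __name__ == "__main__":
    print(demo())
```

Against a real workspace you would call fetch_credentials(TF_TOKEN, WORKSPACE_ID) with the default gpg_decrypt, which prompts for the private key passphrase exactly as the shell snippet does.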

Next step

Creating the terraform organization