In the previous section, you saw how to use Monitoring, Alerting, and Logging to
diagnose issues. Sometimes, that's not enough, and you need to connect directly to your servers using:
When you launch an EC2 Instance in AWS, you can specify an EC2 Key Pair that can be used to SSH into the EC2 Instance.
This suffers from an important problem: usually more than one person needs access to the EC2 Instance, which means
you have to share this key with others. Sharing secrets of this sort is a security risk. Moreover, if someone leaves the
company, to ensure they no longer have access, you'd have to change the Key Pair, which requires redeploying all of your
servers.
The better way: ssh-grunt
To solve the "key sharing" problem, Gruntwork implemented ssh-grunt, a tool that enables each member of your
team to log in to every EC2 Instance with their own IAM user name and their own SSH key. Here's how it works:
One-Time Setup
Log in to the AWS Web Console with your IAM User account.
Go to your IAM User profile page, select the Security credentials tab, and click Upload SSH public key.
Now upload your public SSH key (e.g. ~/.ssh/id_rsa.pub). Do NOT upload your private key.
Now make sure your IAM User account is a member of either the ssh-grunt-users or ssh-grunt-sudo-users group.
By being a member of one of these IAM Groups, any EC2 Instance configured to use these IAM Groups will permit
you to login as either a non-sudo user or sudo user, depending on which IAM Group you're in.
Note that your linux username is based on your IAM User name according to the ssh-grunt guidelines. For example:
The IAM User name josh will be the linux username josh.
The IAM User name josh@gruntwork.io will be the linux username josh
The IAM User name _gruntwork.josh.padnick will be the linux username gruntwork_josh_padnick.
You've uploaded your public SSH key to your IAM User profile.
Your private key is located at /Users/josh/.ssh/id_rsa on your local machine.
Your EC2 Instance's IP address is 1.2.3.4.
Then you can SSH to the EC2 Instance as follows:
# Do this once to load your SSH Key into the SSH Agent
ssh-add /Users/josh/.ssh/id_rsa
# Every time you want to login to an EC2 Instance, use this command
ssh josh@1.2.3.4
VPN
For security reasons, just about all of your EC2 Instances run in private subnets, which means they do not have a
public IP address, and cannot be reached directly from the public Internet. This reduces the "surface area" that
attackers can reach. Of course, we still need access into the VPCs, so we expose a single entrypoint into the network:
an OpenVPN server.
The idea is that you use an OpenVPN client to connect to the OpenVPN server, which gets you "in" to the network, and
you can then connect to other resources in the account as if you were making requests from the OpenVPN server itself.
Linux: apt-get install openvpn or yum install openvpn.
Join the OpenVPN IAM group
To get access to the OpenVPN server, you must be a member of the openvpn-server-Users IAM group. You or an admin can
add your IAM user to this group in the IAM page.
Use openvpn-admin to generate a configuration file
To connect to an OpenVPN server, you need an OpenVPN configuration file, which includes a certificate that you can use
to authenticate. To generate this configuration file, do the following:
Set up your AWS credentials using any of the options supported by AWS CLI
tools. Typically, environment
variables are the easiest and most secure.
Run openvpn-admin request --aws-region us-east-1.
This will create your OpenVPN configuration file in the current folder.
Load this configuration file into your OpenVPN client.
Connect to the OpenVPN server
To connect to the OpenVPN server, simply click the "Connect" button next to your configuration file in the OpenVPN
client! After a few seconds, you should be connected.
Connect to other resources
Now that you're connected to VPN, you can connect to other resources in your AWS account. For example, if you followed
the ssh-grunt setup instructions above, you can SSH to an EC2 Instance with private IP address 1.2.3.4 as follows:
Similarly, non-production resources, such as a load balancer in the staging environment, or Jenkins in the mgmt
environment, should now be accessible to you.
Note: we run OpenVPN in "split tunnel" mode. That means that only the IP addresses we have explicitly opted into
(namely, the private IP addresses in your AWS account) will be routed over VPN. Other IP addresses, such as requests
you make from your computer to YouTube, GMail, Spotify, etc, are NOT routed over VPN. This dramatically reduces the
load on your OpenVPN server and your bandwidth usage in AWS.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".gitignore","path":".gitignore","sha":"1c27fc6013cba46cd301a7c8bf951694670153a3"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"6bddb3ff6e1b3dfaba7cf180e56bca12c245be56"},{"name":"README.md","path":"README.md","sha":"74507349a9d5cd784540410365adc61ba68000f1"},{"name":"_docs","children":[{"name":"01-architecture-overview.md","path":"_docs/01-architecture-overview.md","sha":"fa091294c3f4cfb2e7bd1d7df78907faf076996b"},{"name":"02-whats-deployed.md","path":"_docs/02-whats-deployed.md","sha":"8bf4519132e2ea43cbcf1e1d67eff3f961471af2"},{"name":"03-security-compliance-compatibility.md","path":"_docs/03-security-compliance-compatibility.md","sha":"9342617f42adb28e440cc2161f3fee56205c150e"},{"name":"04-how-code-is-organized.md","path":"_docs/04-how-code-is-organized.md","sha":"64b9396f54fb0b791d39b93919a6416ab8215f0d"},{"name":"05-dev-environment.md","path":"_docs/05-dev-environment.md","sha":"9209da466b0f9afee5e1afb36f01a2ba8149012f"},{"name":"06-ci-cd.md","path":"_docs/06-ci-cd.md","sha":"0685cbe746fa0271357db34ebd39d76397ea19c4"},{"name":"07-monitoring-alerting-logging.md","path":"_docs/07-monitoring-alerting-logging.md","sha":"619c810c6e60418b3a46fa3d903bc76dc6d48e41"},{"name":"08-ssh-vpn.md","path":"_docs/08-ssh-vpn.md","sha":"0f526549f4b0d08cf2a914def239f8ff872ec2d1","toggled":true},{"name":"09-accounts-and-auth.md","path":"_docs/09-accounts-and-auth.md","sha":"9e6d2c1f8b9a7cc7c5b3ce3386eea22daac6cc17"},{"name":"10-gruntwork-tools.md","path":"_docs/10-gruntwork-tools.md","sha":"d08b1fe7cfbb9ad91155bfff9e3a05525c39c127"},{"name":"11-deploying-a-docker-service.md","path":"_docs/11-deploying-a-docker-service.md","sha":"d2123b688287557c1c38cd415a729b3a445a45ad"},{"name":"12-migration.md","path":"_docs/12-migration.md","sha":"6e46bf752f330de978a8927858a716f04db13f60"},{"name":"13-deploying-the-reference-architecture-from-scratch.md","path":"_docs/13-deploying-the-reference-architecture-from-scratch.md","sha":"9eb702bb6da48a97b2c9eead594a3474a1ee6703"},{"name":"14-undeploying-the-reference-architecture.md","path":"_docs/14-undeploying-the-reference-architecture.md","sha":"3ed0569cdd0e3d32079ab537e1697fbcb3ee27d8"},{"name":"15-adding-new-environments-regions-and-accounts.md","path":"_docs/15-adding-new-environments-regions-and-accounts.md","sha":"6a0372a843a9245570379e1beaad452e67d234c3"},{"name":"README.md","path":"_docs/README.md","sha":"785d2b0b36b10e75c96e4eaa7414c1c71d78e222"},{"name":"_images","children":[{"name":"cw-logs-1.png","path":"_docs/_images/cw-logs-1.png","sha":"84c86f014751844fbd777b5139ed61f749b5ed32"},{"name":"cw-logs-2.png","path":"_docs/_images/cw-logs-2.png","sha":"9a0a80b20490fdc1b9014040cc0bbc87c9cf6f68"},{"name":"cw-logs-3.png","path":"_docs/_images/cw-logs-3.png","sha":"bda49dc4e947658e0ceb9ba592b4e314d9db61e9"},{"name":"cw-logs-4.png","path":"_docs/_images/cw-logs-4.png","sha":"54bcc44c4b0701620b7f20c4e6fc0a9fd8f38049"},{"name":"ecs-console-1.png","path":"_docs/_images/ecs-console-1.png","sha":"afe452278d5f107e6ec225a235c587de7cb53510"},{"name":"ecs-console-2.png","path":"_docs/_images/ecs-console-2.png","sha":"40609b98015d781b9e1de801c131fadc323337ae"},{"name":"ecs-console-3.png","path":"_docs/_images/ecs-console-3.png","sha":"87ad40d291b7e9e6f6caa0389b846392bdb93ee0"},{"name":"ref-arch-full.png","path":"_docs/_images/ref-arch-full.png","sha":"8c17eef52be06757553a1f3ee4e387e6dc820016"},{"name":"ref-arch-icon.png","path":"_docs/_images/ref-arch-icon.png","sha":"05876962e6877df911674237ca1b793d9f4f04b3"},{"name":"terraform-code-provenance.png","path":"_docs/_images/terraform-code-provenance.png","sha":"e2a9d6bfbd8b963b057d4341dd0ec93e3823d834"}]}],"toggled":true},{"name":"main","children":[{"name":"_global","children":[{"name":"README.md","path":"main/_global/README.md","sha":"d1b8a96c00211751f079fa13cac1b3417d29bf09"},{"name":"cloudtrail","children":[{"name":"README.md","path":"main/_global/cloudtrail/README.md","sha":"7bf54b13e60f80416bbe3ee5b22328ee47a2532a"},{"name":"terragrunt.hcl","path":"main/_global/cloudtrail/terragrunt.hcl","sha":"5d4953cb81dc711c1f5641e26b54b2de8dedf62e"}]},{"name":"iam-groups","children":[{"name":"README.md","path":"main/_global/iam-groups/README.md","sha":"b6797c786d3c914257fc0e0bb4680e9fc861ab38"},{"name":"terragrunt.hcl","path":"main/_global/iam-groups/terragrunt.hcl","sha":"f14f3f59fb104ffc4f9925dd8565f43d665600c7"}]},{"name":"iam-user-password-policy","children":[{"name":"README.md","path":"main/_global/iam-user-password-policy/README.md","sha":"1ddbc02253cb2fb3971fdbf1b3e09758f8eede9a"},{"name":"terragrunt.hcl","path":"main/_global/iam-user-password-policy/terragrunt.hcl","sha":"482cdc172a7e5f033acf9d808bef3e8bd3ef8f1e"}]},{"name":"machine-user","children":[{"name":"README.md","path":"main/_global/machine-user/README.md","sha":"0d676a50c24d954dab8a57794e6790eb03d03e4e"},{"name":"terragrunt.hcl","path":"main/_global/machine-user/terragrunt.hcl","sha":"50b845d531ee85c0a109c6abba695a3fe7d5b89e"}]},{"name":"region.yaml","path":"main/_global/region.yaml","sha":"18b7823ed017b97431d58da7bcb9a4e31299272a"},{"name":"route53-public","children":[{"name":"README.md","path":"main/_global/route53-public/README.md","sha":"4757db7a8adde3d4af6a86f3ea20e050ae946a08"},{"name":"terragrunt.hcl","path":"main/_global/route53-public/terragrunt.hcl","sha":"06c315b032005358d2a3e6c5774f5b99ab64e681"}]},{"name":"service-linked-roles","children":[{"name":"README.md","path":"main/_global/service-linked-roles/README.md","sha":"45c1919cc5667b8d8ae25f09b3baf3078a7b36f9"},{"name":"terragrunt.hcl","path":"main/_global/service-linked-roles/terragrunt.hcl","sha":"398538ac8d92ed0160f303b029720592f81af280"}]}]},{"name":"empty.yaml","path":"main/empty.yaml","sha":"5aa66daa40faeaef37eccb7b4b0fcc792233cd7b"},{"name":"terragrunt.hcl","path":"main/terragrunt.hcl","sha":"3f362bb353e2d6e02f59294d7f7044da3a62b565"},{"name":"us-east-1","children":[{"name":"_global","children":[{"name":"README.md","path":"main/us-east-1/_global/README.md","sha":"37b828b038945a50e2e571ef1e755c4f9170e7cf"},{"name":"ecr-repos","children":[{"name":"README.md","path":"main/us-east-1/_global/ecr-repos/README.md","sha":"e7215127ffcf141002796e83ed1b9e9647ddbe22"},{"name":"terragrunt.hcl","path":"main/us-east-1/_global/ecr-repos/terragrunt.hcl","sha":"20c8ae6bd26f8cfd8fddcb8676cc109201bc49eb"}]},{"name":"sns-topics","children":[{"name":"README.md","path":"main/us-east-1/_global/sns-topics/README.md","sha":"05eb8a853eccf6465dc558bb9c57637fb4e9ccd3"},{"name":"terragrunt.hcl","path":"main/us-east-1/_global/sns-topics/terragrunt.hcl","sha":"81c92f821daf7077881a43678c717d485fc36401"}]}]},{"name":"mgmt","children":[{"name":"README.md","path":"main/us-east-1/mgmt/README.md","sha":"8a131a11632b97fec18a5e344d5c721fce24b652"},{"name":"env.yaml","path":"main/us-east-1/mgmt/env.yaml","sha":"b514ab3187ebfb5bf467c632f27a21f5a9611bfc"},{"name":"kms-master-key","children":[{"name":"README.md","path":"main/us-east-1/mgmt/kms-master-key/README.md","sha":"2affa3417a1b76f670e407330cb9dc62d01a521e"},{"name":"terragrunt.hcl","path":"main/us-east-1/mgmt/kms-master-key/terragrunt.hcl","sha":"5e24ee41d1565d3e026354e71a5ae7a362a206ea"}]},{"name":"openvpn-server","children":[{"name":"README.md","path":"main/us-east-1/mgmt/openvpn-server/README.md","sha":"93a2465ed5c720dd30b434aa36a2d28c4e0c7fcf"},{"name":"terragrunt.hcl","path":"main/us-east-1/mgmt/openvpn-server/terragrunt.hcl","sha":"aaf206a2c80987a888872ef7812bb93984cf26d1"}]},{"name":"vpc","children":[{"name":"README.md","path":"main/us-east-1/mgmt/vpc/README.md","sha":"495e2b8828a490c03ea7e153e695239f2bb92512"},{"name":"terragrunt.hcl","path":"main/us-east-1/mgmt/vpc/terragrunt.hcl","sha":"d6fad3a7e2397ea7bc62fa77ea6e138ec27e4335"}]}]},{"name":"prod","children":[{"name":"README.md","path":"main/us-east-1/prod/README.md","sha":"f15da18661ef3624d5f63deb288bad072e93df57"},{"name":"cloudwatch-dashboard","children":[{"name":"README.md","path":"main/us-east-1/prod/cloudwatch-dashboard/README.md","sha":"766cff97af8b2bbbdb90c2262c150b4d0bc88c62"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/cloudwatch-dashboard/terragrunt.hcl","sha":"ff055251d5427c0116d0e382f38c537b09db96ee"}]},{"name":"data-stores","children":[{"name":"elasticsearch","children":[{"name":"README.md","path":"main/us-east-1/prod/data-stores/elasticsearch/README.md","sha":"de10ddf77c3ae0b341ebbd7152f8d3c086d7ba20"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/data-stores/elasticsearch/terragrunt.hcl","sha":"736a4bdbdcc1b54dcd909671a76f09988c226436"}]},{"name":"kafka","children":[{"name":"README.md","path":"main/us-east-1/prod/data-stores/kafka/README.md","sha":"3681db5950b18676e92d6f00df190ff553c06404"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/data-stores/kafka/terragrunt.hcl","sha":"89d57ee0e689e1f28141c383924b03937b46fb3b"}]},{"name":"mysql","children":[{"name":"README.md","path":"main/us-east-1/prod/data-stores/mysql/README.md","sha":"3ff802dea2beeb94b34a9d2087fa1ce332702ba0"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/data-stores/mysql/terragrunt.hcl","sha":"681f993523ec8336c4f6be26a41ab1148b127ce8"}]},{"name":"redis","children":[{"name":"README.md","path":"main/us-east-1/prod/data-stores/redis/README.md","sha":"7f5426659066280ce18fad93eb14dd573e3de1b0"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/data-stores/redis/terragrunt.hcl","sha":"e7d7171695ad1ca039db9171ac31f1fb210f51f5"}]},{"name":"zookeeper","children":[{"name":"README.md","path":"main/us-east-1/prod/data-stores/zookeeper/README.md","sha":"3aa643354b946d75610e3a8d10e616e1080717bc"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/data-stores/zookeeper/terragrunt.hcl","sha":"ed94a3d0277beb71cd9500f1d29053e2f5b99f28"}]}]},{"name":"env.yaml","path":"main/us-east-1/prod/env.yaml","sha":"90e2d18e481b6e35ddc57391f752874ffc0058cf"},{"name":"kms-master-key","children":[{"name":"README.md","path":"main/us-east-1/prod/kms-master-key/README.md","sha":"7bf1a8da34427b8314d99904b01c20937604e1e0"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/kms-master-key/terragrunt.hcl","sha":"fb4afa8978a7b719c852756ac51883c5e87f5ab8"}]},{"name":"lambda","children":[{"name":"long-running-scheduled","children":[{"name":"README.md","path":"main/us-east-1/prod/lambda/long-running-scheduled/README.md","sha":"a6a7503b1168dd015618028f30b74aeb1ba7baf3"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/lambda/long-running-scheduled/terragrunt.hcl","sha":"c05243749ec7d3bd386c0563936b0f5e0b4bbbe6"}]},{"name":"s3-image-processing","children":[{"name":"README.md","path":"main/us-east-1/prod/lambda/s3-image-processing/README.md","sha":"1b149a62078c71549d77e59b0ea995f7181a7d8b"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/lambda/s3-image-processing/terragrunt.hcl","sha":"68b62dc42154055b1eaf522fd2240992df4d7814"}]}]},{"name":"networking","children":[{"name":"alb-internal","children":[{"name":"README.md","path":"main/us-east-1/prod/networking/alb-internal/README.md","sha":"5880e9468a3bf336b613dc7132b052ea89a0f99a"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/networking/alb-internal/terragrunt.hcl","sha":"7ad684cfd8fc90140bf149e0f7fa689a2bd6ace0"}]},{"name":"alb-public","children":[{"name":"README.md","path":"main/us-east-1/prod/networking/alb-public/README.md","sha":"5880e9468a3bf336b613dc7132b052ea89a0f99a"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/networking/alb-public/terragrunt.hcl","sha":"ad8fd584b78fdd026ac76554e60653f2c23cf765"}]},{"name":"route53-private","children":[{"name":"README.md","path":"main/us-east-1/prod/networking/route53-private/README.md","sha":"9160c66a0b04a407981db7bf9ee40dad8c5d9434"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/networking/route53-private/terragrunt.hcl","sha":"df4f82c4dc568fbe251eef10adbc28f1b1ccc263"}]}]},{"name":"services","children":[{"name":"ecs-cluster","children":[{"name":"README.md","path":"main/us-east-1/prod/services/ecs-cluster/README.md","sha":"560d730485383f188833313b77599681d146bdd7"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/ecs-cluster/terragrunt.hcl","sha":"38c41c4c8583f8569c2d37e51321acf4a0af6f5f"}]},{"name":"eks-cluster","children":[{"name":"README.md","path":"main/us-east-1/prod/services/eks-cluster/README.md","sha":"84d53a02559d844d8c62ee9d11a558265b3ae5b5"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/eks-cluster/terragrunt.hcl","sha":"e80ff0c733463d17c33d8c7062121e985d1cd1e8"}]},{"name":"eks-core-services","children":[{"name":"README.md","path":"main/us-east-1/prod/services/eks-core-services/README.md","sha":"298969aaf6db9c7e972cd735cef2d43cda899e3f"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/eks-core-services/terragrunt.hcl","sha":"1e8a88f4c8330f10848fea04daa719ab92c74d53"}]},{"name":"k8s-applications-namespace","children":[{"name":"README.md","path":"main/us-east-1/prod/services/k8s-applications-namespace/README.md","sha":"5e0a3640be89e96aece9e4ac8f8b7967e4d57056"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/k8s-applications-namespace/terragrunt.hcl","sha":"120cab356ca4590c262bd3b727d60f6c8294792b"}]},{"name":"k8s-sample-app-backend-acme","children":[{"name":"README.md","path":"main/us-east-1/prod/services/k8s-sample-app-backend-acme/README.md","sha":"4737c31d75b6d6c7565fa3d391177c9d3d022a5e"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/k8s-sample-app-backend-acme/terragrunt.hcl","sha":"c4e9d2aaad8a61ebcb1148800e50858e1023d959"}]},{"name":"k8s-sample-app-frontend-acme","children":[{"name":"README.md","path":"main/us-east-1/prod/services/k8s-sample-app-frontend-acme/README.md","sha":"43161374e0c977f15e8af04913e3554894ed2a82"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/k8s-sample-app-frontend-acme/terragrunt.hcl","sha":"9ab415e18bdf994e3b78f9a6ade6cd3b0fb87e5f"}]},{"name":"sample-app-backend-acme-asg","children":[{"name":"README.md","path":"main/us-east-1/prod/services/sample-app-backend-acme-asg/README.md","sha":"90c4b69a937239b4b51e99c4404360f4aba4edde"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/sample-app-backend-acme-asg/terragrunt.hcl","sha":"940d42befd46a394d63124cfd0d5830c6cea44b2"}]},{"name":"sample-app-backend-acme","children":[{"name":"README.md","path":"main/us-east-1/prod/services/sample-app-backend-acme/README.md","sha":"db3e1635aae0577080a9e2518633d4b5830a259a"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/sample-app-backend-acme/terragrunt.hcl","sha":"c2f4509348ff2f45c10901bbd06f7e409b888e14"}]},{"name":"sample-app-beanstalk","children":[{"name":"README.md","path":"main/us-east-1/prod/services/sample-app-beanstalk/README.md","sha":"27f6c3930f0621262b5dd0400f59e1122631da65"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/sample-app-beanstalk/terragrunt.hcl","sha":"2eaf051ae2cb3f4871be2cb78d3c9edec2da212e"}]},{"name":"sample-app-frontend-acme-asg","children":[{"name":"README.md","path":"main/us-east-1/prod/services/sample-app-frontend-acme-asg/README.md","sha":"ab9db3714676828cb0b766b5a3329f37115b1729"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/sample-app-frontend-acme-asg/terragrunt.hcl","sha":"2d6811f17d17c94bdf9f06c74bf74a3424555c3b"}]},{"name":"sample-app-frontend-acme","children":[{"name":"README.md","path":"main/us-east-1/prod/services/sample-app-frontend-acme/README.md","sha":"c0bc1f93aef1ab1bcf3e22aaec14a1744da74dfb"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/sample-app-frontend-acme/terragrunt.hcl","sha":"84c663da537b9e7485f4e3eff18ffaabfc90ff4b"}]},{"name":"static-website","children":[{"name":"README.md","path":"main/us-east-1/prod/services/static-website/README.md","sha":"16d262eab6ca158ae60d84010bc4804a948673cf"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/services/static-website/terragrunt.hcl","sha":"bb0530a96785e00136cb13da4dd2aca6583ba393"}]}]},{"name":"vpc","children":[{"name":"README.md","path":"main/us-east-1/prod/vpc/README.md","sha":"eb0cfd86345b2983b4a9c9572501728493bfcde4"},{"name":"terragrunt.hcl","path":"main/us-east-1/prod/vpc/terragrunt.hcl","sha":"5a5f20f83d3935f43b48c71b88c0f44443eb11ed"}]}]},{"name":"region.yaml","path":"main/us-east-1/region.yaml","sha":"d56afa3d82e6cea0d792e84748de56dafb0bad70"},{"name":"stage","children":[{"name":"README.md","path":"main/us-east-1/stage/README.md","sha":"b24ba21bf01baf19ff84a2de457697a757d905c5"},{"name":"cloudwatch-dashboard","children":[{"name":"README.md","path":"main/us-east-1/stage/cloudwatch-dashboard/README.md","sha":"766cff97af8b2bbbdb90c2262c150b4d0bc88c62"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/cloudwatch-dashboard/terragrunt.hcl","sha":"feb471fd97d340798fd7ea565195faf4c4328f82"}]},{"name":"data-stores","children":[{"name":"elasticsearch","children":[{"name":"README.md","path":"main/us-east-1/stage/data-stores/elasticsearch/README.md","sha":"de10ddf77c3ae0b341ebbd7152f8d3c086d7ba20"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/data-stores/elasticsearch/terragrunt.hcl","sha":"b65b647edff6298b3a5a010d8ebe13f022b7c54d"}]},{"name":"kafka","children":[{"name":"README.md","path":"main/us-east-1/stage/data-stores/kafka/README.md","sha":"3681db5950b18676e92d6f00df190ff553c06404"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/data-stores/kafka/terragrunt.hcl","sha":"5ba7184e22ee433462c2d05c97ad6bb47c13786b"}]},{"name":"mysql","children":[{"name":"README.md","path":"main/us-east-1/stage/data-stores/mysql/README.md","sha":"3ff802dea2beeb94b34a9d2087fa1ce332702ba0"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/data-stores/mysql/terragrunt.hcl","sha":"d5d7ac741e73afbce47d99af1cbb16219e8af208"}]},{"name":"redis","children":[{"name":"README.md","path":"main/us-east-1/stage/data-stores/redis/README.md","sha":"7f5426659066280ce18fad93eb14dd573e3de1b0"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/data-stores/redis/terragrunt.hcl","sha":"224dc41a716053b231af5c557d7fe95a67af6d51"}]},{"name":"zookeeper","children":[{"name":"README.md","path":"main/us-east-1/stage/data-stores/zookeeper/README.md","sha":"3aa643354b946d75610e3a8d10e616e1080717bc"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/data-stores/zookeeper/terragrunt.hcl","sha":"c084625c9b909a6e5c7cc45995752645e1a9a577"}]}]},{"name":"env.yaml","path":"main/us-east-1/stage/env.yaml","sha":"5767506e27e978f52524dadbbd8fb9f8ad115599"},{"name":"kms-master-key","children":[{"name":"README.md","path":"main/us-east-1/stage/kms-master-key/README.md","sha":"0fc848e518ff6551caae5f234b89f3f2c2a3b015"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/kms-master-key/terragrunt.hcl","sha":"49762d286ee1ed5b999973a5f82688c01bdcf679"}]},{"name":"lambda","children":[{"name":"long-running-scheduled","children":[{"name":"README.md","path":"main/us-east-1/stage/lambda/long-running-scheduled/README.md","sha":"a6a7503b1168dd015618028f30b74aeb1ba7baf3"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/lambda/long-running-scheduled/terragrunt.hcl","sha":"c05243749ec7d3bd386c0563936b0f5e0b4bbbe6"}]},{"name":"s3-image-processing","children":[{"name":"README.md","path":"main/us-east-1/stage/lambda/s3-image-processing/README.md","sha":"1b149a62078c71549d77e59b0ea995f7181a7d8b"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/lambda/s3-image-processing/terragrunt.hcl","sha":"2ab4fe1b159bfe0797662dee0c24aba8b9b3e106"}]}]},{"name":"networking","children":[{"name":"alb-internal","children":[{"name":"README.md","path":"main/us-east-1/stage/networking/alb-internal/README.md","sha":"c1c8edd637ebd686cc5d7675013d750b8ca4ad52"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/networking/alb-internal/terragrunt.hcl","sha":"d90749b2f63ce2187c0fb1ee95723a57fb7e4097"}]},{"name":"alb-public","children":[{"name":"README.md","path":"main/us-east-1/stage/networking/alb-public/README.md","sha":"c1c8edd637ebd686cc5d7675013d750b8ca4ad52"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/networking/alb-public/terragrunt.hcl","sha":"fc8f137af22da522f85614dc22de19f962bdb285"}]},{"name":"route53-private","children":[{"name":"README.md","path":"main/us-east-1/stage/networking/route53-private/README.md","sha":"9160c66a0b04a407981db7bf9ee40dad8c5d9434"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/networking/route53-private/terragrunt.hcl","sha":"df4f82c4dc568fbe251eef10adbc28f1b1ccc263"}]}]},{"name":"services","children":[{"name":"ecs-cluster","children":[{"name":"README.md","path":"main/us-east-1/stage/services/ecs-cluster/README.md","sha":"94916a4be4208e4c1e1e7b7ee0d6dfa2fbfaf38c"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/ecs-cluster/terragrunt.hcl","sha":"744840965cbe10f02eb8d363ee2407201be2baf9"}]},{"name":"eks-cluster","children":[{"name":"README.md","path":"main/us-east-1/stage/services/eks-cluster/README.md","sha":"6db608bd68f9b1d4ee2741d72b2949d0dcf3e33d"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/eks-cluster/terragrunt.hcl","sha":"40da930fe85423d42896eac63f0a084847d85f53"}]},{"name":"eks-core-services","children":[{"name":"README.md","path":"main/us-east-1/stage/services/eks-core-services/README.md","sha":"0311f74f5aca78b831407ac5396907ae792d2297"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/eks-core-services/terragrunt.hcl","sha":"b8d6845c4bbca33df0a3cde51cbe1ef597095050"}]},{"name":"k8s-applications-namespace","children":[{"name":"README.md","path":"main/us-east-1/stage/services/k8s-applications-namespace/README.md","sha":"c96645baedf7aba16fc04d003608c61f9353ff4a"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/k8s-applications-namespace/terragrunt.hcl","sha":"dbd60d465e5cbb46c8a9d21620dca06f9b70dd63"}]},{"name":"k8s-sample-app-backend-acme","children":[{"name":"README.md","path":"main/us-east-1/stage/services/k8s-sample-app-backend-acme/README.md","sha":"430e8d870a1f1895093df8cb4e88e0bf2bb82bc1"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/k8s-sample-app-backend-acme/terragrunt.hcl","sha":"479f85df9855c21e4f095d6251ce4ca6d127b08c"}]},{"name":"k8s-sample-app-frontend-acme","children":[{"name":"README.md","path":"main/us-east-1/stage/services/k8s-sample-app-frontend-acme/README.md","sha":"3efad94b3379996e29355319fbe2de5c426c71dc"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/k8s-sample-app-frontend-acme/terragrunt.hcl","sha":"e0035433fce291da1ce64e77370c20790a4f063d"}]},{"name":"sample-app-backend-acme-asg","children":[{"name":"README.md","path":"main/us-east-1/stage/services/sample-app-backend-acme-asg/README.md","sha":"e2d00c960fa47118b3010550ecddf1133518d5fa"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/sample-app-backend-acme-asg/terragrunt.hcl","sha":"91940573b9a659202289c6815bd9871e50ac4d20"}]},{"name":"sample-app-backend-acme","children":[{"name":"README.md","path":"main/us-east-1/stage/services/sample-app-backend-acme/README.md","sha":"4d0bc076e9d8a51bde996c7c9f77e91bcc3e6125"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/sample-app-backend-acme/terragrunt.hcl","sha":"e240269caa4c5e60e932ebed487cf688a4c22227"}]},{"name":"sample-app-beanstalk","children":[{"name":"README.md","path":"main/us-east-1/stage/services/sample-app-beanstalk/README.md","sha":"1b3f68cb5baac277414f45585221f7048b801c26"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/sample-app-beanstalk/terragrunt.hcl","sha":"4deb3dbc95ed927e33211e473868915c1f86b5b3"}]},{"name":"sample-app-frontend-acme-asg","children":[{"name":"README.md","path":"main/us-east-1/stage/services/sample-app-frontend-acme-asg/README.md","sha":"c4df19131aafdf152f08998a2d1121ccd58c4207"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/sample-app-frontend-acme-asg/terragrunt.hcl","sha":"1d8aaccc8608aa1c2b46338c592a10f27e5b3aea"}]},{"name":"sample-app-frontend-acme","children":[{"name":"README.md","path":"main/us-east-1/stage/services/sample-app-frontend-acme/README.md","sha":"20e39909320df4775e21dd2cea70f3dabdd94c1e"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/sample-app-frontend-acme/terragrunt.hcl","sha":"2597d32b7c9d865e9f3701aa7c02a30ee4deeb01"}]},{"name":"static-website","children":[{"name":"README.md","path":"main/us-east-1/stage/services/static-website/README.md","sha":"16d262eab6ca158ae60d84010bc4804a948673cf"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/services/static-website/terragrunt.hcl","sha":"9a9cb3c9830902ef05fd497bfd21028a7fac38df"}]}]},{"name":"vpc","children":[{"name":"README.md","path":"main/us-east-1/stage/vpc/README.md","sha":"d1e3f82de82c4b8f4eaca81b3a8ec63ed040a0b5"},{"name":"terragrunt.hcl","path":"main/us-east-1/stage/vpc/terragrunt.hcl","sha":"c2429ca5412fd6f0ff00e89dc4a1541e46b07d00"}]}]}]}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"ssh-and-vpn\">SSH and VPN</h1><div class=\"preview__body--border\"></div><p>In the previous section, you saw how to use <a href=\"/repos/v0.0.1-01172020/infrastructure-live-acme/_docs/07-monitoring-alerting-logging.md\" class=\"preview__body--description--blue\">Monitoring, Alerting, and Logging</a> to\ndiagnose issues. Sometimes, that's not enough, and you need to connect directly to your servers using:</p>\n<ul>\n<li><a href=\"#ssh\" class=\"preview__body--description--blue\">SSH</a></li>\n<li><a href=\"#vpn\" class=\"preview__body--description--blue\">VPN</a></li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"ssh\">SSH</h2>\n<p>You can use SSH to connect to any of your EC2 Instances as follows:</p>\n<ul>\n<li><a href=\"#the-traditional-way-ec2-key-pairs\" class=\"preview__body--description--blue\">The traditional way: EC2 Key Pairs</a></li>\n<li><a href=\"#the-better-way-ssh-grunt\" class=\"preview__body--description--blue\">The better way: ssh-grunt</a></li>\n</ul>\n<h3 class=\"preview__body--subtitle\" id=\"the-traditional-way-ec-2-key-pairs\">The traditional way: EC2 Key Pairs</h3>\n<p>When you launch an EC2 Instance in AWS, you can specify an <a href=\"http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html\" class=\"preview__body--description--blue\" target=\"_blank\">EC2 Key Pair</a> that can be used to SSH into the EC2 Instance.\nThis suffers from an important problem: usually more than one person needs access to the EC2 Instance, which means\nyou have to share this key with others. Sharing secrets of this sort is a security risk. Moreover, if someone leaves the\ncompany, to ensure they no longer have access, you'd have to change the Key Pair, which requires redeploying all of your\nservers.</p>\n<h3 class=\"preview__body--subtitle\" id=\"the-better-way-ssh-grunt\">The better way: ssh-grunt</h3>\n<p>To solve the "key sharing" problem, Gruntwork implemented <a href=\"/repos/module-security/modules/ssh-grunt\" class=\"preview__body--description--blue\">ssh-grunt</a>, a tool that enables each member of your\nteam to log in to every EC2 Instance with their own IAM user name and their own SSH key. Here's how it works:</p>\n<h4 id=\"one-time-setup\">One-Time Setup</h4>\n<ol>\n<li>\n<p>Log in to the AWS Web Console with your IAM User account.</p>\n</li>\n<li>\n<p>Go to your IAM User profile page, select the <strong>Security credentials</strong> tab, and click <strong>Upload SSH public key</strong>.\nNow upload your <em>public</em> SSH key (e.g. <code>~/.ssh/id_rsa.pub</code>). Do NOT upload your private key.</p>\n</li>\n<li>\n<p>Now make sure your IAM User account is a member of either the <code>ssh-grunt-users</code> or <code>ssh-grunt-sudo-users</code> group.\nBy being a member of one of these IAM Groups, any EC2 Instance configured to use these IAM Groups will permit\nyou to login as either a non-<code>sudo</code> user or <code>sudo</code> user, depending on which IAM Group you're in.</p>\n</li>\n<li>\n<p>Note that your linux username is based on your IAM User name according to the <a href=\"/repos/module-security/modules/ssh-grunt#syncing-users-from-iam\" class=\"preview__body--description--blue\">ssh-grunt guidelines</a>. For example:</p>\n<ul>\n<li>The IAM User name <code>josh</code> will be the linux username <code>josh</code>.</li>\n<li>The IAM User name <code>josh@gruntwork.io</code> will be the linux username <code>josh</code></li>\n<li>The IAM User name <code>_gruntwork.josh.padnick</code> will be the linux username <code>gruntwork_josh_padnick</code>.</li>\n</ul>\n</li>\n</ol>\n<p>For more information, see the <a href=\"/repos/module-security/modules/ssh-grunt#how-it-works\" class=\"preview__body--description--blue\">ssh-grunt documentation</a></p>\n<h4 id=\"ssh-to-an-ec-2-instance\">SSH to an EC2 Instance</h4>\n<p>As an example, suppose that:</p>\n<ul>\n<li>Your IAM User name is <code>josh</code>.</li>\n<li>You've uploaded your public SSH key to your IAM User profile.</li>\n<li>Your private key is located at <code>/Users/josh/.ssh/id_rsa</code> on your local machine.</li>\n<li>Your EC2 Instance's IP address is <code>1.2.3.4</code>.</li>\n</ul>\n<p>Then you can SSH to the EC2 Instance as follows:</p>\n<pre><span class=\"hljs-comment\"># Do this once to load your SSH Key into the SSH Agent</span>\nssh-add /Users/josh/.ssh/id_rsa\n\n<span class=\"hljs-comment\"># Every time you want to login to an EC2 Instance, use this command</span>\nssh josh@<span class=\"hljs-number\">1.2</span>.<span class=\"hljs-number\">3.4</span>\n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"vpn\">VPN</h2>\n<p>For security reasons, just about all of your EC2 Instances run in private subnets, which means they do not have a\npublic IP address, and cannot be reached directly from the public Internet. This reduces the "surface area" that\nattackers can reach. Of course, we still need access into the VPCs, so we expose a single entrypoint into the network:\nan <a href=\"https://openvpn.net/\" class=\"preview__body--description--blue\" target=\"_blank\">OpenVPN server</a>.</p>\n<p>The idea is that you use an OpenVPN client to connect to the OpenVPN server, which gets you "in" to the network, and\nyou can then connect to other resources in the account as if you were making requests from the OpenVPN server itself.</p>\n<p>Here are the steps you'll need to take:</p>\n<ul>\n<li><a href=\"#vpn-one-time-setup\" class=\"preview__body--description--blue\">One-time setup</a></li>\n<li><a href=\"#connect-to-the-openvpn-server\" class=\"preview__body--description--blue\">Connect to the OpenVPN server</a></li>\n<li><a href=\"#connect-to-other-resources\" class=\"preview__body--description--blue\">Connect to other resources</a></li>\n</ul>\n<h3 class=\"preview__body--subtitle\" id=\"vpn-one-time-setup\">VPN one-time setup</h3>\n<p>The very first time you want to use OpenVPN, you need to:</p>\n<ul>\n<li><a href=\"#install-an-openvpn-client\" class=\"preview__body--description--blue\">Install an OpenVPN client</a></li>\n<li><a href=\"#join-the-openvpn-iam-group\" class=\"preview__body--description--blue\">Join the OpenVPN IAM group</a></li>\n<li><a href=\"#use-openvpn-admin-to-generate-a-configuration-file\" class=\"preview__body--description--blue\">Use openvpn-admin to generate a configuration file</a></li>\n</ul>\n<h4 id=\"install-an-open-vpn-client\">Install an OpenVPN client</h4>\n<p>There are free and paid OpenVPN clients available for most major operating systems:</p>\n<ul>\n<li><strong>OS X</strong>: <a href=\"https://tunnelblick.net/\" class=\"preview__body--description--blue\" target=\"_blank\">Tunnelblick</a> or <a href=\"https://www.sparklabs.com/viscosity/\" class=\"preview__body--description--blue\" target=\"_blank\">Viscosity</a>.</li>\n<li><strong>Windows</strong>: <a href=\"https://openvpn.net/index.php/open-source/downloads.html\" class=\"preview__body--description--blue\" target=\"_blank\">official client</a>.</li>\n<li><strong>Linux</strong>: <code>apt-get install openvpn</code> or <code>yum install openvpn</code>.</li>\n</ul>\n<h4 id=\"join-the-open-vpn-iam-group\">Join the OpenVPN IAM group</h4>\n<p>To get access to the OpenVPN server, you must be a member of the <code>openvpn-server-Users</code> IAM group. You or an admin can\nadd your IAM user to this group in the <a href=\"https://console.aws.amazon.com/iam/home?region=us-east-1#/groups/openvpn-server-Users\" class=\"preview__body--description--blue\" target=\"_blank\">IAM page</a>.</p>\n<h4 id=\"use-openvpn-admin-to-generate-a-configuration-file\">Use openvpn-admin to generate a configuration file</h4>\n<p>To connect to an OpenVPN server, you need an OpenVPN configuration file, which includes a certificate that you can use\nto authenticate. To generate this configuration file, do the following:</p>\n<ol>\n<li>\n<p>Install the latest <a href=\"#open_modal\" class=\"preview__body--description--blue\">openvpn-admin binary</a> for your OS.</p>\n</li>\n<li>\n<p>Set up your AWS credentials using any of the options supported by <a href=\"http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html\" class=\"preview__body--description--blue\" target=\"_blank\">AWS CLI\ntools</a>. Typically, environment\nvariables are the easiest and most secure.</p>\n</li>\n<li>\n<p>Run <code>openvpn-admin request --aws-region us-east-1</code>.</p>\n</li>\n<li>\n<p>This will create your OpenVPN configuration file in the current folder.</p>\n</li>\n<li>\n<p>Load this configuration file into your OpenVPN client.</p>\n</li>\n</ol>\n<h3 class=\"preview__body--subtitle\" id=\"connect-to-the-open-vpn-server\">Connect to the OpenVPN server</h3>\n<p>To connect to the OpenVPN server, simply click the "Connect" button next to your configuration file in the OpenVPN\nclient! After a few seconds, you should be connected.</p>\n<h3 class=\"preview__body--subtitle\" id=\"connect-to-other-resources\">Connect to other resources</h3>\n<p>Now that you're connected to VPN, you can connect to other resources in your AWS account. For example, if you followed\nthe ssh-grunt setup instructions above, you can SSH to an EC2 Instance with private IP address <code>1.2.3.4</code> as follows:</p>\n<pre>ssh <your_username>@<span class=\"hljs-number\">1.2</span>.<span class=\"hljs-number\">3.4</span>\n\n<span class=\"hljs-comment\"># Example:</span>\nssh josh@<span class=\"hljs-number\">1.2</span>.<span class=\"hljs-number\">3.4</span>\n</pre>\n<p>Similarly, non-production resources, such as a load balancer in the staging environment, or Jenkins in the mgmt\nenvironment, should now be accessible to you.</p>\n<p>Note: we run OpenVPN in "split tunnel" mode. That means that only the IP addresses we have explicitly opted into\n(namely, the private IP addresses in your AWS account) will be routed over VPN. Other IP addresses, such as requests\nyou make from your computer to YouTube, GMail, Spotify, etc, are NOT routed over VPN. This dramatically reduces the\nload on your OpenVPN server and your bandwidth usage in AWS.</p>\n<h2 class=\"preview__body--subtitle\" id=\"next-steps\">Next steps</h2>\n<p>Now that you know how to connect to your servers, let's talk about <a href=\"/repos/v0.0.1-01172020/infrastructure-live-acme/_docs/09-accounts-and-auth.md\" class=\"preview__body--description--blue\">auth for your AWS account(s)</a>.</p>\n","repoName":"infrastructure-live-acme","repoRef":"v0.0.1-01172020","serviceDescriptor":{"serviceName":"Single-account Reference Architecture","serviceRepoName":"infrastructure-live-acme","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"End-to-end tech stack designed to deploy into a single AWS account. Includes VPCs, EKS, ALBs, CI / CD, monitoring, alerting, VPN, DNS, and more.","imageUrl":"grunt.png","licenseType":"subscriber","technologies":["Terraform","Go","Bash","Python"],"compliance":[],"tags":[""]},"serviceCategoryName":"Reference Architecture","fileName":"08-ssh-vpn.md","filePath":"/_docs/08-ssh-vpn.md","title":"Repo Browser: Single-account Reference Architecture","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
_docs
.gitignore
