...
- override usernames in roles/housekeeping/defaults/main.yml
- determine / document how to write and execute a one-off ansible script
- determine / document which variables to change for creating staging, as opposed to production, and how to do this.
- I would recommend logging into the console and adding EC2 tags to differentiate your staging from your production instances.
- Investigate using an Elastic IP for your production instance, so you can keep your DNS settings (oursite.chemheritage.com points to 111.22.3333.44) when you switch out the instance that’s serving as production.
- add additional SSH keys for the ubuntu user
- Note: do this with a small script while an SSH connection to the instance is still open; test the new key from a second connection before closing the existing one, so you don't get locked out.
- delete all instances (but keep backups)
- create a virtual host stanza for port 443 (HTTPS)
- generate a self-signed cert, store it in ansible-vault, and manage it via ansible
- check log rotation for Tomcat and Solr.
- set up log rotation for application logs.
- Look into the "delete on termination" setting for EBS volumes, although there may be cases where that is not what we want.
- Instance type (m3.medium) is probably a little small. Look at the other options and consider bumping up.
- create a Google Doc from Alicia's report and integrate these notes into it.
...
- issue and revoke access keys
- ansible_access policy is copied from a full access policy.
- Need to disallow some things:
  - anything that allows termination of services (destroy; note: stopping is okay)
  - "describe" commands are also not great
- The user can't create users, manage policies, etc., so that's a good start.
- delete snapshot and delete volume are useful for backups management (note: Alicia says there is no cost associated with snapshots)
- These can also be made more granular, e.g. under 'Resource': by default that is the entire account, but it can be broken down into individual machines or groups
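Added example, not the actual ansible_access policy from these notes: an IAM policy sketch in the direction the points above describe. It allows start/stop/reboot only on instances carrying an Environment tag (the EC2 tags recommended above; the tag key and values are assumed), allows the snapshot and volume deletions used for backup management, scopes those to one region and account, and explicitly denies termination. The region and account id are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InstanceLifecycleButNotTerminate",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": ["staging", "production"]
        }
      }
    },
    {
      "Sid": "BackupManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1::snapshot/*",
        "arn:aws:ec2:us-east-1:111122223333:volume/*"
      ]
    },
    {
      "Sid": "NeverTerminate",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    }
  ]
}
```

Describe* actions are left out to match the note above; before removing them from the real policy, check which Describe calls the ansible EC2 modules and dynamic inventory actually make, since those actions cannot be narrowed by Resource and must be allowed on "*" or not at all.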
...