- Ansible playbook to deploy this server.
- Terraform configuration to create AWS resources.
- Instance metrics (only available to infra team members).
Logging into servers through the bastion
To improve the security of our infrastructure it's not possible to connect directly to a production server with SSH. Instead, all connections must come from a small server called the "bastion", which only allows connections from a few whitelisted networks and logs any connection attempt.
To log into a server through the bastion you can use SSH's
ssh -J bastion.infra.rust-lang.org servername.infra.rust-lang.org
It's also possible to configure SSH to always jump through the bastion when
connecting to a host. Add this snippet to your SSH configuration file (usually
Host servername.infra.rust-lang.org ProxyJump bastion.infra.rust-lang.org
Please remember the bastion server only allows connections from a small list of IP addresses. Infra team members with AWS access can change the whitelist, but it's good practice to either have your own bastion server or a static IP address.
The SSH keys authorized to log into each account are stored in the simpleinfra repository. Additionally, people with sensitive 1password access can use the master key stored in the vault to log into every account, provided their connection comes from any whitelisted IP.
Common maintenance procedures
Adding a new user to the bastion server
To add a new user to the bastion you need to add its key to a file named
ansible/roles/common/files/ssh-keys, and change
the Ansible playbook adding the user to the list of unprivileged
users. Please leave a comment clarifying which servers the user will have
Updating the whitelisted IPs
Due to privacy reasons, all the static IP addresses of team members with access
to the bastion are stored on AWS SSM Parameter Store instead of public
git repositories. To add or update an IP address you can run this command
(taking care of replacing
IP_ADDRESS with the proper values):
aws ssm put-parameter --type String --name "/prod/bastion/allowed-ips/USERNAME" --value "IP_ADDRESS/32"
If you're adding an IP address instead of updating it, you'll also need to add
the username to the list in
allowed_users in the
Once you made all the needed changes you wanted you need to apply the Terraform configuration.