Starting up a new AWSible environment
-------------------------------------

* initialize CA for environment

    env="myAwsibleEnvironment"
    region="us-east-1"
    curl -fOL https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
    # verify the downloaded archive against the checksum/signature published with the release before extracting it
    mkdir "${env}_ca"
    tar -C "${env}_ca" --strip-components 1 -x -f EasyRSA-3.0.1.tgz
    pushd "${env}_ca"
    # create CA cert
    ./easyrsa init-pki
    ./easyrsa build-ca
    cn: ${env}        (value to enter at the Common Name prompt)
    # create openVPN region server cert
    ./easyrsa build-server-full ${region}.${env} nopass
    # create CRL
    ./easyrsa gen-crl
    pushd "pki"
    openvpn --genkey --secret ta.key
    popd
    popd

  The CA private key under ${env}_ca/pki and ta.key are long-lived secrets: keep them out of the repo and off the managed hosts.

* generate ansible variables for VPN

    ./generate-ansible-vpcaccess-vars.sh ${env} ${region}

* create ssh keypair as keys/management{,.pub}
* configure group_vars/all with:
  - ACCT_ID: aws acct id
  - DEFAULT_AMI: ami of amazon linux in chosen region
  - vpc variables
* install managed policies by hand

    for f in roles/aws-infrastructure/files/*-policy.json
    do
      n=$(basename "$f" .json)
      aws --region "{{ vpc_region }}" iam create-policy --policy-name "$n" --description "{{ get this from somewhere }}" --policy-document file://"$f"
    done

* ansible-playbook init_vpc.yml
* add IGW to VPC Main route table
* change pub-subnets to auto-assign external IPs
* bootstrap vpcaccess from external system

    ansible-playbook init_vpcaccess.yml
    aws --region ${region} iam create-policy --policy-name vpcaccess-policy --description vpcaccess --policy-document file://../roles/vpcaccess-infrastructure/files/vpcaccess-policy.json
    # attach policy to role
    INVENTORY_PUBLIC=1 ansible-playbook vpcaccess-d0stage

* configure group_vars/all with chosen MANAGEMENT_SUBNET
* ansible-playbook init_management.yml
* add base and management policies to management IAM role
* create persistent management data volume
* attach and format

    mkfs -t ext4 -j -m 0 -L /media/data /dev/xvdf

* add to /etc/fstab

    mkdir /media/data && chown ec2-user:ec2-user /media/data
    LABEL=/media/data /media/data ext4 defaults 0 2
    mount -a

* install AWSible repo in /data/management/
* bootstrap management server from external system

    ansible-playbook management.yml