From 94c69fcd1cc401dacc1654114b6e472d880fdfff Mon Sep 17 00:00:00 2001
From: Brandon Kurtz
Date: Thu, 2 Jun 2022 15:54:53 -0700
Subject: [PATCH 1/3] readme fixes
---
 .gitignore | 2 +-
 README.md | 25 +++++++++++++++++--------
 scripts/depot.sh | 10 ++++++++++
 terraform/example_tfvars/_backend.tf | 24 ++++++++++++++++++++++++
 4 files changed, 52 insertions(+), 9 deletions(-)
 create mode 100755 scripts/depot.sh
 create mode 100644 terraform/example_tfvars/_backend.tf
diff --git a/.gitignore b/.gitignore
index 125fa58..0e9cd12 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,7 +14,7 @@ package
 *.tfstate
 *.tfstate.backup
 *.terraform.tfstate.lock.info
-*backend.tf
+backend.tf
 # MacOS
 .DS_Store
diff --git a/README.md b/README.md
index 923342e..d520d64 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@
 > :warning: You can alternatively give the IAM credentials `AdministratorAccess` but this is not recommended.
+### Generate APNS Certificate
+
 1. Generate an APNS Certificate. Checkout https://github.com/micromdm/micromdm/blob/main/docs/user-guide/quickstart.md#configure-an-apns-certificate and https://micromdm.io/blog/certificates/ for info about this step.
 ## Getting started
@@ -15,10 +17,8 @@
 1. `brew install tfenv`
 1. Generate SCEP default CA files which outputs to a `depot` folder. This is required for the SCEP and NanoMDM containers
 ```bash
- curl https://github.com/micromdm/scep/releases/download/v2.1.0/scepserver-darwin-amd64-v2.1.0.zip -o scepserver-darwin-amd64
- ./scepserver-darwin-amd64 ca -init
+ sh scripts/depot.sh
 ```
-1. Save this `depot` folder within `docker/config/certs/depot`
 1. Install Terraform 1.1.9 `tfenv install 1.1.9`
@@ -27,11 +27,12 @@
 ```bash
 cp terraform/example_tfvars/config.auto.tfvars.json terraform/config.auto.tfvars.json
 cp terraform/example_tfvars/example-secrets.auto.tfvar.json terraform/secrets.auto.tfvars.json
+ cp terraform/example_tfvars/_backend.tf terraform/backend.tf
 ```
 1. Fill in the secrets:
 1. `public_inbound_cidr_blocks_ipv4`
- 1. `domain_name`, which should be `acme.co`. The Terraform will create a `mdm-infra` subdomain.
- 1. `public_key` <-- used for sshing to the ec2 instance which is pre-configured with access to the mysql rds instance where you need to run
+ 1. `domain_name`, which should be `acme.co` (replace with your real domain name). Later, when you do `make tf-apply` a `mdm-infra` subdomain will be created: `mdm-infra.acme.co`.
+ 1. `public_key` <-- used for sshing to the ec2 instance which is pre-configured with access to the mysql rds instance where you need to later upload the mysql schema.
 1. Activate Terraform 1.1.9 within tfenv
 ```bash
 tfenv use 1.1.9
@@ -48,14 +49,22 @@
 1. Create the TF remote state. You don't have to use S3 backend and can use whatever you want but this project recommends an S3 bucket for ease of collaboration while working on Terraform.
 ```bash
- make tf-remote-state-init AWS_ACCOUNT_ID=$ACCOUNT_ID AWS=$AWS_REGION
+ make tf-remote-state-init
 ```
+1. Copy outputted `bucket_name` to the corresponding filed in `terraform/backend.tf`.
+
+1. Copy your `mdm_push_cert.pem` into place. See [Generate APNS Certificate](#generate-apns-certificate) for more info.
+
+```shell
+cp /path/to/mdm_push_cert.pem docker/config/certs/mdm_push_cert.pem
+```
 1. Now the "first run" stuff can be launched. Among other things, this creates proper Route53 NS associations that can be used to manage all sub-domain or root domain operations for any of the required Route53 records within the module.
 ```bash
- make tf-first-run AWS_ACCOUNT_ID=$ACCOUNT_ID AWS=$AWS_REGION
+ make tf-first-run
 ```
-1. Point domain at your nameservers that were just created - this is external to AWS and will be specific to your registrar.
+1. Make note of the nameservers that were just created. Navigate to https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones# and then click on your domain name.
+1. Point domain at these nameservers that you just noted. This process is external to AWS and will be specific to your registrar.
 1. **WAIT FOR DNS PROPAGATION**. This will take a while... go grab yourself a nice dinner.
 1. Run the plan
 ```
diff --git a/scripts/depot.sh b/scripts/depot.sh
new file mode 100755
index 0000000..db2739e
--- /dev/null
+++ b/scripts/depot.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+curl -RL https://github.com/micromdm/scep/releases/download/v2.1.0/scepserver-darwin-amd64-v2.1.0.zip -o scepserver-darwin-amd64.zip
+unzip scepserver-darwin-amd64.zip -d .
+chmod +x scepserver-darwin-amd64; ./scepserver-darwin-amd64 ca -init
+mkdir -p docker/config/certs/depot
+cp -r depot/* docker/config/certs/depot
+rm scepserver-darwin-amd64.zip
+rm scepserver-darwin-amd64
+rm -rf depot
\ No newline at end of file
diff --git a/terraform/example_tfvars/_backend.tf b/terraform/example_tfvars/_backend.tf
new file mode 100644
index 0000000..bee6140
--- /dev/null
+++ b/terraform/example_tfvars/_backend.tf
@@ -0,0 +1,24 @@
+terraform {
+ required_version = ">= 1.1.9"
+ backend "s3" {
+ bucket = ""
+ key = "global/s3/production-nanomdm-terraform.tfstate"
+ region = "us-east-1"
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.12.1"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.aws_region
+ default_tags {
+ tags = {
+ App_Name = "nanomdm"
+ }
+ }
+}
From eb0e23103f9e378145a0660a03c9f4155d9961cc Mon Sep 17 00:00:00 2001
From: Brandon Kurtz
Date: Thu, 2 Jun 2022 17:22:06 -0700
Subject: [PATCH 2/3] how to check dns propagation
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index d520d64..b3274b0 100644
--- a/README.md
+++ b/README.md
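Review bot: The archive fetched by the `curl -RL` line is unpacked and executed (`chmod +x scepserver-darwin-amd64; ./scepserver-darwin-amd64 ca -init`) with no integrity check, and because the script has no `set -e`, a failed `curl` or `unzip` does not stop it, so the following `cp -r depot/*` and `rm -rf depot` still run against whatever happens to be in the working directory. The release is pinned to v2.1.0, which is good, but the zip should be checked against a published checksum before anything from it is run, and `curl` should fail on HTTP errors (`-f`) so an error body is not written to the zip and handed to `unzip`. The script also assumes it is run from the repository root (it writes to `docker/config/certs/depot`, matching the README's `sh scripts/depot.sh`), which is worth a comment at the top. `ca -init` presumably writes the CA private key into `depot/`, which is then copied under `docker/config/certs/`; whether that path is git-ignored is not visible in this patch and should be confirmed.
```shell
#!/bin/sh
# Run from the repository root; populates docker/config/certs/depot with the SCEP CA files.
set -eu

SCEP_VERSION="v2.1.0"
SCEP_ZIP="scepserver-darwin-amd64-${SCEP_VERSION}.zip"
SCEP_SHA256="<sha256-of-release-zip>"   # placeholder: copy from the upstream release page

curl -fRL "https://github.com/micromdm/scep/releases/download/${SCEP_VERSION}/${SCEP_ZIP}" -o scepserver-darwin-amd64.zip
echo "${SCEP_SHA256}  scepserver-darwin-amd64.zip" | shasum -a 256 -c -
# … unchanged: unzip, chmod/ca -init, mkdir, cp, cleanup …
```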
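Review bot: The `backend "s3"` block sets only `bucket`, `key` and `region`; it neither enables server-side encryption of the state object nor configures state locking, although the README presents this bucket as shared for collaboration and the same setup fills in `terraform/secrets.auto.tfvars.json`, whose values would presumably be recorded in that state. Add `encrypt = true` inside the backend block and, if the `make tf-remote-state-init` target creates a lock table (not visible in this patch), `dynamodb_table = "<lock-table-name>"` next to it. `bucket = ""` is an intentional placeholder that the README tells the user to fill in, so a comment such as `# set to the bucket_name output of make tf-remote-state-init` beside it would make the copied `terraform/backend.tf` self-explanatory. `var.aws_region` is referenced but not declared in this file; it presumably comes from another `.tf` under `terraform/`, which is worth confirming since the file is copied into place rather than used where it lives.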
@@ -66,6 +66,13 @@ cp /path/to/mdm_push_cert.pem docker/config/certs/mdm_push_cert.pem
 1. Make note of the nameservers that were just created. Navigate to https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones# and then click on your domain name.
 1. Point domain at these nameservers that you just noted. This process is external to AWS and will be specific to your registrar.
 1. **WAIT FOR DNS PROPAGATION**. This will take a while... go grab yourself a nice dinner.
+1. Confirm that the DNS has propagated by digging against various DNS providers like Google and CloudFlare.
+
+```shell
+dig @8.8.8.8 +short NS INSERT_YOUR_DOMAIN_HERE
+dig @1.1.1.1 +short NS INSERT_YOUR_DOMAIN_HERE
+```
+
 1. Run the plan
 ```
 make tf-plan
From f43596f461717ce00ad3edb6f58fa59f39c56184 Mon Sep 17 00:00:00 2001
From: Brandon Kurtz
Date: Thu, 2 Jun 2022 18:24:46 -0700
Subject: [PATCH 3/3] git ignore stuff
---
 .gitignore | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 0e9cd12..608ecd6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,7 +20,9 @@ backend.tf
 .DS_Store
 # vscode
-.vscode/vendor
+.vscode/*
+!.vscode/extensions.json
+!.vscode/settings.json
 # python
 __pycache__