
Merge pull request #11 from mdr-engineering/feature/ftd_MSOCI-1277_palo_alto_vpcs

Security VPCs, Palo Altos, and Supporting Structure
Frederick Damstra 5 سال پیش
والد
کامیت
0890f03808
22فایلهای تغییر یافته به همراه502 افزوده شده و 3 حذف شده
  1. 4 0
      000-skeleton/account.hcl
  2. 23 0
      common/aws-us-gov/afs-mdr-common-services-gov/001-iam/okta_saml.tf
  3. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md
  4. 40 0
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl
  5. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/README.md
  6. 33 0
      common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl
  7. 39 0
      common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/README.md
  8. 45 0
      common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/terragrunt.hcl
  9. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/README.md
  10. 42 0
      common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/terragrunt.hcl
  11. 20 0
      common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/README.md
  12. 48 0
      common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/terragrunt.hcl
  13. 31 1
      common/aws-us-gov/afs-mdr-common-services-gov/account.hcl
  14. 3 0
      common/aws/mdr-common-services/006-account-standards/README.md
  15. 40 0
      common/aws/mdr-common-services/006-account-standards/terragrunt.hcl
  16. 7 0
      common/aws/mdr-common-services/015-security-vpc/README.md
  17. 33 0
      common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl
  18. 34 1
      common/aws/mdr-common-services/account.hcl
  19. 2 1
      globals.hcl
  20. 3 0
      test/aws-us-gov/mdr-test-modelclient/006-account-standards/README.md
  21. 40 0
      test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl
  22. 8 0
      test/aws-us-gov/mdr-test-modelclient/account.hcl

+ 4 - 0
000-skeleton/account.hcl

@@ -9,4 +9,8 @@ locals {
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "TODO/TODO"
+
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "TODO" # The key with which to provision the test instance
 }

+ 23 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-iam/okta_saml.tf

@@ -0,0 +1,23 @@
+module "okta_saml" {
+  source = "../../../../modules/iam/okta_saml_roles/0.1"
+  account_alias = "afs-mdr-common-services"
+  okta_app      = "AWS - GovCloud"
+}
+
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}
+
+provider "aws" {
+  region  = "us-gov-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    701290387780
+  ]
+}
+
+provider "okta" {
+  org_name = "mdr-multipass"
+  base_url = "okta.com"
+}
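Review bot: `account_alias = "afs-mdr-common-services"` passed to the okta_saml module drops the `-gov` suffix that this account's own account.hcl sets in the same PR (`account_alias = "afs-mdr-common-services-gov"`), so whatever the module derives from the alias (role names, SAML provider label) will be named like the commercial account; confirm which spelling is intended and consider reading it from account.hcl instead of hard-coding it. The `allowed_account_ids` guard does match the `aws_account_id` in account.hcl, which is the right safety net against applying this into the wrong account, but a comment naming the account next to the bare number would make the guard self-explanatory, e.g. `701290387780 # afs-mdr-common-services-gov`.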

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

+ 40 - 0
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.3.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  #name = "vpc_primary_${local.account_vars.locals.account_name}"
+  #cidr = local.account_vars.locals.standard_vpc_cidr
+  #tags = {
+  #  Purpose = "Malware Detonation"
+  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  #}
+}
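Review bot: The module ref is `v0.3.0` here but `v0.2.0` in the two sibling copies of this file added by the same PR (common/aws/mdr-common-services/006-account-standards/terragrunt.hcl and test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl), so the three accounts will get different account_standards behaviour for what the READMEs describe as "standard in all accounts"; pin all three to one ref or comment why this one leads. `account_vars` is loaded in `locals` but never referenced, and the commented-out `inputs` examples (`Purpose = "Malware Detonation"`) are leftovers from another template; either drop them or replace them with the `tags` block the other terragrunt.hcl files in this PR use so the resources created here are identifiable by Terraform path.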

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/README.md

@@ -0,0 +1,3 @@
+# Security VPC
+
+Creates a VPC for security related infrastructure such as firewalls and interconnects.

+ 33 - 0
common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/security_vpc?ref=v0.3.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Security VPC"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
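Review bot: All five `read_terragrunt_config` locals are loaded but none is referenced in `inputs`, so the `locals` block is dead weight here and in 016-panorama, 017-palo-alto-bootstrap and 018-palo-alto-firewalls from this PR. The values the security_vpc module actually needs (presumably `security_vpc_cidr` from account.hcl and the trusted-IP list from globals.hcl) must be arriving through the root terragrunt.hcl `inputs`, so a one-line comment above `inputs` would save the next reader a hunt: `# VPC CIDR and trusted IPs are inherited via the root terragrunt.hcl inputs (account.hcl / globals.hcl)`. Terragrunt locals that are never read are harmless at runtime, but keeping them suggests they matter.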

+ 39 - 0
common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/README.md

@@ -0,0 +1,39 @@
+# 016-panorama
+
+Creates an HA pair of panarama nodes to manage the palo altos.
+
+Note: Post install configuration is required.
+
+## Post-install
+For each instance:
+```
+ssh -l admin <eip>
+configure
+set mgt-config users admin password
+<password>
+<password>
+commit
+```
+
+Then follow these steps:
+
+Step 1: Log in to the web interface of the primary Panorama server.
+Step 2: Accept the browser certificate warning.
+Step 3: On the There are no device groups dialog box, click OK.
+Step 4: On the Retrieve Panorama License dialog box, click OK.
+Step 5: On the Retrieve Panorama License dialog box, click Complete Manually.
+Step 6: On the Offline Licensing Information dialog box, click OK.
+Step 7: In Panorama > Setup > Management > General Settings, click the gear icon.
+Step 8: In the Hostname box, enter xdr-panorama-0 (or xdr-panorama-1 on the standby)
+Step 9: In the Time Zone list, choose the appropriate time zone (Example: US/Pacific).
+Step 10: In the Serial Number box, enter the serial number found in the customer support portal, and then click OK. 
+Step 11: In Panorama > Setup > Services, click the gear icon.
+Step 12: In the Primary DNS Server box, enter 169.254.169.253. This address is the DNS address for AWS.
+Step 13: In the Secondary DNS Server box, enter 8.8.8.8.
+Step 14: On the NTP tab, in the Primary NTP Server section, in the NTP Server Address box, enter 169.254.169.123
+Step 15: In the Secondary NTP Server section, in the NTP Server Address box, enter 0.pool.ntp.org, and then click OK.
+Step 16: On the Commit menu, select Commit to Panorama, and then click Commit.
+Step 17: In Panorama > Licenses, click Retrieve license keys from license server.
+Step 18: Verify in the status pane that Device Management License is active and has the correct device count.
+Step 19: If you are deploying Panorama as a HA pair, repeat this procedure on the secondary Panorama server. In Step 8, enter the name of the secondary Panorama server, Panorama-secondary. You must have a unique serial number for the secondary Panorama system.
+

+ 45 - 0
common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/panorama?ref=v0.3.0"
+}
+
+dependency "security_vpc" {
+  config_path = "../015-security-vpc"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Palo Alto Panorama"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  azs = dependency.security_vpc.outputs.azs
+  panorama_security_group_ids = [ 
+    dependency.security_vpc.outputs.security_groups["allow_trusted"],
+    dependency.security_vpc.outputs.security_groups["allow_all_intravpc"]
+  ] 
+  subnet_id_map = dependency.security_vpc.outputs.subnet_id_map
+  subnet_cidr_map = dependency.security_vpc.outputs.subnet_cidr_map
+  ebs_key = dependency.security_vpc.outputs.ebs_kms_arn
+}
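Review bot: `panorama_security_group_ids` attaches both `allow_trusted` and `allow_all_intravpc` to the Panorama management plane without saying why, which reads like an over-broad exposure unless you know the firewalls need to register to Panorama from inside the VPC; a comment on those two lines would capture the intent, e.g. `# allow_all_intravpc: firewall nodes register to Panorama over the VPC; allow_trusted: admin access from the globals.hcl trusted list`. The `dependency "security_vpc"` block has no `mock_outputs`, so a `plan` in this directory (or a run-all plan) before 015-security-vpc has been applied will presumably fail on the unresolved outputs — worth adding if that workflow is used. Lines `panorama_security_group_ids = [ ` and `] ` carry trailing whitespace.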

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/README.md

@@ -0,0 +1 @@
+# Creates the palo alto bootstrap S3 bucket

+ 42 - 0
common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/terragrunt.hcl

@@ -0,0 +1,42 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/bootstrap?ref=v0.3.0"
+}
+
+dependency "security_vpc" {
+  config_path = "../015-security-vpc"
+}
+
+dependency "panorama" {
+  config_path = "../016-panorama"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Palo Alto Firewalls"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  panorama_servers = dependency.panorama.outputs.management_private_ips
+}
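Review bot: The `Purpose = "Palo Alto Firewalls"` tag is copied from 018-palo-alto-firewalls; this module creates the bootstrap S3 bucket(s), so the tag should read `Purpose = "Palo Alto Bootstrap"` or similar, otherwise cost and inventory reports will lump the bucket in with the firewall instances. `dependency "security_vpc"` is declared but no `dependency.security_vpc.outputs.*` is used in `inputs`; either remove it or add the input it was meant to feed. Since the bootstrap bucket will hold the registration material the firewalls consume, a comment noting that its contents are sensitive and that the module's bucket policy/encryption settings are the control would help the next maintainer — hedged, as the module body is not in this PR.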

+ 20 - 0
common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/README.md

@@ -0,0 +1,20 @@
+# Palo Alto Firewalls
+
+Creates PA firewall nodes spread across the AZs and Subnets in the security VPC. Requires that panorama nodes are already created and running and that S3 buckets for bootstrapping have been created.
+
+*NOTE*
+
+A node may get a license even if it does not successfully bootstrap. If so, it needs to be released through the web interface or the the palo alto support website (support.paloalto.com) before it can be recreated!
+
+## Post Installation
+
+You still need to set an admin password on the nodes via:
+```
+ssh -l admin <managementip>
+configure
+set mgt-config users admin password
+<password>
+<password>
+commit
+```
+

+ 48 - 0
common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/terragrunt.hcl

@@ -0,0 +1,48 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/firewall_nodes?ref=v0.3.0"
+}
+
+dependency "security_vpc" {
+  config_path = "../015-security-vpc"
+}
+
+dependency "palo_alto_bootstrap" {
+  config_path = "../017-palo-alto-bootstrap"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Palo Alto Firewalls"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  azs = dependency.security_vpc.outputs.azs
+  management_security_group_ids = [ dependency.security_vpc.outputs.security_groups["allow_trusted"] ]
+  untrusted_security_group_ids = [ dependency.security_vpc.outputs.security_groups["allow_all"] ]
+  subnet_id_map = dependency.security_vpc.outputs.subnet_id_map
+  subnet_cidr_map = dependency.security_vpc.outputs.subnet_cidr_map
+  bucket_ids = dependency.palo_alto_bootstrap.outputs.bucket_ids
+  instance_profile_names = dependency.palo_alto_bootstrap.outputs.instance_profile_names
+}
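Review bot: `untrusted_security_group_ids = [ ...security_groups["allow_all"] ]` is presumably intentional — it is the firewall's untrust dataplane interface and the PA policy, not the SG, is the control — but nothing on the line says so, and an `allow_all` group assignment is exactly what a later audit will flag. Suggest `# untrust dataplane interface: SG intentionally open, traffic is filtered by the PA policy itself` on that line. The README for this directory says Panorama must already be running, but the only dependencies declared are 015-security-vpc and 017-palo-alto-bootstrap; the ordering holds transitively because bootstrap depends on 016-panorama, and a comment recording that would make the omission look deliberate.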

+ 31 - 1
common/aws-us-gov/afs-mdr-common-services-gov/account.hcl

@@ -4,7 +4,7 @@ locals {
   account_name   = "afs-mdr-common-services-gov"
   account_alias  = "afs-mdr-common-services-gov"
   aws_account_id = "701290387780"
-  instance_termination_protection = false # set to true for production!
+  instance_termination_protection = true # set to true for production!
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.1.132.0/22"
@@ -15,4 +15,34 @@ locals {
 
   # Account Specific Module Variables
   security_vpc_cidr = "10.1.128.0/22"
+
+  # Panorama / Palo Alto information
+  panorama_serial_numbers = [
+    "000702891433",
+    "000702138816"
+  ]
+  panorama_count = 2 # We need a second serial number for 2
+  panorama_instance_type = "m5.2xlarge"
+  #panorama_instance_type = "t3.xlarge"
+  panorama_key_name = "fdamstra" # DO NOT CHANGE
+  palo_alto_count = 2 # should be divisible by 2
+  palo_alto_instance_type = "m5.xlarge"
+  palo_alto_key_name = "fdamstra" # DO NOT CHANGE
+
+  # To generate auth keys, log in to the panorama cli and run:
+  #   request bootstrap vm-auth-key generate lifetime 720
+  # where 720 is the validity period in hours (720 is 30 days)
+  # (Should only need to be valid when you stand up the firewall)
+  palo_alto_auth_keys = [
+    "866071457115248", #Expires at: 2020/07/31 15:01:33
+    "165273115818468", #Expires at: 2020/07/31 15:01:34
+  ]
+  palo_alto_license_keys = [ # one per count
+    "32836999",
+    "65202677"
+  ]
+  palo_alto_feature_auth_keys = [ # one per count, not yet implemented
+    "28341453",
+    "62158825"
+  ]
 }
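Review bot: `palo_alto_auth_keys`, `palo_alto_license_keys` and `palo_alto_feature_auth_keys` put registration and licensing material into a git-tracked HCL file; the two vm-auth-keys are annotated as expiring 2020/07/31, so any firewall recreated after that date (the 018 README warns nodes may need recreating) will fail to register until someone regenerates a key and commits it again. Consider sourcing these from SSM Parameter Store or Secrets Manager inside the module and leaving a placeholder plus the generation command here, which also keeps the values out of the repository. `panorama_key_name` and `palo_alto_key_name` are pinned to one individual's key pair with `# DO NOT CHANGE`; a shared break-glass key, or a comment stating who else holds the private key, would avoid the management plane depending on one person. The second hunk of this section (`instance_termination_protection = true`) is fine; its comment `# set to true for production!` is now stale and could be dropped.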

+ 3 - 0
common/aws/mdr-common-services/006-account-standards/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

+ 40 - 0
common/aws/mdr-common-services/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  #name = "vpc_primary_${local.account_vars.locals.account_name}"
+  #cidr = local.account_vars.locals.standard_vpc_cidr
+  #tags = {
+  #  Purpose = "Malware Detonation"
+  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  #}
+}

+ 7 - 0
common/aws/mdr-common-services/015-security-vpc/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.

+ 33 - 0
common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/security_vpc?ref=v0.3.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Security VPC"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
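Review bot: This file is byte-identical to the GovCloud copy and points at `base/palo_alto/security_vpc`, but the README added alongside it in this PR describes a "Standard VPC ... from the subnet defined in `../accounts.hcl`, divided into 3 subnets"; the file is `account.hcl`, and the module is the Palo Alto security VPC, so the README should be brought in line with what this terragrunt.hcl deploys. As in the GovCloud copy, the five locals are loaded and never read; the same comment pointing at the root terragrunt.hcl inputs would apply here.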

+ 34 - 1
common/aws/mdr-common-services/account.hcl

@@ -7,5 +7,38 @@ locals {
   instance_termination_protection = true # set to true for production!
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
-  #standard_vpc_cidr = "TBD"
+  standard_vpc_cidr = "10.1.1.0/22"
+  
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "fdamstra" # The key with which to provision the test instance
+
+#  # Account Specific Module Variables
+  security_vpc_cidr = "10.1.0.0/22"
+
+# Palo Alto moved to govcloud
+#  panorama_count = 2 # We need a second serial number for 2
+#  #panorama_instance_type = "m5.2xlarge"
+#  panorama_instance_type = "t3.xlarge"
+#  panorama_key_name = "fdamstra" # DO NOT CHANGE
+#  palo_alto_count = 2 # should be divisible by 2
+#  palo_alto_instance_type = "m5.xlarge"
+#  palo_alto_key_name = "fdamstra" # DO NOT CHANGE
+#  
+#  # To generate auth keys, log in to the panorama cli and run:
+#  #   request bootstrap vm-auth-key generate lifetime 720
+#  # where 720 is the validity period in hours (720 is 30 days)
+#  # (Should only need to be valid when you stand up the firewall)
+#  palo_alto_auth_keys = [
+#    "919502713609312", # Expires at: 2020/07/30 21:32:44
+#    "655051814206833", # Expires at: 2020/07/30 21:32:45
+#  ]
+#  palo_alto_license_keys = [ # one per count
+#    "32836999",
+#    "65202677"
+#  ]
+#  palo_alto_feature_auth_keys = [ # one per count, not yet implemented
+#    "28341453",
+#    "62158825"
+#  ]
 }
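Review bot: The commented-out Palo Alto block still carries the commercial account's vm-auth-keys (`"919502713609312"`, `"655051814206833"`) and licence codes; commenting them out does not remove them from the repository, and if the intent is that Palo Alto now lives only in GovCloud the block should be deleted outright (git history preserves it) rather than kept with material that may still be valid until its expiry. The heading `#  # Account Specific Module Variables` was commented together with the block while `security_vpc_cidr` beneath it stays live, so the heading should be restored to `# Account Specific Module Variables`. The blank line after `standard_vpc_cidr` carries trailing whitespace.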

+ 2 - 1
globals.hcl

@@ -10,7 +10,7 @@ locals {
     #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
   }
 
-  portal_test_whitelist = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
+  trusted_ips = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
     "12.245.107.250/32",   # DPS Office Legato
     "12.204.167.162/32",   # DPS Office San Antonio
     "54.86.98.62/32",      # DPS AWS User VPN
@@ -25,6 +25,7 @@ locals {
     "173.71.212.4/32",     # Ryan Howard
     "99.56.213.129/32",    # Fred Damstra
   ]
+  portal_test_whitelist = local.trusted_ips # for now, an alias
 
   key_pairs = {
     # Should be your username -> key pair
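Review bot: The rename to `trusted_ips` with `portal_test_whitelist = local.trusted_ips # for now, an alias` is backward-compatible, but the alias comment should say which consumers still read the old name so it can actually be retired, e.g. `# deprecated alias for portal modules still on portal_test_whitelist; remove once migrated`. Since this list presumably now feeds the `allow_trusted` security group that the 016-panorama and 018-palo-alto-firewalls inputs attach to management interfaces, the existing "Think twice before employing" warning could be made concrete: `# Also grants management-plane access (Panorama, PA mgmt) via allow_trusted SGs`. Hedged — the security_vpc module body is not in this PR.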

+ 3 - 0
test/aws-us-gov/mdr-test-modelclient/006-account-standards/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

+ 40 - 0
test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  #name = "vpc_primary_${local.account_vars.locals.account_name}"
+  #cidr = local.account_vars.locals.standard_vpc_cidr
+  #tags = {
+  #  Purpose = "Malware Detonation"
+  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  #}
+}

+ 8 - 0
test/aws-us-gov/mdr-test-modelclient/account.hcl

@@ -4,4 +4,12 @@ locals {
   account_name   = "afs-mdr-test-modelclient-gov"
   account_alias  = "afs-mdr-test-modelclient-gov"
   aws_account_id = "701341250728"
+  instance_termination_protection = false # set to true for production!
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  standard_vpc_cidr = "TODO/TODO"
+
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "TODO" # The key with which to provision the test instance
 }