Merge pull request #29 from mdr-engineering/feature/ftd_MSOCI-1314_bring_prod_up

Brings Prod up to Standards

common/aws/mdr-cyber-range/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.2"
 }
 
 # Include all settings from the root terragrunt.hcl file

common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.2"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,4 +34,5 @@ inputs = {
   tags = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

common/aws/mdr-cyber-range/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.4.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.5.2"
 }
 
 include {

common/aws/mdr-cyber-range/account.hcl

@@ -5,8 +5,14 @@ locals {
   account_name   = "afs-mdr-prod-cyber-range"
   account_alias  = "afs-mdr-prod-cyber-range"
   aws_account_id = "952430311316"
+  instance_termination_protection = true
   
   account_tags = { } 
+  c2_account_standards_path = "../../../../prod/aws/mdr-prod-c2/005-account-standards-c2"
 
   iam_additional_trusted_arns = [ "arn:aws:iam::471284459109:role/user/mdr_developer_readonly" ]
+
+  extra_ebs_key_admins = [ ]
+  extra_ebs_key_users = [ ]
+  extra_ebs_key_attachers = [ ]
 }

common/aws/partition.hcl

@@ -38,6 +38,10 @@ locals {
     ],
     "common" = [
       "471284459109", # mdr-common-services
+      "350838957895", # MDR Service Root
+      "035764279020", # MDR Playground / "Duane Test"
+      "228011623757", # mdr-dev-ai
+      "952430311316", # mdr-cyber-range
     ],
   }
   # flatten the map into a single list

prod/aws-us-gov/mdr-prod-c2/005-account-standards-c2/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

prod/aws-us-gov/mdr-prod-c2/005-account-standards-c2/terragrunt.hcl

@@ -0,0 +1,34 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_c2?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

prod/aws-us-gov/mdr-prod-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,4 +31,7 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
 }

prod/aws-us-gov/mdr-prod-c2/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

prod/aws-us-gov/mdr-prod-c2/006-account-standards/README.md

@@ -1,3 +1,11 @@
 # Account Standards
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+

prod/aws-us-gov/mdr-prod-c2/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.1"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,10 +31,8 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
-  #name = "vpc_primary_${local.account_vars.locals.account_name}"
-  #cidr = local.account_vars.locals.standard_vpc_cidr
-  #tags = {
-  #  Purpose = "Malware Detonation"
-  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  #}
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

prod/aws-us-gov/mdr-prod-c2/008-transit-gateway-hub/terragrunt.hcl

@@ -15,7 +15,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws-us-gov/mdr-prod-c2/010-standard-vpc/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,7 +34,7 @@ inputs = {
   name = "vpc_primary_${local.account_vars.locals.account_name}"
   cidr = local.account_vars.locals.standard_vpc_cidr
   tags = {
-    Purpose = "Malware Detonation"
+    Purpose = "Standard VPC"
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
 }

prod/aws-us-gov/mdr-prod-c2/015-security-vpc/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Security VPC"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

prod/aws-us-gov/mdr-prod-c2/018-interconnect-instances/README.md

@@ -0,0 +1,49 @@
+# XDR Interconnect Instances
+
+Instances to interconnect govcloud with commercial
+
+## Testing Performance
+
+Easiest way to test performance is via iperf. One instance needs to act as a server. The security group should allow inbound port tcp/5001.
+```
+iperf -s
+```
+
+The second server will act as a client.
+```
+# test single connection performance
+iperf -c 10.20.10.8 -w 2m -t 300s -i 1 --parallel 2 --enhanced
+
+# test multithread performance
+iperf -c 10.20.10.8 -w 2m -t 300s -i 1 --parallel 10 --enhanced | grep SUM
+```
+
+Notes:
+* AWS ipsec VPNs have an aggregate throughput limit of 1.25Gbps
+* Initial testing showed that multithread performance far exceeds single thread.
+
+## Full Connectivity Update
+
+There will be a brief (30s-90s) interruption to existing connections. It may be possible to 
+
+1. Verify that nothing would be rebuilt
+```
+terragrunt plan
+```
+1. Make changes that would cause a rebuild, or taint one instance if you just want to replace it.
+```
+terragrunt taint aws_instance.interconnects[0]
+```
+1. Rebuild just one instance
+```
+terragrunt apply -target=aws_instance.interconnects[0]
+```
+1. Validate routing has come back up. 
+```
+# On interconnection node
+sudo vtysh
+sh ip bgp summary
+# The Up/Down column should have times in all 5 entries
+```
+1. Repeat for other instances.
+

prod/aws-us-gov/mdr-prod-c2/018-interconnect-instances/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/interconnects?ref=v0.5.1"
+}
+
+dependency "security_vpc" {
+  config_path = "../015-security-vpc"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Palo Alto Firewalls"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  security_vpc = dependency.security_vpc.outputs.vpc_id
+  azs = dependency.security_vpc.outputs.azs
+  subnet_id_map = dependency.security_vpc.outputs.subnet_id_map
+}

prod/aws-us-gov/mdr-prod-c2/019-attach-transit-gateway-to-hub-account/terragrunt.hcl

@@ -24,7 +24,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws-us-gov/mdr-prod-c2/020-transit-gateway-interconnect-vpn/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_interconnect_vpn?ref=v0.5.1"
+}
+
+dependency "transit-gateway-hub" {
+  config_path = "../008-transit-gateway-hub"
+}
+
+dependency "interconnect-instances" {
+  config_path = local.account_vars.locals.interconnect_instances_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}"
+  tags = {
+    Purpose = "Transit Gateway VPN"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  interconnect_public_ips = dependency.interconnect-instances.outputs.public_ips
+  interconnect_private_ips = dependency.interconnect-instances.outputs.private_ips
+  transit_gateway_id = dependency.transit-gateway-hub.outputs.tgw_id
+}

prod/aws-us-gov/mdr-prod-c2/025-test-instance/terragrunt.hcl

@@ -19,7 +19,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws-us-gov/mdr-prod-c2/account.hcl

@@ -7,6 +7,7 @@ locals {
   instance_termination_protection = true # set to true for production!
   
   account_tags = { } 
+  c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.40.0.0/22"
@@ -17,4 +18,13 @@ locals {
 
   # AS Number used for various resources, but not every account needs one.
   asn = 64810
+
+  security_vpc_cidr = "10.179.0.0/22"
+
+  # Interconnects
+  interconnect_asn = 64888
+  interconnects_instance_type = "t3a.micro"
+  interconnects_key_name = "fdamstra" # DO NOT CHANGE
+  interconnects_count = 2
+  interconnect_instances_path = "../018-interconnect-instances"
 }

prod/aws-us-gov/mdr-prod-malware/UNUSED.ACCOUNT

@@ -0,0 +1 @@
+This account is unused

prod/aws-us-gov/mdr-prod-modelclient/UNUSED.ACCOUNT

@@ -0,0 +1 @@
+This account is unused

prod/aws/legacy-mdr-prod/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.2"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws/legacy-mdr-prod/006-account-standards/README.md

@@ -0,0 +1,11 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+

prod/aws/legacy-mdr-prod/006-account-standards/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.2"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
+}

prod/aws/legacy-mdr-prod/021-attach-transit-gateway-to-legacy-main_infrastructure/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/021-attach-transit-gateway-to-legacy-main_infrastructure/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = true # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["main_infrastructure"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["main_infrastructure"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-afs/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-afs/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["afs"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["afs"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["afs"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["afs"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-customer-portal/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-customer-portal/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["customer-portal"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["customer-portal"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["customer-portal"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["customer-portal"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-dc-c19/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-dc-c19/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["dc-c19"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["dc-c19"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["dc-c19"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["dc-c19"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-la-c19/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-la-c19/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["la-c19"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["la-c19"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["la-c19"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["la-c19"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-ma-c19/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-ma-c19/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["ma-c19"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["ma-c19"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["ma-c19"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["ma-c19"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-mo-c19/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-mo-c19/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["mo-c19"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["mo-c19"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["mo-c19"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["mo-c19"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-nga/README.md

@@ -0,0 +1,3 @@
+# Attaches the legacy VPCs to the transit gateway
+
+

prod/aws/legacy-mdr-prod/022-attach-transit-gateway-to-legacy-nga/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.2"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first attachment
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id =  local.account_vars.locals.legacy_vpcs["nga"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["nga"]["private_subnets"]
+  route_tables = concat(local.account_vars.locals.legacy_vpcs["nga"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["nga"]["private_route_tables"])
+}

prod/aws/legacy-mdr-prod/account.hcl

@@ -4,6 +4,97 @@ locals {
   account_name   = "legacy-mdr-prod"
   account_alias  = "" # No alias for legacy accounts
   aws_account_id = "477548533976"
+  instance_termination_protection = true
   
   account_tags = { } 
+  c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2"
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  standard_vpc_cidr = "TODO"
+
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "TODO" # They with which to provision the test instance
+
+  # Legacy accounts have some extra key users
+  is_legacy = true
+  extra_ebs_key_admins = [
+    "arn:aws:iam::477548533976:root",
+    "arn:aws:iam::477548533976:role/mdr_iam_admins",
+    "arn:aws:iam::477548533976:role/mdr_powerusers"
+  ]
+  extra_ebs_key_users  = [
+    "arn:aws:iam::477548533976:role/mdr_powerusers",
+    "arn:aws:iam::477548533976:role/msoc-default-instance-role",
+    "arn:aws:iam::477548533976:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
+    "arn:aws:iam::477548533976:role/portal-instance-role",
+    "arn:aws:iam::477548533976:role/mdr_iam_admins"
+  ]
+  extra_ebs_key_attachers = [
+    "arn:aws:iam::477548533976:role/mdr_powerusers",
+    "arn:aws:iam::477548533976:role/msoc-default-instance-role",
+    "arn:aws:iam::477548533976:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
+    "arn:aws:iam::477548533976:role/portal-instance-role",
+  ]
+
+  # Legacy information 
+  # legacy_vpc information is required to connect the VPCs to the transit gateway.
+  legacy_vpcs = {
+    afs = {
+      id = "vpc-03f17331ab2b493f5",
+      private_subnets = [ "subnet-0007c218c485f3d0f", "subnet-0346f2ee70d39a142", "subnet-0c0368b6e268834c3" ]
+      public_subnets  = [ "subnet-076eb05d9bc9a8a20", "subnet-07f7725107205e7dd", "subnet-09a74633747a9ef6c" ]
+      private_route_tables = [ "rtb-0352c8ce520de1d61", "rtb-0b339f3969ce017ba", "rtb-0d31e13b39ef8e2a2" ]
+      public_route_tables  = [ "rtb-0b89de1eb2618f940" ]
+    }
+    customer-portal = {
+      id = "vpc-0f45bf3132d4e25f3",
+      private_subnets = [ "subnet-0de23b03ea0a6bf1d", "subnet-0c173d841b5b59a24", "subnet-0adca60b13a5f5c56" ]
+      public_subnets  = [ "subnet-023a7c273a6ec1eba", "subnet-0928304e16b212356", "subnet-0dd15211a7c34bd43" ]
+      private_route_tables = [ "rtb-0b74df8eeb34c9d2b", "rtb-0779d8a3e10b1f030", "rtb-01f7b786b1e5bad9a" ]
+      public_route_tables  = [ "rtb-01a25eb54e5fc5009" ]
+    }
+    dc-c19 = {
+      id = "vpc-09319e71920e6eceb",
+      private_subnets = [ "subnet-02f67ef6891e1cf03", "subnet-05dca9dc7daec7f55", "subnet-09e153213a1574574" ]
+      public_subnets  = [ "subnet-0f0081c667e8f7692", "subnet-0730266c5fde7e4d1", "subnet-0ec26dace38052008" ]
+      private_route_tables = [ "rtb-01c736a552f8bceca", "rtb-01c50d290882d7c3a", "rtb-0b73afea1f62061d2" ]
+      public_route_tables  = [ "rtb-00741cf8fb5e29ae4" ]
+    }
+    la-c19 = {
+      id = "vpc-09cd6c187c2edc2f6",
+      private_subnets = [ "subnet-0987546fd6690acd0", "subnet-0da0bf814d20f28de", "subnet-045cbc297915ecc1a" ]
+      public_subnets  = [ "subnet-0b08ebaf3dde344c8", "subnet-0126b9793b9518a4f", "subnet-0f34803c0a61b98fd" ]
+      private_route_tables = [ "rtb-0b20adc9d4996e25f", "rtb-0744d3253991f357b", "rtb-088fb78039b870da0" ]
+      public_route_tables  = [ "rtb-076a0ecf5dd7a71f2" ]
+    }
+    ma-c19 = {
+      id = "vpc-01edd85069b6b3715",
+      private_subnets = [ "subnet-054507f8e3a49aac4", "subnet-0e926f86ff242b1e3", "subnet-013cf369199d22c25" ]
+      public_subnets  = [ "subnet-0383d7430aa9898cc", "subnet-0a01bd202760aac9c", "subnet-03c8394da2648fc3f" ]
+      private_route_tables = [ "rtb-029cd593f6b397ac3", "rtb-0484bd5b7b0c1bb2a", "rtb-07214c4a8693b813a" ]
+      public_route_tables  = [ "rtb-0ff55720f7142c022" ]
+    }
+    main_infrastructure = {
+      id = "vpc-0b676c4efd7fad548",
+      private_subnets = [ "subnet-04234672a4720a7ab", "subnet-0ff1d78804cbcbf3c", "subnet-0294e3b191e651e48" ]
+      public_subnets  = [ "subnet-0be578dbe9818a0f3", "subnet-0faeebd324c47a670", "subnet-0cc124793a04f3382" ]
+      private_route_tables = [ "rtb-0a45aa54a80e89c48", "rtb-08ff0d423f57fbf0c", "rtb-0481035a575c11af7" ]
+      public_route_tables  = [ "rtb-09c2e1f7572807386" ]
+    }
+    mo-c19 = {
+      id = "vpc-0c18a9f0060e74f9c",
+      private_subnets = [ "subnet-0dffc27e7186356d6", "subnet-0fc531536fd7d802f", "subnet-0f0c40ebb8812b4ff" ]
+      public_subnets  = [ "subnet-02989bfa03a94a6af", "subnet-01ddfc5f441af7dc3", "subnet-0574aeccfca93a1bd" ]
+      private_route_tables = [ "rtb-0d916e79a295bc3e3", "rtb-0091361ae86be17e2", "rtb-0ceb2d70ae66f5045" ]
+      public_route_tables  = [ "rtb-020d0cd847a775c74" ]
+    }
+    nga = {
+      id = "vpc-05e0cf38982e048db",
+      private_subnets = [ "subnet-0065a8d0e2e3e3fe2", "subnet-04e8ba3db254147b2", "subnet-077dd32d6e0f86218" ]
+      public_subnets  = [ "subnet-0f022b1ebf155d1f9", "subnet-07ca3ac05830b104d", "subnet-0a2384bce743cf303" ]
+      private_route_tables = [ "rtb-01a71e67e123fcfd3", "rtb-0898516d5a7e7a091", "rtb-09922a5baece66a32" ]
+      public_route_tables  = [ "rtb-084bab4d4acc400fc" ]
+    }
+  }
 }

prod/aws/mdr-prod-c2/005-account-standards-c2/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

prod/aws/mdr-prod-c2/005-account-standards-c2/terragrunt.hcl

@@ -0,0 +1,34 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_c2?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

prod/aws/mdr-prod-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,4 +31,7 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
 }

prod/aws/mdr-prod-c2/006-account-standards-regional/us-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

prod/aws/mdr-prod-c2/006-account-standards/README.md

@@ -1,3 +1,11 @@
 # Account Standards
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+

prod/aws/mdr-prod-c2/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.1"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,10 +31,8 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
-  #name = "vpc_primary_${local.account_vars.locals.account_name}"
-  #cidr = local.account_vars.locals.standard_vpc_cidr
-  #tags = {
-  #  Purpose = "Malware Detonation"
-  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  #}
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

prod/aws/mdr-prod-c2/008-transit-gateway-hub/terragrunt.hcl

@@ -15,7 +15,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws/mdr-prod-c2/010-standard-vpc/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,7 +34,7 @@ inputs = {
   name = "vpc_primary_${local.account_vars.locals.account_name}"
   cidr = local.account_vars.locals.standard_vpc_cidr
   tags = {
-    Purpose = "Malware Detonation"
+    Purpose = "Standard VPC"
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
 }

prod/aws/mdr-prod-c2/019-attach-transit-gateway-to-hub-account/terragrunt.hcl

@@ -24,7 +24,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws/mdr-prod-c2/020-transit-gateway-interconnect-vpn/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_interconnect_vpn?ref=v0.5.1"
+}
+
+dependency "transit-gateway-hub" {
+  config_path = "../008-transit-gateway-hub"
+}
+
+dependency "interconnect-instances" {
+  config_path = local.account_vars.locals.interconnect_instances_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}"
+  tags = {
+    Purpose = "Transit Gateway VPN"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  interconnect_public_ips = dependency.interconnect-instances.outputs.public_ips
+  interconnect_private_ips = dependency.interconnect-instances.outputs.private_ips
+  transit_gateway_id = dependency.transit-gateway-hub.outputs.tgw_id
+}

prod/aws/mdr-prod-c2/025-test-instance/terragrunt.hcl

@@ -19,7 +19,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws/mdr-prod-c2/account.hcl

@@ -7,6 +7,7 @@ locals {
   instance_termination_protection = true # set to true for production!
   
   account_tags = { } 
+  c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.32.0.0/22"
@@ -17,4 +18,13 @@ locals {
 
   # AS Number used for various resources, but not every account needs one.
   asn = 64800
+
+  security_vpc_cidr = "10.179.4.0/22"
+
+  # Interconnects
+  interconnect_asn = 64888
+  interconnects_instance_type = "t3a.micro"
+  interconnects_key_name = "fdamstra" # DO NOT CHANGE
+  interconnects_count = 2
+  interconnect_instances_path = "../../../aws-us-gov/mdr-prod-c2/018-interconnect-instances"
 }

prod/aws/mdr-prod-malware/UNUSED.ACCOUNT

@@ -0,0 +1 @@
+This account is unused

prod/aws/mdr-prod-modelclient/UNUSED.ACCOUNT

@@ -0,0 +1 @@
+This account is unused

test/aws/legacy-mdr-test/account.hcl

@@ -38,6 +38,7 @@ locals {
   ] 
 
   # Legacy information
+  # legacy_vpc information is required to connect the VPCs to the transit gateway.
   legacy_vpcs = {
     main_infrastructure = {
       id = "vpc-0b455a7f22a13412b",