Updates shared ami and account standards for ASG compatibility

* Removed duane's playground from the managed accounts list
* Updates `common` provider to be the mdr-terraformer role
* Adds a note to the README about an invalid principals issue

000-skeleton/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

000-skeleton/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

common/aws-us-gov/afs-mdr-common-services-gov/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.9.8"
 }
 
 include {

common/aws/legacy-mdr-root/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

common/aws/legacy-mdr-root/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

common/aws/mdr-common-services/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

common/aws/mdr-common-services/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

common/aws/mdr-common-services/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.9.8"
 }
 
 include {

common/aws/mdr-cyber-range/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

common/aws/mdr-cyber-range/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.9.8"
 }
 
 dependency "account_standards" {

common/aws/partition.hcl

@@ -39,7 +39,7 @@ locals {
     "common" = [
       "471284459109", # mdr-common-services
       "350838957895", # MDR Service Root
-      "035764279020", # MDR Playground / "Duane Test"
+#      "035764279020", # MDR Playground / "Duane Test"
       "228011623757", # mdr-dev-ai
       "952430311316", # mdr-cyber-range
     ],

prod/aws-us-gov/mdr-prod-c2/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

prod/aws-us-gov/mdr-prod-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

prod/aws/legacy-mdr-prod/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

prod/aws/legacy-mdr-prod/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

prod/aws/mdr-prod-c2/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

prod/aws/mdr-prod-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

prod/aws/partition.hcl

@@ -39,7 +39,7 @@ locals {
     "common" = [
       "471284459109", # mdr-common-services
       "350838957895", # MDR Service Root
-      "035764279020", # MDR Playground / "Duane Test"
+#      "035764279020", # MDR Playground / "Duane Test"
       "228011623757", # mdr-dev-ai
       "952430311316", # mdr-cyber-range
     ],

terragrunt.hcl

@@ -73,7 +73,7 @@ provider "aws" {
 
   assume_role {
     role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
-    session_name = "terraform"
+    session_name = "terraform-default"
   }
   
   profile = "${local.common_profile}"
@@ -89,6 +89,11 @@ provider "aws" {
   allowed_account_ids = [ "471284459109", "701290387780" ]
   profile = "${local.common_profile}"
   alias   = "common"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.common_services_account}:role/user/mdr_terraformer"
+    session_name = "terraform-common"
+  }
 }
 
 # The "mdr-common-services-commercial" provider is used for public DNS entries
@@ -101,7 +106,7 @@ provider "aws" {
 
   assume_role {
     role_arn = "arn:aws:iam::471284459109:role/user/mdr_terraformer"
-    session_name = "terraform"
+    session_name = "terraform-mdr-common-services-commercial"
   }
 }
 
@@ -115,7 +120,7 @@ provider "aws" {
 
   assume_role {
     role_arn = "arn:aws-us-gov:iam::${ local.environment_vars.locals.c2_accounts["aws-us-gov"] }:role/user/mdr_terraformer"
-    session_name = "terraform"
+    session_name = "terraform-c2"
   }
 }
 EOF

test/aws-us-gov/mdr-test-c2/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

test/aws-us-gov/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

test/aws-us-gov/mdr-test-malware/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

test/aws-us-gov/mdr-test-malware/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

test/aws-us-gov/mdr-test-modelclient/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

test/aws/legacy-mdr-test/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

test/aws/legacy-mdr-test/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

test/aws/mdr-test-c2/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

test/aws/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

test/aws/mdr-test-modelclient/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

test/aws/mdr-test-modelclient/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.4"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

test/aws/partition.hcl

@@ -39,7 +39,7 @@ locals {
     "common" = [
       "471284459109", # mdr-common-services
       "350838957895", # MDR Service Root
-      "035764279020", # MDR Playground / "Duane Test"
+#      "035764279020", # MDR Playground / "Duane Test"
       "228011623757", # mdr-dev-ai
       "952430311316", # mdr-cyber-range
     ],