
Merge branch 'master' into feature/dw_MSOCI-1481_ebs_key_for_lcp

Old branch has been sitting around a long time; pulling in master to
get it up to date with current.
Duane Waddle 4 năm trước cách đây
mục cha
commit
2d7e62a221
100 tập tin đã thay đổi với 1975 bổ sung97 xóa
  1. 1 1
      .tfswitch.toml
  2. 29 4
      000-skeleton/005-iam/terragrunt.hcl
  3. 1 1
      000-skeleton/006-account-standards-regional/us-gov-west-1/terragrunt.hcl
  4. 15 0
      000-skeleton/006-account-standards/README.md
  5. 1 1
      000-skeleton/006-account-standards/terragrunt.hcl
  6. 13 5
      000-skeleton/010-vpc-splunk/terragrunt.hcl
  7. 0 5
      000-skeleton/020-attach-transit-gateway-to-vpc-splunk/README.md
  8. 1 1
      000-skeleton/021-qualys-connector-role/terragrunt.hcl
  9. 1 1
      000-skeleton/025-test-instance/terragrunt.hcl
  10. 1 1
      000-skeleton/072-salt-master-inventory-role/terragrunt.hcl
  11. 33 0
      000-skeleton/140-splunk-frozen-bucket/terragrunt.hcl
  12. 43 0
      000-skeleton/150-splunk-cluster-master/terragrunt.hcl
  13. 7 0
      000-skeleton/160-splunk-indexer-cluster/README.md
  14. 44 0
      000-skeleton/160-splunk-indexer-cluster/terragrunt.hcl
  15. 43 0
      000-skeleton/170-splunk-searchhead/terragrunt.hcl
  16. 43 0
      000-skeleton/180-splunk-heavy-forwarder/terragrunt.hcl
  17. 87 7
      000-skeleton/account.hcl
  18. 21 0
      bin/aws_scheduler_configure.everywhere.sh
  19. 26 0
      bin/aws_scheduler_configure.sh
  20. 22 0
      bin/clean_old_amis.sh
  21. 48 14
      bin/terragrunt-apply-all
  22. 132 0
      bin/terragrunt-apply-all-everywhere
  23. 209 0
      bin/update-ami-accounts
  24. 30 0
      bin/update-ami-accounts.old
  25. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/DISABLED
  26. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/DISABLED
  27. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards-regional/us-gov-west-1/terragrunt.hcl
  28. 15 0
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md
  29. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl
  30. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl
  31. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/010-shared-ami-key/terragrunt.hcl
  32. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl
  33. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/019-qualys-service-account/terragrunt.hcl
  34. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/021-qualys-connector-role/terragrunt.hcl
  35. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/072-salt-master-inventory-role/.tfswitch.toml
  36. 33 0
      common/aws-us-gov/afs-mdr-common-services-gov/072-salt-master-inventory-role/terragrunt.hcl
  37. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/075-codebuild-ecr-base/.tfswitch.toml
  38. 33 0
      common/aws-us-gov/afs-mdr-common-services-gov/075-codebuild-ecr-base/terragrunt.hcl
  39. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/080-codebuild-ecr-sample/.tfswitch.toml
  40. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/080-codebuild-ecr-sample/DISABLED
  41. 74 0
      common/aws-us-gov/afs-mdr-common-services-gov/080-codebuild-ecr-sample/terragrunt.hcl
  42. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/081-codebuild-rpm-collectd/.tfswitch.toml
  43. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/081-codebuild-rpm-collectd/DISABLED
  44. 72 0
      common/aws-us-gov/afs-mdr-common-services-gov/081-codebuild-rpm-collectd/terragrunt.hcl
  45. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/085-codebuild-ecr-customer-portal/.tfswitch.toml
  46. 74 0
      common/aws-us-gov/afs-mdr-common-services-gov/085-codebuild-ecr-customer-portal/terragrunt.hcl
  47. 0 0
      common/aws-us-gov/afs-mdr-common-services-gov/090-codebuild-rpm-tmux/.tfswitch.toml
  48. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/090-codebuild-rpm-tmux/DISABLED
  49. 72 0
      common/aws-us-gov/afs-mdr-common-services-gov/090-codebuild-rpm-tmux/terragrunt.hcl
  50. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/095-codebuild-rpm-aws-efs-utils/.tfswitch.toml
  51. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/095-codebuild-rpm-aws-efs-utils/DISABLED
  52. 72 0
      common/aws-us-gov/afs-mdr-common-services-gov/095-codebuild-rpm-aws-efs-utils/terragrunt.hcl
  53. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/100-codebuild-rpm-syslog-ng/.tfswitch.toml
  54. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/100-codebuild-rpm-syslog-ng/DISABLED
  55. 72 0
      common/aws-us-gov/afs-mdr-common-services-gov/100-codebuild-rpm-syslog-ng/terragrunt.hcl
  56. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/105-codebuild-ecr-mcas-container/.tfswitch.toml
  57. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/105-codebuild-ecr-mcas-container/DISABLED
  58. 73 0
      common/aws-us-gov/afs-mdr-common-services-gov/105-codebuild-ecr-mcas-container/terragrunt.hcl
  59. 5 2
      common/aws-us-gov/afs-mdr-common-services-gov/account.hcl
  60. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/disabled/016-panorama/terragrunt.hcl
  61. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/disabled/017-palo-alto-bootstrap/terragrunt.hcl
  62. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/disabled/018-palo-alto-firewalls/terragrunt.hcl
  63. 4 0
      common/aws-us-gov/partition.hcl
  64. 1 1
      common/aws/legacy-mdr-root/005-iam/terragrunt.hcl
  65. 1 1
      common/aws/legacy-mdr-root/006-account-standards-regional/us-west-1/terragrunt.hcl
  66. 15 0
      common/aws/legacy-mdr-root/006-account-standards/README.md
  67. 1 1
      common/aws/legacy-mdr-root/006-account-standards/terragrunt.hcl
  68. 33 0
      common/aws/legacy-mdr-root/072-salt-master-inventory-role/terragrunt.hcl
  69. 5 2
      common/aws/legacy-mdr-root/account.hcl
  70. 1 0
      common/aws/mdr-common-services/000-mdradmin-bootstrap/DISABLED
  71. 1 0
      common/aws/mdr-common-services/001-tfstate/DISABLED
  72. 1 1
      common/aws/mdr-common-services/006-account-standards-regional/us-west-1/terragrunt.hcl
  73. 15 0
      common/aws/mdr-common-services/006-account-standards/README.md
  74. 1 1
      common/aws/mdr-common-services/006-account-standards/terragrunt.hcl
  75. 1 1
      common/aws/mdr-common-services/008-xdr-binaries/terragrunt.hcl
  76. 1 1
      common/aws/mdr-common-services/010-public-dns/terragrunt.hcl
  77. 1 1
      common/aws/mdr-common-services/010-shared-ami-key/terragrunt.hcl
  78. 1 0
      common/aws/mdr-common-services/011-defpoint_com-legacy-dns/.tfswitch.toml
  79. 22 0
      common/aws/mdr-common-services/011-defpoint_com-legacy-dns/terragrunt.hcl
  80. 1 1
      common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl
  81. 1 1
      common/aws/mdr-common-services/019-qualys-service-account/terragrunt.hcl
  82. 33 0
      common/aws/mdr-common-services/072-salt-master-inventory-role/terragrunt.hcl
  83. 5 2
      common/aws/mdr-common-services/account.hcl
  84. 1 1
      common/aws/mdr-cyber-range/005-iam/terragrunt.hcl
  85. 1 1
      common/aws/mdr-cyber-range/006-account-standards-regional/us-west-1/terragrunt.hcl
  86. 15 0
      common/aws/mdr-cyber-range/006-account-standards/README.md
  87. 1 1
      common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl
  88. 1 1
      common/aws/mdr-cyber-range/010-shared-ami-key/terragrunt.hcl
  89. 33 0
      common/aws/mdr-cyber-range/072-salt-master-inventory-role/terragrunt.hcl
  90. 1 1
      common/aws/mdr-dev-ai/005-iam/terragrunt.hcl
  91. 1 1
      common/aws/partition.hcl
  92. 10 1
      common/env.hcl
  93. 54 7
      globals.hcl
  94. 62 0
      prod/aws-us-gov/mdr-prod-bas/005-iam/terragrunt.hcl
  95. 61 0
      prod/aws-us-gov/mdr-prod-bas/006-account-standards-regional/us-gov-west-1/terragrunt.hcl
  96. 26 0
      prod/aws-us-gov/mdr-prod-bas/006-account-standards/README.md
  97. 38 0
      prod/aws-us-gov/mdr-prod-bas/006-account-standards/terragrunt.hcl
  98. 7 0
      prod/aws-us-gov/mdr-prod-bas/010-vpc-splunk/README.md
  99. 13 16
      prod/aws-us-gov/mdr-prod-bas/010-vpc-splunk/terragrunt.hcl
  100. 33 0
      prod/aws-us-gov/mdr-prod-bas/021-qualys-connector-role/terragrunt.hcl

+ 1 - 1
.tfswitch.toml

@@ -1 +1 @@
-version = "0.13.3"
+version = "0.13.5"

+ 29 - 4
000-skeleton/005-iam/terragrunt.hcl

@@ -6,19 +6,44 @@ locals {
   # e.g. inherited variables:
   #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
   #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
-  #account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
   #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 
   # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  #env            = local.environment_vars.locals.environment
+  aws_region     = local.region_vars.locals.aws_region
+  account_id     = local.account_vars.locals.aws_account_id
+  
+}
+
+# TODO: For provisioning only. Comment out after provisioning
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "template" {
+  version = "~> 2.1"
+}
+
+provider "aws" {
+  version = "~> 3.0"
+  region = "${local.aws_region}"
+
+  # TODO: make sure you have a profile matching this
+  profile = "tmp"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.7.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v1.10.17"
 }
 
 # Include all settings from the root terragrunt.hcl file
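Review bot: The `generate "provider"` block added at the top of the hunk writes a provider with a hard-coded `profile = "tmp"` into every account copied from this skeleton, and the only thing that retires it is the comment `# TODO: For provisioning only. Comment out after provisioning`. Because `if_exists = "overwrite_terragrunt"` replaces whatever provider.tf the root configuration would otherwise generate, a forgotten TODO means later runs keep using the provisioning profile; `allowed_account_ids = ["${local.account_id}"]` at least limits the blast radius to the intended account, which is good. Consider making the intent and the removal condition explicit in the comment, e.g. `# TODO(provisioning): bootstrap-only provider using the local "tmp" profile; delete this block once the root-generated provider works for this account`. The `locals` block starts before the hunk.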

+ 1 - 1
000-skeleton/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -20,7 +20,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v1.0.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 15 - 0
000-skeleton/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 1 - 1
000-skeleton/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.17"
 }
 
 dependency "c2_account_standards" {

+ 13 - 5
000-skeleton/010-vpc-splunk/terragrunt.hcl

@@ -4,11 +4,11 @@ locals {
   # below.
 
   # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 
   # Extract out common variables for reuse
   #env = local.environment_vars.locals.environment
@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.8.0"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v1.21.0"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -26,14 +26,22 @@ include {
   path = find_in_parent_folders()
 }
 
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
 # These are the variables we have to pass in to use the module specified in the terragrunt source above
 inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  accept_tgw_invitation = true # Should we accept the Transit GT invitation? Should only be true for the first vpc
+  tgw_share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
   vpc_info = local.account_vars.locals.vpc_info["vpc-splunk"]
   tags = {
     #Purpose # grabbed from vpc_info
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
+  accept_tgw_invitation = true
 }
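Review bot: `accept_tgw_invitation = true` appears twice in the `inputs` map in the last hunk, once with its explanatory comment just above `tgw_share_arn` and again as the final line before the closing brace; as far as I recall the HCL parser reports a duplicate key in an object constructor as an error, so the second line should be dropped: keep `accept_tgw_invitation = true # Should we accept the Transit GT invitation? Should only be true for the first vpc` and delete the trailing `accept_tgw_invitation = true`. The comment also says the flag should only be true for the first VPC, which holds for the skeleton's single `vpc-splunk` but is worth remembering when a second VPC is cloned from this file.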

+ 0 - 5
000-skeleton/020-attach-transit-gateway-to-vpc-splunk/README.md

@@ -1,5 +0,0 @@
-# Attaches this account's standard VPCs to the transit gateway
-
-You can reuse this module to attach additional VPCs by updating
-either the dependencies or the inputs, as appropriate.
-

+ 1 - 1
000-skeleton/021-qualys-connector-role/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_connector_role?ref=v0.5.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_connector_role?ref=v1.10.17"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
000-skeleton/025-test-instance/terragrunt.hcl

@@ -19,7 +19,7 @@ dependency "vpc_splunk" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.7.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v1.10.17"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
000-skeleton/072-salt-master-inventory-role/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v0.8.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v1.10.17"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 33 - 0
000-skeleton/140-splunk-frozen-bucket/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/frozen_s3_bucket?ref=v1.10.17"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Frozen Data"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
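Review bot: Style: the `locals` block reads env.hcl, partition.hcl, region.hcl, account.hcl and globals.hcl, but nothing in this file references `local.` — the only inputs set are the two tags. The cluster-master, indexer, searchhead and heavy-forwarder skeletons added in the same commit do use `local.account_vars`, so here the reads are dead weight; either drop them or, if they are kept deliberately so every module skeleton looks the same, say so with a one-line comment such as `# Unused in this file; kept so it matches the other module skeletons`.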

+ 43 - 0
000-skeleton/150-splunk-cluster-master/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/cluster_master?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Cluster Master"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-cm"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}
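Review bot: `vpc_cidr` is read from `local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]` while `vpc_id`, `azs` and `subnets` come from `dependency.vpc.outputs`, so the CIDR the module sees can drift from the VPC that was actually built if account.hcl is edited after the VPC exists. If the standard_vpc module exposes the CIDR as an output, `vpc_cidr = dependency.vpc.outputs.<cidr output name, to be confirmed>` keeps all four values coming from one source. The same pattern appears in 160-splunk-indexer-cluster, 170-splunk-searchhead and 180-splunk-heavy-forwarder.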

+ 7 - 0
000-skeleton/160-splunk-indexer-cluster/README.md

@@ -0,0 +1,7 @@
+# Creates the Indexer Cluster
+
+* 3x indexer ASGs
+* NLB for splunk data
+* ALB for hec without ack
+* ELB classic for HEC with ack
+* Security Groups for all of the above

+ 44 - 0
000-skeleton/160-splunk-indexer-cluster/terragrunt.hcl

@@ -0,0 +1,44 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/indexer_cluster?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Indexer Cluster"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-indexer"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  private_subnets = dependency.vpc.outputs.private_subnets
+  public_subnets  = dependency.vpc.outputs.public_subnets
+}

+ 43 - 0
000-skeleton/170-splunk-searchhead/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/searchhead?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Searchhead"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-sh"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

+ 43 - 0
000-skeleton/180-splunk-heavy-forwarder/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/heavy_forwarder?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Heavy Forwarder"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-hf"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

+ 87 - 7
000-skeleton/account.hcl

@@ -6,23 +6,103 @@ locals {
   account_alias  = "TODO"
   aws_account_id = "TODO"
   instance_termination_protection = TODO # set to true for production!
+  splunk_prefix = "TODO"
+  splunk_private_hec = TODO # True if the customer needs a private HTTP Event Collector such as for ALSI
+
+  splunk_data_sources = [
+    "x.x.x.x/32", # TODO: Add customer's public IP addresses
+  ]
+  splunk_legacy_cidr = [ ] # Should not be needed for new customers
+  splunk_asg_sizes   = [ 1, 1, 1 ] # How many indexers in each site
+  
   
-  account_tags = { } 
-  c2_account_standards_path = "../../mdr-TODO-c2/005-account-standards-c2"
+  account_tags = {
+    "Client": local.splunk_prefix,
+  } 
+  c2_account_standards_path = "../../mdr-TODO-c2/005-account-standards-c2" # TODO: Subsitute with test or prod
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   vpc_info = { 
     "vpc-splunk" = {
        "name" = "vpc-splunk",
-       "purpose" = "Splunk Systems",
-       "cidr" = "TODO"
+       "purpose" = "Splunk Systems (TODO)", # TODO: Substitute with Customer Name
+       "cidr" = "TODO",
+       "tgw_attached" = true
     }
   } 
 
   # For testing
   create_test_instance = false
-  test_instance_key_name = "TODO" # The key with which to provision the test instance
 
-  # Qualys Connector
-  qualys_connector_externalid = "TODO" # Needs to come from the qualys console
+  # Qualys Connector - See https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/Qualys
+  qualys_connector_externalid = "LATER" # Needs to come from the qualys console
+
+  # End of TODO
+
+  # Splunk instance sizes can be customized
+  # TODO: Set these appropriately in the skeleton for prod
+  instance_types = {
+    "alsi-master"    = "t3a.small",
+    "alsi-worker"    = "t3a.small",
+    "splunk-cm"      = "t3a.small",  # legacy: t2.small
+    "splunk-indexer" = "i3en.large", # legacy: t2.small, but whats the point if we don't have instance storage.
+    "splunk-hf"      = "t3a.small", # legacy: t2.medium
+    "splunk-sh"      = "t3a.small", # legacy: ? not sure
+  }
+
+  # Splunk Volume Sizes are probably fine at defaults
+  splunk_volume_sizes = {
+    "cluster_master" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "indexer" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "searchhead" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "heavy_forwarder" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+  }
+
+  # ALSI - Aggregated Log Source Ingestion
+  #
+  # If cribl is being used for log ingestion, remember to turn on splunk_private_hec, too.
+  alsi_workers = 0 # how many cribl workers
+  alsi_splunk_nlb = false # splunk://moose-alsi-splunk.xdr{,test}.accenturefederalcyber.com:9997 and 9998
+  alsi_elastic_alb = false # https://moose-alsi-elastic.xdr{,test}.accenturefederalcyber.com -> 9200
+  alsi_hec_alb = false # https://moose-alsi-hec.xdr{,test}.accenturefederalcyber.com -> 8080
 }
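Review bot: The added comment `# Qualys Connector - See https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/Qualys` still points at the old GitHub host while every module `source` in this commit moved to `github.xdr.accenturefederalcyber.com`; if the wiki moved with the code the link should be updated, and the unchanged CIDR-allocation link a few lines above has the same issue. The ALSI comments at the bottom name `moose-alsi-*` hostnames, which read like one specific environment's prefix rather than the skeleton's `splunk_prefix`; something like `# splunk://<splunk_prefix>-alsi-splunk.xdr{,test}.accenturefederalcyber.com:9997 and 9998` would avoid copying a concrete name into every new account. Minor: `Subsitute` → `Substitute` on the `c2_account_standards_path` line, and `"Client": local.splunk_prefix` uses colon syntax where the rest of this block uses `=`. The `locals` block starts before the hunk.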

+ 21 - 0
bin/aws_scheduler_configure.everywhere.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+echo
+echo Updating GovCloud Accounts\' Schedules
+echo
+for profile in mdr-test-c2-gov mdr-test-malware-gov mdr-test-modelclient-gov
+do
+  echo
+  echo Setting/Updating Schedule for $profile
+  aws_scheduler_configure.sh $profile us-gov-east-1
+done
+
+echo
+echo Updating Commercial Accounts\' Schedules
+echo
+for profile in mdr-test-modelclient mdr-test-c2
+do
+  echo
+  echo Setting/Updating Schedule for $profile
+  aws_scheduler_configure.sh $profile us-east-1
+done
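Review bot: The exit status of `aws_scheduler_configure.sh` is discarded in both loops, so an account whose schedule failed to update is only visible by reading the scrolled output and this wrapper still exits 0. The child is also resolved through PATH rather than relative to this script, so a stale copy elsewhere on PATH would be run silently. Suggest `"$(dirname "$0")/aws_scheduler_configure.sh" "$profile" us-gov-east-1 || echo "FAILED: $profile" >&2` for the GovCloud loop and the same shape with `us-east-1` for the commercial loop.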

+ 26 - 0
bin/aws_scheduler_configure.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+STACK=aws-scheduler
+PROFILE=$1
+REGION=$2
+
+echo
+echo \*\*\* Step 1 of 2: Creating periods and schedules in case they don\'t already exist. Ignore errors.
+scheduler-cli create-period --name "weekdays" --begintime 08:00 --endtime 18:00 --weekdays mon-fri --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli create-period --name "business-hours" --begintime 07:30 --endtime 20:00 --weekdays mon-fri --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli create-period --name "extended" --begintime 08:00 --endtime 23:59 --weekdays mon-fri --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli create-period --name "saturday" --begintime 12:00 --endtime 18:00 --weekdays sat  --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli create-schedule --name MSOC --periods business-hours --timezone "US/Eastern" --stack $STACK --region $REGION --profile-name $PROFILE
+#scheduler-cli create-schedule --enforced=true --name non-prod --periods weekdays --timezone "US/Eastern" --stack $STACK --region $REGION --profile-name $PROFILE
+#scheduler-cli create-schedule --enforced=true --name non-prod-extended --periods extended --timezone "US/Eastern" --stack $STACK --region $REGION --profile-name $PROFILE
+
+echo
+echo \*\*\* Step 2 of 2:  Updating periods and schedules to our standards
+scheduler-cli update-period --name "weekdays" --begintime 08:00 --endtime 18:00 --weekdays mon-fri --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli update-period --name "business-hours" --begintime 07:30 --endtime 20:00 --weekdays mon-fri --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli update-period --name "extended" --begintime 08:00 --endtime 23:59 --weekdays mon-fri --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli update-period --name "saturday" --begintime 12:00 --endtime 18:00 --weekdays sat  --stack $STACK --region $REGION --profile-name $PROFILE
+scheduler-cli update-schedule --name MSOC --periods business-hours --timezone "US/Eastern" --stack $STACK --region $REGION --profile-name $PROFILE
+#scheduler-cli update-schedule --enforced=true --name non-prod --periods weekdays --timezone "US/Eastern" --stack $STACK --region $REGION --profile-name $PROFILE
+#scheduler-cli update-schedule --enforced=true --name non-prod-extended --periods extended --timezone "US/Eastern" --stack $STACK --region $REGION --profile-name $PROFILE
+
+
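Review bot: PROFILE and REGION are taken from `$1`/`$2` without validation, so a run with a missing argument passes an empty `--profile-name` or `--region` to every scheduler-cli call and the periods and schedules get created or updated against whatever default profile and region the environment resolves, i.e. possibly the wrong account. Add a guard right after the assignments: `[[ -n $PROFILE && -n $REGION ]] || { echo "usage: $0 PROFILE REGION" >&2; exit 1; }`. The step-2 update commands also ignore their exit status even though the banner only excuses errors for step 1; `|| exit 1` on each update (or `set -e` placed after the step-1 block) would make a failed update visible to the calling wrapper.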

+ 22 - 0
bin/clean_old_amis.sh

@@ -0,0 +1,22 @@
+#! /bin/bash
+#
+# Requires amicleaner:
+# ```
+#  pip3 install aws-amicleaner
+# ```
+VERSIONS_TO_KEEP=3
+
+for profile in mdr-common-services-gov mdr-common-services; do
+  echo 
+  echo ==== Cleaning $profile
+  echo
+  AWS_PROFILE=${profile} amicleaner --full-report --keep-previous ${VERSIONS_TO_KEEP} --mapping-key tags --mapping-values Description Release --check-orphans
+  echo =========== Done
+  echo
+done
+
+echo 
+echo AMIs listed under \'no-tags\' were likely orphaned by packer via ctrl-c. Clean them up via:
+echo \ \ aws ec2 deregister-image --image-id ami-xxxxxxx --profile mdr-common-services-gov
+echo and then rerun $0
+echo
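Review bot: The loop deregisters AMIs in two accounts but never checks that `amicleaner` is installed or that each run succeeded; the header comment is the only hint about the dependency, and a missing binary just prints a shell error per profile and the script still ends with the "rerun $0" advice. Add `command -v amicleaner >/dev/null || { echo "amicleaner not found; pip3 install aws-amicleaner" >&2; exit 1; }` before the loop, and capture the exit status of the `amicleaner` line so a failed account is reported. Whether `--check-orphans` only reports or also deletes is not visible here; if it deletes, the header should say so since the loop runs unattended across both profiles.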

+ 48 - 14
bin/terragrunt-apply-all

@@ -7,7 +7,7 @@ function argparse {
   while (( "$#" )); do
     case "$1" in
       -h|--help)
-        echo Usage: $0 '[-l|--local] [-t|--test] [-d|--debug]'
+        echo Usage: $0 '[-l|--local] [-t|--test] [-s|--skipqualys] [-d|--debug]'
         exit 0
         ;;
       -t|--test)
@@ -18,11 +18,19 @@ function argparse {
         LOCAL="1"
         shift
         ;;
+      -n|--notlocal)
+        NOTLOCAL="1"
+        shift
+        ;;
       -d|--debug)
         >&2 echo debug: Enabling debugging..
         DEBUG=1
         shift
         ;;
+      -s|--skipqualys)
+        SKIPQUALYS=1
+        shift
+        ;;
 #      -p|--only-path)
 #        if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
 #          ONLY_PATH=$2
@@ -45,15 +53,25 @@ function argparse {
   # set positional arguments in their proper place
   eval set -- "$PARAMS"
 
+  if [[ $LOCAL && $NOTLOCAL ]]; then
+    echo ""
+    echo "ERROR: Cannot specify both '--local' and '--nonlocal'. Pick one."
+    exit 1
+  fi
+
   if [[ $LOCAL ]]; then
     TERRAGRUNT_BIN=`which terragrunt-local`
   else
-    read -p "Local not specified. Are you sure? [Y/n]? " -n 1 -r
-    echo ""
-    if [[ $REPLY =~ ^[Nn]$ ]]
-    then
-        echo Exiting...
-        exit 0
+    if [[ $NOTLOCAL ]]; then
+      [[ $DEBUG == 1 ]] && >&2 echo debug: Not local specified, not prompting.
+    else
+      read -p "Local not specified. Specify '--notlocal' to skip this question. Are you sure? [Y/n]? " -n 1 -r
+      echo ""
+      if [[ $REPLY =~ ^[Nn]$ ]]
+      then
+          echo Exiting...
+          exit 1
+      fi
     fi
     TERRAGRUNT_BIN=`which terragrunt`
   fi
@@ -88,11 +106,19 @@ if [[ ! $PARENT_PWD =~ ^aws ]]; then
 fi
 
 for i in `seq -f "%g*" 0 9 | sort -n`; do
+  EXITCODE=1 # Assume error
   MODULE=$( basename $i )
   if [[ -d $MODULE ]]; then
     echo "====================================================================================="
     echo "Processing module $MODULE..."
     echo "====================================================================================="
+    if [[ $SKIPQUALYS == 1 && $MODULE =~ qualys ]]; then
+      echo "Skipping due to skipqualys flag"
+      echo ""
+      continue
+    else
+     [[ $DEBUG == 1 ]] && echo  "Not qualys - SKIPQUALYS = ${SKIPQUALYS}; Module = ${MODULE}"
+    fi
     pushd . > /dev/null
     cd $MODULE
     if [[ $(basename $(pwd)) =~ regional ]]; then
@@ -105,29 +131,37 @@ for i in `seq -f "%g*" 0 9 | sort -n`; do
           [[ $TESTING ]] && ${TERRAGRUNT_BIN} plan  # Run a plan if testing
           [[ $TESTING ]] || ${TERRAGRUNT_BIN} init  # Run an init and apply
           [[ $TESTING ]] || ${TERRAGRUNT_BIN} apply
+          EXITCODE=$?
           popd > /dev/null
           echo "========== Region completed: $i"
         fi
       done
+    elif [[ -f DISABLED ]]; then
+      echo Skipping module due to \"DISABLED\" file.
+      EXITCODE=0
     else
       [[ $TESTING ]] && ${TERRAGRUNT_BIN} plan  # Run a plan if testing
       [[ $TESTING ]] || ${TERRAGRUNT_BIN} init  # Run an init and apply otherwise
       [[ $TESTING ]] || ${TERRAGRUNT_BIN} apply
+      EXITCODE=$?
     fi
     popd > /dev/null
     echo "=======================================DONE=========================================="
     echo ""
     echo ""
 
-    # Prompt to continue after each module. Easier than ctrl-c...
-    read -p "Terragrunt completed. Continue to next module [Y/n]? " -n 1 -r
-    echo ""
-    if [[ $REPLY =~ ^[Nn]$ ]]
-    then
-        echo Exiting...
-        exit 0
+    if [[ $EXITCODE != 0 ]]; then
+      # Prompt to continue after each module. Easier than ctrl-c...
+      read -p "Terragrunt completed. Continue to next module [Y/n]? " -n 1 -r
+      echo ""
+      if [[ $REPLY =~ ^[Nn]$ ]]
+      then
+          echo Exiting...
+          exit 1
+      fi
     fi
   fi
 done
 
 echo Finished.
+exit 0
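Review bot: In the regional branch the added `EXITCODE=$?` is overwritten on every region iteration, so a failed apply in an earlier region is masked by a successful later one and the continue prompt is never shown; the prompt is only reached when the last region fails. Initialise `EXITCODE=0` before the region loop (its head is outside this hunk) and keep the first failure: `RC=$?; [[ $RC != 0 ]] && EXITCODE=$RC`. Two smaller points in the argparse hunk: the error text says `'--nonlocal'` while the flag added is `--notlocal`, and the prompt now only appears on a non-zero exit yet still reads "Terragrunt completed" and continues by default; `read -p "Terragrunt FAILED (exit $EXITCODE). Continue to next module [y/N]? "` with the match changed to `^[Yy]$` would make a failed module abort unless the operator explicitly opts in.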

+ 132 - 0
bin/terragrunt-apply-all-everywhere

@@ -0,0 +1,132 @@
+#! /bin/bash
+# 
+# Do a more sane apply-all via terragrunt
+
+function argparse {
+  PARAMS=""
+  while (( "$#" )); do
+    case "$1" in
+      -h|--help)
+        echo Usage: $0 '[-l|--local] [-t|--test] [-s|--skipqualys] [-d|--debug]'
+        exit 1
+        ;;
+      -t|--test)
+        TESTING="/bin/echo TESTING: "
+        shift
+        ;;
+      -l|--local)
+        LOCAL="--local"
+        shift
+        ;;
+      -n|--notlocal)
+        NOTLOCAL="--notlocal"
+        shift
+        ;;
+      -d|--debug)
+        >&2 echo debug: Enabling debugging..
+        DEBUG=1
+        debugstr="--debug"
+        shift
+        ;;
+      -s|--skipqualys)
+        SKIPQUALYS="--skipqualys"
+        shift
+        ;;
+#      -p|--only-path)
+#        if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+#          ONLY_PATH=$2
+#          shift 2
+#        else
+#          echo "Error: Argument for $1 is missing" >&2
+#          exit 1
+#        fi
+#        ;;
+      -*|--*=) # unsupported flags
+        echo "Error: Unsupported flag $1" >&2
+        exit 1
+        ;;
+      *) # preserve positional arguments
+        PARAMS="$PARAMS $1"
+        shift
+        ;;
+    esac
+  done
+  # set positional arguments in their proper place
+  eval set -- "$PARAMS"
+}
+
+# Main
+argparse $*
+
+SHORT_PWD=$( basename ${PWD}  )
+PARENT_PWD=$( basename $( cd .. && pwd ) )
+[[ $DEBUG == 1 ]] && >&2 echo debug: PWD=$PWD
+[[ $DEBUG == 1 ]] && >&2 echo debug: SHORT_PWD=$SHORT_PWD
+
+# Sanity Checking
+if [[ $SHORT_PWD != "xdr-terraform-live" ]]; then
+  read -p "WARNING! Not running from 'xdr-terraform-live'. PWD is $SHORT_PWD. Continue anyway? [Y/n]? " -n 1 -r
+  echo ""
+  if [[ $REPLY =~ ^[Nn]$ ]]
+  then
+    echo Exiting...
+    exit 1
+  fi
+fi
+
+for e in test common prod; do
+  pushd $e > /dev/null
+  for p in aws aws-us-gov; do
+    pushd $p > /dev/null
+    for a in $(find . -type d -mindepth 1 -maxdepth 1); do
+      pushd $a > /dev/null
+
+      echo ""
+      echo ""
+      echo "*************************************************************************************"
+      echo "Beginning environment '$e', partition '$p', account '$a'"
+      echo "*************************************************************************************"
+      echo ""
+      echo ""
+
+      if [[ -f UNUSED.ACCOUNT ]]; then
+        echo -- This account is marked as unused. Skipping...
+        popd > /dev/null
+        continue
+      fi
+
+      if [[ -f UNMANAGED.ACCOUNT ]]; then
+        echo -- This account is marked as unmanaged. Skipping...
+        popd > /dev/null
+        continue
+      fi
+
+      EXITCODE=1 # Assume error
+      if [[ $DEBUG == 1 ]]; then
+        echo debug: Would run: terragrunt-apply-all $TESTING $LOCAL $NOTLOCAL $debugstr $SKIPQUALYS
+        EXITCODE=$?
+      else
+        terragrunt-apply-all $TESTING $LOCAL $NOTLOCAL $DEBUG $SKIPQUALYS
+        EXITCODE=$?
+      fi
+
+      if [[ $EXITCODE != 0 ]]; then
+        # Prompt to continue after each module. Easier than ctrl-c...
+        read -p "Terragrunt failed for environment '$e', partition '$p', account '$a'.. Continue to next account [Y/n]? " -n 1 -r
+        echo ""
+        if [[ $REPLY =~ ^[Nn]$ ]]
+        then
+            echo Exiting...
+            exit 1
+        fi
+      fi
+
+      popd > /dev/null
+    done
+    popd > /dev/null
+  done
+  popd > /dev/null
+done
+
+echo Finished.
+exit 0
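Review bot: `-d|--debug` turns this script into a dry run (the `if [[ $DEBUG == 1 ]]` branch only echoes the command), while the usage text and the sibling terragrunt-apply-all treat `-d` as extra logging, so the `$DEBUG` on the real invocation line is always empty and the `$debugstr` the parser builds is never forwarded to the child. Either give the dry-run behaviour its own `--dry-run` flag or forward the string already built: `terragrunt-apply-all $TESTING $LOCAL $NOTLOCAL $debugstr $SKIPQUALYS`. Also `argparse $*` re-splits arguments on whitespace; `argparse "$@"` preserves them, and `$e`, `$p`, `$a` in the `pushd` calls should be quoted since `$a` comes from `find` output.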

+ 209 - 0
bin/update-ami-accounts

@@ -0,0 +1,209 @@
+#!/usr/bin/env python3
+"""
+CLI tool to help with AMI sharing.  What I was doing before in bash
+hit its reasonable limit of complexity, and was getting hard to read
+because it was in bash.
+
+Some notes:
+
+    [1]  Specifying an AMI filter is mandatory, but regions and accounts are not.
+    [2]  Standard AWS_PROFILE environment variables are supported (because boto3 supports)
+    [3]  AWS_REGION environment variable (as used by the AWS CLI) is not supported because
+         boto3 does not use it.  It uses AWS_DEFAULT_REGION instead.  If your
+         $HOME/.aws/config lists a region for a given profile this is not needed.
+
+
+Example 1: Let's just run a report of all AMIs matching '*Duane*' in all regions that the
+profile has access to.  Notice the wildcards in quotes so bash won't try to expand them
+out to filenames.
+
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py '*Duane*'
+Looking for AMIs matching "*Duane*" in the following regions:
+    us-gov-east-1
+    us-gov-west-1
+
+AMIs matching the filter:
+region         |ami id                |ami name
+===============|======================|========================================
+us-gov-east-1  |ami-069f3e239427365b6 |Duane_Testing_20201124233617
+us-gov-west-1  |ami-0ee37a86b09aefad0 |Duane_Testing_20201124233617
+
+
+Example 2: Regions can be specified with a list or wildcard.  This is just a report too:
+
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py --region us-gov-east-1 --region '*west*' '*Duane*'
+Looking for AMIs matching "*Duane*" in the following regions:
+    us-gov-east-1
+    us-gov-west-1
+
+AMIs matching the filter:
+region         |ami id                |ami name
+===============|======================|========================================
+us-gov-east-1  |ami-069f3e239427365b6 |Duane_Testing_20201124233617
+us-gov-west-1  |ami-0ee37a86b09aefad0 |Duane_Testing_20201124233617
+
+Example 3: If we list one or more accounts then sharing is updated
+
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py --region '*1' '*Duane*' 738800754746 721817724804
+Looking for AMIs matching "*Duane*" in the following regions:
+ us-gov-east-1
+ us-gov-west-1
+
+Sharing AMIs with these accounts:
+ 738800754746
+ 721817724804
+
+AMIs matching the filter:
+region         |ami id                |ami name                                |status
+===============|======================|========================================|==========
+us-gov-east-1  |ami-069f3e239427365b6 |Duane_Testing_20201124233617            |success
+us-gov-west-1  |ami-0ee37a86b09aefad0 |Duane_Testing_20201124233617            |success
+
+Example 4: Sharing updates are atomic so if you could get a failure because
+one of several accounts you listed does not exist:
+
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py --region '*1' '*Duane*' 738800754746 72181772480
+Looking for AMIs matching "*Duane*" in the following regions:
+ us-gov-east-1
+ us-gov-west-1
+
+Sharing AMIs with these accounts:
+ 738800754746
+ 72181772480
+
+AMIs matching the filter:
+region         |ami id                |ami name                                |status
+===============|======================|========================================|==========
+us-gov-east-1  |ami-069f3e239427365b6 |Duane_Testing_20201124233617            |error
+us-gov-west-1  |ami-0ee37a86b09aefad0 |Duane_Testing_20201124233617            |error
+
+Notice one of the account numbers is missing a digit.  You don't get a clear
+message as to which one caused the error.  Maybe one day I'll improve that...
+
+"""
+
+import argparse
+import boto3
+import botocore
+from botocore.config import Config
+
+
+def list_matching_regions(region_filter):
+    """
+    Return the list of regions matching a wildcard.
+    """
+    ec2 = boto3.client('ec2')
+    regions = ec2.describe_regions(
+                Filters=[
+                    {
+                        'Name': 'region-name',
+                        'Values': [ region_filter ]
+                    }
+                ],
+                AllRegions = False
+            )
+    return [ x.get('RegionName') for x in regions.get('Regions',[]) ]
+
+def find_amis_matching_filter(ami_filter,region=None):
+    """
+    Return a list of AMIs matching a given wildcard by name
+    """
+
+    if region is not None:
+        ec2 = boto3.client('ec2',config=Config(region_name=region))
+    else:
+        ec2 = boto3.client('ec2')
+    images = ec2.describe_images(
+                Owners=['self'],
+                Filters=[
+                    {
+                        'Name': 'name',
+                        'Values': [ ami_filter ]
+                    }
+                ]
+            )
+
+    fields_of_interest = { 'ImageId', 'Name' }
+    for entry in images.get('Images',[]):
+        newentry = { k: entry[k] for k in entry.keys() & fields_of_interest }
+        yield newentry
+
+def share_ami(ami,region,accounts):
+    """
+    Share a specific AMI (by id) with a list of AWS account IDs
+    within a specific region
+    """
+
+    launchparam = { }
+    launchparam['Add'] = []
+
+    for account in accounts:
+        launchparam['Add'].extend([{'UserId': account}])
+
+    ec2 = boto3.resource('ec2',config=Config(region_name=region))
+
+    # expecting to possibly raise something here
+    image = ec2.Image(ami)
+    image.modify_attribute(Attribute='launchPermission', LaunchPermission=launchparam)
+
+def runmain(ami_filter,accounts,region_filters):
+    """
+    main
+    """
+
+    region_list = []
+    if region_filters is None:
+        region_list.extend(list_matching_regions('*'))
+    else:
+        for filt in region_filters:
+            region_list.extend(list_matching_regions(filt))
+
+    region_list=list(sorted(set(region_list)))
+
+    print('Looking for AMIs matching "{0}" in the following regions:'.format(ami_filter))
+    for region in region_list:
+        print(" {0}".format(region))
+    print("")
+
+    # Shorter format for when we're just doing a report of matching AMIs
+    # No accounts means just report mode
+    if len(accounts) > 0:
+
+        print("Sharing AMIs with these accounts:")
+        for account in accounts:
+            print(" {0}".format(account))
+        print("")
+
+        print("AMIs matching the filter:")
+        report_format="{0:<15}|{1:<22}|{2:<40}|{3:<10}"
+        print(report_format.format('region','ami id','ami name','status'))
+        print(report_format.format('='*15,'='*22,'='*40,'='*10))
+    else:
+        print("AMIs matching the filter:")
+        report_format="{0:<15}|{1:<22}|{2:<40}"
+        print(report_format.format('region','ami id','ami name'))
+        print(report_format.format('='*15,'='*22,'='*40))
+
+    for region in region_list:
+        for ami in find_amis_matching_filter(ami_filter,region):
+            if len(accounts) > 0:
+                try:
+                    share_ami(ami.get('ImageId'),region,accounts)
+                    print(report_format.format(region,ami.get('ImageId'),ami.get('Name'),"success"))
+                except botocore.exceptions.ClientError:
+                    print(report_format.format(region,ami.get('ImageId'),ami.get('Name'),"error"))
+            # No accounts we're just making a report ...
+            else:
+                print(report_format.format(region,ami.get('ImageId'),ami.get('Name')))
+
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--region',action='append',required=False,
+            help='Region to add sharing in (can specify multiple)')
+    parser.add_argument('ami_filter',help='AMI Filter to apply')
+    parser.add_argument('accounts',nargs='*',help='list of AWS accounts to add AMIs to')
+    args = parser.parse_args()
+
+    runmain(args.ami_filter,args.accounts,args.region)
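Review bot: Account IDs reach `modify_attribute` unvalidated, and the `except botocore.exceptions.ClientError` discards the exception, which is why the docstring's Example 4 can only print "error" without saying which account was rejected. Granting launch permission is the security-sensitive action here, so reject anything that is not a 12-digit string before any AMI is touched, and print the service's error message on failure so a rejected ID is visible in the report. Both changes keep the interface; the rewritten lines follow (the status column is 10 wide, so the longer error text will overflow it, which seems acceptable for a failure line).
```python
                except botocore.exceptions.ClientError as err:
                    # Surface the service's reason so a rejected account ID is visible in the report
                    reason = err.response.get('Error', {}).get('Message', str(err))
                    print(report_format.format(region,ami.get('ImageId'),ami.get('Name'),"error: " + reason))
# … unchanged: report-only branch and argparse setup …
    args = parser.parse_args()

    # AWS account IDs are exactly 12 digits; catch typos before any launch permission is granted
    bad = [a for a in args.accounts if not (a.isdigit() and len(a) == 12)]
    if bad:
        parser.error("invalid AWS account id(s): {0}".format(", ".join(bad)))

    runmain(args.ami_filter,args.accounts,args.region)
```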

+ 30 - 0
bin/update-ami-accounts.old

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+AMIS=$( aws ec2 describe-images \
+  --owners self			\
+  --query 'Images[*].[ImageId]' \
+  --output text			\
+  --filters "Name=name,Values=MSOC*" )
+
+LIST=""
+
+while [[ "$1" != "" ]]; do
+	if [[ "$LIST" == "" ]]; then
+		LIST="{UserId=$1}"
+	else
+		LIST="$LIST,{UserId=$1}"
+	fi
+	shift
+done
+
+ADDOPERATION="Add=[$LIST]"
+echo "Operation=$ADDOPERATION"
+
+for AMI in $AMIS; do
+	NAME=$( aws ec2 describe-images --image-ids $AMI --query 'Images[*].[Name]' --output text)
+	echo "Updating AMI sharing for $AMI ($NAME)"
+
+	aws ec2 modify-image-attribute		\
+	   --image-id $AMI		 	\
+	   --launch-permission "$ADDOPERATION"
+done
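Review bot: This is the bash script that the Python tool added in the same commit replaces, yet it lands in bin/ with a shebang and no marker that it is superseded; it shares every AMI named `MSOC*` in the current account with whatever arguments it is given, unvalidated. Either drop it from the commit (git history keeps it) or add a header comment `# DEPRECATED: superseded by bin/update-ami-accounts; kept for reference only, do not run`.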

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/DISABLED

@@ -0,0 +1 @@
+Terraform only. Disabled for terragrunt-apply-all

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/DISABLED

@@ -0,0 +1 @@
+Terraform only. Disabled for terragrunt-apply-all

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -20,7 +20,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 15 - 0
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v1.0.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v1.10.0"
 }
 
 include {

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v0.8.5"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v1.20.8"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/019-qualys-service-account/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_iam_baseaccount?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_iam_baseaccount?ref=v0.9.4"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/021-qualys-connector-role/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_connector_role?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_connector_role?ref=v0.9.4"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/072-salt-master-inventory-role/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 33 - 0
common/aws-us-gov/afs-mdr-common-services-gov/072-salt-master-inventory-role/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v0.9.4"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Inventory for FedRAMP Compliance"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
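Review bot: The module source is pinned to the git tag `v0.9.4`; tags are movable, so a rewritten tag in the modules repository changes what this account applies without any diff appearing here. Pinning `ref=` to the commit SHA the tag points at, with the tag name in the comment above, gives a reproducible and tamper-evident source; the same applies to the sources in 075-codebuild-ecr-base, 080-codebuild-ecr-sample and 081-codebuild-rpm-collectd. Separately, none of the five `locals` loaded at the top are referenced in this file, and the `Terraform` tag hardcodes the `aws/` prefix although this path is under `aws-us-gov/`, so the tag may not point back to this directory — worth confirming against what `get_parent_terragrunt_dir()` resolves to here.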

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/075-codebuild-ecr-base/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 33 - 0
common/aws-us-gov/afs-mdr-common-services-gov/075-codebuild-ecr-base/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_ecr_base?ref=v1.10.8"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Base module for Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/080-codebuild-ecr-sample/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/080-codebuild-ecr-sample/DISABLED

@@ -0,0 +1 @@
+Proof of concept code that we may need in the future.

+ 74 - 0
common/aws-us-gov/afs-mdr-common-services-gov/080-codebuild-ecr-sample/terragrunt.hcl

@@ -0,0 +1,74 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_ecr_project?ref=v1.10.8"
+}
+
+dependency "codebuild-ecr-base" {
+  config_path = "../075-codebuild-ecr-base"
+}
+
+#Github specific provider
+generate "github-provider" {
+  path      = "github-provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "4.2.0"
+    }
+  }
+}
+#Provider block for Github engineering. 
+provider "github" {
+  version      = "~> 4.2.0"
+  organization = "mdr-engineering"
+  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+}
+#Provider block for Github MDR Content. 
+#provider "github" {
+#  version      = "~> 4.1.0"
+#  organization = "MDR-Content"
+#  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+#}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Build Sample Docker Container with Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  name                  = "xdr-container-sample"
+  service_role          = dependency.codebuild-ecr-base.outputs.service_role
+  kms_key               = dependency.codebuild-ecr-base.outputs.kms_key
+  codebuild_image       = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+  #codebuild_image      = dependency.codebuild-ecr-base.outputs.codebuild_image_centos7
+  #codebuild_image      = dependency.codebuild-ecr-base.outputs.codebuild_image_rhel7
+  artifact_s3_bucket    = ""
+  #artifact_s3_bucket   = dependency.codebuild-ecr-base.outputs.artifact_s3_bucket
+  webhook_branch_filter = "release/.*"
+}
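Review bot: The generated provider block sets `version = "~> 4.2.0"` inside `provider "github"` while `required_providers` already pins `4.2.0`; the in-provider `version` argument is deprecated from Terraform 0.13 on and the two constraints can drift apart, so drop it and keep the pin in `required_providers` only. In the 4.x github provider `organization` is, as far as I recall, a deprecated alias for `owner`, so `owner = "mdr-engineering"` would be the current form. The provider block carries no credentials, so it presumably relies on a token from the environment; a one-line comment naming the variable it expects would help whoever re-enables this DISABLED module. The same generated block appears in 081-codebuild-rpm-collectd.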

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/081-codebuild-rpm-collectd/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/081-codebuild-rpm-collectd/DISABLED

@@ -0,0 +1 @@
+Proof of concept code that we may need in the future.

+ 72 - 0
common/aws-us-gov/afs-mdr-common-services-gov/081-codebuild-rpm-collectd/terragrunt.hcl

@@ -0,0 +1,72 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_artifact?ref=v1.10.8"
+}
+
+dependency "codebuild-ecr-base" {
+  config_path = "../075-codebuild-ecr-base"
+}
+
+#Github specific provider
+generate "github-provider" {
+  path      = "github-provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "4.2.0"
+    }
+  }
+}
+#Provider block for Github engineering. 
+provider "github" {
+  version      = "~> 4.2.0"
+  organization = "mdr-engineering"
+  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+}
+#Provider block for Github MDR Content. 
+#provider "github" {
+#  version      = "~> 4.2.0"
+#  organization = "MDR-Content"
+#  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+#}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Build RPM with Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  name                = "collectd-rpm"
+  service_role        = dependency.codebuild-ecr-base.outputs.service_role
+  kms_key             = dependency.codebuild-ecr-base.outputs.kms_key
+  #codebuild_image     = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+  #codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_centos7
+  codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_rhel7
+  artifact_s3_bucket = dependency.codebuild-ecr-base.outputs.artifact_s3_bucket
+}
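Review bot: `version = "~> 4.2.0"` inside the generated `provider "github"` block duplicates the constraint already declared in `required_providers` and is the provider-level form that Terraform 0.13 deprecates, and this commit pins 0.13.5 elsewhere; dropping that line from the provider block and keeping the `required_providers` entry avoids the deprecation warning. The commented-out alternate `provider "github"` block for `MDR-Content` carries no `alias`, so uncommenting it alongside the active block would yield two un-aliased configurations of the same provider and fail validation — give it `alias = "mdr_content"` (or keep a single block) before anyone re-enables it. The same generate block is repeated verbatim in the 085-codebuild-ecr-customer-portal, 090-codebuild-rpm-tmux, 095-codebuild-rpm-aws-efs-utils, 100-codebuild-rpm-syslog-ng and 105-codebuild-ecr-mcas-container terragrunt.hcl files; moving it into one shared hcl loaded through `read_terragrunt_config` would keep the provider pin and `base_url` in a single place. The provider block also carries no credential argument, so the build relies on whatever token the GitHub provider finds in its environment; a one-line comment naming the expected source (`# auth: token supplied via the provider's environment — see <runbook>`) would save the next operator a guess.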

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/085-codebuild-ecr-customer-portal/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 74 - 0
common/aws-us-gov/afs-mdr-common-services-gov/085-codebuild-ecr-customer-portal/terragrunt.hcl

@@ -0,0 +1,74 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_ecr_customer_portal?ref=v1.10.10"
+}
+
+dependency "codebuild-ecr-base" {
+  config_path = "../075-codebuild-ecr-base"
+}
+
+#Github specific provider
+generate "github-provider" {
+  path      = "github-provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "4.2.0"
+    }
+  }
+}
+#Provider block for Github engineering. 
+#provider "github" {
+#  version      = "~> 4.2.0"
+#  organization = "mdr-engineering"
+#  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+#}
+#Provider block for Github MDR Content. 
+provider "github" {
+  version      = "~> 4.2.0"
+  organization = "MDR-Content"
+  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Build Docker Container with Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  name                  = "customer_portal"
+  service_role          = dependency.codebuild-ecr-base.outputs.service_role
+  kms_key               = dependency.codebuild-ecr-base.outputs.kms_key
+  codebuild_image       = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+  #codebuild_image      = dependency.codebuild-ecr-base.outputs.codebuild_image_centos7
+  #codebuild_image      = dependency.codebuild-ecr-base.outputs.codebuild_image_rhel7
+  artifact_s3_bucket    = ""
+  #artifact_s3_bucket   = dependency.codebuild-ecr-base.outputs.artifact_s3_bucket
+  webhook_branch_filter = "release/.*"
+}
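Review bot: `webhook_branch_filter = "release/.*"` is an unanchored regular expression; if the module passes it through unchanged as a CodeBuild webhook HEAD_REF filter, it also matches any ref that merely contains `release/` (a branch named `feature/release/x`, for instance), so more branches than intended could trigger a build running under `service_role` with access to `kms_key`. Anchoring it, `webhook_branch_filter = "^refs/heads/release/.*$"`, limits the trigger to release branches if that is the intent — worth confirming against how `codebuild_ecr_customer_portal` at v1.10.10 consumes the value. `artifact_s3_bucket = ""` presumably means "no artifact bucket" by module convention; a comment beside it (`# empty string: no artifact bucket for this project — TODO confirm module semantics`) would make that explicit rather than reading as a placeholder left behind.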

+ 0 - 0
prod/aws/mdr-prod-c2/023-dns-resolver-instance/.tfswitch.toml → common/aws-us-gov/afs-mdr-common-services-gov/090-codebuild-rpm-tmux/.tfswitch.toml


+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/090-codebuild-rpm-tmux/DISABLED

@@ -0,0 +1 @@
+Proof of concept code that we may need in the future.

+ 72 - 0
common/aws-us-gov/afs-mdr-common-services-gov/090-codebuild-rpm-tmux/terragrunt.hcl

@@ -0,0 +1,72 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_artifact?ref=v1.10.8"
+}
+
+dependency "codebuild-ecr-base" {
+  config_path = "../075-codebuild-ecr-base"
+}
+
+#Github specific provider
+generate "github-provider" {
+  path      = "github-provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "4.2.0"
+    }
+  }
+}
+#Provider block for Github engineering. 
+provider "github" {
+  version      = "~> 4.2.0"
+  organization = "mdr-engineering"
+  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+}
+#Provider block for Github MDR Content. 
+#provider "github" {
+#  version      = "~> 4.2.0"
+#  organization = "MDR-Content"
+#  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+#}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Build RPM with Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  name                = "tmux-rpm"
+  service_role        = dependency.codebuild-ecr-base.outputs.service_role
+  kms_key             = dependency.codebuild-ecr-base.outputs.kms_key
+  #codebuild_image     = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+  #codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_centos7
+  codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_rhel7
+  artifact_s3_bucket = dependency.codebuild-ecr-base.outputs.artifact_s3_bucket
+}

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/095-codebuild-rpm-aws-efs-utils/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/095-codebuild-rpm-aws-efs-utils/DISABLED

@@ -0,0 +1 @@
+Proof of concept code that we may need in the future.

+ 72 - 0
common/aws-us-gov/afs-mdr-common-services-gov/095-codebuild-rpm-aws-efs-utils/terragrunt.hcl

@@ -0,0 +1,72 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_artifact?ref=v1.10.8"
+}
+
+dependency "codebuild-ecr-base" {
+  config_path = "../075-codebuild-ecr-base"
+}
+
+#Github specific provider
+generate "github-provider" {
+  path      = "github-provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "4.2.0"
+    }
+  }
+}
+#Provider block for Github engineering. 
+provider "github" {
+  version      = "~> 4.2.0"
+  organization = "mdr-engineering"
+  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+}
+#Provider block for Github MDR Content. 
+#provider "github" {
+#  version      = "~> 4.2.0"
+#  organization = "MDR-Content"
+#  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+#}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Build RPM with Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  name                = "aws-efs-utils"
+  service_role        = dependency.codebuild-ecr-base.outputs.service_role
+  kms_key             = dependency.codebuild-ecr-base.outputs.kms_key
+  #codebuild_image     = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+  #codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_centos7
+  codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_rhel7
+  artifact_s3_bucket = dependency.codebuild-ecr-base.outputs.artifact_s3_bucket
+}

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/100-codebuild-rpm-syslog-ng/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/100-codebuild-rpm-syslog-ng/DISABLED

@@ -0,0 +1 @@
+Proof of concept code that we may need in the future.

+ 72 - 0
common/aws-us-gov/afs-mdr-common-services-gov/100-codebuild-rpm-syslog-ng/terragrunt.hcl

@@ -0,0 +1,72 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_artifact?ref=v1.10.8"
+}
+
+dependency "codebuild-ecr-base" {
+  config_path = "../075-codebuild-ecr-base"
+}
+
+#Github specific provider
+generate "github-provider" {
+  path      = "github-provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "4.2.0"
+    }
+  }
+}
+#Provider block for Github engineering. 
+provider "github" {
+  version      = "~> 4.2.0"
+  organization = "mdr-engineering"
+  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+}
+#Provider block for Github MDR Content. 
+#provider "github" {
+#  version      = "~> 4.2.0"
+#  organization = "MDR-Content"
+#  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+#}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Build RPM with Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  name                = "syslog-ng-rpm"
+  service_role        = dependency.codebuild-ecr-base.outputs.service_role
+  kms_key             = dependency.codebuild-ecr-base.outputs.kms_key
+  #codebuild_image     = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+  #codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_centos7
+  codebuild_image    = dependency.codebuild-ecr-base.outputs.codebuild_image_rhel7
+  artifact_s3_bucket = dependency.codebuild-ecr-base.outputs.artifact_s3_bucket
+}

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/105-codebuild-ecr-mcas-container/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../../.tfswitch.toml

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/105-codebuild-ecr-mcas-container/DISABLED

@@ -0,0 +1 @@
+Proof of concept code that we may need in the future.

+ 73 - 0
common/aws-us-gov/afs-mdr-common-services-gov/105-codebuild-ecr-mcas-container/terragrunt.hcl

@@ -0,0 +1,73 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/codebuild_ecr_project?ref=v1.10.10"
+}
+
+dependency "codebuild-ecr-base" {
+  config_path = "../075-codebuild-ecr-base"
+}
+
+#Github specific provider
+generate "github-provider" {
+  path      = "github-provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+      version = "4.2.0"
+    }
+  }
+}
+#Provider block for Github engineering. 
+provider "github" {
+  version      = "~> 4.2.0"
+  organization = "mdr-engineering"
+  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+}
+#Provider block for Github MDR Content. 
+#provider "github" {
+#  version      = "~> 4.2.0"
+#  organization = "MDR-Content"
+#  base_url     = "https://github.xdr.accenturefederalcyber.com/"
+#}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Build Docker Container with Codebuild"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  name                  = "mcas-agent-container"
+  service_role          = dependency.codebuild-ecr-base.outputs.service_role
+  kms_key               = dependency.codebuild-ecr-base.outputs.kms_key
+  #codebuild_image       = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+  #codebuild_image      = dependency.codebuild-ecr-base.outputs.codebuild_image_centos7
+  codebuild_image      = dependency.codebuild-ecr-base.outputs.codebuild_image_rhel7
+  artifact_s3_bucket    = ""
+  #artifact_s3_bucket   = dependency.codebuild-ecr-base.outputs.artifact_s3_bucket
+}

+ 5 - 2
common/aws-us-gov/afs-mdr-common-services-gov/account.hcl

@@ -5,8 +5,11 @@ locals {
   account_alias  = "afs-mdr-common-services-gov"
   aws_account_id = "701290387780"
   instance_termination_protection = true # set to true for production!
-  
-  account_tags = { } 
+  splunk_prefix = "moose"
+
+  account_tags = {
+    "Client": local.splunk_prefix
+  }
   c2_account_standards_path = "../../../../prod/aws-us-gov/mdr-prod-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
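Review bot: The new `account_tags` map uses the colon form `"Client": local.splunk_prefix` while every other attribute in this `locals` block uses `=`; HCL accepts both in an object constructor, but the mixed style reads like a JSON fragment — `Client = local.splunk_prefix` matches the rest of the file. The identical hunk in common/aws/legacy-mdr-root/account.hcl has the same inconsistency. `splunk_prefix = "moose"` is set to the same literal in both accounts; if it is meant to be a per-account value, a comment saying what it keys (an index prefix, a client name?) would stop the next account from copy-pasting `moose`. The enclosing `locals` block begins above the hunk.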

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/disabled/016-panorama/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/panorama?ref=v0.5.2"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/panorama?ref=v0.5.2"
 }
 
 dependency "security_vpc" {

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/disabled/017-palo-alto-bootstrap/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/bootstrap?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/bootstrap?ref=v0.8.3"
 }
 
 dependency "security_vpc" {

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/disabled/018-palo-alto-firewalls/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/firewall_nodes?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/firewall_nodes?ref=v0.8.3"
 }
 
 dependency "security_vpc" {

+ 4 - 0
common/aws-us-gov/partition.hcl

@@ -29,6 +29,10 @@ locals {
       "721817724804", # mdr-prod-c2
       "738736370544", # mdr-prod-modelclient
       "876865127438", # mdr-prod-malware
+      "022090475570", # mdr-prod-nihors
+      "081915784976", # mdr-prod-bas
+      "137793331041", # mdr-prod-doed
+      "237704155425", # mdr-prod-frtib
     ],
     "test" = [
       "738800754746", # mdr-test-c2

+ 1 - 1
common/aws/legacy-mdr-root/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.9.4"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/legacy-mdr-root/006-account-standards-regional/us-west-1/terragrunt.hcl

@@ -20,7 +20,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 15 - 0
common/aws/legacy-mdr-root/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 1 - 1
common/aws/legacy-mdr-root/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

+ 33 - 0
common/aws/legacy-mdr-root/072-salt-master-inventory-role/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v0.9.4"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Inventory for FedRAMP Compliance"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
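Review bot: The five `locals` loaded at the top of the file (`environment_vars` through `global_vars`) are never referenced here, and the module receives only `tags`; the loads are harmless, but a reader may assume something in this file depends on them. Since the role's trust policy and permissions live in `salt_master_inventory_role` at v0.9.4 rather than in this file, a one-line comment above `terraform {}` stating which principal is expected to assume the role (presumably the salt master, going by the name — worth confirming) and what it is allowed to read would let a reviewer of this account judge the change without opening the module.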

+ 5 - 2
common/aws/legacy-mdr-root/account.hcl

@@ -4,7 +4,10 @@ locals {
   account_name   = "legacy-mdr-root"
   account_alias  = ""
   aws_account_id = "350838957895"
-  
-  account_tags = { } 
+  splunk_prefix = "moose"
+
+  account_tags = {
+    "Client": local.splunk_prefix
+  }
   c2_account_standards_path = "../../../../prod/aws/mdr-prod-c2/005-account-standards-c2"
 }

+ 1 - 0
common/aws/mdr-common-services/000-mdradmin-bootstrap/DISABLED

@@ -0,0 +1 @@
+Terraform only. Disabled for terragrunt-apply-all

+ 1 - 0
common/aws/mdr-common-services/001-tfstate/DISABLED

@@ -0,0 +1 @@
+Terraform only. Disabled for terragrunt-apply-all

+ 1 - 1
common/aws/mdr-common-services/006-account-standards-regional/us-west-1/terragrunt.hcl

@@ -20,7 +20,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 15 - 0
common/aws/mdr-common-services/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 1 - 1
common/aws/mdr-common-services/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
common/aws/mdr-common-services/008-xdr-binaries/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v1.0.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/mdr-common-services/010-public-dns/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/dns/public_dns?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/public_dns?ref=v1.20.1"
 }
 
 include {

+ 1 - 1
common/aws/mdr-common-services/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v1.10.17"
 }
 
 include {

+ 1 - 0
common/aws/mdr-common-services/011-defpoint_com-legacy-dns/.tfswitch.toml

@@ -0,0 +1 @@
+version = "0.13.5"

+ 22 - 0
common/aws/mdr-common-services/011-defpoint_com-legacy-dns/terragrunt.hcl

@@ -0,0 +1,22 @@
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/legacy_defpoint_com?ref=v1.10.17"
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+inputs = {
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
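Review bot: The five `read_terragrunt_config` locals at the top of this new file are not referenced anywhere below them, and the file also omits the header comments its sibling terragrunt.hcl files carry, so a reader cannot tell whether the loads are intentional or copy-paste residue. Either drop the unused locals or keep them with the standard explanatory comment used elsewhere in this commit, `# If you want to use any of the variables in _this_ file, you have to load them here.` followed by the note that they are available as module inputs regardless.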

+ 1 - 1
common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v0.8.5"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v1.20.8"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/mdr-common-services/019-qualys-service-account/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_iam_baseaccount?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_iam_baseaccount?ref=v0.9.4"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 33 - 0
common/aws/mdr-common-services/072-salt-master-inventory-role/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v0.9.4"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Inventory for FedRAMP Compliance"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 5 - 2
common/aws/mdr-common-services/account.hcl

@@ -5,8 +5,11 @@ locals {
   account_alias  = "afs-mdr-common-services"
   aws_account_id = "471284459109"
   instance_termination_protection = true # set to true for production!
-  
-  account_tags = { } 
+  splunk_prefix = "moose"
+
+  account_tags = {
+    "Client": local.splunk_prefix
+  }
   c2_account_standards_path = "../../../../prod/aws/mdr-prod-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
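Review bot: The new `account_tags` entry uses JSON-style `"Client": local.splunk_prefix` while every other attribute in this file uses `name = value`, so the map reads as a different dialect from its neighbours. HCL accepts both forms, but for consistency it should be `Client = local.splunk_prefix`. The enclosing `locals` block starts outside the hunk.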

+ 1 - 1
common/aws/mdr-cyber-range/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.9.4"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/mdr-cyber-range/006-account-standards-regional/us-west-1/terragrunt.hcl

@@ -20,7 +20,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 15 - 0
common/aws/mdr-cyber-range/006-account-standards/README.md

@@ -2,6 +2,7 @@
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
 
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
 NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
 ```
 terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
@@ -9,3 +10,17 @@ aws --profile <account-profile> configservice describe-delivery-channels
 terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
 ```
 
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 1 - 1
common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
common/aws/mdr-cyber-range/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v1.10.0"
 }
 
 dependency "account_standards" {

+ 33 - 0
common/aws/mdr-cyber-range/072-salt-master-inventory-role/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v0.9.4"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Inventory for FedRAMP Compliance"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 1 - 1
common/aws/mdr-dev-ai/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.8.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.8.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/partition.hcl

@@ -40,7 +40,7 @@ locals {
     "common" = [
       "471284459109", # mdr-common-services
       "350838957895", # MDR Service Root
-      "035764279020", # MDR Playground / "Duane Test"
+#      "035764279020", # MDR Playground / "Duane Test"
       "228011623757", # mdr-dev-ai
       "952430311316", # mdr-cyber-range
     ],
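Review bot: Commenting out `"035764279020"` in the `"common"` account list leaves dead data with no record of why the account was dropped, and a later reader may simply uncomment it. What this list gates is not visible in the hunk, but it is a list of account IDs that other code evidently treats as "ours", so membership changes deserve a stated reason. Delete the line outright (git history keeps the value) or replace it with a comment such as `# 035764279020 (MDR Playground / "Duane Test") removed <date>: <reason>`. The enclosing `locals` block starts outside the hunk.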

+ 10 - 1
common/env.hcl

@@ -5,6 +5,7 @@ locals {
   transit_gateway_account_name = "mdr-prod-c2" # Which account has the transit gateway
 
   environment_tags = {
+    "Schedule" = "none",
     Environment = local.environment
   }
 
@@ -50,7 +51,15 @@ locals {
     "public" = {
       zone = "xdr.accenturefederalcyber.com"
       zone_id = "Z0083657A94URZM2TM87"
-    }
+    },
+    "legacy_private" = {
+      zone = "msoc.defpoint.local"
+      zone_id = "Z2JVOIKXZP64QP"
+    },
+    "legacy_public" = {
+      zone = "mdr.defpoint.com"
+      zone_id = "Z2HYR9YEZ4KLDE"
+    },
   }
 
   # legacy DNS
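Review bot: `"Schedule" = "none"` is added to `environment_tags` without any comment saying what the consumer of the `Schedule` tag does with `none`, and the same commit removes the global `"Schedule" = "MSOC"` default, so every resource inheriting these tags silently changes value. A one-line comment next to the entry stating what value the scheduler expects and what `none` means to it would make the intent reviewable. Minor: the key is quoted while `Environment` on the next line is not; one form should be used for both. The enclosing `locals` block starts outside the hunk.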

+ 54 - 7
globals.hcl

@@ -5,26 +5,20 @@ locals {
   binaries_bucket     = "afsxdr-binaries"        # Storage for binaries
 
   global_tags = {
-    "Schedule" = "MSOC",
     "Snapshot" = "Daily", # This will put it on some things where it doesn't belong, but seems useful overall
     #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
   }
 
   trusted_ips = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
-    "12.245.107.250/32",   # DPS Office Legato
-    "12.204.167.162/32",   # DPS Office San Antonio
-    "54.86.98.62/32",      # DPS AWS User VPN
     "75.138.227.80/32",    # Duane Waddle
     "24.11.231.98/32",     # George Starcher
     "99.151.37.185/32",    # Wesley Leonard
     "70.106.200.157/32",   # John Reuther
-    "108.243.20.48/32",    # Ryan Plas
     "73.10.53.113/32",     # Rick Page Home
     "50.21.207.50/32",     # Brad Poulton
     "70.160.60.248/32",    # Brandon Naughton
-    "173.71.212.4/32",     # Ryan Howard
     "99.56.213.129/32",    # Fred Damstra
-    "97.117.78.121/32",    # Colby Williams
+    "97.117.81.187/32",    # Colby Williams
   ]
   portal_test_whitelist = local.trusted_ips # for now, an alias
 
@@ -58,6 +52,40 @@ locals {
     "18.253.98.90/32",
   ]  
 
+  # All of the "external" things that need access to publically
+  # available C2 services, like Salt Masters, Repo Servers
+  #
+  # Structure is a list of maps, and the "description" value in the
+  # map must be unique across the whole list or it will cause an error.
+  #
+  # TODO:  the lists of IPs above need to be moved into this.  I did not
+  # attempt it NOW because of the upcoming change freeze and a desire to
+  # not put in unnecessary changes.
+  c2_services_external_ips = [
+    {
+      description = "NIH ORS LCP"
+      cidr_blocks = [
+        "137.187.0.0/16",   # Provided by Vikas @ NIH 2020-12-09
+        "128.231.0.0/16",   # Provided by Vikas @ NIH 2020-12-09
+        "165.112.0.0/16",   # Provided by Vikas @ NIH 2020-12-09
+        "156.40.208.0/20",  # Derived from our VPC Flow Logs deny logs 2020-12-11
+      ]
+    },
+    {
+      description = "BP-OT-DEMO LCP"
+      cidr_blocks = [
+        "184.105.253.64/28", # Provided by OT IP address range for Houston CFC 2021-02-09
+      ]
+    },
+    {
+      description = "Test LCPs"
+      cidr_blocks = [
+        "18.252.65.137/32",                 # Test LCP in Govcloud (EIP in common-services-gov)
+        "54.224.56.231/32",                 # Test LCP in Commercial (EIP in common-services)
+      ]
+    },
+  ]
+
   dns_zone_map = {
     "accenturefederalcyber.com" = "Z03575081VGXN3FUZ8ERU"
     "accenturefederalcyber.net" = "Z07771312N8X39HKP141M"
@@ -65,12 +93,31 @@ locals {
     "xdrtest.accenturefederalcyber.com" = "Z01677392W0QM639KU2KC"
   }
 
+  repo_server_whitelist = concat(
+    local.trusted_ips,
+    local.afs_pop,
+    local.afs_azure_pop,
+    local.nga_pop,
+    [ "52.179.13.17/32",  #???
+      "75.138.227.80/32", # Duane's House
+    ],
+    local.xdr_interconnect
+  )
+
   key_pairs = {
     # Should be your username -> key pair
     "msoc-build" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDv8N5N/ECQNKdqZKmjQqGkPiAtJc3WmWdpcZmhxUfplGRFW0IlHGH/wPUgkXXg+djWNpMyT+bqWI8B4Q18uw0Y+w09lN+F1t/vp2GNPYyIPHTGbr2u/r5RCuPXc5Gg6ogkneyAipPCPAhBRbvPaFtfLSJ94ba01LoFs4xgCIZXetr/3ql61OlLyB8vb8FohpW/7u32zzOVJwObA+QlDrRgivaYpwNBxd+No9HEz29dUVFMsKb3ko0GpBuu4pptbj73XxP0EeodMj0hee0FH4kEkZy80LVbg2WeTsq6Mi/FRZmeGt5f3oZEcfflGqYOPA4FmhTrc9O9pp36DDOGts79TeZ6abky+a0jRJQvaeN8x8DZ6PQXfVGpOrNst5zw0Z9EP3ZrFAkX6CYfZkckq0h5Fs+rcWLeUfM/ppZqcyNBDys7zxjFNdmWk86pgn+XvdCVIlsp99B6CzgDoAJkay09ROVqh39HTK7m2aKZoyFWZvUpaqUOlLkOb47bMQzIBSp8Yaoo4PozSg0lQOzkJl3JTR0OZksbeN0pFKY4qNcUcpgUU5mVYs5SXWAOsih51kC5s+0F6Uxt+iDjT9ASaF1O+Bl46UnhpwrtN4ckpHsFnp58mdfhJCUMjt6PX+UPxjRlSL21EkjGALybG2C0gPuoGo0x5bEsZl/gFrFJ+3r6gQ== MSOC Build Key",
     "fdamstra" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3pGU9+HufgfEhPP7P0Lt7kqfGWLTGd6sfJgSypcSo3FP1XhwFOWkaNvZIpoIeQXhux5vTm+RoqYZ/3Gj7hcGMLdoHWArvLHD2AGjxbFnsmiCioQgsC/rYLBjiWNsDdVF5Arofby/RwzivMAi7yivhY4nGzXPsHZoucB0Wi34/9AmxbvXWv6ckuWkMjrXVe+uwFje3U7jQHRW9jQRpCRRfUjVA4FmH0PWqWFBlt/zqsDPOzbxNNhAvyrJho7jVBNjCLsq0++lT8BDKrYbaZiT0F2c9uIDRpHJSdjpqVCf9bghmeJWYMoNHAkGR7WCFjPCJ7QM57a2oRBtm1A/EWcr",
   }
 
+  # Sensu Thresholds
+  sensu_checks = {
+    "dns": {
+       "warning":  "5.0", # warn if no resolution for 5 seconds
+       "critical": "10.0" # critical if no resolution for 10 seconds
+    },
+  }
+
   # Some sane defaults we don't want to specify everywhere
   is_legacy = false # By default, accounts are not legacy accounts
   extra_ebs_key_admins = [ ]
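Review bot: `repo_server_whitelist` adds `"52.179.13.17/32",  #???`, an allow-list entry whose owner the author could not identify; an ingress allow-list should not carry an address nobody can vouch for, so either replace `#???` with who owns it and why it needs repo access, or remove the entry until that is known. In the same `concat`, `"75.138.227.80/32"` is already present in `local.trusted_ips` (first hunk), so the explicit entry is redundant and, depending on how the consuming module expands the list into rules, may produce a duplicate-rule error. Minor style point: the new `sensu_checks` map uses `"key": value` with seven-space indentation while the rest of the file uses `key = value` with two spaces. The enclosing `locals` block starts outside the hunks.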

+ 62 - 0
prod/aws-us-gov/mdr-prod-bas/005-iam/terragrunt.hcl

@@ -0,0 +1,62 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env            = local.environment_vars.locals.environment
+  aws_region     = local.region_vars.locals.aws_region
+  account_id     = local.account_vars.locals.aws_account_id
+  
+}
+
+# TODO: For provisioning only. Comment out after provisioning
+#generate "provider" {
+#  path      = "provider.tf"
+#  if_exists = "overwrite_terragrunt"
+#  contents  = <<EOF
+#provider "template" {
+#  version = "~> 2.1"
+#}
+
+#provider "aws" {
+#  version = "~> 3.0"
+#  region = "${local.aws_region}"
+#
+#  # TODO: make sure you have a profile matching this
+#  profile = "tmp"
+#
+#  # Only these AWS Account IDs may be operated on by this template
+#  allowed_account_ids = ["${local.account_id}"]
+#}
+#EOF
+#}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v1.10.21"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
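Review bot: The commented-out bootstrap `generate "provider"` block, including `profile = "tmp"`, and the `aws_region` / `account_id` locals that only it references are provisioning scaffolding left in a prod config. The block's own TODO says to comment it out after provisioning, but once the account is bootstrapped there is no reason to keep it or the now-unused locals; deleting both would make this file match the other prod modules in the commit. If the account is still being provisioned, a comment with the date it was last needed would at least tell the next reader whether it can go.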

+ 61 - 0
prod/aws-us-gov/mdr-prod-bas/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v1.10.21"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
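Review bot: The generated provider block pins `version = "~> 2.66"` inside the `provider "aws"` block, whereas the sibling `005-iam` template in this account (commented out there) pins `~> 3.0`, so the two modules would bootstrap different provider majors against the same account. Terraform 0.13 also deprecates the `version` argument inside `provider` blocks in favour of `required_providers`, and this commit pins 0.13.x via `.tfswitch.toml` elsewhere, so the constraint would be better expressed as a `terraform { required_providers { aws = { source = "hashicorp/aws", version = "..." } } }` block with one agreed version. Whether module ref v1.10.21 itself requires a newer provider is not visible here and should be checked before choosing the pin.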

+ 26 - 0
prod/aws-us-gov/mdr-prod-bas/006-account-standards/README.md

@@ -0,0 +1,26 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 38 - 0
prod/aws-us-gov/mdr-prod-bas/006-account-standards/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.21"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
+}

+ 7 - 0
prod/aws-us-gov/mdr-prod-bas/010-vpc-splunk/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.

+ 13 - 16
000-skeleton/020-attach-transit-gateway-to-vpc-splunk/terragrunt.hcl → prod/aws-us-gov/mdr-prod-bas/010-vpc-splunk/terragrunt.hcl

@@ -9,22 +9,16 @@ locals {
   region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
   global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-}
-
-dependency "transit_gateway" {
-  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
-}
 
-dependency "vpc_splunk" {
-  config_path = "../010-vpc-splunk"
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
 }
 
-
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.3"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v1.21.0"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -32,19 +26,22 @@ include {
   path = find_in_parent_folders()
 }
 
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
 # These are the variables we have to pass in to use the module specified in the terragrunt source above
 inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  accept_tgw_invitation = true # Should we accept the Transit GT invitation? Should only be true for the first vpc
+  tgw_share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_info = local.account_vars.locals.vpc_info["vpc-splunk"]
   tags = {
-    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}"
+    #Purpose # grabbed from vpc_info
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
-  accept_invitation = true # Should only be true for the first one
-  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
-  tgw_id = dependency.transit_gateway.outputs.tgw_id
-  vpc_id = dependency.vpc_splunk.outputs.vpc_id
-  subnets = dependency.vpc_splunk.outputs.private_subnets
-  route_tables = concat(dependency.vpc_splunk.outputs.private_route_tables, dependency.vpc_splunk.outputs.public_route_tables)
+  accept_tgw_invitation = true
 }
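Review bot: `accept_tgw_invitation = true` is assigned twice in the `inputs` map, once with its explanatory comment and again as the bare last line; the second assignment is at best redundant and, depending on how HCL handles duplicate keys in this position, may be rejected outright. Drop the trailing `accept_tgw_invitation = true` and keep the commented one. The `#Purpose # grabbed from vpc_info` comment inside `tags` would also read better as a full sentence, e.g. `# Purpose is taken from vpc_info, so it is not set here`.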

+ 33 - 0
prod/aws-us-gov/mdr-prod-bas/021-qualys-connector-role/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_connector_role?ref=v1.10.21"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Qualys Connector Role"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
