
Initial Commit

Fred Damstra 5 jaren geleden
commit
671dc26b50
100 gewijzigde bestanden met toevoegingen van 1140 en 0 verwijderingen
  1. 6 0
      .gitattributes
  2. 99 0
      .gitignore
  3. 3 0
      000-skeleton-GOV/.gitignore
  4. 5 0
      000-skeleton-GOV/000-mdradmin-bootstrap/README.md
  5. 5 0
      000-skeleton-GOV/001-tfstate/README.md
  6. 9 0
      000-skeleton-GOV/005-iam/child_account.tf
  7. 3 0
      000-skeleton-GOV/005-iam/terragrunt.hcl
  8. 3 0
      000-skeleton-GOV/005-iam/version.tf
  9. 5 0
      000-skeleton-GOV/README.md
  10. 7 0
      000-skeleton-GOV/account.hcl
  11. 3 0
      000-skeleton/.gitignore
  12. 5 0
      000-skeleton/000-mdradmin-bootstrap/README.md
  13. 5 0
      000-skeleton/001-tfstate/README.md
  14. 9 0
      000-skeleton/005-iam/child_account.tf
  15. 3 0
      000-skeleton/005-iam/terragrunt.hcl
  16. 3 0
      000-skeleton/005-iam/version.tf
  17. 5 0
      000-skeleton/README.md
  18. 7 0
      000-skeleton/account.hcl
  19. 5 0
      README.md
  20. 285 0
      bin/okta_group_maker.py
  21. 3 0
      common/aws-us-gov/mdr-common-services/008-xdr-binaries/README.md
  22. 38 0
      common/aws-us-gov/mdr-common-services/008-xdr-binaries/terragrunt.hcl
  23. 10 0
      common/aws-us-gov/mdr-common-services/account.hcl
  24. 31 0
      common/aws-us-gov/partition.hcl
  25. 9 0
      common/aws-us-gov/region.hcl
  26. 3 0
      common/aws/legacy-mdr-root/.gitignore
  27. 5 0
      common/aws/legacy-mdr-root/000-mdradmin-bootstrap/README.md
  28. 5 0
      common/aws/legacy-mdr-root/001-tfstate/README.md
  29. 8 0
      common/aws/legacy-mdr-root/005-iam/child_account.tf
  30. 3 0
      common/aws/legacy-mdr-root/005-iam/terragrunt.hcl
  31. 3 0
      common/aws/legacy-mdr-root/005-iam/version.tf
  32. 7 0
      common/aws/legacy-mdr-root/README.md
  33. 6 0
      common/aws/legacy-mdr-root/account.hcl
  34. 18 0
      common/aws/mdr-common-services/000-mdradmin-bootstrap/README.md
  35. 3 0
      common/aws/mdr-common-services/000-mdradmin-bootstrap/common-locals.tf
  36. 6 0
      common/aws/mdr-common-services/000-mdradmin-bootstrap/main.tf
  37. 8 0
      common/aws/mdr-common-services/000-mdradmin-bootstrap/provider.tf
  38. 36 0
      common/aws/mdr-common-services/000-mdradmin-bootstrap/terraform.tfstate
  39. 3 0
      common/aws/mdr-common-services/000-mdradmin-bootstrap/version.tf
  40. 3 0
      common/aws/mdr-common-services/001-tfstate/common-locals.tf
  41. 5 0
      common/aws/mdr-common-services/001-tfstate/main.tf
  42. 8 0
      common/aws/mdr-common-services/001-tfstate/provider.tf
  43. 36 0
      common/aws/mdr-common-services/001-tfstate/terraform.tfstate
  44. 3 0
      common/aws/mdr-common-services/001-tfstate/version.tf
  45. 12 0
      common/aws/mdr-common-services/005-iam/backend.tf
  46. 12 0
      common/aws/mdr-common-services/005-iam/okta_saml.tf
  47. 5 0
      common/aws/mdr-common-services/005-iam/provider-okta.tf
  48. 22 0
      common/aws/mdr-common-services/005-iam/provider.tf
  49. 3 0
      common/aws/mdr-common-services/005-iam/terragrunt.hcl
  50. 3 0
      common/aws/mdr-common-services/005-iam/version.tf
  51. 3 0
      common/aws/mdr-common-services/008-xdr-binaries/README.md
  52. 38 0
      common/aws/mdr-common-services/008-xdr-binaries/terragrunt.hcl
  53. 18 0
      common/aws/mdr-common-services/README.md
  54. 10 0
      common/aws/mdr-common-services/account.hcl
  55. 3 0
      common/aws/mdr-cyber-range/.gitignore
  56. 5 0
      common/aws/mdr-cyber-range/000-mdradmin-bootstrap/README.md
  57. 5 0
      common/aws/mdr-cyber-range/001-tfstate/README.md
  58. 9 0
      common/aws/mdr-cyber-range/005-iam/child_account.tf
  59. 3 0
      common/aws/mdr-cyber-range/005-iam/terragrunt.hcl
  60. 3 0
      common/aws/mdr-cyber-range/005-iam/version.tf
  61. 8 0
      common/aws/mdr-cyber-range/README.md
  62. 7 0
      common/aws/mdr-cyber-range/account.hcl
  63. 3 0
      common/aws/mdr-dev-ai/.gitignore
  64. 5 0
      common/aws/mdr-dev-ai/000-mdradmin-bootstrap/README.md
  65. 5 0
      common/aws/mdr-dev-ai/001-tfstate/README.md
  66. 9 0
      common/aws/mdr-dev-ai/005-iam/child_account.tf
  67. 3 0
      common/aws/mdr-dev-ai/005-iam/terragrunt.hcl
  68. 3 0
      common/aws/mdr-dev-ai/005-iam/version.tf
  69. 8 0
      common/aws/mdr-dev-ai/README.md
  70. 7 0
      common/aws/mdr-dev-ai/account.hcl
  71. 31 0
      common/aws/partition.hcl
  72. 9 0
      common/aws/region.hcl
  73. 5 0
      common/env.hcl
  74. 34 0
      globals.hcl
  75. 1 0
      prod/aws-us-gov/partition.hcl
  76. 1 0
      prod/aws-us-gov/region.hcl
  77. 3 0
      prod/aws/legacy-mdr-prod/.gitignore
  78. 5 0
      prod/aws/legacy-mdr-prod/000-mdradmin-bootstrap/README.md
  79. 5 0
      prod/aws/legacy-mdr-prod/001-tfstate/README.md
  80. 9 0
      prod/aws/legacy-mdr-prod/005-iam/child_account.tf
  81. 3 0
      prod/aws/legacy-mdr-prod/005-iam/terragrunt.hcl
  82. 3 0
      prod/aws/legacy-mdr-prod/005-iam/version.tf
  83. 5 0
      prod/aws/legacy-mdr-prod/README.md
  84. 7 0
      prod/aws/legacy-mdr-prod/account.hcl
  85. 3 0
      prod/aws/mdr-prod-c2/.gitignore
  86. 5 0
      prod/aws/mdr-prod-c2/000-mdradmin-bootstrap/README.md
  87. 5 0
      prod/aws/mdr-prod-c2/001-tfstate/README.md
  88. 8 0
      prod/aws/mdr-prod-c2/005-iam/child_account.tf
  89. 3 0
      prod/aws/mdr-prod-c2/005-iam/terragrunt.hcl
  90. 3 0
      prod/aws/mdr-prod-c2/005-iam/version.tf
  91. 3 0
      prod/aws/mdr-prod-c2/README.md
  92. 6 0
      prod/aws/mdr-prod-c2/account.hcl
  93. 5 0
      prod/aws/mdr-prod-malware/000-mdradmin-bootstrap/README.md
  94. 5 0
      prod/aws/mdr-prod-malware/001-tfstate/README.md
  95. 3 0
      prod/aws/mdr-prod-malware/005-iam/.gitignore
  96. 8 0
      prod/aws/mdr-prod-malware/005-iam/child_account.tf
  97. 3 0
      prod/aws/mdr-prod-malware/005-iam/terragrunt.hcl
  98. 3 0
      prod/aws/mdr-prod-malware/005-iam/version.tf
  99. 3 0
      prod/aws/mdr-prod-malware/README.md
  100. 6 0
      prod/aws/mdr-prod-malware/account.hcl

+ 6 - 0
.gitattributes

@@ -0,0 +1,6 @@
+**/ks.cfg text eol=lf
+packer/scripts/** text eol=lf
+packer/configurator-tool/** text eol=lf
+packer/hyperv-provision/**  eol=crlf
+packer/hyperv-setup/**  eol=crlf
+**/*.tfstate binary -diff merge=binary

+ 99 - 0
.gitignore

@@ -0,0 +1,99 @@
+**/*.swp
+**/*.swo
+**/*.iso
+*.rpm
+salt/splunk/deployment_server/files/*
+salt/splunk/master/files/*
+
+# Created by https://www.gitignore.io/api/macos,splunk,terraform,visualstudiocode
+# Edit at https://www.gitignore.io/?templates=macos,splunk,terraform,visualstudiocode
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Splunk ###
+# gitignore template for Splunk apps
+# documentation: http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Defaultmetaconf
+
+# Splunk local meta file
+local.meta
+
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+!**/000-mdradmin-bootstrap/terraform.tfstate 
+!**/001-tfstate/terraform.tfstate
+
+### Terragrunt ###
+# Local .terragrunt directories
+.terragrunt-cache
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+
+# End of https://www.gitignore.io/api/macos,splunk,terraform,visualstudiocode
+
+\.vscode/
+
+# python
+__pycache__/*
+*.pyc
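Review bot: The negations `!**/000-mdradmin-bootstrap/terraform.tfstate` and `!**/001-tfstate/terraform.tfstate` un-ignore two state files, and this commit checks them in (common/aws/mdr-common-services/000-mdradmin-bootstrap/terraform.tfstate and common/aws/mdr-common-services/001-tfstate/terraform.tfstate, both suppressed from the rendered diff). Terraform state records resource attributes in plaintext and can include sensitive values, and `.gitattributes` in the same commit marks `**/*.tfstate` as `binary -diff`, so their contents will never appear in a review; a comment above the negations such as `# Bootstrap stacks have no remote backend; their state is committed on purpose and must not contain secrets` would make the intent auditable and give later reviewers something to check against. The entry `\.vscode/` near the end escapes the dot, which gitignore reads as the literal directory `.vscode/`; excluding the directory itself makes the `!.vscode/settings.json` and sibling negations above ineffective, since a file cannot be re-included when its parent directory is excluded. Drop that line, or remove the backslash and keep only the `.vscode/*` form.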

+ 3 - 0
000-skeleton-GOV/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf

+ 5 - 0
000-skeleton-GOV/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
000-skeleton-GOV/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 9 - 0
000-skeleton-GOV/005-iam/child_account.tf

@@ -0,0 +1,9 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+  TODO: Replace with correct alias
+  account_alias = "afs-mdr-TODO-TODO"
+
+  assume_role_trusted_arns  = [
+    "arn:aws-us-gov:iam::701290387780:role/user/mdr_engineer_readonly",
+  ]
+}
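Review bot: `TODO: Replace with correct alias` on the third line of the `module "iam_roles"` block is a bare line, not a comment, so this skeleton is not valid HCL and `terraform init` will fail as soon as it is copied; it should be `# TODO: Replace with correct alias`. The same line appears in 000-skeleton/005-iam/child_account.tf (L439). Since these are templates meant to be copied per account, a one-line `# Copy this file unchanged except for account_alias; the trusted ARN is the common-services read-only role` header would also tell the next person which values are placeholders and which are shared.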

+ 3 - 0
000-skeleton-GOV/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
000-skeleton-GOV/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 5 - 0
000-skeleton-GOV/README.md

@@ -0,0 +1,5 @@
+# A skeleton for a new account
+
+Intended to be copied whenever a new account is added to bring it to the current standards.
+
+REPLACE THE CONTENTS OF THIS FILE WITH A DESCRIPTION OF THE ACCOUNT

+ 7 - 0
000-skeleton-GOV/account.hcl

@@ -0,0 +1,7 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  # TODO put the right values here
+  account_name   = "TODO"
+  aws_account_id = "TODO"
+}

+ 3 - 0
000-skeleton/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf

+ 5 - 0
000-skeleton/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
000-skeleton/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 9 - 0
000-skeleton/005-iam/child_account.tf

@@ -0,0 +1,9 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+  TODO: Replace with correct alias
+  account_alias = "afs-mdr-TODO-TODO"
+
+  assume_role_trusted_arns  = [
+    "arn:aws:iam::471284459109:role/user/mdr_engineer_readonly",
+  ]
+}

+ 3 - 0
000-skeleton/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
000-skeleton/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 5 - 0
000-skeleton/README.md

@@ -0,0 +1,5 @@
+# A skeleton for a new account
+
+Intended to be copied whenever a new account is added to bring it to the current standards.
+
+REPLACE THE CONTENTS OF THIS FILE WITH A DESCRIPTION OF THE ACCOUNT

+ 7 - 0
000-skeleton/account.hcl

@@ -0,0 +1,7 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  # TODO put the right values here
+  account_name   = "TODO"
+  aws_account_id = "TODO"
+}

+ 5 - 0
README.md

@@ -0,0 +1,5 @@
+# xdr live
+
+Live configurations of the environments.
+
+For development, put this repository at the same level as a copy of `xdr-terraform-modules` or the local scripts will not work for testing. You can certainly look at how the local scripts work and modify them for your development environment.

+ 285 - 0
bin/okta_group_maker.py

@@ -0,0 +1,285 @@
+#!/usr/bin/env python
+"""
+Makes the Okta groups and group rules needed to support the Okta + AWS integration.
+A master group has a group rule associated with it.  The group rule auto-assigns
+membership in several "subgroups" - each of which maps to a given role in a given
+AWS account.  All of this is so that if we assign to you the "foo-role" group in
+Okta, you'll be able to assume "foo-role" in each of the many AWS accounts we have.
+"""
+from __future__ import print_function
+import json
+import logging
+import os
+import sys
+import re
+import requests
+from requests.auth import AuthBase
+
+
+# Configuration:
+#   * a list of groups that should exist
+#       * a regex for matching up 'child groups'
+# Maybe this should be a configuration file?  Perhaps one day
+# but for now I'm happy with it in here.
+LOGLEVEL = logging.DEBUG
+API_URL = 'https://mdr-multipass.okta.com'
+API_KEY = os.environ.get('OKTA_API_TOKEN')
+MASTER_GROUPS = [
+
+    {
+        'group_name': 'AWS - MDR_Engineer-Readonly Role',
+        'subgroup_regex': r'^aws(?:-us-gov)?#[^#]+#mdr_engineer_readonly#\d+$'
+    },
+    {
+        'group_name': 'AWS - Cyber Range / A&I',
+        'subgroup_regex': r'^aws(?:-us-gov)?#afs-mdr-common-services(?:-gov)?#mdr_developer_readonly#\d+$'
+    }
+
+]
+
+class OktaAuth(AuthBase):
+    """
+    Adds Okta API expected auth header
+    """
+    def __init__(self, api_key):
+        self.api_key = api_key
+
+    def __call__(self, r):
+        r.headers['Authorization'] = 'SSWS {0}'.format(self.api_key)
+        return r
+
+def main(args):
+    """
+    The main
+    """
+    logging.basicConfig(stream=sys.stderr,
+                        level=LOGLEVEL,
+                        format='%(asctime)s %(levelname)s %(funcName)s %(message)s')
+
+    for group in MASTER_GROUPS:
+        process_group(group)
+
+
+def process_group(group):
+    """
+    Process a group obviously
+    """
+    log = logging.getLogger(__name__)
+
+    payload = {
+        'q' : group.get('group_name')
+    }
+
+    log.debug("Processing Group %s", group.get('group_name'))
+    r = requests.get('{0}/api/v1/groups'.format(API_URL),
+                     auth=OktaAuth(API_KEY),
+                     params=payload)
+    log.debug("Response code %d", r.status_code)
+
+    my_group = None
+
+    # we should "always" get a 200 even if we get an empty-ish response
+    # a basic [ ] json doc.
+    if r.status_code == 200:
+        data = r.json()
+        if data:
+            for rec in data:
+                if rec.get('profile').get('name') == group.get('group_name'):
+                    my_group = rec
+
+    # Our group does not exist, we need to make it
+
+    payload = {
+        'profile': {
+            'name'       : group.get('group_name'),
+            'description': 'AWS SAML Role'
+        }
+    }
+
+    headers = {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json'
+    }
+
+    if my_group is None:
+        log.info("Creating Group %s", group.get('group_name'))
+        r = requests.post('{0}/api/v1/groups'.format(API_URL),
+                          auth=OktaAuth(API_KEY),
+                          data=json.dumps(payload),
+                          headers=headers)
+        log.debug("Response code: %d", r.status_code)
+        my_group = r.json()
+
+    log.info("Master group id=%s", my_group.get('id'))
+
+    subgroups = find_subgroups(group.get('subgroup_regex'))
+    log.info("Valid Subgroups = %s", repr(subgroups))
+
+    create_subgroup_rule(group.get('group_name'), my_group.get('id'), subgroups)
+
+
+def create_subgroup_rule(rule_name, master_group_id, subgroups):
+    """
+    Create a rule to assign a user to all of the subgroups
+    when they are assigned to the master group.  If a rule
+    by the same name exists, it will be destroyed and
+    re-created.  (Okta API artifact)
+    """
+
+    log = logging.getLogger(__name__)
+
+    log.debug("Checking for existing rule named %s", rule_name)
+    
+    payload = {
+        'q': rule_name
+    }
+
+    existing_rule_id = None
+
+    r = requests.get('{0}/api/v1/groups/rules'.format(API_URL),
+                     auth=OktaAuth(API_KEY),
+                     params=payload)
+    log.debug("Response code %d", r.status_code)
+    if r.status_code == 200:
+        rules = r.json()
+        for rule in rules:
+            if rule.get('name') == rule_name:
+                existing_rule_id = rule.get('id')
+    else:
+        raise 
+
+    # Need to remove the existing rule to add a new one
+    if existing_rule_id is not None:
+        remove_group_rule(existing_rule_id)
+
+    # Now let's make a new rule whee
+    new_rule = {
+        'type'      : 'group_rule',
+        'name'      : rule_name,
+        'conditions': {
+            'expression': {
+                'type' : 'urn:okta:expression:1.0',
+                'value': 'isMemberOfAnyGroup("{}")'.format(master_group_id)
+            }
+        },
+        'actions'   : {
+            'assignUserToGroups': {
+                'groupIds': subgroups
+            }
+        }
+
+    }
+
+    # First deactivate the rule, per Okta API
+    url = '{0}/api/v1/groups/rules'.format(API_URL)
+
+    headers = {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json'
+    }
+
+    r = requests.post(url,
+                      auth=OktaAuth(API_KEY),
+                      headers=headers,
+                      data=json.dumps(new_rule))
+    log.debug("Response code: %d", r.status_code)
+
+    if r.status_code != 200:
+        log.error("Response code %d trying to create group rule id=%s", r.rule_name)
+        raise
+
+    new_rule_response=r.json()
+
+    url = '{0}/api/v1/groups/rules/{1}/lifecycle/activate'.format(
+           API_URL,
+           new_rule_response.get('id'))
+
+    r = requests.post(url,
+                      auth=OktaAuth(API_KEY),
+                      headers=headers,
+                      data=json.dumps(new_rule))
+    log.debug("Response code: %d", r.status_code)
+
+        
+def remove_group_rule(rule_id):
+
+    log = logging.getLogger(__name__)
+
+
+    # First deactivate the rule, per Okta API
+    url = '{0}/api/v1/groups/rules/{1}/lifecycle/deactivate'.format(
+            API_URL,
+            rule_id)
+
+    headers = {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json'
+    }
+
+    r = requests.post(url,
+                      auth=OktaAuth(API_KEY),
+                      headers=headers)
+    log.debug("Response code: %d", r.status_code)
+
+    if r.status_code != 204:
+        log.error("Response code %d trying to deactivate group rule id=%s", r.status_code, rule_id)
+        raise
+
+    # Now let's try to delete it
+
+    url = '{0}/api/v1/groups/rules/{1}'.format(
+            API_URL,
+            rule_id)
+
+    headers = {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json'
+    }
+
+    r = requests.delete(url,
+                        auth=OktaAuth(API_KEY),
+                        headers=headers)
+    log.debug("Response code: %d", r.status_code)
+
+    if r.status_code != 202:
+        log.error("Response code %d trying to delete group rule id=%s", r.status_code, rule_id)
+        raise
+    
+
+
+def find_subgroups(regex):
+    """
+    Finds all the groups matching a given regex, so that
+    we can attach them to a rule.
+    """
+
+    log = logging.getLogger(__name__)
+    log.debug("Looking for groups matching regex '%s'", regex)
+
+    payload = {
+        'q' : 'aws'
+    }
+
+    r = requests.get('{0}/api/v1/groups'.format(API_URL),
+                     auth=OktaAuth(API_KEY),
+                     params=payload)
+    log.debug("Response code %d", r.status_code)
+
+    groups = []
+
+    # we should "always" get a 200 even if we get an empty-ish response
+    # a basic [ ] json doc.
+    if r.status_code == 200:
+        data = r.json()
+        if data:
+            for rec in data:
+                name = rec.get('profile').get('name')
+                groupid = rec.get('id')
+                if re.match(regex, name) is not None:
+                    groups.append(groupid)
+    return groups
+
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv))
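Review bot: The bare `raise` statements in `create_subgroup_rule` (after the rules lookup and after the create POST) and in `remove_group_rule` (after deactivate and after delete) are not inside an `except` block, so they fail with `RuntimeError: No active exception to reraise` and discard the status code that triggered them; `raise RuntimeError("Okta API returned %d" % r.status_code)` preserves it. The `log.error` just before the create-POST `raise` passes `r.rule_name`, which does not exist on a Response and leaves its second `%s` unfilled, so that branch currently dies with an AttributeError; it should read `log.error("Response code %d trying to create group rule %s", r.status_code, rule_name)`. `process_group` calls `r.json()` on the create response without checking the status code, unlike the other requests in the file. `API_KEY` is `None` whenever `OKTA_API_TOKEN` is unset and every request then carries `Authorization: SSWS None`; a guard at the top of `main`, `if not API_KEY: sys.exit("OKTA_API_TOKEN is not set")`, fails fast instead of logging a series of 401s. Since the rule created in `create_subgroup_rule` assigns exactly the ids `find_subgroups` returned, a paginated or truncated `/api/v1/groups` listing would silently narrow the rule; following the `Link` header (or asserting none is present) before building `groupIds` would guard against that.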

+ 3 - 0
common/aws-us-gov/mdr-common-services/008-xdr-binaries/README.md

@@ -0,0 +1,3 @@
+# XDR-Binaries
+
+Creates an S3 bucket for storing binary blobs

+ 38 - 0
common/aws-us-gov/mdr-common-services/008-xdr-binaries/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  #account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Ideally, these would be in a git repo with a version number, and we would override via 'terragrunt-source'
+  #source = "git::git@github.mdr.defpoint.com:frederick-t-damstra/terraform-modules.git//testvpc?ref=v0.1.0"
+  # Double slash is intentional and required to show root of modules
+  source = "../../../../modules//globally_accessible_bucket/0.1/"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  name = local.global_vars.locals.binaries_bucket
+  tags = {
+    Purpose = "Storage of replaceable binaries for XDR."
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
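Review bot: The `Terraform` tag in `inputs` hard-codes the `aws/` prefix although this file lives under `common/aws-us-gov/`, so resources in the GovCloud account are tagged with a commercial-partition path; uncommenting `partition_vars` in `locals` and writing `Terraform = "${local.partition_vars.locals.aws_partition}/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"` derives it from partition.hcl instead. The identical file at common/aws/mdr-common-services/008-xdr-binaries/terragrunt.hcl (L1192-1229) could take the same form so the two stay in step. The module name `globally_accessible_bucket` suggests the bucket is reachable without account-scoped credentials, while the README in this directory says only that it stores binary blobs; a sentence here or there stating the intended access policy and that nothing sensitive belongs in it would let a reviewer judge the exposure without opening the module.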

+ 10 - 0
common/aws-us-gov/mdr-common-services/account.hcl

@@ -0,0 +1,10 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  account_name   = "afs-mdr-common-services-gov"
+  aws_account_id = "701290387780"
+  instance_termination_protection = true # set to true for production!
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  #standard_vpc_cidr = "TBD"
+}

+ 31 - 0
common/aws-us-gov/partition.hcl

@@ -0,0 +1,31 @@
+# Set common variables for the environment. This is automatically pulled in in the root terragrunt.hcl configuration to
+# feed forward to the child modules.
+# 
+# NOTE: There is only one copy of this, in the `common/` tree, and the others are symbolic links.
+locals {
+  aws_partition = "aws-us-gov"
+  common_services_account = "701290387780"
+  common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
+
+  account_map = {
+    "prod" = [
+      "721817724804", # mdr-prod-c2
+      "738736370544", # mdr-prod-modelclient
+      "876865127438", # mdr-prod-malware
+    ],
+    "test" = [
+      "738800754746", # mdr-test-c2
+      "701341250728", # mdr-test-modelclient
+      "876942499057", # mdr-test-malware
+    ],
+    "common" = [
+      "701290387780", # mdr-common-services
+    ],
+  }
+  # flatten the map into a single list
+  account_list = flatten([
+    for env, accounts in local.account_map: accounts
+  ])
+
+  aws_marketplace_ubuntu_owner_id = "874634375141"
+}
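Review bot: `common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"` wraps a bare expression in interpolation quotes, which Terraform 0.12 (the range pinned by the `version.tf` files) reports as deprecated; write it as `common_profile = local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"`. The header comment says there is only one copy of this file with the others being symbolic links, but the diffstat lists both `common/aws-us-gov/partition.hcl` and `common/aws/partition.hcl` at 31 lines while `prod/aws-us-gov/partition.hcl` is 1 line; if the two 31-line files are real copies rather than links, the comment is stale and the `account_map` blocks will drift apart. The inline comments beside each account id are the only record of which account is which, so a note on where the authoritative list lives would help when ids are added.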

+ 9 - 0
common/aws-us-gov/region.hcl

@@ -0,0 +1,9 @@
+# Set common variables for the region. This is automatically pulled in in the root terragrunt.hcl configuration to
+# feed forward to the child modules.
+#
+# NOTE: There is only one copy of this, in the `common/` tree, and the others are symbolic links.
+# 
+# At some point, this may need to be added as a hierarchical directory when we move to additional regions.
+locals {
+  aws_region = "us-gov-east-1"
+}

+ 3 - 0
common/aws/legacy-mdr-root/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf

+ 5 - 0
common/aws/legacy-mdr-root/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
common/aws/legacy-mdr-root/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 8 - 0
common/aws/legacy-mdr-root/005-iam/child_account.tf

@@ -0,0 +1,8 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+
+  # no account_alias on purpose
+  assume_role_trusted_arns  = [
+    "arn:aws:iam::471284459109:role/user/mdr_engineer_readonly",
+  ]
+}

+ 3 - 0
common/aws/legacy-mdr-root/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
common/aws/legacy-mdr-root/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 7 - 0
common/aws/legacy-mdr-root/README.md

@@ -0,0 +1,7 @@
+# legacy-mdr-root
+
+The "old" root account.  I don't expect much terraform
+to be "in here" because it's all in the old terraform 11 codebase
+
+This mostly exists for the AssumeRole linkage to the new common-services
+

+ 6 - 0
common/aws/legacy-mdr-root/account.hcl

@@ -0,0 +1,6 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  account_name   = "legacy-mdr-root"
+  aws_account_id = "350838957895"
+}

+ 18 - 0
common/aws/mdr-common-services/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,18 @@
+# README
+
+The CAMRS folks that manage the AFS AWS accounts/organization manage the 
+AWS root account.  They create for us a somewhat nerfed user they've
+been naming "MDRAdmin". 
+
+This chunk of terraform adds a policy for MDRAdmin that gives them
+enough rights to be able to create the S3 bucket for terraform state
+and the dynamodb table for terraform locking.
+
+This has to be run before state buckets can be created obviously,
+but I don't expect it to run often.  Like, literally during
+initial account setup and that's probably it.
+
+You'll need working AWS account credentials.  Set `AWS_PROFILE`
+to the correct profile name.  Also, you may want to set
+`AWS_SDK_LOAD_CONFIG=1` in order to make the AWS Golang SDK
+read `$HOME/.aws/config`

+ 3 - 0
common/aws/mdr-common-services/000-mdradmin-bootstrap/common-locals.tf

@@ -0,0 +1,3 @@
+locals {
+  name = "afsxdr-terraform-state"
+}

+ 6 - 0
common/aws/mdr-common-services/000-mdradmin-bootstrap/main.tf

@@ -0,0 +1,6 @@
+module "mdradmin-bootstrap" {
+  source            = "../../../../modules/iam/bootstrap_mdradmin_policies/0.1"
+  users             = [ "MDRAdmin" ]
+  bucket_name       = local.name
+  lock_table_name   = local.name
+}

+ 8 - 0
common/aws/mdr-common-services/000-mdradmin-bootstrap/provider.tf

@@ -0,0 +1,8 @@
+provider "aws" {
+  region  = "us-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    471284459109
+  ]
+}
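Review bot: `allowed_account_ids` is given the account id as a bare number here and in common/aws/mdr-common-services/001-tfstate/provider.tf (L1075-1077), whereas 005-iam/provider.tf quotes it; Terraform converts the number to a string so it works today, but an AWS account id with a leading zero would be silently mangled by the numeric parse. Quoting it, `allowed_account_ids = ["471284459109"]`, avoids that and keeps the ids consistent and greppable across the repository.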

File diff suppressed because it is too large
+ 36 - 0
common/aws/mdr-common-services/000-mdradmin-bootstrap/terraform.tfstate


+ 3 - 0
common/aws/mdr-common-services/000-mdradmin-bootstrap/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 3 - 0
common/aws/mdr-common-services/001-tfstate/common-locals.tf

@@ -0,0 +1,3 @@
+locals {
+  name = "afsxdr-terraform-state"
+}

+ 5 - 0
common/aws/mdr-common-services/001-tfstate/main.tf

@@ -0,0 +1,5 @@
+module "tfstate" {
+  source            = "../../../../modules/tfstate/tfstate-s3/0.1"
+  bucket_name       = local.name
+  lock_table_name   = local.name
+}

+ 8 - 0
common/aws/mdr-common-services/001-tfstate/provider.tf

@@ -0,0 +1,8 @@
+provider "aws" {
+  region  = "us-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    471284459109
+  ]
+}

File diff suppressed because it is too large
+ 36 - 0
common/aws/mdr-common-services/001-tfstate/terraform.tfstate


+ 3 - 0
common/aws/mdr-common-services/001-tfstate/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 12 - 0
common/aws/mdr-common-services/005-iam/backend.tf

@@ -0,0 +1,12 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+  backend "s3" {
+    key            = "aws/common/aws/mdr-common-services/005-iam/terraform.tfstate"
+    profile        = "commercial"
+    region         = "us-east-1"
+    role_arn       = "arn:aws:iam::471284459109:role/user/mdr_terraformer"
+    bucket         = "afsxdr-terraform-state"
+    dynamodb_table = "afsxdr-terraform-state"
+    encrypt        = true
+  }
+}
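Review bot: This file is marked `# Generated by Terragrunt` yet is committed, while the skeleton and the other accounts ignore `backend.tf` and `provider.tf` for exactly that reason (000-skeleton/.gitignore); the diffstat shows no .gitignore under common/aws/mdr-common-services, so add one with the same two entries and drop the generated files, otherwise a stale copy will compete with what terragrunt regenerates at run time. The same applies to common/aws/mdr-common-services/005-iam/provider.tf (L1141-1162). Checking these in also bakes the role ARN `arn:aws:iam::471284459109:role/user/mdr_terraformer` and the state key into a second source of truth that the root terragrunt.hcl already derives from account.hcl and partition.hcl.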

+ 12 - 0
common/aws/mdr-common-services/005-iam/okta_saml.tf

@@ -0,0 +1,12 @@
+#module "okta_saml" {
+#  source        = "../../../../modules/iam/okta_saml_roles/0.1"
+#  account_alias = "afs-mdr-common-services"
+#  okta_app      = "AWS - Commercial"
+#}
+
+
+module "common_services_roles" {
+  source        = "../../../../modules/iam/common_services_roles/0.1"
+  account_alias = "afs-mdr-common-services"
+  okta_app      = "AWS - Commercial"
+}

+ 5 - 0
common/aws/mdr-common-services/005-iam/provider-okta.tf

@@ -0,0 +1,5 @@
+provider "okta" {
+  org_name = "mdr-multipass"
+  base_url = "okta.com"
+}
+

+ 22 - 0
common/aws/mdr-common-services/005-iam/provider.tf

@@ -0,0 +1,22 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+provider "aws" {
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::471284459109:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+  
+  profile = "commercial"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["471284459109"]
+}
+
+# The "common services" provider in the respective partition is always available
+provider "aws" {
+  region = "us-east-1"
+  allowed_account_ids = [ "471284459109", "701290387780" ]
+  profile = "commercial"
+  alias   = "common"
+}

+ 3 - 0
common/aws/mdr-common-services/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
common/aws/mdr-common-services/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 3 - 0
common/aws/mdr-common-services/008-xdr-binaries/README.md

@@ -0,0 +1,3 @@
+# XDR-Binaries
+
+Creates an S3 bucket for storing binary blobs

+ 38 - 0
common/aws/mdr-common-services/008-xdr-binaries/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  #account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Ideally, these would be in a git repo with a version number, and we would override via 'terragrunt-source'
+  #source = "git::git@github.mdr.defpoint.com:frederick-t-damstra/terraform-modules.git//testvpc?ref=v0.1.0"
+  # Double slash is intentional and required to show root of modules
+  source = "../../../../modules//globally_accessible_bucket/0.1/"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  name = local.global_vars.locals.binaries_bucket
+  tags = {
+    Purpose = "Storage of replaceable binaries for XDR."
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
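Review bot: The `inputs` block hands a bucket named for "replaceable binaries" to a module called `globally_accessible_bucket`, but nothing here records what "globally accessible" means (public read? cross-account only?), whether object versioning is on, or how consumers are expected to verify what they download; for a bucket that feeds binaries to other systems that is the property a reviewer most needs stated. Add a comment above `name` such as `# Exposure: <who can read/write> (see module); versioning/integrity checks: <how consumers verify objects> — TODO confirm against the module` (placeholders). The `Terraform` tag also hard-codes the `aws/` prefix although the partition is a local in partition.hcl, so the tag will be wrong for the aws-us-gov tree if this file is copied there.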

+ 18 - 0
common/aws/mdr-common-services/README.md

@@ -0,0 +1,18 @@
+# README
+
+I'm not sure if this is a helpful readme or not tbh
+
+## Authentication
+
+A handful of these need the static access keys for the MDRAdmin account,
+mostly because at that point of setting up a new AWS account we don't have
+the okta integration in place.
+
+## Subfolders / subprojects
+
+| Subdirectory                 | auth               | Purpose |
+|------------------------------|--------------------|---------|
+|000-mdradmin-bootstrap        | MDRAdmin + aws-mfa | Configures MDRAdmin Account to have IAM rights to create terraform state 
+|001-tfstate                   | MDRAdmin + aws-mfa | Creates TF state s3 bucket, dynamodb tables
+|005-iam                       | okta + saml2aws    | Fundamental IAM setup - does OKTA linkage, sets up user roles and policies 
+|common                        | okta + saml2aws    | Variable / provider definitions used across multiple chunks 

+ 10 - 0
common/aws/mdr-common-services/account.hcl

@@ -0,0 +1,10 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  account_name   = "afs-mdr-common-services"
+  aws_account_id = "471284459109"
+  instance_termination_protection = true # set to true for production!
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  #standard_vpc_cidr = "TBD"
+}

+ 3 - 0
common/aws/mdr-cyber-range/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf

+ 5 - 0
common/aws/mdr-cyber-range/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
common/aws/mdr-cyber-range/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 9 - 0
common/aws/mdr-cyber-range/005-iam/child_account.tf

@@ -0,0 +1,9 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+  account_alias = "afs-mdr-prod-cyber-range"
+
+  assume_role_trusted_arns  = [
+    "arn:aws:iam::471284459109:role/user/mdr_engineer_readonly",
+    "arn:aws:iam::471284459109:role/user/mdr_developer_readonly",
+  ]
+}

+ 3 - 0
common/aws/mdr-cyber-range/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
common/aws/mdr-cyber-range/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 8 - 0
common/aws/mdr-cyber-range/README.md

@@ -0,0 +1,8 @@
+# prod cyber range (commercial)
+
+The cyber range used by content-as-a-service.  There will probably be
+limited terraform in "here" other than the shared account linkages
+because of there being a totally different terraform project
+for content as service.
+
+

+ 7 - 0
common/aws/mdr-cyber-range/account.hcl

@@ -0,0 +1,7 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  # TODO put the right values here
+  account_name   = "afs-mdr-prod-cyber-range"
+  aws_account_id = "952430311316"
+}
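Review bot: The `# TODO put the right values here` comment in this account.hcl is stale: `account_name` and `aws_account_id` are both populated, and the same leftover TODO appears in common/aws/mdr-dev-ai/account.hcl and prod/aws/legacy-mdr-prod/account.hcl in this commit. A stale TODO on the account id line invites someone to "correct" a value that is already right; drop it or replace it with `# Values confirmed against the account console on <DATE>` (placeholder).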

+ 3 - 0
common/aws/mdr-dev-ai/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf

+ 5 - 0
common/aws/mdr-dev-ai/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
common/aws/mdr-dev-ai/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 9 - 0
common/aws/mdr-dev-ai/005-iam/child_account.tf

@@ -0,0 +1,9 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+  account_alias = "afs-mdr-dev-ai"
+
+  assume_role_trusted_arns  = [
+    "arn:aws:iam::471284459109:role/user/mdr_developer_readonly",
+    "arn:aws:iam::471284459109:role/user/mdr_engineer_readonly",
+  ]
+}

+ 3 - 0
common/aws/mdr-dev-ai/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
common/aws/mdr-dev-ai/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 8 - 0
common/aws/mdr-dev-ai/README.md

@@ -0,0 +1,8 @@
+# mdr-dev-ai -- the A&I environment
+
+This is automation / innovation sandbox.  There is no artifical 
+intelligence here.  Sorry.  
+
+Most of the actual objects in A&I won't be terraformed because it
+is a sandbox.  This is just enough to do IAM linkage from
+common services / okta.

+ 7 - 0
common/aws/mdr-dev-ai/account.hcl

@@ -0,0 +1,7 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  # TODO put the right values here
+  account_name   = "mdr-dev-ai"
+  aws_account_id = "228011623757"
+}

+ 31 - 0
common/aws/partition.hcl

@@ -0,0 +1,31 @@
+# Set common variables for the environment. This is automatically pulled in in the root terragrunt.hcl configuration to
+# feed forward to the child modules.
+#
+# NOTE: There is only one copy of this, in the `common/` tree, and the others are symbolic links.
+locals {
+  aws_partition = "aws"
+  common_services_account = "471284459109"
+  common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
+
+  account_map = {
+    "prod" = [
+      "045312110490", # mdr-prod-c2
+      "425831147305", # mdr-prod-modelclient
+      "369723129071", # mdr-prod-malware
+    ],
+    "test" = [
+      "816914342178", # mdr-test-c2
+      "449047653882", # mdr-test-modelclient
+      "404265901253", # mdr-test-malware
+    ],
+    "common" = [
+      "471284459109", # mdr-common-services
+    ],
+  }
+  # flatten the map into a single list
+  account_list = flatten([
+    for env, accounts in local.account_map: accounts
+  ])
+
+  aws_marketplace_ubuntu_owner_id = "679593333241"
+}
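Review bot: `account_map` (and therefore `account_list`) lists only the c2, modelclient, malware and common-services accounts, while this same commit introduces mdr-cyber-range (`952430311316`), mdr-dev-ai (`228011623757`) and legacy-mdr-prod (`477548533976`) with their own IAM linkage; if `account_list` is what feeds `allowed_account_ids` or trust policies downstream, those three are silently excluded, and if the map is meant to be only the fully terraform-managed set, the comment should say so, e.g. `# Only accounts whose infrastructure is managed from this repo; linkage-only accounts are intentionally absent`. The `common_profile` line also wraps a bare expression in legacy `"${...}"` interpolation, which `terraform fmt` flags under 0.12; `common_profile = local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"` is the 0.12 form.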

+ 9 - 0
common/aws/region.hcl

@@ -0,0 +1,9 @@
+# Set common variables for the region. This is automatically pulled in in the root terragrunt.hcl configuration to
+# feed forward to the child modules.
+#
+# NOTE: There is only one copy of this, in the `common/` tree, and the others are symbolic links.
+# 
+# At some point, this may need to be added as a hierarchical directory when we move to additional regions.
+locals {
+  aws_region = "us-east-1"
+}

+ 5 - 0
common/env.hcl

@@ -0,0 +1,5 @@
+# Set common variables for the environment. This is automatically pulled in in the root terragrunt.hcl configuration to
+# feed forward to the child modules.
+locals {
+  environment = "common"
+}

+ 34 - 0
globals.hcl

@@ -0,0 +1,34 @@
+# Set common variables for everything. This is automatically pulled in in the root terragrunt.hcl configuration to
+# feed forward to the child modules.
+locals {
+  remote_state_bucket = "afsxdr-terraform-state" # Could be moved to environment/partition.
+  binaries_bucket     = "afsxdr-binaries"        # Storage for binaries
+
+  inside_domain = "msoc.defpoint.local"
+  standard_tags = {
+    "Schedule" = "MSOC",
+    #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
+  }
+
+  portal_test_whitelist = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
+    "12.245.107.250/32",   # DPS Office Legato
+    "12.204.167.162/32",   # DPS Office San Antonio
+    "54.86.98.62/32",      # DPS AWS User VPN
+    "75.138.227.80/32",    # Duane Waddle
+    "24.11.231.98/32",     # George Starcher
+    "99.151.37.185/32",    # Wesley Leonard
+    "70.106.200.157/32",   # John Reuther
+    "108.243.20.48/32",    # Ryan Plas
+    "73.10.53.113/32",     # Rick Page Home
+    "50.21.207.50/32",     # Brad Poulton
+    "70.160.60.248/32",    # Brandon Naughton
+    "173.71.212.4/32",     # Ryan Howard
+    "99.56.213.129/32",    # Fred Damstra
+  ]
+
+  key_pairs = {
+    # Should be your username -> key pair
+    "msoc-build" = "ssh-rsa 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 MSOC Build Key",
+    "fdamstra" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3pGU9+HufgfEhPP7P0Lt7kqfGWLTGd6sfJgSypcSo3FP1XhwFOWkaNvZIpoIeQXhux5vTm+RoqYZ/3Gj7hcGMLdoHWArvLHD2AGjxbFnsmiCioQgsC/rYLBjiWNsDdVF5Arofby/RwzivMAi7yivhY4nGzXPsHZoucB0Wi34/9AmxbvXWv6ckuWkMjrXVe+uwFje3U7jQHRW9jQRpCRRfUjVA4FmH0PWqWFBlt/zqsDPOzbxNNhAvyrJho7jVBNjCLsq0++lT8BDKrYbaZiT0F2c9uIDRpHJSdjpqVCf9bghmeJWYMoNHAkGR7WCFjPCJ7QM57a2oRBtm1A/EWcr",
+  }
+}
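Review bot: `portal_test_whitelist` pairs residential /32 addresses with named individuals in a file that every account's terragrunt run reads, yet there is no owner or review cadence for the list; residential addresses change, so entries go stale while still granting "permissive" ingress to whoever holds the address next, and the names are personal data retained in git history. Put a line above the list such as `# Owner: <TEAM>; re-verify every entry on <CADENCE> and remove leavers' addresses the same day` (placeholders) and consider keeping the name-to-address mapping outside the repo. The `key_pairs` comment `# Should be your username -> key pair` is already contradicted by the `msoc-build` entry; `# username or service identity -> SSH public key` describes what the map actually holds.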

+ 1 - 0
prod/aws-us-gov/partition.hcl

@@ -0,0 +1 @@
+../../common/aws-us-gov/partition.hcl

+ 1 - 0
prod/aws-us-gov/region.hcl

@@ -0,0 +1 @@
+../../common/aws-us-gov/region.hcl

+ 3 - 0
prod/aws/legacy-mdr-prod/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf

+ 5 - 0
prod/aws/legacy-mdr-prod/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
prod/aws/legacy-mdr-prod/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 9 - 0
prod/aws/legacy-mdr-prod/005-iam/child_account.tf

@@ -0,0 +1,9 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+
+  # No account_alias on purpose
+
+  assume_role_trusted_arns  = [
+    "arn:aws:iam::471284459109:role/user/mdr_engineer_readonly",
+  ]
+}
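Review bot: `# No account_alias on purpose` states the decision but not the reason, so the next maintainer who notices that every other child_account.tf in this commit sets `account_alias` will be tempted to "fix" it. The README for this account says the real configuration still lives in a Terraform 0.11 project, which presumably already owns the alias; if that is the reason, write it down: `# No account_alias on purpose: the alias is managed by the legacy 0.11 project and setting it here would fight that state`.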

+ 3 - 0
prod/aws/legacy-mdr-prod/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
prod/aws/legacy-mdr-prod/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 5 - 0
prod/aws/legacy-mdr-prod/README.md

@@ -0,0 +1,5 @@
+# legacy-mdr-prod
+
+The legacy prod account.  Here for the okta linkage.  All the real
+code is still in terraform 0.11
+

+ 7 - 0
prod/aws/legacy-mdr-prod/account.hcl

@@ -0,0 +1,7 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  # TODO put the right values here
+  account_name   = "legacy-mdr-prod"
+  aws_account_id = "477548533976"
+}

+ 3 - 0
prod/aws/mdr-prod-c2/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf

+ 5 - 0
prod/aws/mdr-prod-c2/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
prod/aws/mdr-prod-c2/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 8 - 0
prod/aws/mdr-prod-c2/005-iam/child_account.tf

@@ -0,0 +1,8 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+  account_alias = "afs-mdr-prod-c2"
+
+  assume_role_trusted_arns  = [
+    "arn:aws:iam::471284459109:role/user/mdr_engineer_readonly",
+  ]
+}

+ 3 - 0
prod/aws/mdr-prod-c2/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
prod/aws/mdr-prod-c2/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 3 - 0
prod/aws/mdr-prod-c2/README.md

@@ -0,0 +1,3 @@
+# mdr-prod-c2
+
+Production command and control in commercial

+ 6 - 0
prod/aws/mdr-prod-c2/account.hcl

@@ -0,0 +1,6 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  account_name   = "mdr-prod-c2"
+  aws_account_id = "045312110490"
+}

+ 5 - 0
prod/aws/mdr-prod-malware/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 5 - 0
prod/aws/mdr-prod-malware/001-tfstate/README.md

@@ -0,0 +1,5 @@
+# UNUSED
+
+As of now this isnt needed.
+
+Reserved for future needs

+ 3 - 0
prod/aws/mdr-prod-malware/005-iam/.gitignore

@@ -0,0 +1,3 @@
+# Terragrunt creates the backend.tf and provider.tf files, so we don't want to save them.
+backend.tf
+provider.tf
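Review bot: This `.gitignore` sits under `prod/aws/mdr-prod-malware/005-iam/` whereas the equivalent file for every other account in this commit (mdr-cyber-range, mdr-dev-ai, legacy-mdr-prod, mdr-prod-c2) lives at the account root, so a Terragrunt-generated `backend.tf` or `provider.tf` in any other subproject of mdr-prod-malware will be committed rather than ignored — which is exactly what happened to common/aws/mdr-common-services/005-iam in this same diff. Move the file up one level to `prod/aws/mdr-prod-malware/.gitignore` so it matches the sibling accounts.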

+ 8 - 0
prod/aws/mdr-prod-malware/005-iam/child_account.tf

@@ -0,0 +1,8 @@
+module "iam_roles" {
+  source        = "../../../../modules/iam/child_account_roles/0.1"
+  account_alias = "afs-mdr-prod-malware"
+
+  assume_role_trusted_arns  = [
+    "arn:aws:iam::471284459109:role/user/mdr_engineer_readonly",
+  ]
+}

+ 3 - 0
prod/aws/mdr-prod-malware/005-iam/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
prod/aws/mdr-prod-malware/005-iam/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 3 - 0
prod/aws/mdr-prod-malware/README.md

@@ -0,0 +1,3 @@
+# mdr-prod-malware
+
+Hosts VMRay

+ 6 - 0
prod/aws/mdr-prod-malware/account.hcl

@@ -0,0 +1,6 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  account_name   = "afs-mdr-prod-malware"
+  aws_account_id = "369723129071"
+}
