Transit Gateway Testing in GovCloud Test

This adds transit gateway hub to mdr-test-c2 and attaches to it from
mdr-test-malware.

It also adds test-instances to these two accounts that can be toggled on
and off with a flag.

Additional minor changes:
* Adds partition alias to partition variables because we sometimes refer
  to the partition as 'aws-us-gov' and sometimes as 'govcloud'.
* Adds account standards and standard-vpc to mdr-test-c2-gov

common/aws-us-gov/partition.hcl

@@ -4,6 +4,7 @@
 # NOTE: There is only one copy of this, in the `common/` tree, and the others are symbolic links.
 locals {
   aws_partition = "aws-us-gov"
+  aws_partition_alias = "govcloud"
   common_services_account = "701290387780"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
 

common/aws/partition.hcl

@@ -4,6 +4,7 @@
 # NOTE: There is only one copy of this, in the `common/` tree, and the others are symbolic links.
 locals {
   aws_partition = "aws"
+  aws_partition_alias = "govcloud"
   common_services_account = "471284459109"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
 

prod/env.hcl

@@ -2,4 +2,5 @@
 # feed forward to the child modules.
 locals {
   environment = "prod"
+  transit_gateway_account_name = "mdr-prod-c2" # Which account has the transit gateway
 }

test/aws-us-gov/mdr-test-c2/006-account-standards/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

test/aws-us-gov/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.0.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  #name = "vpc_primary_${local.account_vars.locals.account_name}"
+  #cidr = local.account_vars.locals.standard_vpc_cidr
+  #tags = {
+  #  Purpose = "Malware Detonation"
+  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  #}
+}

test/aws-us-gov/mdr-test-c2/008-transit-gateway-hub/README.md

@@ -0,0 +1,2 @@
+# The hub of the transit gateway architecture
+

test/aws-us-gov/mdr-test-c2/008-transit-gateway-hub/terragrunt.hcl

@@ -0,0 +1,36 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}"
+  tags = {
+    Purpose = "Transit Gateway Hub"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

test/aws-us-gov/mdr-test-c2/010-standard-vpc/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.

test/aws-us-gov/mdr-test-c2/010-standard-vpc/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.0.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  name = "vpc_primary_${local.account_vars.locals.account_name}"
+  cidr = local.account_vars.locals.standard_vpc_cidr
+  tags = {
+    Purpose = "Malware Detonation"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

test/aws-us-gov/mdr-test-c2/019-attach-transit-gateway-to-hub-account/README.md

@@ -0,0 +1,5 @@
+# Attaches this account's standard VPCs to the transit gateway, but for the HUB account.
+
+You can reuse this module to attach additional VPCs by updating
+either the dependencies or the inputs, as appropriate.
+

test/aws-us-gov/mdr-test-c2/019-attach-transit-gateway-to-hub-account/terragrunt.hcl

@@ -0,0 +1,49 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+dependency "standard_vpc" {
+  config_path = "../010-standard-vpc"
+}
+
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = false # Should only be true for the first one
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id = dependency.standard_vpc.outputs.vpc_id
+  subnets = dependency.standard_vpc.outputs.private_subnets
+  route_tables = concat(dependency.standard_vpc.outputs.private_route_tables, dependency.standard_vpc.outputs.public_route_tables)
+}

test/aws-us-gov/mdr-test-c2/025-test-instance/README.md

@@ -0,0 +1 @@
+# Create a test instance if `create_test_instance` is set to true.

test/aws-us-gov/mdr-test-c2/025-test-instance/terragrunt.hcl

@@ -0,0 +1,41 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "standard_vpc" {
+  config_path = "../010-standard-vpc"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Testing Instance"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  subnet_id = dependency.standard_vpc.outputs.public_subnets[0]
+  security_group_ids = [ dependency.standard_vpc.outputs.allow_all_sg_id ]
+}

test/aws-us-gov/mdr-test-c2/account.hcl

@@ -4,4 +4,15 @@ locals {
   account_name   = "afs-mdr-test-c2-gov"
   account_alias  = "afs-mdr-test-c2-gov"
   aws_account_id = "738800754746"
+  instance_termination_protection = false # set to true for production!
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  standard_vpc_cidr = "10.20.0.0/22"
+
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "fdamstra" # They with which to provision the test instance
+
+  # AS Number used for various resources, but not every account needs one.
+  asn = 64710
 }

test/aws-us-gov/mdr-test-malware/020-attach-transit-gateway-to-standard-vpc/README.md

@@ -0,0 +1,5 @@
+# Attaches this account's standard VPCs to the transit gateway
+
+You can reuse this module to attach additional VPCs by updating
+either the dependencies or the inputs, as appropriate.
+

test/aws-us-gov/mdr-test-malware/020-attach-transit-gateway-to-standard-vpc/terragrunt.hcl

@@ -0,0 +1,50 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+dependency "standard_vpc" {
+  config_path = "../010-standard-vpc"
+}
+
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  accept_invitation = true # Should only be true for the first one
+  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_id = dependency.standard_vpc.outputs.vpc_id
+  subnets = dependency.standard_vpc.outputs.private_subnets
+  route_tables = concat(dependency.standard_vpc.outputs.private_route_tables, dependency.standard_vpc.outputs.public_route_tables)
+}

test/aws-us-gov/mdr-test-malware/025-test-instance/README.md

@@ -0,0 +1 @@
+# Create a test instance if `create_test_instance` is set to true.

test/aws-us-gov/mdr-test-malware/025-test-instance/terragrunt.hcl

@@ -0,0 +1,41 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "standard_vpc" {
+  config_path = "../010-standard-vpc"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Testing Instance"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  subnet_id = dependency.standard_vpc.outputs.public_subnets[0]
+  security_group_ids = [ dependency.standard_vpc.outputs.allow_all_sg_id ]
+}

test/aws-us-gov/mdr-test-malware/account.hcl

@@ -9,6 +9,10 @@ locals {
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.20.4.0/22"
 
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "fdamstra" # if you change it, it will be rebuilt
+
   # VMRay Specific
   vmray_server_instance_type = "t3a.micro"
   vmray_worker_instance_type = "c5n.metal"

test/env.hcl

@@ -2,4 +2,5 @@
 # feed forward to the child modules.
 locals {
   environment = "test"
+  transit_gateway_account_name = "mdr-test-c2" # Which account has the transit gateway
 }