
Palo Alto Infrastructure and Nodes

Creates the Palo Altos and supporting infrastructure. This project is
presently abandoned, but I'm not ready to throw away the instances or
configuration.

* Merges mdr-common-services and afs-mdr-common-services-gov directories
  which apparently got split.
* Adds security VPC to afs-mdr-common-services-gov
* Adds security vpc to mdr-common-services, though this is currently unused.
* Creates buckets for bootstrapping palo altos.
* Creates panorama instances
* Creates palo instances
Fred Damstra, 5 years ago
parent
commit
aabfeffde8
41 files changed, 1039 insertions and 12 deletions
  1. +4 -0 000-skeleton/account.hcl
  2. +18 -0 common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/README.md
  3. +3 -0 common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/common-locals.tf
  4. +6 -0 common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/main.tf
  5. +8 -0 common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/provider.tf
  6. +36 -0 common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/terraform.tfstate
  7. +3 -0 common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/version.tf
  8. +23 -0 common/aws-us-gov/afs-mdr-common-services-gov/001-iam/okta_saml.tf
  9. +3 -0 common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/common-locals.tf
  10. +5 -0 common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/main.tf
  11. +8 -0 common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/provider.tf
  12. +398 -0 common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/terraform.tfstate
  13. +3 -0 common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/version.tf
  14. +11 -0 common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/okta_saml.tf
  15. +5 -0 common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/provider-okta.tf
  16. +3 -0 common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/terragrunt.hcl
  17. +3 -0 common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/version.tf
  18. +3 -0 common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md
  19. +40 -0 common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl
  20. +0 -0 common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/README.md
  21. +0 -0 common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl
  22. +7 -0 common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/README.md
  23. +33 -0 common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl
  24. +39 -0 common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/README.md
  25. +45 -0 common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/terragrunt.hcl
  26. +1 -0 common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/README.md
  27. +42 -0 common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/terragrunt.hcl
  28. +7 -0 common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/README.md
  29. +48 -0 common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/terragrunt.hcl
  30. +17 -0 common/aws-us-gov/afs-mdr-common-services-gov/README.md
  31. +47 -0 common/aws-us-gov/afs-mdr-common-services-gov/account.hcl
  32. +0 -10 common/aws-us-gov/mdr-common-services/account.hcl
  33. +3 -0 common/aws/mdr-common-services/006-account-standards/README.md
  34. +40 -0 common/aws/mdr-common-services/006-account-standards/terragrunt.hcl
  35. +7 -0 common/aws/mdr-common-services/015-security-vpc/README.md
  36. +33 -0 common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl
  37. +34 -1 common/aws/mdr-common-services/account.hcl
  38. +2 -1 globals.hcl
  39. +3 -0 test/aws-us-gov/mdr-test-modelclient/006-account-standards/README.md
  40. +40 -0 test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl
  41. +8 -0 test/aws-us-gov/mdr-test-modelclient/account.hcl

+ 4 - 0
000-skeleton/account.hcl

@@ -9,4 +9,8 @@ locals {
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "TODO/TODO"
+
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "TODO" # The key with which to provision the test instance
 }
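Review bot: `test_instance_key_name = "TODO"` in the skeleton is a live string value, not a placeholder Terraform will reject, so an account copied from this skeleton that later flips `create_test_instance = true` without editing the key name will attempt to launch an instance with a key pair literally named "TODO". Leaving it unset (`null`) or having the module validate it when `create_test_instance` is true would fail fast with a clear message instead.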

+ 18 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,18 @@
+# README
+
+The CAMRS folks that manage the AFS AWS accounts/organization manage the 
+AWS root account.  They create for us a somewhat nerfed user they've
+been naming "MDRAdmin". 
+
+This chunk of terraform adds a policy for MDRAdmin that gives them
+enough rights to be able to create the S3 bucket for terraform state
+and the dynamodb table for terraform locking.
+
+This has to be run before state buckets can be created obviously,
+but I don't expect it to run often.  Like, literally during
+initial account setup and that's probably it.
+
+You'll need working AWS account credentials.  Set `AWS_PROFILE`
+to the correct profile name.  Also, you may want to set
+`AWS_SDK_LOAD_CONFIG=1` in order to make the AWS Golang SDK
+read `$HOME/.aws/config`
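Review bot: the README should say which policy is attached (main.tf in this directory wires `modules/iam/bootstrap_mdradmin_policies/0.1` with `users = ["MDRAdmin"]`) and should state explicitly that this directory's `terraform.tfstate` is committed to the repo because there is no state bucket yet; without that sentence a reader will not know this is the one deliberate exception and may copy the pattern into later directories.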

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/common-locals.tf

@@ -0,0 +1,3 @@
+locals {
+  name = "afsxdr-terraform-state"
+}

+ 6 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/main.tf

@@ -0,0 +1,6 @@
+module "mdradmin-bootstrap" {
+  source            = "../../../../modules/iam/bootstrap_mdradmin_policies/0.1"
+  users             = [ "MDRAdmin" ]
+  bucket_name       = local.name
+  lock_table_name   = local.name
+}
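Review bot: `source = "../../../../modules/iam/bootstrap_mdradmin_policies/0.1"` is a relative local path, while every terragrunt.hcl in this commit pins modules to `xdr-terraform-modules.git//...?ref=vX.Y.Z`; the bootstrap therefore depends on the checkout layout and gets no version pin. If a local module tree is intentional here (bootstrap runs before Git access is configured), note that in the README; otherwise use the same pinned Git source as the rest of the tree.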

+ 8 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/provider.tf

@@ -0,0 +1,8 @@
+provider "aws" {
+  region  = "us-gov-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    701290387780
+  ]
+}
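Review bot: this provider block (`region = "us-gov-east-1"`, `allowed_account_ids = [701290387780]`) is repeated verbatim in `001-tfstate/provider.tf` and inline in `001-iam/okta_saml.tf`, and the account ID also lives in `account.hcl`; a single source (a terragrunt `generate "provider"` block, or a shared locals file) keeps the account guard from drifting between directories. Minor: `allowed_account_ids` is a list of strings, so quoting the ID (`"701290387780"`) avoids relying on implicit number-to-string conversion.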

The diff for this file is not shown because the file is too large
+ 36 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/terraform.tfstate


+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 23 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-iam/okta_saml.tf

@@ -0,0 +1,23 @@
+module "okta_saml" {
+  source = "../../../../modules/iam/okta_saml_roles/0.1"
+  account_alias = "afs-mdr-common-services"
+  okta_app      = "AWS - GovCloud"
+}
+
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}
+
+provider "aws" {
+  region  = "us-gov-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    701290387780
+  ]
+}
+
+provider "okta" {
+  org_name = "mdr-multipass"
+  base_url = "okta.com"
+}
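Review bot: `account_alias = "afs-mdr-common-services"` here does not match the directory name (`afs-mdr-common-services-gov`) or the alias used in `004-iam-okta/okta_saml.tf` (`"afs-mdr-common-services-gov"`); if the alias feeds role names or the Okta app mapping, the two directories will create conflicting resources for the same account. `001-iam` also has no terragrunt.hcl in this commit (only `okta_saml.tf`) and inlines the `terraform`, `aws` and `okta` blocks that `004-iam-okta` keeps in separate files, so it is unclear which of the two is meant to be applied; drop one or document which is authoritative.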

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/common-locals.tf

@@ -0,0 +1,3 @@
+locals {
+  name = "afsxdr-terraform-state"
+}
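Review bot: `name = "afsxdr-terraform-state"` is duplicated here and in `000-mdradmin-bootstrap/common-locals.tf`. The bootstrap policy and the backend it authorizes must agree on the bucket and lock-table name, so if one copy is edited and the other is not, MDRAdmin ends up with rights to a bucket that is never created. Source the name once (from `account.hcl`, or one shared locals file) rather than repeating the literal.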

+ 5 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/main.tf

@@ -0,0 +1,5 @@
+module "tfstate" {
+  source            = "../../../../modules/tfstate/tfstate-s3/0.1"
+  bucket_name       = local.name
+  lock_table_name   = local.name
+}

+ 8 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/provider.tf

@@ -0,0 +1,8 @@
+provider "aws" {
+  region  = "us-gov-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    701290387780
+  ]
+}

+ 398 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/terraform.tfstate

@@ -0,0 +1,398 @@
+{
+  "version": 4,
+  "terraform_version": "0.12.26",
+  "serial": 7,
+  "lineage": "98e5e789-5a16-5c08-b9f6-7e8cb242c2a4",
+  "outputs": {},
+  "resources": [
+    {
+      "module": "module.tfstate",
+      "mode": "data",
+      "type": "aws_caller_identity",
+      "name": "current",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "account_id": "701290387780",
+            "arn": "arn:aws-us-gov:iam::701290387780:user/MDRAdmin",
+            "id": "2020-06-10 17:43:36.050495 +0000 UTC",
+            "user_id": "AIDA2GSBKDFCIOHM2OZMZ"
+          }
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "data",
+      "type": "aws_iam_policy_document",
+      "name": "kms_key_policy_tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "3988755204",
+            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Id\": \"key-consolepolicy-3\",\n  \"Statement\": [\n    {\n      \"Sid\": \"Enable IAM User Permissions\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"kms:*\",\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:root\"\n      }\n    },\n    {\n      \"Sid\": \"Allow access for Key Administrators\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:Update*\",\n        \"kms:UntagResource\",\n        \"kms:TagResource\",\n        \"kms:ScheduleKeyDeletion\",\n        \"kms:Revoke*\",\n        \"kms:Put*\",\n        \"kms:List*\",\n        \"kms:Get*\",\n        \"kms:Enable*\",\n        \"kms:Disable*\",\n        \"kms:Describe*\",\n        \"kms:Delete*\",\n        \"kms:Create*\",\n        \"kms:CancelKeyDeletion\"\n      ],\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"\n      }\n    },\n    {\n      \"Sid\": \"Allow use of the key\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:ReEncrypt*\",\n        \"kms:GenerateDataKey*\",\n        \"kms:Encrypt\",\n        \"kms:DescribeKey\",\n        \"kms:Decrypt\"\n      ],\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"\n      }\n    },\n    {\n      \"Sid\": \"Allow attachment of persistent resources\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:RevokeGrant\",\n        \"kms:ListGrants\",\n        \"kms:CreateGrant\"\n      ],\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"\n      },\n      \"Condition\": {\n        \"Bool\": {\n          \"kms:GrantIsForAWSResource\": \"true\"\n        }\n      }\n    }\n  ]\n}",
+            "override_json": null,
+            "policy_id": "key-consolepolicy-3",
+            "source_json": null,
+            "statement": [
+              {
+                "actions": [
+                  "kms:*"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:root"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Enable IAM User Permissions"
+              },
+              {
+                "actions": [
+                  "kms:CancelKeyDeletion",
+                  "kms:Create*",
+                  "kms:Delete*",
+                  "kms:Describe*",
+                  "kms:Disable*",
+                  "kms:Enable*",
+                  "kms:Get*",
+                  "kms:List*",
+                  "kms:Put*",
+                  "kms:Revoke*",
+                  "kms:ScheduleKeyDeletion",
+                  "kms:TagResource",
+                  "kms:UntagResource",
+                  "kms:Update*"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:user/MDRAdmin"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Allow access for Key Administrators"
+              },
+              {
+                "actions": [
+                  "kms:Decrypt",
+                  "kms:DescribeKey",
+                  "kms:Encrypt",
+                  "kms:GenerateDataKey*",
+                  "kms:ReEncrypt*"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:user/MDRAdmin"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Allow use of the key"
+              },
+              {
+                "actions": [
+                  "kms:CreateGrant",
+                  "kms:ListGrants",
+                  "kms:RevokeGrant"
+                ],
+                "condition": [
+                  {
+                    "test": "Bool",
+                    "values": [
+                      "true"
+                    ],
+                    "variable": "kms:GrantIsForAWSResource"
+                  }
+                ],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:user/MDRAdmin"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Allow attachment of persistent resources"
+              }
+            ],
+            "version": "2012-10-17"
+          }
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "data",
+      "type": "aws_partition",
+      "name": "current",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "dns_suffix": "amazonaws.com",
+            "id": "2020-06-10 17:43:35.802169 +0000 UTC",
+            "partition": "aws-us-gov"
+          }
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_dynamodb_table",
+      "name": "lock_table",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 1,
+          "attributes": {
+            "arn": "arn:aws-us-gov:dynamodb:us-gov-east-1:701290387780:table/afsxdr-terraform-state",
+            "attribute": [
+              {
+                "name": "LockID",
+                "type": "S"
+              }
+            ],
+            "billing_mode": "PAY_PER_REQUEST",
+            "global_secondary_index": [],
+            "hash_key": "LockID",
+            "id": "afsxdr-terraform-state",
+            "local_secondary_index": [],
+            "name": "afsxdr-terraform-state",
+            "point_in_time_recovery": [
+              {
+                "enabled": false
+              }
+            ],
+            "range_key": null,
+            "read_capacity": 0,
+            "replica": [],
+            "server_side_encryption": [
+              {
+                "enabled": true,
+                "kms_key_arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7"
+              }
+            ],
+            "stream_arn": "",
+            "stream_enabled": false,
+            "stream_label": "",
+            "stream_view_type": "",
+            "tags": {
+              "Name": "afsxdr-terraform-state"
+            },
+            "timeouts": null,
+            "ttl": [
+              {
+                "attribute_name": "",
+                "enabled": false
+              }
+            ],
+            "write_capacity": 0
+          },
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjM2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_kms_alias",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:alias/tfstate",
+            "id": "alias/tfstate",
+            "name": "alias/tfstate",
+            "name_prefix": null,
+            "target_key_arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "target_key_id": "dddb424f-ebdd-416e-8772-3fc18aa81cb7"
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_kms_key",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "customer_master_key_spec": "SYMMETRIC_DEFAULT",
+            "deletion_window_in_days": 30,
+            "description": "tfstate bucket default S3 SSE-KMS",
+            "enable_key_rotation": true,
+            "id": "dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "is_enabled": true,
+            "key_id": "dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "key_usage": "ENCRYPT_DECRYPT",
+            "policy": "{\"Id\":\"key-consolepolicy-3\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"},{\"Action\":[\"kms:Update*\",\"kms:UntagResource\",\"kms:TagResource\",\"kms:ScheduleKeyDeletion\",\"kms:Revoke*\",\"kms:Put*\",\"kms:List*\",\"kms:Get*\",\"kms:Enable*\",\"kms:Disable*\",\"kms:Describe*\",\"kms:Delete*\",\"kms:Create*\",\"kms:CancelKeyDeletion\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"},\"Resource\":\"*\",\"Sid\":\"Allow access for Key Administrators\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"},\"Resource\":\"*\",\"Sid\":\"Allow use of the key\"},{\"Action\":[\"kms:RevokeGrant\",\"kms:ListGrants\",\"kms:CreateGrant\"],\"Condition\":{\"Bool\":{\"kms:GrantIsForAWSResource\":\"true\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"},\"Resource\":\"*\",\"Sid\":\"Allow attachment of persistent resources\"}],\"Version\":\"2012-10-17\"}",
+            "tags": null
+          },
+          "private": "bnVsbA=="
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_s3_bucket",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "acceleration_status": "",
+            "acl": "private",
+            "arn": "arn:aws-us-gov:s3:::afsxdr-terraform-state",
+            "bucket": "afsxdr-terraform-state",
+            "bucket_domain_name": "afsxdr-terraform-state.s3.amazonaws.com",
+            "bucket_prefix": null,
+            "bucket_regional_domain_name": "afsxdr-terraform-state.s3.us-gov-east-1.amazonaws.com",
+            "cors_rule": [],
+            "force_destroy": false,
+            "grant": [],
+            "hosted_zone_id": "Z31GFT0UA1I2HV",
+            "id": "afsxdr-terraform-state",
+            "lifecycle_rule": [
+              {
+                "abort_incomplete_multipart_upload_days": 7,
+                "enabled": true,
+                "expiration": [],
+                "id": "tf-s3-lifecycle-20200610174352244400000001",
+                "noncurrent_version_expiration": [
+                  {
+                    "days": 730
+                  }
+                ],
+                "noncurrent_version_transition": [
+                  {
+                    "days": 30,
+                    "storage_class": "STANDARD_IA"
+                  }
+                ],
+                "prefix": "",
+                "tags": null,
+                "transition": []
+              }
+            ],
+            "logging": [],
+            "object_lock_configuration": [],
+            "policy": null,
+            "region": "us-gov-east-1",
+            "replication_configuration": [],
+            "request_payer": "BucketOwner",
+            "server_side_encryption_configuration": [
+              {
+                "rule": [
+                  {
+                    "apply_server_side_encryption_by_default": [
+                      {
+                        "kms_master_key_id": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+                        "sse_algorithm": "aws:kms"
+                      }
+                    ]
+                  }
+                ]
+              }
+            ],
+            "tags": null,
+            "versioning": [
+              {
+                "enabled": true,
+                "mfa_delete": false
+              }
+            ],
+            "website": [],
+            "website_domain": null,
+            "website_endpoint": null
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_s3_bucket_public_access_block",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "block_public_acls": true,
+            "block_public_policy": true,
+            "bucket": "afsxdr-terraform-state",
+            "id": "afsxdr-terraform-state",
+            "ignore_public_acls": true,
+            "restrict_public_buckets": true
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate",
+            "module.tfstate.aws_s3_bucket.tfstate"
+          ]
+        }
+      ]
+    }
+  ]
+}
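Review bot: committing the backend's own `terraform.tfstate` is the usual bootstrap exception, but this file then needs to be treated as sensitive and kept from spreading: it records the MDRAdmin caller ARN and `user_id`, the KMS key ID and the bucket/table layout, and every later `apply` in this directory rewrites it and produces large diffs; a repo-level `.gitignore` for `terraform.tfstate` and `*.tfstate.backup` everywhere except the bootstrap directories would prevent the pattern recurring. On the resources: versioning, SSE-KMS with a customer key, and the full public access block are right, but `"logging": []` means the state bucket has no S3 access logging, `"mfa_delete": false` leaves prior state versions deletable with MDRAdmin credentials alone, and the key policy's "Allow access for Key Administrators" and "Allow use of the key" statements bind every non-root permission to the single IAM user `user/MDRAdmin`, so if that user is removed only the account root can decrypt state until the key policy is changed. Consider at least enabling access logging and binding the key statements to a role rather than a user.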

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 11 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/okta_saml.tf

@@ -0,0 +1,11 @@
+#module "okta_saml" {
+#  source        = "../../../../modules/iam/okta_saml_roles/0.1"
+#  account_alias = "afs-mdr-common-services"
+#  okta_app      = "AWS - Commercial"
+#}
+
+module "common_services_roles" {
+  source        = "../../../../modules/iam/common_services_roles/0.1"
+  account_alias = "afs-mdr-common-services-gov"
+  okta_app      = "AWS - GovCloud"
+}
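Review bot: the commented-out `okta_saml` block at the top carries the commercial account's values (`okta_app = "AWS - Commercial"`, `account_alias = "afs-mdr-common-services"`) inside the GovCloud directory, while `001-iam/okta_saml.tf` in this same commit instantiates that module live; either delete the dead block or replace it with a one-line comment pointing at `001-iam`, so nobody uncomments it against the wrong Okta app.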

+ 5 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/provider-okta.tf

@@ -0,0 +1,5 @@
+provider "okta" {
+  org_name = "mdr-multipass"
+  base_url = "okta.com"
+}
+
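Review bot: the final `+` line is an extra blank line at end of file, which `terraform fmt` will strip. The same `provider "okta"` block (`org_name = "mdr-multipass"`, `base_url = "okta.com"`) is also inlined in `001-iam/okta_saml.tf`; keep one copy.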

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

+ 40 - 0
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  #name = "vpc_primary_${local.account_vars.locals.account_name}"
+  #cidr = local.account_vars.locals.standard_vpc_cidr
+  #tags = {
+  #  Purpose = "Malware Detonation"
+  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  #}
+}
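Review bot: the commented-out `inputs` (`name = "vpc_primary_..."`, `cidr = ...standard_vpc_cidr`, `Purpose = "Malware Detonation"`) are leftovers from a VPC template and do not apply to `base/account_standards`; they will mislead whoever uncomments them, and `account_vars` is loaded in `locals` but never used. Drop both, or replace the tags comment with the inputs this module actually accepts. The same file is added three times in this commit (afs-mdr-common-services-gov, mdr-common-services, mdr-test-modelclient), so clean it up once and copy.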

+ 0 - 0
common/aws-us-gov/mdr-common-services/008-xdr-binaries/README.md → common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/README.md


+ 0 - 0
common/aws-us-gov/mdr-common-services/008-xdr-binaries/terragrunt.hcl → common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl


+ 7 - 0
common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.
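Review bot: `../accounts.hcl` should be `../account.hcl` (the file added in this commit is `afs-mdr-common-services-gov/account.hcl`), and the heading `# Standard VPC` in a directory named `015-security-vpc` that sources `base/palo_alto/security_vpc` is misleading. It would also help to name the three subnets the module creates, since `016-panorama` consumes `subnet_id_map` and `subnet_cidr_map` from this module's outputs.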

+ 33 - 0
common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/security_vpc?ref=v0.3.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Security VPC"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
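Review bot: the five `read_terragrunt_config(find_in_parent_folders(...))` locals are loaded but none is used (only `tags` is passed in `inputs`), and `find_in_parent_folders` errors if the named file does not exist above this directory; `006-account-standards` in this commit has the `env.hcl`, `partition.hcl` and `region.hcl` loads commented out, which suggests those files may not exist in this tree. Remove the unused loads, or keep only the ones (`account_vars`, `global_vars`) that the files in this commit show exist.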

+ 39 - 0
common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/README.md

@@ -0,0 +1,39 @@
+# 016-panorama
+
+Creates an HA pair of panarama nodes to manage the palo altos.
+
+Note: Post install configuration is required.
+
+## Post-install
+For each instance:
+```
+ssh -l admin <eip>
+configure
+set mgt-config users admin password
+<password>
+<password>
+commit
+```
+
+Then follow these steps:
+
+Step 1: Log in to the web interface of the primary Panorama server.
+Step 2: Accept the browser certificate warning.
+Step 3: On the There are no device groups dialog box, click OK.
+Step 4: On the Retrieve Panorama License dialog box, click OK.
+Step 5: On the Retrieve Panorama License dialog box, click Complete Manually.
+Step 6: On the Offline Licensing Information dialog box, click OK.
+Step 7: In Panorama > Setup > Management > General Settings, click the gear icon.
+Step 8: In the Hostname box, enter xdr-panorama-0 (or xdr-panorama-1 on the standby)
+Step 9: In the Time Zone list, choose the appropriate time zone (Example: US/Pacific).
+Step 10: In the Serial Number box, enter the serial number found in the customer support portal, and then click OK. 
+Step 11: In Panorama > Setup > Services, click the gear icon.
+Step 12: In the Primary DNS Server box, enter 169.254.169.253. This address is the DNS address for AWS.
+Step 13: In the Secondary DNS Server box, enter 8.8.8.8.
+Step 14: On the NTP tab, in the Primary NTP Server section, in the NTP Server Address box, enter 169.254.169.123
+Step 15: In the Secondary NTP Server section, in the NTP Server Address box, enter 0.pool.ntp.org, and then click OK.
+Step 16: On the Commit menu, select Commit to Panorama, and then click Commit.
+Step 17: In Panorama > Licenses, click Retrieve license keys from license server.
+Step 18: Verify in the status pane that Device Management License is active and has the correct device count.
+Step 19: If you are deploying Panorama as a HA pair, repeat this procedure on the secondary Panorama server. In Step 8, enter the name of the secondary Panorama server, Panorama-secondary. You must have a unique serial number for the secondary Panorama system.
+
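Review bot: "panarama" should be "panorama", and Step 19 tells the reader to name the secondary "Panorama-secondary" while Step 8 says `xdr-panorama-1` on the standby; pick one. Step 13 (`8.8.8.8`) and Step 15 (`0.pool.ntp.org`) point the management plane at public resolvers and NTP from inside the security VPC; state whether the VPC's egress rules permit that, or prefer the VPC resolver (`169.254.169.253`) and Amazon Time Sync (`169.254.169.123`) alone so management traffic stays inside AWS. The file also ends with a trailing blank line.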

+ 45 - 0
common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/terragrunt.hcl

@@ -0,0 +1,45 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/panorama?ref=v0.3.0"
+}
+
+dependency "security_vpc" {
+  config_path = "../015-security-vpc"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Palo Alto Panorama"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  azs = dependency.security_vpc.outputs.azs
+  panorama_security_group_ids = [ 
+    dependency.security_vpc.outputs.security_groups["allow_trusted"],
+    dependency.security_vpc.outputs.security_groups["allow_all_intravpc"]
+  ] 
+  subnet_id_map = dependency.security_vpc.outputs.subnet_id_map
+  subnet_cidr_map = dependency.security_vpc.outputs.subnet_cidr_map
+  ebs_key = dependency.security_vpc.outputs.ebs_kms_arn
+}
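Review bot: `panorama_security_group_ids` attaches both `allow_trusted` and `allow_all_intravpc` to the Panorama management interface; a comment explaining why the intra-VPC group is needed on the management plane (e.g. firewall-to-Panorama log forwarding) would help the next reader, since the firewall node config below only uses `allow_trusted` for management.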

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/README.md

@@ -0,0 +1 @@
+# Creates the palo alto bootstrap S3 bucket

+ 42 - 0
common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/terragrunt.hcl

@@ -0,0 +1,42 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/bootstrap?ref=v0.3.0"
+}
+
+dependency "security_vpc" {
+  config_path = "../015-security-vpc"
+}
+
+dependency "panorama" {
+  config_path = "../016-panorama"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Palo Alto Firewalls"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  panorama_servers = dependency.panorama.outputs.management_private_ips
+}
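Review bot: `dependency "security_vpc"` is declared but none of its outputs are referenced in `inputs`, so it only adds an unnecessary ordering constraint; drop it or use it. The `Purpose = "Palo Alto Firewalls"` tag also looks copied from the firewall node config, while the README for this directory says it creates the bootstrap S3 bucket; consider `Purpose = "Palo Alto Bootstrap"` so the bucket is distinguishable in cost and inventory reports.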

+ 7 - 0
common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.
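Review bot: This README is a copy of the `015-security-vpc` one ("Standard VPC ... divided into 3 subnets") and does not describe what `018-palo-alto-firewalls` does; replace it with a short description of the firewall nodes and their dependency on `017-palo-alto-bootstrap`. It also refers to `../accounts.hcl`, but the file elsewhere in this diff is `account.hcl`.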

+ 48 - 0
common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/terragrunt.hcl

@@ -0,0 +1,48 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/firewall_nodes?ref=v0.3.0"
+}
+
+dependency "security_vpc" {
+  config_path = "../015-security-vpc"
+}
+
+dependency "palo_alto_bootstrap" {
+  config_path = "../017-palo-alto-bootstrap"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Palo Alto Firewalls"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  azs = dependency.security_vpc.outputs.azs
+  management_security_group_ids = [ dependency.security_vpc.outputs.security_groups["allow_trusted"] ]
+  untrusted_security_group_ids = [ dependency.security_vpc.outputs.security_groups["allow_all"] ]
+  subnet_id_map = dependency.security_vpc.outputs.subnet_id_map
+  subnet_cidr_map = dependency.security_vpc.outputs.subnet_cidr_map
+  bucket_ids = dependency.palo_alto_bootstrap.outputs.bucket_ids
+  instance_profile_names = dependency.palo_alto_bootstrap.outputs.instance_profile_names
+}

+ 17 - 0
common/aws-us-gov/afs-mdr-common-services-gov/README.md

@@ -0,0 +1,17 @@
+# Common Services - GovCloud
+
+I'm not sure if this is a helpful readme or not tbh
+
+## Authentication
+
+A handful of these need the static access keys for the MDRAdmin account,
+mostly because at that point of setting up a new AWS account we don't have
+the okta integration in place.
+
+## Subfolders / subprojects
+
+| Subdirectory                 | auth               | Purpose |
+|------------------------------|--------------------|---------|
+|000-mdradmin-bootstrap        | MDRAdmin + aws-mfa | Configures MDRAdmin Account to have IAM rights to create terraform state 
+|001-tfstate                   | MDRAdmin + aws-mfa | Creates TF state s3 bucket, dynamodb tables
+|005-iam                       | okta + saml2aws    | Fundamental IAM setup - does OKTA linkage, sets up user roles and policies 
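Review bot: The subproject table is already out of date within this same commit: `015-security-vpc`, `016-panorama`, `017-palo-alto-bootstrap` and `018-palo-alto-firewalls` are added under this account directory but are not listed, and the table rows are missing the trailing `|` used in the header row. Add rows for the new directories (auth column: `okta + saml2aws`, matching `005-iam`) so the README serves its stated purpose.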

+ 47 - 0
common/aws-us-gov/afs-mdr-common-services-gov/account.hcl

@@ -0,0 +1,47 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  account_name   = "afs-mdr-common-services-gov"
+  account_alias  = "afs-mdr-common-services-gov"
+  aws_account_id = "701290387780"
+  instance_termination_protection = true # set to true for production!
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  standard_vpc_cidr = "10.1.132.0/22"
+
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "TODO" # The key with which to provision the test instance
+
+  # Account Specific Module Variables
+  security_vpc_cidr = "10.1.128.0/22"
+
+  panorama_serial_numbers = [
+    "000702891433",
+    "000702138816"
+  ]
+  panorama_count = 2 # We need a second serial number for 2
+  panorama_instance_type = "m5.2xlarge"
+  #panorama_instance_type = "t3.xlarge"
+  panorama_key_name = "fdamstra" # DO NOT CHANGE
+  palo_alto_count = 2 # should be divisible by 2
+  palo_alto_instance_type = "m5.xlarge"
+  palo_alto_key_name = "fdamstra" # DO NOT CHANGE
+
+  # To generate auth keys, log in to the panorama cli and run:
+  #   request bootstrap vm-auth-key generate lifetime 720
+  # where 720 is the validity period in hours (720 is 30 days)
+  # (Should only need to be valid when you stand up the firewall)
+  palo_alto_auth_keys = [
+    "866071457115248", #Expires at: 2020/07/31 15:01:33
+    "165273115818468", #Expires at: 2020/07/31 15:01:34
+  ]
+  palo_alto_license_keys = [ # one per count
+    "32836999",
+    "65202677"
+  ]
+  palo_alto_feature_auth_keys = [ # one per count, not yet implemented
+    "28341453",
+    "62158825"
+  ]
+}
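Review bot: `palo_alto_auth_keys`, `palo_alto_license_keys` and `palo_alto_feature_auth_keys` are credentials committed in plaintext to the repository; the VM auth keys are labelled as expiring on 2020/07/31, so they are both a secret-in-source problem now and a guaranteed bootstrap failure after that date. Move them to a secrets store (e.g. SSM Parameter Store / Secrets Manager) and read them at apply time, and treat the committed values as disclosed. `panorama_key_name` and `palo_alto_key_name` are also pinned to a personal key pair (`"fdamstra" # DO NOT CHANGE`), which ties the instances' SSH access to one individual; a shared, rotated key pair or SSM Session Manager would avoid that single-person dependency. `test_instance_key_name = "TODO"` should be filled in or the `create_test_instance` path removed.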

+ 0 - 10
common/aws-us-gov/mdr-common-services/account.hcl

@@ -1,10 +0,0 @@
-# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
-locals {
-  account_name   = "afs-mdr-common-services-gov"
-  aws_account_id = "701290387780"
-  instance_termination_protection = true # set to true for production!
-
-  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
-  #standard_vpc_cidr = "TBD"
-}

+ 3 - 0
common/aws/mdr-common-services/006-account-standards/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

+ 40 - 0
common/aws/mdr-common-services/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  #name = "vpc_primary_${local.account_vars.locals.account_name}"
+  #cidr = local.account_vars.locals.standard_vpc_cidr
+  #tags = {
+  #  Purpose = "Malware Detonation"
+  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  #}
+}
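Review bot: The `inputs` block is entirely commented out, so this module runs only on the inputs inherited from the root `terragrunt.hcl`; either pass explicit values (at least `tags`, as every other config in this diff does) or state in a comment that the module intentionally takes no direct inputs. The leftover `Purpose = "Malware Detonation"` comment comes from a different template and should be removed, `account_vars` is loaded but never used, and the module is pinned at `ref=v0.2.0` while the rest of the diff pins `v0.3.0`; confirm that mismatch is intentional.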

+ 7 - 0
common/aws/mdr-common-services/015-security-vpc/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.
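Review bot: The README refers to `../accounts.hcl`, but the account file in this diff is `account.hcl`, and the VPC CIDR it uses is `security_vpc_cidr` rather than the "standard VPC" subnet; the title "Standard VPC" and the "first using the terragrunt best practice template" note appear to be carried over from an earlier directory. Update the text to describe the security VPC specifically.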

+ 33 - 0
common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/security_vpc?ref=v0.3.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Security VPC"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 34 - 1
common/aws/mdr-common-services/account.hcl

@@ -7,5 +7,38 @@ locals {
   instance_termination_protection = true # set to true for production!
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
-  #standard_vpc_cidr = "TBD"
+  standard_vpc_cidr = "10.1.1.0/22"
+  
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "fdamstra" # The key with which to provision the test instance
+
+#  # Account Specific Module Variables
+  security_vpc_cidr = "10.1.0.0/22"
+
+# Palo Alto moved to govcloud
+#  panorama_count = 2 # We need a second serial number for 2
+#  #panorama_instance_type = "m5.2xlarge"
+#  panorama_instance_type = "t3.xlarge"
+#  panorama_key_name = "fdamstra" # DO NOT CHANGE
+#  palo_alto_count = 2 # should be divisible by 2
+#  palo_alto_instance_type = "m5.xlarge"
+#  palo_alto_key_name = "fdamstra" # DO NOT CHANGE
+#  
+#  # To generate auth keys, log in to the panorama cli and run:
+#  #   request bootstrap vm-auth-key generate lifetime 720
+#  # where 720 is the validity period in hours (720 is 30 days)
+#  # (Should only need to be valid when you stand up the firewall)
+#  palo_alto_auth_keys = [
+#    "919502713609312", # Expires at: 2020/07/30 21:32:44
+#    "655051814206833", # Expires at: 2020/07/30 21:32:45
+#  ]
+#  palo_alto_license_keys = [ # one per count
+#    "32836999",
+#    "65202677"
+#  ]
+#  palo_alto_feature_auth_keys = [ # one per count, not yet implemented
+#    "28341453",
+#    "62158825"
+#  ]
 }
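Review bot: The commented-out Palo Alto block (including the `palo_alto_auth_keys`, license and feature auth key values) should be deleted rather than kept as dead configuration; the values remain in the repository history regardless, and leaving them in the live file invites someone to uncomment stale, expired keys. The header line `#  # Account Specific Module Variables` is also commented out while `security_vpc_cidr` directly below it is active, which reads as a mistake; uncomment the heading or drop it.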

+ 2 - 1
globals.hcl

@@ -10,7 +10,7 @@ locals {
     #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
   }
 
-  portal_test_whitelist = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
+  trusted_ips = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
     "12.245.107.250/32",   # DPS Office Legato
     "12.204.167.162/32",   # DPS Office San Antonio
     "54.86.98.62/32",      # DPS AWS User VPN
@@ -25,6 +25,7 @@ locals {
     "173.71.212.4/32",     # Ryan Howard
     "99.56.213.129/32",    # Fred Damstra
   ]
+  portal_test_whitelist = local.trusted_ips # for now, an alias
 
   key_pairs = {
     # Should be your username -> key pair
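Review bot: `portal_test_whitelist = local.trusted_ips # for now, an alias` keeps existing consumers of the old name working after the rename in the previous hunk, but "for now" needs an owner; add a TODO with the configs still using `portal_test_whitelist` so the alias is removed once they reference `trusted_ips`, otherwise the two names will drift apart.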

+ 3 - 0
test/aws-us-gov/mdr-test-modelclient/006-account-standards/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

+ 40 - 0
test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  #name = "vpc_primary_${local.account_vars.locals.account_name}"
+  #cidr = local.account_vars.locals.standard_vpc_cidr
+  #tags = {
+  #  Purpose = "Malware Detonation"
+  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  #}
+}
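Review bot: Same issues as the `common/aws/mdr-common-services/006-account-standards/terragrunt.hcl` copy above: the `inputs` block is fully commented out, the `Purpose = "Malware Detonation"` comment is template residue, `account_vars` is loaded but unused, and the module pin is `v0.2.0` rather than the `v0.3.0` used elsewhere in this change. If this file is meant to be identical to the commercial one, note that so future edits are applied to both.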

+ 8 - 0
test/aws-us-gov/mdr-test-modelclient/account.hcl

@@ -4,4 +4,12 @@ locals {
   account_name   = "afs-mdr-test-modelclient-gov"
   account_alias  = "afs-mdr-test-modelclient-gov"
   aws_account_id = "701341250728"
+  instance_termination_protection = false # set to true for production!
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  standard_vpc_cidr = "TODO/TODO"
+
+  # For testing
+  create_test_instance = false
+  test_instance_key_name = "TODO" # The key with which to provision the test instance
 }
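Review bot: `standard_vpc_cidr = "TODO/TODO"` is not a valid CIDR and will fail any module that reads it (the comparable `mdr-common-services` file sets `"10.1.1.0/22"`); either assign the allocation from the linked IP-Address-Allocation wiki page or leave the variable commented out, as the deleted `mdr-common-services/account.hcl` did with `#standard_vpc_cidr = "TBD"`. `test_instance_key_name = "TODO"` is only inert because `create_test_instance = false`.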

Some files were not shown because too many files changed in this diff