
Merge branch 'master' into feature/ftd_MSOCI-1277_shared_iso_key

Frederick Damstra il y a 5 ans
Parent
commit
c5b181a59f
37 fichiers modifiés avec 548 ajouts et 28 suppressions
  1. 1 1
      000-skeleton/005-iam/terragrunt.hcl
  2. 18 0
      common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/README.md
  3. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/common-locals.tf
  4. 6 0
      common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/main.tf
  5. 8 0
      common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/provider.tf
  6. 36 0
      common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/terraform.tfstate
  7. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/version.tf
  8. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/common-locals.tf
  9. 5 0
      common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/main.tf
  10. 8 0
      common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/provider.tf
  11. 398 0
      common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/terraform.tfstate
  12. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/version.tf
  13. 11 0
      common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/okta_saml.tf
  14. 5 0
      common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/provider-okta.tf
  15. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/terragrunt.hcl
  16. 3 0
      common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/version.tf
  17. 0 0
      common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/README.md
  18. 0 0
      common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl
  19. 17 0
      common/aws-us-gov/afs-mdr-common-services-gov/README.md
  20. 0 10
      common/aws-us-gov/mdr-common-services/account.hcl
  21. 1 1
      common/aws/legacy-mdr-root/005-iam/terragrunt.hcl
  22. 1 1
      common/aws/mdr-cyber-range/005-iam/terragrunt.hcl
  23. 1 1
      common/aws/mdr-dev-ai/005-iam/terragrunt.hcl
  24. 1 1
      prod/aws-us-gov/mdr-prod-c2/005-iam/terragrunt.hcl
  25. 1 1
      prod/aws-us-gov/mdr-prod-malware/005-iam/terragrunt.hcl
  26. 1 1
      prod/aws-us-gov/mdr-prod-modelclient/005-iam/terragrunt.hcl
  27. 1 1
      prod/aws/legacy-mdr-prod/005-iam/terragrunt.hcl
  28. 1 1
      prod/aws/mdr-prod-c2/005-iam/terragrunt.hcl
  29. 1 1
      prod/aws/mdr-prod-malware/005-iam/terragrunt.hcl
  30. 1 1
      prod/aws/mdr-prod-modelclient/005-iam/terragrunt.hcl
  31. 1 1
      test/aws-us-gov/mdr-test-c2/005-iam/terragrunt.hcl
  32. 1 1
      test/aws-us-gov/mdr-test-malware/005-iam/terragrunt.hcl
  33. 1 1
      test/aws-us-gov/mdr-test-modelclient/005-iam/terragrunt.hcl
  34. 1 1
      test/aws/legacy-mdr-test/005-iam/terragrunt.hcl
  35. 1 1
      test/aws/mdr-test-c2/005-iam/terragrunt.hcl
  36. 1 1
      test/aws/mdr-test-malware/005-iam/terragrunt.hcl
  37. 1 1
      test/aws/mdr-test-modelclient/005-iam/terragrunt.hcl

+ 1 - 1
000-skeleton/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 18 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/README.md

@@ -0,0 +1,18 @@
+# README
+
+The CAMRS folks that manage the AFS AWS accounts/organization manage the 
+AWS root account.  They create for us a somewhat nerfed user they've
+been naming "MDRAdmin". 
+
+This chunk of terraform adds a policy for MDRAdmin that gives them
+enough rights to be able to create the S3 bucket for terraform state
+and the dynamodb table for terraform locking.
+
+This has to be run before state buckets can be created obviously,
+but I don't expect it to run often.  Like, literally during
+initial account setup and that's probably it.
+
+You'll need working AWS account credentials.  Set `AWS_PROFILE`
+to the correct profile name.  Also, you may want to set
+`AWS_SDK_LOAD_CONFIG=1` in order to make the AWS Golang SDK
+read `$HOME/.aws/config`

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/common-locals.tf

@@ -0,0 +1,3 @@
+locals {
+  name = "afsxdr-terraform-state"
+}

+ 6 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/main.tf

@@ -0,0 +1,6 @@
+module "mdradmin-bootstrap" {
+  source            = "../../../../modules/iam/bootstrap_mdradmin_policies/0.1"
+  users             = [ "MDRAdmin" ]
+  bucket_name       = local.name
+  lock_table_name   = local.name
+}

+ 8 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/provider.tf

@@ -0,0 +1,8 @@
+provider "aws" {
+  region  = "us-gov-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    701290387780
+  ]
+}
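Review bot: The account id `701290387780` is hard-coded in `allowed_account_ids` here and again in `001-tfstate/provider.tf`, while the one place that declared it as a local, `common/aws-us-gov/mdr-common-services/account.hcl`, is deleted in this same commit and no replacement `account.hcl` appears in the file list. If the root terragrunt.hcl resolves the account id through `find_in_parent_folders()` (the new 004-iam-okta stack includes it that way), these two bootstrap stacks presumably only work because they are run with plain terraform rather than terragrunt; a comment saying so would save the next reader a search, e.g. `# Bootstrap stack: run with plain terraform (no terragrunt/account.hcl yet), so the account id is pinned here on purpose`. Pinning the provider to the tested patch range instead of `~> 2.0` would also make the bootstrap reproducible.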

+ 36 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/terraform.tfstate


+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/000-mdradmin-bootstrap/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/common-locals.tf

@@ -0,0 +1,3 @@
+locals {
+  name = "afsxdr-terraform-state"
+}

+ 5 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/main.tf

@@ -0,0 +1,5 @@
+module "tfstate" {
+  source            = "../../../../modules/tfstate/tfstate-s3/0.1"
+  bucket_name       = local.name
+  lock_table_name   = local.name
+}

+ 8 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/provider.tf

@@ -0,0 +1,8 @@
+provider "aws" {
+  region  = "us-gov-east-1"
+  version = "~> 2.0"
+
+  allowed_account_ids = [
+    701290387780
+  ]
+}

+ 398 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/terraform.tfstate

@@ -0,0 +1,398 @@
+{
+  "version": 4,
+  "terraform_version": "0.12.26",
+  "serial": 7,
+  "lineage": "98e5e789-5a16-5c08-b9f6-7e8cb242c2a4",
+  "outputs": {},
+  "resources": [
+    {
+      "module": "module.tfstate",
+      "mode": "data",
+      "type": "aws_caller_identity",
+      "name": "current",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "account_id": "701290387780",
+            "arn": "arn:aws-us-gov:iam::701290387780:user/MDRAdmin",
+            "id": "2020-06-10 17:43:36.050495 +0000 UTC",
+            "user_id": "AIDA2GSBKDFCIOHM2OZMZ"
+          }
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "data",
+      "type": "aws_iam_policy_document",
+      "name": "kms_key_policy_tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "3988755204",
+            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Id\": \"key-consolepolicy-3\",\n  \"Statement\": [\n    {\n      \"Sid\": \"Enable IAM User Permissions\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"kms:*\",\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:root\"\n      }\n    },\n    {\n      \"Sid\": \"Allow access for Key Administrators\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:Update*\",\n        \"kms:UntagResource\",\n        \"kms:TagResource\",\n        \"kms:ScheduleKeyDeletion\",\n        \"kms:Revoke*\",\n        \"kms:Put*\",\n        \"kms:List*\",\n        \"kms:Get*\",\n        \"kms:Enable*\",\n        \"kms:Disable*\",\n        \"kms:Describe*\",\n        \"kms:Delete*\",\n        \"kms:Create*\",\n        \"kms:CancelKeyDeletion\"\n      ],\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"\n      }\n    },\n    {\n      \"Sid\": \"Allow use of the key\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:ReEncrypt*\",\n        \"kms:GenerateDataKey*\",\n        \"kms:Encrypt\",\n        \"kms:DescribeKey\",\n        \"kms:Decrypt\"\n      ],\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"\n      }\n    },\n    {\n      \"Sid\": \"Allow attachment of persistent resources\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:RevokeGrant\",\n        \"kms:ListGrants\",\n        \"kms:CreateGrant\"\n      ],\n      \"Resource\": \"*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"\n      },\n      \"Condition\": {\n        \"Bool\": {\n          \"kms:GrantIsForAWSResource\": \"true\"\n        }\n      }\n    }\n  ]\n}",
+            "override_json": null,
+            "policy_id": "key-consolepolicy-3",
+            "source_json": null,
+            "statement": [
+              {
+                "actions": [
+                  "kms:*"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:root"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Enable IAM User Permissions"
+              },
+              {
+                "actions": [
+                  "kms:CancelKeyDeletion",
+                  "kms:Create*",
+                  "kms:Delete*",
+                  "kms:Describe*",
+                  "kms:Disable*",
+                  "kms:Enable*",
+                  "kms:Get*",
+                  "kms:List*",
+                  "kms:Put*",
+                  "kms:Revoke*",
+                  "kms:ScheduleKeyDeletion",
+                  "kms:TagResource",
+                  "kms:UntagResource",
+                  "kms:Update*"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:user/MDRAdmin"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Allow access for Key Administrators"
+              },
+              {
+                "actions": [
+                  "kms:Decrypt",
+                  "kms:DescribeKey",
+                  "kms:Encrypt",
+                  "kms:GenerateDataKey*",
+                  "kms:ReEncrypt*"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:user/MDRAdmin"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Allow use of the key"
+              },
+              {
+                "actions": [
+                  "kms:CreateGrant",
+                  "kms:ListGrants",
+                  "kms:RevokeGrant"
+                ],
+                "condition": [
+                  {
+                    "test": "Bool",
+                    "values": [
+                      "true"
+                    ],
+                    "variable": "kms:GrantIsForAWSResource"
+                  }
+                ],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [
+                  {
+                    "identifiers": [
+                      "arn:aws-us-gov:iam::701290387780:user/MDRAdmin"
+                    ],
+                    "type": "AWS"
+                  }
+                ],
+                "resources": [
+                  "*"
+                ],
+                "sid": "Allow attachment of persistent resources"
+              }
+            ],
+            "version": "2012-10-17"
+          }
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "data",
+      "type": "aws_partition",
+      "name": "current",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "dns_suffix": "amazonaws.com",
+            "id": "2020-06-10 17:43:35.802169 +0000 UTC",
+            "partition": "aws-us-gov"
+          }
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_dynamodb_table",
+      "name": "lock_table",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 1,
+          "attributes": {
+            "arn": "arn:aws-us-gov:dynamodb:us-gov-east-1:701290387780:table/afsxdr-terraform-state",
+            "attribute": [
+              {
+                "name": "LockID",
+                "type": "S"
+              }
+            ],
+            "billing_mode": "PAY_PER_REQUEST",
+            "global_secondary_index": [],
+            "hash_key": "LockID",
+            "id": "afsxdr-terraform-state",
+            "local_secondary_index": [],
+            "name": "afsxdr-terraform-state",
+            "point_in_time_recovery": [
+              {
+                "enabled": false
+              }
+            ],
+            "range_key": null,
+            "read_capacity": 0,
+            "replica": [],
+            "server_side_encryption": [
+              {
+                "enabled": true,
+                "kms_key_arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7"
+              }
+            ],
+            "stream_arn": "",
+            "stream_enabled": false,
+            "stream_label": "",
+            "stream_view_type": "",
+            "tags": {
+              "Name": "afsxdr-terraform-state"
+            },
+            "timeouts": null,
+            "ttl": [
+              {
+                "attribute_name": "",
+                "enabled": false
+              }
+            ],
+            "write_capacity": 0
+          },
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjM2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_kms_alias",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:alias/tfstate",
+            "id": "alias/tfstate",
+            "name": "alias/tfstate",
+            "name_prefix": null,
+            "target_key_arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "target_key_id": "dddb424f-ebdd-416e-8772-3fc18aa81cb7"
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_kms_key",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "customer_master_key_spec": "SYMMETRIC_DEFAULT",
+            "deletion_window_in_days": 30,
+            "description": "tfstate bucket default S3 SSE-KMS",
+            "enable_key_rotation": true,
+            "id": "dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "is_enabled": true,
+            "key_id": "dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+            "key_usage": "ENCRYPT_DECRYPT",
+            "policy": "{\"Id\":\"key-consolepolicy-3\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"},{\"Action\":[\"kms:Update*\",\"kms:UntagResource\",\"kms:TagResource\",\"kms:ScheduleKeyDeletion\",\"kms:Revoke*\",\"kms:Put*\",\"kms:List*\",\"kms:Get*\",\"kms:Enable*\",\"kms:Disable*\",\"kms:Describe*\",\"kms:Delete*\",\"kms:Create*\",\"kms:CancelKeyDeletion\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"},\"Resource\":\"*\",\"Sid\":\"Allow access for Key Administrators\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"},\"Resource\":\"*\",\"Sid\":\"Allow use of the key\"},{\"Action\":[\"kms:RevokeGrant\",\"kms:ListGrants\",\"kms:CreateGrant\"],\"Condition\":{\"Bool\":{\"kms:GrantIsForAWSResource\":\"true\"}},\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-us-gov:iam::701290387780:user/MDRAdmin\"},\"Resource\":\"*\",\"Sid\":\"Allow attachment of persistent resources\"}],\"Version\":\"2012-10-17\"}",
+            "tags": null
+          },
+          "private": "bnVsbA=="
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_s3_bucket",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "acceleration_status": "",
+            "acl": "private",
+            "arn": "arn:aws-us-gov:s3:::afsxdr-terraform-state",
+            "bucket": "afsxdr-terraform-state",
+            "bucket_domain_name": "afsxdr-terraform-state.s3.amazonaws.com",
+            "bucket_prefix": null,
+            "bucket_regional_domain_name": "afsxdr-terraform-state.s3.us-gov-east-1.amazonaws.com",
+            "cors_rule": [],
+            "force_destroy": false,
+            "grant": [],
+            "hosted_zone_id": "Z31GFT0UA1I2HV",
+            "id": "afsxdr-terraform-state",
+            "lifecycle_rule": [
+              {
+                "abort_incomplete_multipart_upload_days": 7,
+                "enabled": true,
+                "expiration": [],
+                "id": "tf-s3-lifecycle-20200610174352244400000001",
+                "noncurrent_version_expiration": [
+                  {
+                    "days": 730
+                  }
+                ],
+                "noncurrent_version_transition": [
+                  {
+                    "days": 30,
+                    "storage_class": "STANDARD_IA"
+                  }
+                ],
+                "prefix": "",
+                "tags": null,
+                "transition": []
+              }
+            ],
+            "logging": [],
+            "object_lock_configuration": [],
+            "policy": null,
+            "region": "us-gov-east-1",
+            "replication_configuration": [],
+            "request_payer": "BucketOwner",
+            "server_side_encryption_configuration": [
+              {
+                "rule": [
+                  {
+                    "apply_server_side_encryption_by_default": [
+                      {
+                        "kms_master_key_id": "arn:aws-us-gov:kms:us-gov-east-1:701290387780:key/dddb424f-ebdd-416e-8772-3fc18aa81cb7",
+                        "sse_algorithm": "aws:kms"
+                      }
+                    ]
+                  }
+                ]
+              }
+            ],
+            "tags": null,
+            "versioning": [
+              {
+                "enabled": true,
+                "mfa_delete": false
+              }
+            ],
+            "website": [],
+            "website_domain": null,
+            "website_endpoint": null
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.tfstate",
+      "mode": "managed",
+      "type": "aws_s3_bucket_public_access_block",
+      "name": "tfstate",
+      "provider": "provider.aws",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "block_public_acls": true,
+            "block_public_policy": true,
+            "bucket": "afsxdr-terraform-state",
+            "id": "afsxdr-terraform-state",
+            "ignore_public_acls": true,
+            "restrict_public_buckets": true
+          },
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.tfstate.aws_kms_key.tfstate",
+            "module.tfstate.aws_s3_bucket.tfstate"
+          ]
+        }
+      ]
+    }
+  ]
+}
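Review bot: Committing `terraform.tfstate` into the repository (this file and `000-mdradmin-bootstrap/terraform.tfstate`, which the diff view omits as too large) puts the account id, the `MDRAdmin` user ARN and `user_id`, the KMS key id and the state `lineage`/`serial` under version control, where they cannot be rotated and where every later `terraform apply` produces a noisy, merge-prone diff. Bootstrapping the state bucket is the usual chicken-and-egg case, but the state can be moved into the `afsxdr-terraform-state` bucket this run just created (add a backend block, then `terraform init -migrate-state`) and `*.tfstate` / `*.tfstate.backup` added to `.gitignore` so no other stack follows this pattern. The recorded attributes also show `mfa_delete: false` on the bucket versioning and `point_in_time_recovery.enabled: false` on the lock table; both are worth tracking as hardening follow-ups given this bucket will hold every other stack's state.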

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/001-tfstate/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 11 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/okta_saml.tf

@@ -0,0 +1,11 @@
+#module "okta_saml" {
+#  source        = "../../../../modules/iam/okta_saml_roles/0.1"
+#  account_alias = "afs-mdr-common-services"
+#  okta_app      = "AWS - Commercial"
+#}
+
+module "common_services_roles" {
+  source        = "../../../../modules/iam/common_services_roles/0.1"
+  account_alias = "afs-mdr-common-services-gov"
+  okta_app      = "AWS - GovCloud"
+}
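Review bot: The commented-out `okta_saml` block at the top of the file is left without a reason, and it carries a different `account_alias` (`afs-mdr-common-services`, no `-gov`) and `okta_app` (`AWS - Commercial`) than the live `common_services_roles` module, so a reader cannot tell whether it is an abandoned draft or a step still to come. Either drop the five lines or replace them with a single comment that states the intent, e.g. `# okta_saml_roles intentionally not applied in GovCloud — <reason>; remove when <condition>`.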

+ 5 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/provider-okta.tf

@@ -0,0 +1,5 @@
+provider "okta" {
+  org_name = "mdr-multipass"
+  base_url = "okta.com"
+}
+
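Review bot: The `okta` provider is declared without a `version` constraint, unlike the `aws` provider blocks added in this commit (`~> 2.0`), so `terraform init` will resolve whatever okta provider release is current at run time. Pin it the same way, `version = "~> <major>.<minor>"`, using the release the `common_services_roles` module was tested against. No `api_token` appears in the block, which is the right choice; a one-line comment naming where the credential is expected to come from (presumably `OKTA_API_TOKEN` in the environment) would complete the README's `AWS_PROFILE` guidance for this stack.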

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}

+ 3 - 0
common/aws-us-gov/afs-mdr-common-services-gov/004-iam-okta/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12, < 0.13"
+}

+ 0 - 0
common/aws-us-gov/mdr-common-services/008-xdr-binaries/README.md → common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/README.md


+ 0 - 0
common/aws-us-gov/mdr-common-services/008-xdr-binaries/terragrunt.hcl → common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl


+ 17 - 0
common/aws-us-gov/afs-mdr-common-services-gov/README.md

@@ -0,0 +1,17 @@
+# Common Services - GovCloud
+
+I'm not sure if this is a helpful readme or not tbh
+
+## Authentication
+
+A handful of these need the static access keys for the MDRAdmin account,
+mostly because at that point of setting up a new AWS account we don't have
+the okta integration in place.
+
+## Subfolders / subprojects
+
+| Subdirectory                 | auth               | Purpose |
+|------------------------------|--------------------|---------|
+|000-mdradmin-bootstrap        | MDRAdmin + aws-mfa | Configures MDRAdmin Account to have IAM rights to create terraform state 
+|001-tfstate                   | MDRAdmin + aws-mfa | Creates TF state s3 bucket, dynamodb tables
+|005-iam                       | okta + saml2aws    | Fundamental IAM setup - does OKTA linkage, sets up user roles and policies 

+ 0 - 10
common/aws-us-gov/mdr-common-services/account.hcl

@@ -1,10 +0,0 @@
-# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
-locals {
-  account_name   = "afs-mdr-common-services-gov"
-  aws_account_id = "701290387780"
-  instance_termination_protection = true # set to true for production!
-
-  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
-  #standard_vpc_cidr = "TBD"
-}

+ 1 - 1
common/aws/legacy-mdr-root/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/mdr-cyber-range/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/mdr-dev-ai/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
prod/aws-us-gov/mdr-prod-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
prod/aws-us-gov/mdr-prod-malware/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
prod/aws-us-gov/mdr-prod-modelclient/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
prod/aws/legacy-mdr-prod/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
prod/aws/mdr-prod-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
prod/aws/mdr-prod-malware/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
prod/aws/mdr-prod-modelclient/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
test/aws-us-gov/mdr-test-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
test/aws-us-gov/mdr-test-malware/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
test/aws-us-gov/mdr-test-modelclient/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
test/aws/legacy-mdr-test/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
test/aws/mdr-test-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
test/aws/mdr-test-malware/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
test/aws/mdr-test-modelclient/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.1.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
 }
 
 # Include all settings from the root terragrunt.hcl file
