
Brings common accounts up to standards

Fred Damstra vor 5 Jahren
Commit
ca2cc26278
37 geänderte Dateien mit 384 neuen und 48 gelöschten Zeilen
  1. 1 1
      000-skeleton/005-iam/terragrunt.hcl
  2. 1 1
      000-skeleton/006-account-standards/terragrunt.hcl
  3. 1 1
      000-skeleton/010-standard-vpc/terragrunt.hcl
  4. 1 1
      000-skeleton/020-attach-transit-gateway-to-standard-vpc/terragrunt.hcl
  5. 1 1
      000-skeleton/025-test-instance/terragrunt.hcl
  6. 5 0
      bin/update_all_from_skeleton
  7. 0 5
      bin/update_refs
  8. 61 0
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards-regional/us-gov-west-1/terragrunt.hcl
  9. 8 0
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md
  10. 10 9
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl
  11. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl
  12. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/010-shared-ami-key/terragrunt.hcl
  13. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl
  14. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/terragrunt.hcl
  15. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/terragrunt.hcl
  16. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/terragrunt.hcl
  17. 1 0
      common/aws-us-gov/afs-mdr-common-services-gov/account.hcl
  18. 1 1
      common/aws/legacy-mdr-root/005-iam/terragrunt.hcl
  19. 61 0
      common/aws/legacy-mdr-root/006-account-standards-regional/us-west-1/terragrunt.hcl
  20. 11 0
      common/aws/legacy-mdr-root/006-account-standards/README.md
  21. 38 0
      common/aws/legacy-mdr-root/006-account-standards/terragrunt.hcl
  22. 1 0
      common/aws/legacy-mdr-root/account.hcl
  23. 61 0
      common/aws/mdr-common-services/006-account-standards-regional/us-west-1/terragrunt.hcl
  24. 8 0
      common/aws/mdr-common-services/006-account-standards/README.md
  25. 13 15
      common/aws/mdr-common-services/006-account-standards/terragrunt.hcl
  26. 1 1
      common/aws/mdr-common-services/008-xdr-binaries/terragrunt.hcl
  27. 1 1
      common/aws/mdr-common-services/010-shared-ami-key/terragrunt.hcl
  28. 1 1
      common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl
  29. 1 0
      common/aws/mdr-common-services/account.hcl
  30. 4 1
      common/aws/mdr-cyber-range/005-iam/terragrunt.hcl
  31. 61 0
      common/aws/mdr-cyber-range/006-account-standards-regional/us-west-1/terragrunt.hcl
  32. 8 0
      common/aws/mdr-cyber-range/006-account-standards/README.md
  33. 1 1
      common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl
  34. 1 1
      common/aws/mdr-cyber-range/010-shared-ami-key/terragrunt.hcl
  35. 4 1
      common/aws/mdr-dev-ai/005-iam/terragrunt.hcl
  36. 10 0
      common/aws/mdr-dev-ai/UNMANAGED.ACCOUNT
  37. 1 0
      common/aws/mdr-dev-ai/account.hcl

+ 1 - 1
000-skeleton/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
000-skeleton/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.3"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
000-skeleton/010-standard-vpc/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.5.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
000-skeleton/020-attach-transit-gateway-to-standard-vpc/terragrunt.hcl

@@ -24,7 +24,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
000-skeleton/025-test-instance/terragrunt.hcl

@@ -19,7 +19,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.5.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 5 - 0
bin/update_all_from_skeleton

@@ -76,6 +76,11 @@ if [[ -f UNUSED.ACCOUNT ]]; then
   exit 4
 fi
 
+if [[ -f UNMANAGED.ACCOUNT ]]; then
+  >&2 echo Error: This account is marked as unmanaged. Failing...
+  exit 4
+fi
+
 for i in `seq -f "../../../000-skeleton/%g*" 0 9`; do
   MODULE=$( basename $i )
   [[ $TESTING ]] && >&2 echo debug: Processing module $MODULE...

+ 0 - 5
bin/update_refs

@@ -83,11 +83,6 @@ if [[ $SHORT_PWD =~ ^[0-9]{3}-.* ]]; then
   fi
 fi
 
-if [[ -f UNUSED.ACCOUNT ]]; then
-  >&2 echo Error: This account is marked as unused. Failing...
-  exit 4
-fi
-
 if [[ $NEWTAG =~ v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
   [[ $TESTING ]] && >&2 echo debug: Newtag $NEWTAG is valid format.
 else

+ 61 - 0
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 8 - 0
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/README.md

@@ -1,3 +1,11 @@
 # Account Standards
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+

+ 10 - 9
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.2"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,4 +34,5 @@ inputs = {
   tags = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/008-xdr-binaries/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v0.5.2"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.5.2"
 }
 
 include {

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/015-security-vpc/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v0.5.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v0.5.2"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/016-panorama/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/panorama?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/panorama?ref=v0.5.2"
 }
 
 dependency "security_vpc" {

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/017-palo-alto-bootstrap/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/bootstrap?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/bootstrap?ref=v0.5.2"
 }
 
 dependency "security_vpc" {

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/018-palo-alto-firewalls/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/firewall_nodes?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/firewall_nodes?ref=v0.5.2"
 }
 
 dependency "security_vpc" {

+ 1 - 0
common/aws-us-gov/afs-mdr-common-services-gov/account.hcl

@@ -7,6 +7,7 @@ locals {
   instance_termination_protection = true # set to true for production!
   
   account_tags = { } 
+  c2_account_standards_path = "../../../../prod/aws-us-gov/mdr-prod-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.1.132.0/22"

+ 1 - 1
common/aws/legacy-mdr-root/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 61 - 0
common/aws/legacy-mdr-root/006-account-standards-regional/us-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 11 - 0
common/aws/legacy-mdr-root/006-account-standards/README.md

@@ -0,0 +1,11 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+

+ 38 - 0
common/aws/legacy-mdr-root/006-account-standards/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.3"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
+}

+ 1 - 0
common/aws/legacy-mdr-root/account.hcl

@@ -6,4 +6,5 @@ locals {
   aws_account_id = "350838957895"
   
   account_tags = { } 
+  c2_account_standards_path = "../../../../prod/aws/mdr-prod-c2/005-account-standards-c2"
 }

+ 61 - 0
common/aws/mdr-common-services/006-account-standards-regional/us-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.1"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 8 - 0
common/aws/mdr-common-services/006-account-standards/README.md

@@ -1,3 +1,11 @@
 # Account Standards
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+

+ 13 - 15
common/aws/mdr-common-services/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.3"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,10 +31,8 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
-  #name = "vpc_primary_${local.account_vars.locals.account_name}"
-  #cidr = local.account_vars.locals.standard_vpc_cidr
-  #tags = {
-  #  Purpose = "Malware Detonation"
-  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  #}
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

+ 1 - 1
common/aws/mdr-common-services/008-xdr-binaries/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/globally_accessible_bucket?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 1
common/aws/mdr-common-services/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.5.3"
 }
 
 include {

+ 1 - 1
common/aws/mdr-common-services/015-security-vpc/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v0.5.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/security_vpc?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file

+ 1 - 0
common/aws/mdr-common-services/account.hcl

@@ -7,6 +7,7 @@ locals {
   instance_termination_protection = true # set to true for production!
   
   account_tags = { } 
+  c2_account_standards_path = "../../../../prod/aws/mdr-prod-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.1.1.0/22"

+ 4 - 1
common/aws/mdr-cyber-range/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.2"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,4 +31,7 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
 }

+ 61 - 0
common/aws/mdr-cyber-range/006-account-standards-regional/us-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.3"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
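Review bot: `environment_vars`, `region_vars` and `global_vars` are read in the locals block but never referenced anywhere in this file, while `target_aws_region` hard-codes "us-west-1" even though that value is already encoded in the directory name. The three unused `read_terragrunt_config` calls can be dropped, and the region can be derived from the directory so the file is identical across regional copies, e.g. `target_aws_region = basename(get_terragrunt_dir())`. The `version = "~> 2.66"` constraint inside the generated provider block is the legacy in-provider pinning form; if the root terragrunt.hcl already pins the AWS provider, this would be better kept in one place, but that cannot be confirmed from this hunk. The same layout appears in the other new `006-account-standards-regional` files in this commit.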

+ 8 - 0
common/aws/mdr-cyber-range/006-account-standards/README.md

@@ -1,3 +1,11 @@
 # Account Standards
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+

+ 1 - 1
common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.2"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.3"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
common/aws/mdr-cyber-range/010-shared-ami-key/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.5.2"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/shared_ami_key?ref=v0.5.3"
 }
 
 include {

+ 4 - 1
common/aws/mdr-dev-ai/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.5.3"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,4 +31,7 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
 }
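Review bot: The iam module for mdr-dev-ai moves from v0.3.0 to v0.5.3 in this hunk, a larger jump than the v0.5.2→v0.5.3 bumps elsewhere in the commit, while the UNMANAGED.ACCOUNT file added in the same commit states that modules should not be installed in this account without explicit reasons. A short comment next to the source line recording why the upgrade is wanted here, e.g. `# kept in step with the other accounts; account is otherwise unmanaged, see UNMANAGED.ACCOUNT`, would make the exception explicit, and the plan should be checked for changes to the role trust policy, since account.hcl's `iam_additional_trusted_arns` is presumably consumed by this module. The `inputs` block starts outside the hunk, so whether other tags are already set cannot be told from here.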

+ 10 - 0
common/aws/mdr-dev-ai/UNMANAGED.ACCOUNT

@@ -0,0 +1,10 @@
+This account is mostly unmanaged. Terraform modules should not be installed without explicit reasons.
+
+
+Unmanaged per Wesley Leonard on 2020-07-30:
+
+Frederick Damstra  12:13 PM
+Should the dev A&I account be brought into CIS standards for centarlized logging, encryption by default, and so forth?
+
+Wesley Leonard  12:18 PM
+No, that's none production

+ 1 - 0
common/aws/mdr-dev-ai/account.hcl

@@ -6,6 +6,7 @@ locals {
   aws_account_id = "228011623757"
   
   account_tags = { } 
+  c2_account_standards_path = "../../../../prod/aws/mdr-prod-c2/005-account-standards-c2"
 
   iam_additional_trusted_arns = [ "arn:aws:iam::471284459109:role/user/mdr_developer_readonly" ]
 }