
Fixed merge conflicts

Duane Waddle 4 năm trước cách đây
mục cha
commit
ef30adcfd6
67 tập tin đã thay đổi với 1011 bổ sung159 xóa
  1. 1 1
      000-skeleton/006-account-standards/terragrunt.hcl
  2. 27 6
      bin/update-ami-accounts
  3. 1 1
      common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl
  4. 2 0
      common/aws-us-gov/partition.hcl
  5. 1 1
      common/aws/legacy-mdr-root/006-account-standards/terragrunt.hcl
  6. 1 1
      common/aws/mdr-common-services/006-account-standards/terragrunt.hcl
  7. 1 1
      common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl
  8. 1 0
      common/aws/partition.hcl
  9. 1 1
      prod/aws-us-gov/mdr-prod-bas/006-account-standards/terragrunt.hcl
  10. 1 1
      prod/aws-us-gov/mdr-prod-c2/006-account-standards/terragrunt.hcl
  11. 1 1
      prod/aws-us-gov/mdr-prod-c2/220-instance-jira/terragrunt.hcl
  12. 0 0
      prod/aws-us-gov/mdr-prod-c2/250-phantom/.tfswitch.toml
  13. 42 0
      prod/aws-us-gov/mdr-prod-c2/250-phantom/terragrunt.hcl
  14. 6 5
      prod/aws-us-gov/mdr-prod-c2/account.hcl
  15. 62 0
      prod/aws-us-gov/mdr-prod-ca-c19/005-iam/terragrunt.hcl
  16. 28 12
      prod/aws-us-gov/mdr-prod-ca-c19/006-account-standards-regional/us-gov-west-1/terragrunt.hcl
  17. 26 0
      prod/aws-us-gov/mdr-prod-ca-c19/006-account-standards/README.md
  18. 38 0
      prod/aws-us-gov/mdr-prod-ca-c19/006-account-standards/terragrunt.hcl
  19. 7 0
      prod/aws-us-gov/mdr-prod-ca-c19/010-vpc-splunk/README.md
  20. 13 11
      prod/aws-us-gov/mdr-prod-ca-c19/010-vpc-splunk/terragrunt.hcl
  21. 33 0
      prod/aws-us-gov/mdr-prod-ca-c19/021-qualys-connector-role/terragrunt.hcl
  22. 1 0
      prod/aws-us-gov/mdr-prod-ca-c19/025-test-instance/README.md
  23. 8 9
      prod/aws-us-gov/mdr-prod-ca-c19/025-test-instance/terragrunt.hcl
  24. 33 0
      prod/aws-us-gov/mdr-prod-ca-c19/072-salt-master-inventory-role/terragrunt.hcl
  25. 33 0
      prod/aws-us-gov/mdr-prod-ca-c19/140-splunk-frozen-bucket/terragrunt.hcl
  26. 43 0
      prod/aws-us-gov/mdr-prod-ca-c19/150-splunk-cluster-master/terragrunt.hcl
  27. 7 0
      prod/aws-us-gov/mdr-prod-ca-c19/160-splunk-indexer-cluster/README.md
  28. 7 11
      prod/aws-us-gov/mdr-prod-ca-c19/160-splunk-indexer-cluster/terragrunt.hcl
  29. 43 0
      prod/aws-us-gov/mdr-prod-ca-c19/170-splunk-searchhead/terragrunt.hcl
  30. 43 0
      prod/aws-us-gov/mdr-prod-ca-c19/180-splunk-heavy-forwarder/terragrunt.hcl
  31. 3 0
      prod/aws-us-gov/mdr-prod-ca-c19/README.md
  32. 108 0
      prod/aws-us-gov/mdr-prod-ca-c19/account.hcl
  33. 1 1
      prod/aws-us-gov/mdr-prod-doed/006-account-standards/terragrunt.hcl
  34. 1 1
      prod/aws-us-gov/mdr-prod-frtib/006-account-standards/terragrunt.hcl
  35. 1 1
      prod/aws-us-gov/mdr-prod-modelclient/006-account-standards/terragrunt.hcl
  36. 1 1
      prod/aws-us-gov/mdr-prod-nihors/006-account-standards/terragrunt.hcl
  37. 2 0
      prod/aws-us-gov/partition.hcl
  38. 1 1
      prod/aws/legacy-mdr-prod/006-account-standards/terragrunt.hcl
  39. 11 11
      prod/aws/legacy-mdr-prod/210-rds-jira/terragrunt.hcl
  40. 1 1
      prod/aws/mdr-prod-c2/006-account-standards/terragrunt.hcl
  41. 62 0
      prod/aws/mdr-prod-ca-c19/005-iam/terragrunt.hcl
  42. 61 0
      prod/aws/mdr-prod-ca-c19/006-account-standards-regional/us-gov-west-1/terragrunt.hcl
  43. 26 0
      prod/aws/mdr-prod-ca-c19/006-account-standards/README.md
  44. 38 0
      prod/aws/mdr-prod-ca-c19/006-account-standards/terragrunt.hcl
  45. 2 0
      prod/aws/mdr-prod-ca-c19/README.md
  46. 1 0
      prod/aws/mdr-prod-ca-c19/UNUSED.ACCOUNT
  47. 108 0
      prod/aws/mdr-prod-ca-c19/account.hcl
  48. 1 1
      prod/aws/mdr-prod-doed/006-account-standards/terragrunt.hcl
  49. 1 1
      prod/aws/mdr-prod-frtib/006-account-standards/terragrunt.hcl
  50. 1 0
      prod/aws/partition.hcl
  51. 1 1
      test/aws-us-gov/mdr-test-c2/006-account-standards/terragrunt.hcl
  52. 0 1
      test/aws-us-gov/mdr-test-c2/220-instance-jira/.tfswitch.toml
  53. 1 0
      test/aws-us-gov/mdr-test-c2/250-phantom/.tfswitch.toml
  54. 42 0
      test/aws-us-gov/mdr-test-c2/250-phantom/terragrunt.hcl
  55. 7 6
      test/aws-us-gov/mdr-test-c2/account.hcl
  56. 1 1
      test/aws-us-gov/mdr-test-malware/006-account-standards/terragrunt.hcl
  57. 1 1
      test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl
  58. 1 0
      test/aws-us-gov/partition.hcl
  59. 1 1
      test/aws/legacy-mdr-test/006-account-standards/terragrunt.hcl
  60. 11 11
      test/aws/legacy-mdr-test/210-rds-jira/terragrunt.hcl
  61. 0 3
      test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-dc-c19/README.md
  62. 0 3
      test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-la-c19/README.md
  63. 0 3
      test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-ma-c19/README.md
  64. 0 45
      test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-ma-c19/terragrunt.hcl
  65. 1 1
      test/aws/mdr-test-c2/006-account-standards/terragrunt.hcl
  66. 1 1
      test/aws/mdr-test-modelclient/006-account-standards/terragrunt.hcl
  67. 1 0
      test/aws/partition.hcl

+ 1 - 1
000-skeleton/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.17"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 27 - 6
bin/update-ami-accounts

@@ -17,7 +17,7 @@ Example 1: Let's just run a report of all AMIs matching '*Duane*' in all regions
 profile has access to.  Notice the wildcards in quotes so bash won't try to expand them
 out to filenames.
 
-[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py '*Duane*'
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./update-ami-accounts '*Duane*'
 Looking for AMIs matching "*Duane*" in the following regions:
     us-gov-east-1
     us-gov-west-1
@@ -31,7 +31,7 @@ us-gov-west-1  |ami-0ee37a86b09aefad0 |Duane_Testing_20201124233617
 
 Example 2: Regions can be specified with a list or wildcard.  This is just a report too:
 
-[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py --region us-gov-east-1 --region '*west*' '*Duane*'
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./update-ami-accounts --region us-gov-east-1 --region '*west*' '*Duane*'
 Looking for AMIs matching "*Duane*" in the following regions:
     us-gov-east-1
     us-gov-west-1
@@ -44,7 +44,7 @@ us-gov-west-1  |ami-0ee37a86b09aefad0 |Duane_Testing_20201124233617
 
 Example 3: If we list one or more accounts then sharing is updated
 
-[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py --region '*1' '*Duane*' 738800754746 721817724804
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./update-ami-accounts --region '*1' '*Duane*' 738800754746 721817724804
 Looking for AMIs matching "*Duane*" in the following regions:
  us-gov-east-1
  us-gov-west-1
@@ -62,7 +62,7 @@ us-gov-west-1  |ami-0ee37a86b09aefad0 |Duane_Testing_20201124233617            |
 Example 4: Sharing updates are atomic so if you could get a failure because
 one of several accounts you listed does not exist:
 
-[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./duane.py --region '*1' '*Duane*' 738800754746 72181772480
+[duane.e.waddle@DPS0591 bin]$ AWS_PROFILE=gov-common-services-terraformer ./update-ami-accounts --region '*1' '*Duane*' 738800754746 72181772480
 Looking for AMIs matching "*Duane*" in the following regions:
  us-gov-east-1
  us-gov-west-1
@@ -83,6 +83,8 @@ message as to which one caused the error.  Maybe one day I'll improve that...
 """
 
 import argparse
+import re
+import sys
 import boto3
 import botocore
 from botocore.config import Config
@@ -196,8 +198,7 @@ def runmain(ami_filter,accounts,region_filters):
             else:
                 print(report_format.format(region,ami.get('ImageId'),ami.get('Name')))
 
-
-if __name__ == "__main__":
+def cli():
 
     parser = argparse.ArgumentParser()
     parser.add_argument('--region',action='append',required=False,
@@ -206,4 +207,24 @@ if __name__ == "__main__":
     parser.add_argument('accounts',nargs='*',help='list of AWS accounts to add AMIs to')
     args = parser.parse_args()
 
+    # Remove dashes from account IDs as a nice thing for user
+    args.accounts = [ f.replace("-","") for f in args.accounts ]
+
+    # AWS Accounts are 12 digits, all digits
+    invalid_accounts = []
+    digit_check = re.compile(r"^\d+$")
+    for account in args.accounts:
+        if len(account) != 12:
+            invalid_accounts.append("{0}: {1}".format(account,"Account length not 12"))
+        elif digit_check.fullmatch(account) is None:
+            invalid_accounts.append("{0}: {1}".format(account,"Account contains non-digit chars"))
+
+    if len(invalid_accounts) > 0:
+        for message in invalid_accounts:
+            print(message)
+        sys.exit(1)
+
     runmain(args.ami_filter,args.accounts,args.region)
+
+if __name__ == "__main__":
+    cli()
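Review bot: The digit check in `cli()` uses `\d`, which on a Python 3 `str` pattern also matches non-ASCII Unicode digits, so a 12-character string of such digits passes validation and is handed to `runmain`. Using `digit_check = re.compile(r"[0-9]+")` with the same `fullmatch` call keeps both messages and restricts the test to ASCII digits. The validation messages go to stdout; `print(message, file=sys.stderr)` would keep them out of any piped report output. The check confirms format only, so a well-formed but mistyped ID would still have AMIs shared with it; comparing against the known account lists (for instance those kept in partition.hcl) or asking for confirmation before sharing is updated would close that gap. `cli()` begins in the previous hunk.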

+ 1 - 1
common/aws-us-gov/afs-mdr-common-services-gov/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 2 - 0
common/aws-us-gov/partition.hcl

@@ -8,6 +8,7 @@ locals {
   common_services_account = "701290387780"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
   tfstate_region = "us-gov-east-1"
+  binaries_key = "key/a3ed054e-73be-45b4-acf8-6d06cb18cff9"
 
   # Statically setting the 'last known good' ami gives us some added flexibility
   # in building amis more regularly.
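Review bot: `binaries_key` is added without a comment saying what it identifies. The value has the shape of a KMS key resource path rather than a full ARN, so it is only meaningful together with a region and an account, and nothing here names either. A comment such as `# KMS key for <purpose>; resource path only, key lives in <account>/<region>` above the line would let consumers build the ARN and review the key policy. The same applies to the `binaries_key` line added in common/aws/partition.hcl; the `locals` block continues outside this hunk.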
@@ -33,6 +34,7 @@ locals {
       "081915784976", # mdr-prod-bas
       "137793331041", # mdr-prod-doed
       "237704155425", # mdr-prod-frtib
+      "300401536936", # mdr-prod-ca-c19
     ],
     "test" = [
       "738800754746", # mdr-test-c2

+ 1 - 1
common/aws/legacy-mdr-root/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
common/aws/mdr-common-services/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
common/aws/mdr-cyber-range/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 0
common/aws/partition.hcl

@@ -8,6 +8,7 @@ locals {
   common_services_account = "471284459109"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
   tfstate_region = "us-east-1"
+  binaries_key = "key/b51760b2-d6e1-438a-afd4-1e56f5ac82ef"
 
   # Statically setting the 'last known good' ami gives us some added flexibility
   # in building amis more regularly.

+ 1 - 1
prod/aws-us-gov/mdr-prod-bas/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.21"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
prod/aws-us-gov/mdr-prod-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
prod/aws-us-gov/mdr-prod-c2/220-instance-jira/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/jira/instance_jira?ref=v1.21.4"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/jira/instance_jira?ref=v1.21.6"
 }
 
 dependency "vpc" {

+ 0 - 0
test/aws-us-gov/mdr-test-c2/210-rds-jira/.tfswitch.toml → prod/aws-us-gov/mdr-prod-c2/250-phantom/.tfswitch.toml


+ 42 - 0
prod/aws-us-gov/mdr-prod-c2/250-phantom/terragrunt.hcl

@@ -0,0 +1,42 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/phantom?ref=v1.22.0"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-private-services"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Phantom System"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  instance_type = local.account_vars.locals.instance_types["phantom"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  public_subnets = dependency.vpc.outputs.public_subnets # Phantom is on a PUBLIC subnet for direct comm
+}
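Review bot: `vpc_cidr` is read from `vpc_info["vpc-splunk"]` while `vpc_id`, `azs` and `public_subnets` all come from the `../010-vpc-private-services` dependency, so the CIDR passed to the module may describe a different VPC than the one the instance lands in. If the module uses `vpc_cidr` for security-group rules (not visible here), that would admit the wrong address range; the `vpc_info` entry for the private-services VPC (key name to confirm in account.hcl) looks like the intended source. Because the instance sits on a public subnet, the comment on `public_subnets` should also say what limits ingress, e.g. `# PUBLIC subnet for direct comm; ingress restricted by <rule / allow-list> in base/phantom`.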

+ 6 - 5
prod/aws-us-gov/mdr-prod-c2/account.hcl

@@ -141,15 +141,16 @@ locals {
   instance_types = {
     #"alsi-master"    = "t3a.small",
     #"alsi-worker"    = "t3a.small",
-    "splunk-cm"      = "m5a.xlarge",
-    "splunk-indexer" = "i3en.3xlarge",
-    "splunk-hf"      = "m5a.xlarge",
-    "splunk-sh"      = "m5a.4xlarge",
-    "qcompliance"    = "c5a.8xlarge", # legacy: c4.8xlarge
     "github"         = "c5.4xlarge", # legacy: c4.4xlarge in prod, c5.2xlarge in test
     "github-backup"  = "t3a.medium", # legacy: t2.medium
     "jira-rds"       = "db.t3.medium",
     "jira-server"    = "t3a.medium", # legacy test: t2.small, legacy prod: t2.medium
+    "phantom"        = "m5a.4xlarge", # legacy test: t2.medium, legacy prod: m4.4xlarge
+    "qcompliance"    = "c5a.8xlarge", # legacy: c4.8xlarge
+    "splunk-cm"      = "m5a.xlarge",
+    "splunk-indexer" = "i3en.3xlarge",
+    "splunk-hf"      = "m5a.xlarge",
+    "splunk-sh"      = "m5a.4xlarge",
   }
 
   # Bastion

+ 62 - 0
prod/aws-us-gov/mdr-prod-ca-c19/005-iam/terragrunt.hcl

@@ -0,0 +1,62 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env            = local.environment_vars.locals.environment
+  aws_region     = local.region_vars.locals.aws_region
+  account_id     = local.account_vars.locals.aws_account_id
+  
+}
+
+# TODO: For provisioning only. Comment out after provisioning
+#generate "provider" {
+#  path      = "provider.tf"
+#  if_exists = "overwrite_terragrunt"
+#  contents  = <<EOF
+#provider "template" {
+#  version = "~> 2.1"
+#}
+
+#provider "aws" {
+#  version = "~> 3.0"
+#  region = "${local.aws_region}"
+#
+#  # TODO: make sure you have a profile matching this
+#  profile = "tmp"
+#
+#  # Only these AWS Account IDs may be operated on by this template
+#  allowed_account_ids = ["${local.account_id}"]
+#}
+#EOF
+#}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v1.21.7"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
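Review bot: The commented-out `generate "provider"` block is committed as dead configuration, and the `aws_region` and `account_id` locals exist only to feed it. If uncommented it would presumably overwrite the provider generated by the root file with one that uses a local `tmp` profile and no `assume_role`, so the TODO should say when it applies and that it must not be committed enabled, e.g. `# Bootstrap only: run once with a temporary profile before the terraformer role exists; never commit this block uncommented.` Moving the template to the account README would keep this file to live configuration.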

+ 28 - 12
test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-la-c19/terragrunt.hcl → prod/aws-us-gov/mdr-prod-ca-c19/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -3,23 +3,24 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
   environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
   partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
   region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
   global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-}
 
-dependency "transit_gateway" {
-  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v1.21.7"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -27,19 +28,34 @@ include {
   path = find_in_parent_folders()
 }
 
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
 # These are the variables we have to pass in to use the module specified in the terragrunt source above
 inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
   tags = {
-    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
-  accept_invitation = false # Should only be true for the first attachment
-  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
-  tgw_id = dependency.transit_gateway.outputs.tgw_id
-  vpc_id =  local.account_vars.locals.legacy_vpcs["la-c19"]["id"]
-  subnets = local.account_vars.locals.legacy_vpcs["la-c19"]["private_subnets"]
-  route_tables = concat(local.account_vars.locals.legacy_vpcs["la-c19"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["la-c19"]["private_route_tables"])
 }
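Review bot: The generated provider pins `version = "~> 2.66"`, while the commented-out bootstrap template added under 005-iam in this same commit names `~> 3.0`, so two units of one account can end up on different major versions of the AWS provider; the pin here should match whatever the root terragrunt.hcl generates. `session_name = "terraform"` is a fixed string, so every operator's assumed-role session looks the same in CloudTrail. If the root provider does likewise this is at least consistent, but a per-operator value would make changes in this account attributable.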

+ 26 - 0
prod/aws-us-gov/mdr-prod-ca-c19/006-account-standards/README.md

@@ -0,0 +1,26 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 38 - 0
prod/aws-us-gov/mdr-prod-ca-c19/006-account-standards/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.7"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
+}
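Review bot: This new unit pins `account_standards` at `ref=v1.21.7`, while the other 006-account-standards units touched by this commit are moved to `ref=v1.21.8`, so the new account starts one release behind the baseline it is meant to share. Unless the lag is deliberate, `...//base/account_standards?ref=v1.21.8` keeps the account-standards controls identical across accounts. The prod/aws/mdr-prod-ca-c19 copy listed in the file summary is outside this view and may need the same check.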

+ 7 - 0
prod/aws-us-gov/mdr-prod-ca-c19/010-vpc-splunk/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.

+ 13 - 11
test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-dc-c19/terragrunt.hcl → prod/aws-us-gov/mdr-prod-ca-c19/010-vpc-splunk/terragrunt.hcl

@@ -9,17 +9,16 @@ locals {
   region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
   global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-}
 
-dependency "transit_gateway" {
-  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v1.21.7"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -27,19 +26,22 @@ include {
   path = find_in_parent_folders()
 }
 
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
 # These are the variables we have to pass in to use the module specified in the terragrunt source above
 inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  accept_tgw_invitation = true # Should we accept the Transit GT invitation? Should only be true for the first vpc
+  tgw_share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_info = local.account_vars.locals.vpc_info["vpc-splunk"]
   tags = {
-    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
+    #Purpose # grabbed from vpc_info
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
-  accept_invitation = false # Should only be true for the first attachment
-  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
-  tgw_id = dependency.transit_gateway.outputs.tgw_id
-  vpc_id =  local.account_vars.locals.legacy_vpcs["dc-c19"]["id"]
-  subnets = local.account_vars.locals.legacy_vpcs["dc-c19"]["private_subnets"]
-  route_tables = concat(local.account_vars.locals.legacy_vpcs["dc-c19"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["dc-c19"]["private_route_tables"])
+  accept_tgw_invitation = true
 }
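Review bot: `accept_tgw_invitation = true` appears twice in the `inputs` map, once with its explanatory comment at the top and again as the last entry. Depending on how the parser treats duplicate keys in an object expression, the later one may silently win, in which case a future edit to the commented line alone would have no effect; drop the trailing `accept_tgw_invitation = true`. The comment says the flag should only be true for the first VPC, which is worth re-checking when another VPC unit is added to this account.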

+ 33 - 0
prod/aws-us-gov/mdr-prod-ca-c19/021-qualys-connector-role/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/qualys_connector_role?ref=v1.21.7"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Qualys Connector Role"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
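Review bot: None of the five `read_terragrunt_config` locals loaded at the top of this new file is referenced anywhere in it, and the same holds for the new `072-salt-master-inventory-role` and `140-splunk-frozen-bucket` files. The header comment says they only need loading when this file uses them, and the `005-iam` unit in this commit comments out the ones it does not need. Either trim the `locals` block to what is used or add a one-line comment such as `# kept for parity with the skeleton; unused in this unit` so readers do not go looking for a reference.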

+ 1 - 0
prod/aws-us-gov/mdr-prod-ca-c19/025-test-instance/README.md

@@ -0,0 +1 @@
+# Create a test instance if `create_test_instance` is set to true.

+ 8 - 9
test/aws-us-gov/mdr-test-c2/210-rds-jira/terragrunt.hcl → prod/aws-us-gov/mdr-prod-ca-c19/025-test-instance/terragrunt.hcl

@@ -11,11 +11,15 @@ locals {
   global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
+dependency "vpc_splunk" {
+  config_path = "../010-vpc-splunk"
+}
+
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/jira/rds_jira?ref=v1.21.4"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v1.21.7"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -23,20 +27,15 @@ include {
   path = find_in_parent_folders()
 }
 
-dependency "vpc" {
-  config_path = "../010-vpc-public"
-}
-
 # These are the variables we have to pass in to use the module specified in the terragrunt source above
 inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
   tags = {
+    Purpose = "Testing Instance"
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
-  identifier = "jira2"
-  instance_type = local.account_vars.locals.instance_types["jira-rds"]
-  vpc_id = dependency.vpc.outputs.vpc_id
-  subnets = dependency.vpc.outputs.private_subnets
+  subnet_id = dependency.vpc_splunk.outputs.public_subnets[0]
+  security_group_ids = [ dependency.vpc_splunk.outputs.allow_all_from_trusted_sg_id ]
 }
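Review bot: The test instance is placed in `public_subnets[0]` of the production Splunk VPC with the `allow_all_from_trusted_sg_id` group attached, which is a wide opening for a throwaway host. What counts as "trusted", and whether the instance receives a public address, is decided in the module outside this diff, so check that before `create_test_instance` is ever set to true for this account. If the instance only needs to prove routing inside the VPC, `subnet_id = dependency.vpc_splunk.outputs.private_subnets[0]` would be the safer default. A comment above `security_group_ids` stating why allow-all is acceptable here would also help.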

+ 33 - 0
prod/aws-us-gov/mdr-prod-ca-c19/072-salt-master-inventory-role/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v1.21.7"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Inventory for FedRAMP Compliance"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 33 - 0
prod/aws-us-gov/mdr-prod-ca-c19/140-splunk-frozen-bucket/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/frozen_s3_bucket?ref=v1.21.7"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Frozen Data"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

+ 43 - 0
prod/aws-us-gov/mdr-prod-ca-c19/150-splunk-cluster-master/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/cluster_master?ref=v1.21.7"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Cluster Master"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-cm"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

+ 7 - 0
prod/aws-us-gov/mdr-prod-ca-c19/160-splunk-indexer-cluster/README.md

@@ -0,0 +1,7 @@
+# Creates the Indexer Cluster
+
+* 3x indexer ASGs
+* NLB for splunk data
+* ALB for hec without ack
+* ELB classic for HEC with ack
+* Security Groups for all of the above

+ 7 - 11
test/aws-us-gov/mdr-test-c2/220-instance-jira/terragrunt.hcl → prod/aws-us-gov/mdr-prod-ca-c19/160-splunk-indexer-cluster/terragrunt.hcl

@@ -13,15 +13,11 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/jira/instance_jira?ref=v1.21.4"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/indexer_cluster?ref=v1.21.7"
 }
 
 dependency "vpc" {
-  config_path = "../010-vpc-public"
-}
-
-dependency "rds" {
-  config_path = "../210-rds-jira"
+  config_path = "../010-vpc-splunk"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -35,14 +31,14 @@ inputs = {
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
   tags = {
-    Purpose = "Jira Ticketing"
+    Purpose = "Splunk Indexer Cluster"
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
-  instance_count = local.account_vars.locals.github_instance_count
-  instance_type = local.account_vars.locals.instance_types["jira-server"]
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-indexer"]
   vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
   azs = dependency.vpc.outputs.azs
-  public_subnets = dependency.vpc.outputs.public_subnets
   private_subnets = dependency.vpc.outputs.private_subnets
-  rds_sg = dependency.rds.outputs.security_group_id
+  public_subnets  = dependency.vpc.outputs.public_subnets
 }

+ 43 - 0
prod/aws-us-gov/mdr-prod-ca-c19/170-splunk-searchhead/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/searchhead?ref=v1.21.7"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Searchhead"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-sh"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

+ 43 - 0
prod/aws-us-gov/mdr-prod-ca-c19/180-splunk-heavy-forwarder/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/heavy_forwarder?ref=v1.21.7"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Heavy Forwarder"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-hf"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

+ 3 - 0
prod/aws-us-gov/mdr-prod-ca-c19/README.md

@@ -0,0 +1,3 @@
+# California C-19
+
+Copied from skeleton ( 03-31-2021 )

+ 108 - 0
prod/aws-us-gov/mdr-prod-ca-c19/account.hcl

@@ -0,0 +1,108 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  # TODO put the right values here
+  account_name   = "mdr-prod-ca-c19"
+  account_alias  = "mdr-prod-ca-c19"
+  aws_account_id = "300401536936"
+  instance_termination_protection = true # set to true for production!
+  splunk_prefix = "ca-c19"
+  splunk_private_hec = false # True if the customer needs a private HTTP Event Collector such as for ALSI
+
+  splunk_data_sources = [
+   # "x.x.x.x/32", # TODO: Add customer's public IP addresses
+  ]
+  splunk_legacy_cidr = [ ] # Should not be needed for new customers
+  splunk_asg_sizes   = [ 1, 1, 1 ] # How many indexers in each site
+  
+  
+  account_tags = {
+    "Client": local.splunk_prefix,
+  } 
+  c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2" # TODO: Subsitute with test or prod
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  vpc_info = { 
+    "vpc-splunk" = {
+       "name" = "vpc-splunk",
+       "purpose" = "Splunk Systems ca-c19", # TODO: Substitute with Customer Name
+       "cidr" = "10.42.40.0/22",
+       "tgw_attached" = true
+    }
+  } 
+
+  # For testing
+  create_test_instance = false
+
+  # Qualys Connector - See https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/Qualys
+  qualys_connector_externalid = "LATER" # Needs to come from the qualys console
+
+  # End of TODO
+
+  # Splunk instance sizes can be customized
+  # TODO: Set these appropriately in the skeleton for prod
+  instance_types = {
+    "alsi-master"    = "t3a.small",
+    "alsi-worker"    = "t3a.small",
+    "splunk-cm"      = "m5a.xlarge",  # legacy: t2.small
+    "splunk-indexer" = "i3en.3xlarge", # legacy: t2.small, but whats the point if we don't have instance storage.
+    "splunk-hf"      = "m5a.xlarge", # legacy: t2.medium
+    "splunk-sh"      = "m5a.4xlarge", # legacy: ? not sure
+  }
+
+  # Splunk Volume Sizes are probably fine at defaults
+  splunk_volume_sizes = {
+    "cluster_master" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "indexer" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "searchhead" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "heavy_forwarder" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+  }
+
+  # ALSI - Aggregated Log Source Ingestion
+  #
+  # If cribl is being used for log ingestion, remember to turn on splunk_private_hec, too.
+  alsi_workers = 0 # how many cribl workers
+  alsi_splunk_nlb = false # splunk://moose-alsi-splunk.xdr{,test}.accenturefederalcyber.com:9997 and 9998
+  alsi_elastic_alb = false # https://moose-alsi-elastic.xdr{,test}.accenturefederalcyber.com -> 9200
+  alsi_hec_alb = false # https://moose-alsi-hec.xdr{,test}.accenturefederalcyber.com -> 8080
+}
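Review bot: This production account file still carries skeleton placeholders: the block is headed `# TODO put the right values here`, `splunk_data_sources` is empty, and `qualys_connector_externalid` is the literal `"LATER"`. The last one matters most because the same commit adds `021-qualys-connector-role`. If that module uses the value as the external-ID condition on the role's trust policy (not visible here), the role would be created with a guessable external ID until someone remembers to change it. Hold the `021` unit back until the real value from the Qualys console is in place, and mark the line with something like `# BLOCKER: do not apply 021-qualys-connector-role while this is "LATER"`.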

+ 1 - 1
prod/aws-us-gov/mdr-prod-doed/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.21"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
prod/aws-us-gov/mdr-prod-frtib/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.20.11"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
prod/aws-us-gov/mdr-prod-modelclient/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.16"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
prod/aws-us-gov/mdr-prod-nihors/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.21"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 2 - 0
prod/aws-us-gov/partition.hcl

@@ -8,6 +8,7 @@ locals {
   common_services_account = "701290387780"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
   tfstate_region = "us-gov-east-1"
+  binaries_key = "key/a3ed054e-73be-45b4-acf8-6d06cb18cff9"
 
   # Statically setting the 'last known good' ami gives us some added flexibility
   # in building amis more regularly.
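Review bot: The new `binaries_key` local has no comment saying what it identifies, unlike the AMI setting documented just below it. From its `key/<uuid>` form it is presumably a KMS key reference, and a hard-coded key is something a reader will want to verify against the right account and region. Suggest a trailing comment along the lines of `# KMS key for <purpose>, owned by <account>, in <region>`, filled in by whoever knows the key. The `locals` block starts and ends outside this hunk, so where the value is consumed is not visible here.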
@@ -33,6 +34,7 @@ locals {
       "081915784976", # mdr-prod-bas
       "137793331041", # mdr-prod-doed
       "237704155425", # mdr-prod-frtib
+      "300401536936", # mdr-prod-ca-c19
     ],
     "test" = [
       "738800754746", # mdr-test-c2

+ 1 - 1
prod/aws/legacy-mdr-prod/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 11 - 11
prod/aws/legacy-mdr-prod/210-rds-jira/terragrunt.hcl

@@ -15,7 +15,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/jira/rds_jira?ref=v1.10.15"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/terminated?ref=v1.21.7"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -25,14 +25,14 @@ include {
 
 # These are the variables we have to pass in to use the module specified in the terragrunt source above
 inputs = {
-  # All of the inputs from the inherited hcl files are available automatically
-  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
-  # will be more flexible if you specify particular input values.
-  tags = {
-    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  }
-  identifier = "jira2"
-  instance_type = local.account_vars.locals.instance_types["jira-rds"]
-  vpc_id = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["id"]
-  subnets = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_subnets"]
+#  # All of the inputs from the inherited hcl files are available automatically
+#  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+#  # will be more flexible if you specify particular input values.
+#  tags = {
+#    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+#  }
+#  identifier = "jira2"
+#  instance_type = local.account_vars.locals.instance_types["jira-rds"]
+#  vpc_id = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["id"]
+#  subnets = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_subnets"]
 }
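Review bot: The old `inputs` are left behind as ten commented lines inside an otherwise empty `inputs = { }`, which keeps `identifier`, VPC and subnet references around that no longer apply. Since the source now points at `base/terminated`, delete the commented lines and leave one comment, for example `# Jira RDS decommissioned; see git history for the former inputs`. Applying this presumably destroys the production Jira database, and nothing in the diff shows a final snapshot was taken. That comment or the commit message should record where the snapshot lives.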

+ 1 - 1
prod/aws/mdr-prod-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 62 - 0
prod/aws/mdr-prod-ca-c19/005-iam/terragrunt.hcl

@@ -0,0 +1,62 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env            = local.environment_vars.locals.environment
+  aws_region     = local.region_vars.locals.aws_region
+  account_id     = local.account_vars.locals.aws_account_id
+  
+}
+
+# TODO: For provisioning only. Comment out after provisioning
+#generate "provider" {
+#  path      = "provider.tf"
+#  if_exists = "overwrite_terragrunt"
+#  contents  = <<EOF
+#provider "template" {
+#  version = "~> 2.1"
+#}
+
+#provider "aws" {
+#  version = "~> 3.0"
+#  region = "${local.aws_region}"
+#
+#  # TODO: make sure you have a profile matching this
+#  profile = "tmp"
+#
+#  # Only these AWS Account IDs may be operated on by this template
+#  allowed_account_ids = ["${local.account_id}"]
+#}
+#EOF
+#}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v1.10.17"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
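Review bot: This unit is added under `prod/aws/mdr-prod-ca-c19/`, the commercial tree, although the account's `account.hcl` and the other ca-c19 units in this commit sit under `prod/aws-us-gov/`. The `006-account-standards-regional/us-gov-west-1` and `006-account-standards` sections that follow share the problem. That looks like a leftover from the merge, and if applied from here `find_in_parent_folders("partition.hcl")` would presumably resolve to the commercial partition settings for a GovCloud account. If the copy is intentional, say so in a README; otherwise remove the `prod/aws/mdr-prod-ca-c19` directory. The module pin `ref=v1.10.17` is also well behind the `v1.21.7` used by the other new units.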

+ 61 - 0
prod/aws/mdr-prod-ca-c19/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v1.0.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
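Review bot: The generated provider pins `version = "~> 2.66"`, while the provisioning provider sketched in the `005-iam` unit for the same account asks for `~> 3.0`, and the module ref here is `v1.0.0` against `v1.21.x` elsewhere in the commit. If these values were copied unchanged from the skeleton, confirm they are still the intended pins for a new production account, since they would carry old provider behaviour forward. A comment next to the pin, such as `# pinned to 2.x because <reason>`, would tell the next reader whether it is safe to raise.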

+ 26 - 0
prod/aws/mdr-prod-ca-c19/006-account-standards/README.md

@@ -0,0 +1,26 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

+ 38 - 0
prod/aws/mdr-prod-ca-c19/006-account-standards/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.17"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
+}
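Review bot: The `terraform` block in this new file pins the module to `ref=v1.10.17`, while the same commit moves the other accounts' `006-account-standards/terragrunt.hcl` files to `ref=v1.21.8`. The account would therefore start on an older account-standards baseline than its siblings. The module contents are not visible here, so it is unclear whether the difference affects the CloudTrail or AWS Config setup; `cloudtrail_key_arn` is passed in below. If the older pin is deliberate, for example because the account is marked unused, say so in a comment next to `source`. Otherwise use `source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"`.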

+ 2 - 0
prod/aws/mdr-prod-ca-c19/README.md

@@ -0,0 +1,2 @@
+# California C-19
+

+ 1 - 0
prod/aws/mdr-prod-ca-c19/UNUSED.ACCOUNT

@@ -0,0 +1 @@
+This account is unused

+ 108 - 0
prod/aws/mdr-prod-ca-c19/account.hcl

@@ -0,0 +1,108 @@
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+  # TODO put the right values here
+  account_name   = "mdr-prod-ca-c19"
+  account_alias  = "mdr-prod-ca-c19"
+  aws_account_id = "054411035179"
+  instance_termination_protection = false # set to true for production!
+  splunk_prefix = "ca-c19"
+  splunk_private_hec = false # True if the customer needs a private HTTP Event Collector such as for ALSI
+
+  splunk_data_sources = [
+    "x.x.x.x/32", # TODO: Add customer's public IP addresses
+  ]
+  splunk_legacy_cidr = [ ] # Should not be needed for new customers
+  splunk_asg_sizes   = [ 1, 1, 1 ] # How many indexers in each site
+  
+  
+  account_tags = {
+    "Client": local.splunk_prefix,
+  } 
+  c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2" # TODO: Subsitute with test or prod
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  vpc_info = { 
+    "vpc-splunk" = {
+       "name" = "vpc-splunk",
+       "purpose" = "Splunk Systems (TODO)", # TODO: Substitute with Customer Name
+       "cidr" = "TODO",
+       "tgw_attached" = true
+    }
+  } 
+
+  # For testing
+  create_test_instance = false
+
+  # Qualys Connector - See https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/Qualys
+  qualys_connector_externalid = "LATER" # Needs to come from the qualys console
+
+  # End of TODO
+
+  # Splunk instance sizes can be customized
+  # TODO: Set these appropriately in the skeleton for prod
+  instance_types = {
+    "alsi-master"    = "t3a.small",
+    "alsi-worker"    = "t3a.small",
+    "splunk-cm"      = "t3a.small",  # legacy: t2.small
+    "splunk-indexer" = "i3en.large", # legacy: t2.small, but whats the point if we don't have instance storage.
+    "splunk-hf"      = "t3a.small", # legacy: t2.medium
+    "splunk-sh"      = "t3a.small", # legacy: ? not sure
+  }
+
+  # Splunk Volume Sizes are probably fine at defaults
+  splunk_volume_sizes = {
+    "cluster_master" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "indexer" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "searchhead" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "heavy_forwarder" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+  }
+
+  # ALSI - Aggregated Log Source Ingestion
+  #
+  # If cribl is being used for log ingestion, remember to turn on splunk_private_hec, too.
+  alsi_workers = 0 # how many cribl workers
+  alsi_splunk_nlb = false # splunk://moose-alsi-splunk.xdr{,test}.accenturefederalcyber.com:9997 and 9998
+  alsi_elastic_alb = false # https://moose-alsi-elastic.xdr{,test}.accenturefederalcyber.com -> 9200
+  alsi_hec_alb = false # https://moose-alsi-hec.xdr{,test}.accenturefederalcyber.com -> 8080
+}
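Review bot: `instance_termination_protection = false` is committed under `prod/` even though its own comment says to set it to true for production. Several neighbouring values are placeholders that still parse as valid strings: `"x.x.x.x/32"` in `splunk_data_sources`, `"cidr" = "TODO"`, and `qualys_connector_externalid = "LATER"`. The external ID matters most, because a role trust condition built from a known placeholder would presumably not give the confused-deputy protection an external ID is meant to provide; the connector module is not visible here. I would set `instance_termination_protection = true` now. I would also add a comment above the `# TODO put the right values here` line, such as `# Do not apply any module in this account until every TODO/LATER value below is replaced`, so the placeholders cannot be applied unnoticed.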

+ 1 - 1
prod/aws/mdr-prod-doed/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.17"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
prod/aws/mdr-prod-frtib/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.10.17"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 0
prod/aws/partition.hcl

@@ -8,6 +8,7 @@ locals {
   common_services_account = "471284459109"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
   tfstate_region = "us-east-1"
+  binaries_key = "key/b51760b2-d6e1-438a-afd4-1e56f5ac82ef"
 
   # Statically setting the 'last known good' ami gives us some added flexibility
   # in building amis more regularly.
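Review bot: `binaries_key` is added as a bare `key/<uuid>` string, with no comment saying which account and region the key lives in or what it protects. A reader therefore cannot tell whether the identical value in `prod/aws/partition.hcl` and `test/aws/partition.hcl` is intended. Both files use the same `common_services_account`, so it is presumably one key in that account, but that is an inference. A comment such as `# KMS key in the common services account (<region>) used for <purpose>` above the line would settle it. The same applies to the `binaries_key` line added in `test/aws-us-gov/partition.hcl`. The `locals` block starts and ends outside the hunk.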

+ 1 - 1
test/aws-us-gov/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 0 - 1
test/aws-us-gov/mdr-test-c2/220-instance-jira/.tfswitch.toml

@@ -1 +0,0 @@
-version = "0.13.5"

+ 1 - 0
test/aws-us-gov/mdr-test-c2/250-phantom/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../.tfswitch.toml

+ 42 - 0
test/aws-us-gov/mdr-test-c2/250-phantom/terragrunt.hcl

@@ -0,0 +1,42 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/phantom?ref=v1.22.0"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-private-services"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Phantom System"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  instance_type = local.account_vars.locals.instance_types["phantom"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  public_subnets = dependency.vpc.outputs.public_subnets # Phantom is on a PUBLIC subnet for direct comm
+}
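Review bot: In `inputs`, `vpc_id`, `azs` and `public_subnets` come from the `../010-vpc-private-services` dependency, but `vpc_cidr` is read from `vpc_info["vpc-splunk"]`, which looks like a different VPC. If the phantom module uses `vpc_cidr` to build security-group rules, they would be scoped to the wrong range, which matters more because the instance sits on a public subnet. The module and this account's `vpc_info` map are not visible here, so confirm which keys exist. If there is an entry for the private-services VPC, the line should read `vpc_cidr = local.account_vars.locals.vpc_info["<private-services key>"]["cidr"]`. Given the public placement, a comment next to `public_subnets` saying which sources are allowed to reach Phantom would also help reviewers.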

+ 7 - 6
test/aws-us-gov/mdr-test-c2/account.hcl

@@ -142,18 +142,19 @@ locals {
   instance_types = {
     "alsi-master"    = "t3a.small",
     "alsi-worker"    = "t3a.small",
+    "github"         = "c5.2xlarge", # legacy: c4.4xlarge in prod, c5.2xlarge in test
+    "github-backup"  = "t3a.medium", # legacy: t2.micro
+    "jira-rds"       = "db.t3.medium",
+    "jira-server"    = "t3a.small", # legacy test: t2.small, legacy prod: t2.medium
+    "phantom"        = "t3a.medium", # legacy test: t2.medium, legacy prod: m4.4xlarge
+    "qcompliance"    = "t3a.small", # legacy: ? not sure
     "splunk-cm"      = "t3a.small",  # legacy: t2.small
+    "splunk-hf"      = "t3a.small", # legacy: t2.medium
     #"splunk-indexer" = "t3a.small", # legacy: t2.small, but whats the point if we don't have instance storage.
     #"splunk-indexer" = "i3en.large", # legacy: t2.small, but whats the point if we don't have instance storage.
     #"splunk-indexer" = "m5d.large", # these are 1/2 the price of i3en.larges. 8GB RAM, 75GB storage
     "splunk-indexer" = "m5d.xlarge", # 16GB RAM, 150GB SSD
-    "splunk-hf"      = "t3a.small", # legacy: t2.medium
     "splunk-sh"      = "t3a.small", # legacy: ? not sure
-    "qcompliance"    = "t3a.small", # legacy: ? not sure
-    "github"         = "c5.2xlarge", # legacy: c4.4xlarge in prod, c5.2xlarge in test
-    "github-backup"  = "t3a.medium", # legacy: t2.micro
-    "jira-rds"       = "db.t3.medium",
-    "jira-server"    = "t3a.small", # legacy test: t2.small, legacy prod: t2.medium
   }
 
   # TODO: The instance types below should be moved to the instance_type map above

+ 1 - 1
test/aws-us-gov/mdr-test-malware/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.0.1"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 0
test/aws-us-gov/partition.hcl

@@ -8,6 +8,7 @@ locals {
   common_services_account = "701290387780"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
   tfstate_region = "us-gov-east-1"
+  binaries_key = "key/a3ed054e-73be-45b4-acf8-6d06cb18cff9"
 
   # Statically setting the 'last known good' ami gives us some added flexibility
   # in building amis more regularly.

+ 1 - 1
test/aws/legacy-mdr-test/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 11 - 11
test/aws/legacy-mdr-test/210-rds-jira/terragrunt.hcl

@@ -15,7 +15,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/jira/rds_jira?ref=v1.10.15"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/terminated?ref=v1.21.7"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -25,14 +25,14 @@ include {
 
 # These are the variables we have to pass in to use the module specified in the terragrunt source above
 inputs = {
-  # All of the inputs from the inherited hcl files are available automatically
-  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
-  # will be more flexible if you specify particular input values.
-  tags = {
-    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  }
-  identifier = "jira2"
-  instance_type = local.account_vars.locals.instance_types["jira-rds"]
-  vpc_id = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["id"]
-  subnets = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_subnets"]
+#  # All of the inputs from the inherited hcl files are available automatically
+#  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+#  # will be more flexible if you specify particular input values.
+#  tags = {
+#    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+#  }
+#  identifier = "jira2"
+#  instance_type = local.account_vars.locals.instance_types["jira-rds"]
+#  vpc_id = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["id"]
+#  subnets = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_subnets"]
 }
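Review bot: The second hunk comments out every line of `inputs` instead of deleting them, leaving an `inputs = { }` block that holds only dead configuration for a module the file no longer uses. The `source` now points at `base/terminated`, so the old `identifier`, `instance_type`, `vpc_id` and `subnets` values are recoverable from history and can be removed. I would replace them with a single line such as `# No inputs: resources in this directory are terminated via base/terminated`. Applying this presumably destroys the `jira2` RDS instance, so it would also help to record in the commit description whether a final snapshot was taken; nothing visible here shows one.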

+ 0 - 3
test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-dc-c19/README.md

@@ -1,3 +0,0 @@
-# Attaches the legacy VPCs to the transit gateway
-
-

+ 0 - 3
test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-la-c19/README.md

@@ -1,3 +0,0 @@
-# Attaches the legacy VPCs to the transit gateway
-
-

+ 0 - 3
test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-ma-c19/README.md

@@ -1,3 +0,0 @@
-# Attaches the legacy VPCs to the transit gateway
-
-

+ 0 - 45
test/aws/legacy-mdr-test/disabled/022-attach-transit-gateway-to-legacy-ma-c19/terragrunt.hcl

@@ -1,45 +0,0 @@
-locals {
-  # If you want to use any of the variables in _this_ file, you have to load them here.
-  # However, they will all be available as inputs to the module loaded in terraform.source
-  # below.
-
-  # e.g. inherited variables:
-  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
-  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-}
-
-dependency "transit_gateway" {
-  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
-}
-
-# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
-# working directory, into a temporary folder, and execute your Terraform commands in that folder.
-terraform {
-  # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.5.1"
-}
-
-# Include all settings from the root terragrunt.hcl file
-include {
-  path = find_in_parent_folders()
-}
-
-# These are the variables we have to pass in to use the module specified in the terragrunt source above
-inputs = {
-  # All of the inputs from the inherited hcl files are available automatically
-  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
-  # will be more flexible if you specify particular input values.
-  tags = {
-    Name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}-LEGACY"
-    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  }
-  accept_invitation = false # Should only be true for the first attachment
-  share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
-  tgw_id = dependency.transit_gateway.outputs.tgw_id
-  vpc_id =  local.account_vars.locals.legacy_vpcs["ma-c19"]["id"]
-  subnets = local.account_vars.locals.legacy_vpcs["ma-c19"]["private_subnets"]
-  route_tables = concat(local.account_vars.locals.legacy_vpcs["ma-c19"]["public_route_tables"], local.account_vars.locals.legacy_vpcs["ma-c19"]["private_route_tables"])
-}

+ 1 - 1
test/aws/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 1
test/aws/mdr-test-modelclient/006-account-standards/terragrunt.hcl

@@ -14,7 +14,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.9.8"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v1.21.8"
 }
 
 dependency "c2_account_standards" {

+ 1 - 0
test/aws/partition.hcl

@@ -8,6 +8,7 @@ locals {
   common_services_account = "471284459109"
   common_profile = "${local.aws_partition == "aws-us-gov" ? "govcloud" : "commercial"}"
   tfstate_region = "us-east-1"
+  binaries_key = "key/b51760b2-d6e1-438a-afd4-1e56f5ac82ef"
 
   # Statically setting the 'last known good' ami gives us some added flexibility
   # in building amis more regularly.