Merge pull request #20 from mdr-engineering/feature/ftd_MSOCI-1277_configure_vpns

Connects interconnect Nodes to both Transit Gateways

000-skeleton/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,4 +31,7 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
 }

000-skeleton/006-account-standards/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -31,10 +31,7 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
-  #name = "vpc_primary_${local.account_vars.locals.account_name}"
-  #cidr = local.account_vars.locals.standard_vpc_cidr
-  #tags = {
-  #  Purpose = "Malware Detonation"
-  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  #}
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
 }

000-skeleton/010-standard-vpc/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,7 +34,7 @@ inputs = {
   name = "vpc_primary_${local.account_vars.locals.account_name}"
   cidr = local.account_vars.locals.standard_vpc_cidr
   tags = {
-    Purpose = "Malware Detonation"
+    Purpose = "Standard VPC"
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
 }

000-skeleton/020-attach-transit-gateway-to-standard-vpc/terragrunt.hcl

@@ -24,7 +24,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

000-skeleton/025-test-instance/terragrunt.hcl

@@ -19,7 +19,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/test_instance?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

bin/update_all_from_skeleton

@@ -0,0 +1,92 @@
+#! /bin/bash
+# 
+# Run from an account directory to update all the child directory's standard files
+
+function argparse {
+  PARAMS=""
+  while (( "$#" )); do
+    case "$1" in
+      -h|--help)
+        echo Usage: $0 '[-t|--test] [-d|--debug]'
+        exit 0
+        ;;
+      -t|--test)
+        TESTING="/bin/echo TESTING: "
+        shift
+        ;;
+      -d|--debug)
+        >&2 echo debug: Enabling debugging..
+        DEBUG=1
+        shift
+        ;;
+#      -p|--only-path)
+#        if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+#          ONLY_PATH=$2
+#          shift 2
+#        else
+#          echo "Error: Argument for $1 is missing" >&2
+#          exit 1
+#        fi
+#        ;;
+      -*|--*=) # unsupported flags
+        echo "Error: Unsupported flag $1" >&2
+        exit 1
+        ;;
+      *) # preserve positional arguments
+        PARAMS="$PARAMS $1"
+        shift
+        ;;
+    esac
+  done
+  # set positional arguments in their proper place
+  eval set -- "$PARAMS"
+}
+
+# Main
+argparse $*
+
+SHORT_PWD=$( basename ${PWD}  )
+PARENT_PWD=$( basename $( cd .. && pwd ) )
+[[ $DEBUG == 1 ]] && >&2 echo debug: PWD=$PWD
+[[ $DEBUG == 1 ]] && >&2 echo debug: SHORT_PWD=$SHORT_PWD
+
+# Sanity Checking
+if [[ $SHORT_PWD == "000-skeleton" ]]; then
+  >&2 echo Error: Cannot run from skeleton directory. Exiting...
+  exit 1
+fi
+
+if [[ $SHORT_PWD =~ ^[0-9]{3}-.* ]]; then
+  >&2 echo Error: We appear to be in a module directory. Please run from the account directory you wish to update. Exiting...
+  exit 2
+fi
+
+if [[ ! $PARENT_PWD =~ ^aws ]]; then
+  >&2 echo Error: We do not appear to be in an account directory. Failing...
+  exit 3
+fi
+
+for i in `seq -f "../../../000-skeleton/%g*" 0 9`; do
+  MODULE=$( basename $i )
+  [[ $TESTING ]] && >&2 echo debug: Processing module $MODULE...
+  if [[ -d $MODULE ]]; then
+    [[ $DEBUG ]] && >&2 echo debug: Module exists. Updating carefully.
+    pushd . > /dev/null
+    cd $MODULE
+    update_from_skeleton $*
+    popd > /dev/null
+  else
+    # Special case: 020-attach-transit-gateway-to-standard-vpc
+    if [[ $MODULE == "020-attach-transit-gateway-to-standard-vpc" && $SHORT_PWD =~ -c2$ ]]; then
+      echo Skipping $MODULE for C2 Accounts
+    else
+      [[ -d ../../../000-skeleton/$MODULE ]] && ${TESTING} cp -rv ../../../000-skeleton/$MODULE .
+    fi
+  fi
+done
+
+echo Finished. Don\'t forget to update account.hcl. 
+echo '--------------- 000-skeleton/account.hcl ----------------'
+cat ../../../000-skeleton/account.hcl
+echo '---------------       finished           ----------------'
+

bin/update_from_skeleton

@@ -0,0 +1,118 @@
+#! /bin/bash
+#
+# Updates the local environments from the skeleton directory
+# Parse Arguments. This is a standard parser.
+# 
+# At present, should be fun from a ###-module directory
+# Future work:
+#   * Run it from the account directory
+#   * Specify only one path
+
+function argparse {
+  PARAMS=""
+  while (( "$#" )); do
+    case "$1" in
+      -h|--help)
+        echo Usage: $0 '[-t|--test] [-d|--debug]'
+        exit 0
+        ;;
+      -t|--test)
+        TESTING="/bin/echo TESTING: "
+        shift
+        ;;
+      -d|--debug)
+        >&2 echo debug: Enabling debugging.. 
+        DEBUG=1
+        shift
+        ;;
+#      -p|--only-path)
+#        if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
+#          ONLY_PATH=$2
+#          shift 2
+#        else
+#          echo "Error: Argument for $1 is missing" >&2
+#          exit 1
+#        fi
+#        ;;
+      -*|--*=) # unsupported flags
+        echo "Error: Unsupported flag $1" >&2
+        exit 1
+        ;;
+      *) # preserve positional arguments
+        PARAMS="$PARAMS $1"
+        shift
+        ;;
+    esac
+  done
+  # set positional arguments in their proper place
+  eval set -- "$PARAMS"
+}
+
+function cmpfile {
+  # Returns 0 if they're the same (and should not be copied)
+  # Returns 1 if they're different (and should be copied)
+  SRCFILE=$1
+  DSTFILE=$1
+
+  if [[ ! -f $SRCFILE ]]; then
+    [[ $DEBUG ]] && echo Warning: $SRCFILE does not exist. Not copying...
+    return 0
+  fi
+
+  if [[ ! -f $DSTFILE ]]; then
+    echo Warning: $DSTFILE does not exist. Copying regardless...
+    return 1
+  fi
+
+  diff $SRCFILE $DSTFILE > /dev/null 2> /dev/null
+  if [[ $? == 0 ]]; then
+    [[ $DEBUG ]] && >&2 echo debug: $SRCFILE and $DSTFILE are same
+    return 0
+  else
+    [[ $DEBUG ]] && >&2 echo debug: $SRCFILE and $DSTFILE are different
+    return 1
+  fi
+}
+
+# Main
+argparse $*
+
+SHORT_PWD=$( basename ${PWD}  )
+PARENT_PWD=$( basename $( cd .. && pwd ) )
+[[ $DEBUG == 1 ]] && >&2 echo debug: PWD=$PWD
+[[ $DEBUG == 1 ]] && >&2 echo debug: SHORT_PWD=$SHORT_PWD
+[[ $DEBUG == 1 ]] && >&2 echo debug: PARENT_PWD=$PARENT_PWD
+
+# Sanity checking
+if [[ $SHORT_PWD == "000-skeleton" ]]; then
+  >&2 echo Error: Cannot run from skeleton directory. Exiting...
+  exit 1
+fi
+
+if [[ ! $SHORT_PWD =~ ^[0-9]{3}-.* ]]; then
+  >&2 echo Error: Please run from the module directory you wish to update. Exiting...
+  exit 2
+fi
+
+SRC=../../../../000-skeleton/${SHORT_PWD}
+
+if [[ ! -d ${SRC} ]]; then
+  >&2 echo Error: ${SRC} does not exist. Cannot copy.
+  exit 3
+fi
+
+cmpfile ${SRC}/README.md ./README.md
+if [[ $? != 0 ]]; then
+  echo Copying readme from skeleton...
+  ${TESTING} cp -vf ${SRC}/README.md .
+else
+  echo Not copying readme.
+fi
+
+cmpfile ${SRC}/terragrunt.hcl ./terragrunt.hcl
+if [[ $? != 0 ]]; then
+  echo Copying terragrunt.hcl from skeleton...
+  ${TESTING} cp -vf ${SRC}/terragrunt.hcl .
+else
+  echo Not copying terragrunt.
+fi

test/aws-us-gov/mdr-test-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws-us-gov/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.3.2"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws-us-gov/mdr-test-c2/008-transit-gateway-hub/terragrunt.hcl

@@ -15,7 +15,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws-us-gov/mdr-test-c2/010-standard-vpc/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws-us-gov/mdr-test-c2/015-security-vpc/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/security_vpc?ref=v0.3.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/palo_alto/security_vpc?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws-us-gov/mdr-test-c2/018-interconnect-instances/README.md

@@ -13,7 +13,7 @@ terragrunt plan
 1. Stop routing daemon on instance? (May not be necessary)
 1. Taint one instance: 
 ```
-terragrunt taint aws_instance.xdr_interconnects[0]
+terragrunt taint aws_instance.interconnects[0]
 ```
 1. Rebuild
 ```

test/aws-us-gov/mdr-test-c2/018-interconnect-instances/example.cft

@@ -1,727 +0,0 @@
-# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
-AWSTemplateFormatVersion: '2010-09-09'
-
-Description: strongSwan VPN Gateway as an EC2 Instance
-
-Metadata:
-  AWS::CloudFormation::Interface:
-    ParameterGroups:
-    - Label:
-        default: System Classification
-      Parameters:
-      - pOrg
-      - pSystem
-      - pApp
-    - Label:
-        default: System Environment
-      Parameters:
-      - pEnvPurpose
-    - Label:
-        default: VPN Tunnel 1
-      Parameters:
-      - pTunnel1Psk
-      - pTunnel1VgwOutsideIpAddress
-      - pTunnel1VgwInsideCidr
-      - pTunnel1CgwInsideCidr
-      - pTunnel1BgpAsn
-      - pTunnel1BgpNeighborIpAddress
-    - Label:
-        default: VPN Tunnel 2
-      Parameters:
-      - pTunnel2Psk
-      - pTunnel2VgwOutsideIpAddress
-      - pTunnel2VgwInsideCidr
-      - pTunnel2CgwInsideCidr
-      - pTunnel2BgpAsn
-      - pTunnel2BgpNeighborIpAddress
-    - Label:
-        default: Local Network Configuration
-      Parameters:
-      - pVpcId
-      - pVpcCidr
-      - pSubnetId
-      - pUseElasticIp
-      - pEipAllocationId
-      - pLocalBgpAsn
-    - Label:
-        default: EC2  
-      Parameters:
-      - pAmiId
-      - pInstanceType
-
-    ParameterLabels:
-      pOrg:
-        default: Organization Identifier
-      pSystem:
-        default: System Identifier
-      pApp:
-        default: Application Identifier
-      pEnvPurpose:
-        default: Environment Purpose
-
-      pTunnel1Psk:
-        default: VPN Tunnel 1 Pre-Shared Key
-      pTunnel1VgwOutsideIpAddress:
-        default: VPN Tunnel 1 Virtual Private Gateway Outside IP Address
-      pTunnel1VgwInsideCidr:
-        default: VPN Tunnel 1 Virtual Private Gateway Inside CIDR
-      pTunnel1CgwInsideCidr:
-        default: VPN Tunnel 1 Customer Gateway Inside CIDR
-      pTunnel1BgpAsn:
-        default: VPN Tunnel 1 BGP ASN
-      pTunnel1BgpNeighborIpAddress:
-        default: VPN Tunnel 1 BGP Neighbor IP Address
-
-      pTunnel2Psk:
-        default: VPN Tunnel 2 Pre-Shared Key
-      pTunnel2VgwOutsideIpAddress:
-        default: VPN Tunnel 2 Virtual Private Gateway Outside IP Address
-      pTunnel2VgwInsideCidr:
-        default: VPN Tunnel 2 Virtual Private Gateway Inside CIDR
-      pTunnel2CgwInsideCidr:
-        default: VPN Tunnel 2 Customer Gateway Inside CIDR
-      pTunnel2BgpAsn:
-        default: VPN Tunnel 2 BGP ASN
-      pTunnel2BgpNeighborIpAddress:
-        default: VPN Tunnel 2 BGP Neighbor IP Address
-
-      pUseElasticIp:
-        default: Use Elastic IP Address? (true/false)
-      pEipAllocationId:
-        default: Elastic IP Address Allocation ID
-      pLocalBgpAsn:
-        default: Local VPN Gateway's BGP ASN
-      pVpcId:
-        default: VPC ID
-      pVpcCidr:
-        default: VPC CIDR Block
-      pSubnetId:
-        default: Subnet ID for VPN Gateway
-
-      pInstanceType:
-        default: EC2 Instance Type
-      pAmiId:
-        default: EC2 AMI ID
-
-Parameters:
-  pOrg:
-    Type: String
-    Description: Used to qualify resource names
-    Default: example
-
-  pSystem:
-    Type: String
-    Description: Used to qualify resource names
-    Default: infra
-
-  pApp:
-    Type: String
-    Description: Used to qualify resource names
-    Default: vpngw
-
-  pEnvPurpose:
-    Type: String
-    Description: Used to qualify resource names. 10 characters max.
-    AllowedPattern: '^[a-zA-Z0-9-_]{1,10}$'
-  
-  pTunnel1Psk:
-    Description: VPN Tunnel 1 Pre-Shared Key
-    Type: String
-
-  pTunnel1VgwOutsideIpAddress:
-    Description: VPN Tunnel 1 Virtual Private Gateway Outside IP Address
-    Type: String
-
-  pTunnel1VgwInsideCidr:
-    Description: VPN Tunnel 1 Virtual Private Gateway Inside CIDR
-    Type: String
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|3[0-8]))$ 
-
-  pTunnel1CgwInsideCidr:
-    Description:  VPN Tunnel 1 Customer Gateway Inside CIDR
-    Type: String
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|3[0-8]))$ 
-
-  pTunnel1BgpAsn:
-    Description: VPN Tunnel 1 BGP ASN
-    Type: Number
-    Default: 64512
-
-  pTunnel1BgpNeighborIpAddress:
-    Description: VPN Tunnel 1 BGP Neighbor IP Address
-    Type: String
-  
-  pTunnel2Psk:
-    Description: VPN Tunnel 2 Pre-Shared Key
-    Type: String
-
-  pTunnel2VgwOutsideIpAddress:
-    Description: VPN Tunnel 2 Virtual Private Gateway Outside IP Address
-    Type: String
-
-  pTunnel2VgwInsideCidr:
-    Description: VPN Tunnel 2 Virtual Private Gateway Inside CIDR
-    Type: String
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|3[0-8]))$ 
-
-  pTunnel2CgwInsideCidr:
-    Description:  VPN Tunnel 2 Customer Gateway Inside CIDR
-    Type: String
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|3[0-8]))$ 
-  
-  pTunnel2BgpAsn:
-    Description: VPN Tunnel 2 BGP ASN
-    Type: Number
-    Default: 64512
-    
-  pUseElasticIp:
-    Type: String
-    Description: Whether Elastic IP address is to be used.
-    Default: false
-    AllowedValues: [true, false]
-
-  pEipAllocationId:
-    Description: Elastic IP Address Alocation ID
-    Type: String
-
-  pLocalBgpAsn:
-    Description: Local VPN Gateway's BGP ASN
-    Type: Number
-    Default: 65000
-
-  pTunnel2BgpNeighborIpAddress:
-    Description: VPN Tunnel 2 BGP Neighbor IP Address
-    Type: String
-
-  pVpcId:
-    Description: VPC ID
-    Type: AWS::EC2::VPC::Id
-
-  pVpcCidr:
-    Description: VPC CIDR Block
-    Type: String
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-
-  pSubnetId:
-    Description: Subnet ID for VPN Gateway
-    Type: AWS::EC2::Subnet::Id
-
-  pInstanceType:
-    Description: EC2 Instance Type
-    Type: String
-    Default: t3a.micro
-    AllowedValues:
-      - t3a.micro
-      - t3a.small
-      - t3a.medium
-    ConstraintDescription: must be a valid EC2 instance type.
-
-  pAmiId:
-    Description: EC2 AMI ID
-    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
-    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-ebs'
-
-Rules:
-  SubnetsInVPC:
-    Assertions:
-      - Assert:
-          'Fn::EachMemberIn':
-            - 'Fn::ValueOfAll':
-                - 'AWS::EC2::Subnet::Id'
-                - VpcId
-            - 'Fn::RefAll': 'AWS::EC2::VPC::Id'
-        AssertDescription: All subnets must in the VPC
-
-Conditions:
-  cUseElasticIp: !Equals [ !Ref 'pUseElasticIp', true ]
-
-Resources:
-  rInstanceSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      GroupName: !Sub '${pSystem}-${pApp}-ec2-${pEnvPurpose}'
-      VpcId: !Ref pVpcId
-      GroupDescription: Allow traffic from other VPN gateway and all locally sourced traffic
-      SecurityGroupIngress:
-        - IpProtocol: udp
-          FromPort: 500
-          ToPort: 500
-          CidrIp: !Sub '${pTunnel1VgwOutsideIpAddress}/32'
-        - IpProtocol: udp
-          FromPort: 500
-          ToPort: 500
-          CidrIp: !Sub '${pTunnel2VgwOutsideIpAddress}/32'
-        - IpProtocol: udp
-          FromPort: 4500
-          ToPort: 4500
-          CidrIp: !Sub '${pTunnel1VgwOutsideIpAddress}/32'
-        - IpProtocol: udp
-          FromPort: 4500
-          ToPort: 4500
-          CidrIp: !Sub '${pTunnel2VgwOutsideIpAddress}/32'
-        - IpProtocol: '50'
-          CidrIp: !Sub '${pTunnel1VgwOutsideIpAddress}/32'
-        - IpProtocol: '50'
-          CidrIp: !Sub '${pTunnel2VgwOutsideIpAddress}/32'
-        - IpProtocol: '51'
-          CidrIp: !Sub '${pTunnel1VgwOutsideIpAddress}/32'
-        - IpProtocol: '51'
-          CidrIp: !Sub '${pTunnel2VgwOutsideIpAddress}/32'
-        - IpProtocol: '-1'
-          FromPort: 0
-          ToPort: 65535
-          CidrIp: !Ref pVpcCidr
-
-  rLaunchTemplate:
-    Type: AWS::EC2::LaunchTemplate
-    Properties: 
-      LaunchTemplateName: !Sub '${pSystem}-${pApp}-${pEnvPurpose}'
-      LaunchTemplateData: 
-        InstanceType: !Ref pInstanceType
-        ImageId: !Ref pAmiId
-        IamInstanceProfile: 
-          Arn: !GetAtt rInstanceProfile.Arn
-        NetworkInterfaces:
-          - DeviceIndex: 0
-            DeleteOnTermination: true
-            Description: !Sub '${pSystem}-${pApp}-${pEnvPurpose}'
-            Groups:
-              - !Ref rInstanceSecurityGroup
-            AssociatePublicIpAddress: !Ref pUseElasticIp
-        UserData:
-          Fn::Base64: !Sub |
-            #!/bin/bash -xe
-            yum install -y aws-cfn-bootstrap
-
-            /opt/aws/bin/cfn-init -v \
-                --stack ${AWS::StackName} \
-                --resource rLaunchTemplate \
-                --configsets All \
-                --region ${AWS::Region}
-
-            /opt/aws/bin/cfn-signal -e $? \
-                '${rVpnGatewayWaitHandle}'
-    Metadata:
-      AWS::CloudFormation::Init:
-        configSets:
-          All:
-            - 01-ConfigureCloudWatchMetrics
-            - 02-ConfigureCloudWatchLogsAgent
-            - 03-InstallEpel
-            - 04-ConfigureVpnGateway
-        01-ConfigureCloudWatchMetrics:
-          packages:
-            yum:
-              perl-Switch: []
-              perl-DateTime: []
-              perl-Sys-Syslog: []
-              perl-LWP-Protocol-https: []
-              perl-Digest-SHA.x86_64: []
-          sources:
-            /home/ec2-user: >-
-              https://aws-cloudwatch.s3.amazonaws.com/downloads/CloudWatchMonitoringScripts-1.2.2.zip
-          files:
-            /home/ec2-user/crontab:
-              content: !Sub |
-                */1 * * * * ~/aws-scripts-mon/mon-put-instance-data.pl --aws-iam-role=${rRole} --mem-used --memory-units=megabytes --mem-util --disk-space-util --disk-space-used --disk-space-avail --disk-path=/
-              mode: '000600'
-              owner: ec2-user
-              group: ec2-user
-          commands:
-            01-yum-update:
-              command: yum update -y
-            02-monitoring-cron:
-              command: >-
-                chmod +x /home/ec2-user/aws-scripts-mon/*.pl && crontab -u
-                ec2-user /home/ec2-user/crontab && rm /home/ec2-user/crontab
-        02-ConfigureCloudWatchLogsAgent:
-          packages:
-            yum:
-              awslogs: []
-          files:
-            /etc/awslogs/awslogs.conf:
-              content: !Sub |
-                [general]
-                state_file= /var/awslogs/state/agent-state
-
-                [/var/log/cloud-init.log]
-                file = /var/log/cloud-init.log
-                log_group_name = ${rCloudWatchLogsAgentGroup}
-                log_stream_name = {instance_id}/cloud-init.log
-                datetime_format =
-
-                [/var/log/cloud-init-output.log]
-                file = /var/log/cloud-init-output.log
-                log_group_name = ${rCloudWatchLogsAgentGroup}
-                log_stream_name = {instance_id}/cloud-init-output.log
-                datetime_format =
-
-                [/var/log/cfn-init.log]
-                file = /var/log/cfn-init.log
-                log_group_name = ${rCloudWatchLogsAgentGroup}
-                log_stream_name = {instance_id}/cfn-init.log
-                datetime_format =
-
-                [/var/log/cfn-wire.log]
-                file = /var/log/cfn-wire.log
-                log_group_name = ${rCloudWatchLogsAgentGroup}
-                log_stream_name = {instance_id}/cfn-wire.log
-                datetime_format =
-
-                [/var/log/charon.log]
-                file = /var/log/charon.log
-                log_group_name = ${rCloudWatchLogsAgentGroup}
-                log_stream_name = {instance_id}/charon.log
-                datetime_format =
-
-                [/var/log/quagga/zebra.log]
-                file = /var/log/quagga/zebra.log
-                log_group_name = ${rCloudWatchLogsAgentGroup}
-                log_stream_name = {instance_id}/zebra.log
-                datetime_format =
-
-                [/var/log/quagga/bgpd.log]
-                file = /var/log/quagga/bgpd.log
-                log_group_name = ${rCloudWatchLogsAgentGroup}
-                log_stream_name = {instance_id}/bgpd.log
-                datetime_format =
-              mode: '000444'
-              owner: root
-              group: root
-            /etc/awslogs/awscli.conf:
-              content: !Sub |
-                [plugins]
-                cwlogs = cwlogs
-                [default]
-                region = ${AWS::Region}
-              mode: '000444'
-              owner: root
-              group: root
-          commands:
-            01-create-awslogs-state-file:
-              command: mkdir -p /var/awslogs/state
-            02-enable-awslogsd:
-              command: systemctl enable awslogsd.service
-            03-start-awslogsd:
-              command: systemctl start awslogsd
-        03-InstallEpel:
-          commands:
-            01-install-epel:
-              command: amazon-linux-extras install epel -y
-        04-ConfigureVpnGateway:
-          packages:
-            yum:
-              strongswan: []
-              ntp: []
-              quagga: []
-          files:
-            /etc/strongswan/strongswan.conf:
-              content: |
-                # strongswan.conf - strongSwan configuration file
-                #
-                # Refer to the strongswan.conf(5) manpage for details
-                #
-                # Configuration changes should be made in the included files
-                charon {
-                  plugins {
-                    include strongswan.d/charon/*.conf
-                  }
-                  load_modular = yes
-                  filelog {
-                    charon {
-                      path = /var/log/charon.log
-                      time_format = %b %e %T
-                      ike_name = yes
-                      append = yes
-                    }
-                  }
-                }
-              mode: '000600'
-              owner: root
-              group: root
-            /etc/strongswan/ipsec.conf:
-              content: !Sub |
-                conn %default
-                  leftauth=psk
-                  rightauth=psk
-                  ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
-                  ikelifetime=28800s
-                  aggressive=no
-                  esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
-                  lifetime=3600s
-                  type=tunnel
-                  dpddelay=10s
-                  dpdtimeout=30s
-                  keyexchange=ikev1
-                  rekey=yes
-                  reauth=no
-                  dpdaction=restart
-                  closeaction=restart
-                  left=%defaultroute
-                  leftsubnet=0.0.0.0/0,::/0
-                  rightsubnet=0.0.0.0/0,::/0
-                  leftupdown=/etc/strongswan/ipsec-vti.sh
-                  installpolicy=yes
-                  compress=no
-                  mobike=no
-
-                conn AWS-VPC-TUNNEL-1
-                  left=%any
-                  right=${pTunnel1VgwOutsideIpAddress}
-                  auto=start
-                  mark=100
-
-                conn AWS-VPC-TUNNEL-2
-                  left=%any
-                  right=${pTunnel2VgwOutsideIpAddress}
-                  auto=start
-                  mark=200
-              mode: '000600'
-              owner: root
-              group: root
-            /etc/strongswan/ipsec-vti.sh:
-              content: !Sub |
-                #!/bin/bash
-                
-                #@ /etc/strongswan/ipsec-vti.sh (Centos) or /etc/strongswan.d/ipsec-vti.sh (Ubuntu)
-                
-                # AWS VPC Hardware VPN Strongswan updown Script
-                
-                # Usage Instructions:
-                # Add "install_routes = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
-                # Add "install_virtual_ip = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
-                # For Ubuntu: Add "leftupdown=/etc/strongswan.d/ipsec-vti.sh" to /etc/ipsec.conf
-                # For RHEL/Centos: Add "leftupdown=/etc/strongswan/ipsec-vti.sh" to /etc/strongswan/ipsec.conf
-                # For RHEL/Centos 6 and below: git clone git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git && cd iproute2 && make && cp ./ip/ip /usr/local/sbin/ip
-                
-                # Adjust the below according to the Generic Gateway Configuration file provided to you by AWS.
-                # Sample: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html
-                
-                IP=$(which ip)
-                IPTABLES=$(which iptables)
-                
-                PLUTO_MARK_OUT_ARR=(${!PLUTO_MARK_OUT//// })
-                PLUTO_MARK_IN_ARR=(${!PLUTO_MARK_IN//// })
-                case "$PLUTO_CONNECTION" in
-                  AWS-VPC-TUNNEL-1)
-                    VTI_INTERFACE=vti1
-                    VTI_LOCALADDR=${pTunnel1CgwInsideCidr}
-                    VTI_REMOTEADDR=${pTunnel1VgwInsideCidr}
-                    ;;
-                  AWS-VPC-TUNNEL-2)
-                    VTI_INTERFACE=vti2
-                    VTI_LOCALADDR=${pTunnel2CgwInsideCidr}
-                    VTI_REMOTEADDR=${pTunnel2VgwInsideCidr}
-                    ;;
-                esac
-                
-                case "${!PLUTO_VERB}" in
-                    up-client)
-                        #$IP tunnel add ${!VTI_INTERFACE} mode vti local ${!PLUTO_ME} remote ${!PLUTO_PEER} okey ${!PLUTO_MARK_OUT_ARR[0]} ikey ${!PLUTO_MARK_IN_ARR[0]}
-                        $IP link add ${!VTI_INTERFACE} type vti local ${!PLUTO_ME} remote ${!PLUTO_PEER} okey ${!PLUTO_MARK_OUT_ARR[0]} ikey ${!PLUTO_MARK_IN_ARR[0]}
-                        sysctl -w net.ipv4.conf.${!VTI_INTERFACE}.disable_policy=1
-                        sysctl -w net.ipv4.conf.${!VTI_INTERFACE}.rp_filter=2 || sysctl -w net.ipv4.conf.${!VTI_INTERFACE}.rp_filter=0
-                        $IP addr add ${!VTI_LOCALADDR} remote ${!VTI_REMOTEADDR} dev ${!VTI_INTERFACE}
-                        $IP link set ${!VTI_INTERFACE} up mtu 1436
-                	      $IPTABLES -t mangle -I FORWARD -o ${!VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-                        $IPTABLES -t mangle -I INPUT -p esp -s ${!PLUTO_PEER} -d ${!PLUTO_ME} -j MARK --set-xmark ${!PLUTO_MARK_IN}
-                        $IP route flush table 220
-                        #/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd
-                        ;;
-                    down-client)
-                        #$IP tunnel del ${!VTI_INTERFACE}
-                        $IP link del ${!VTI_INTERFACE}
-                	      $IPTABLES -t mangle -D FORWARD -o ${!VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-                        $IPTABLES -t mangle -D INPUT -p esp -s ${!PLUTO_PEER} -d ${!PLUTO_ME} -j MARK --set-xmark ${!PLUTO_MARK_IN}
-                        ;;
-                esac
-              mode: '000700'
-              owner: root
-              group: root
-            /etc/strongswan/ipsec.secrets:
-              content: !Sub |
-                ${pTunnel1VgwOutsideIpAddress} : PSK "${pTunnel1Psk}"
-                ${pTunnel2VgwOutsideIpAddress} : PSK "${pTunnel2Psk}"
-              mode: '000600'
-              owner: root
-              group: root
-            /etc/quagga/zebra.conf:
-              content: |
-                hostname {HOSTNAME}
-                password zebra
-                enable password zebra
-                !
-                log file /var/log/quagga/zebra.log
-                !
-                ! Configure interfaces
-                interface lo
-                ! Change preferred source ip address of received routes
-                route-map RM_SET_SRC permit 10
-                  set src {PRIVATE_IP}
-                ip protocol bgp route-map RM_SET_SRC
-                !
-                line vty
-              mode: '000600'
-              owner: quagga
-              group: quagga
-            /etc/quagga/bgpd.conf:
-              content: !Sub |
-                hostname bgpd
-                password zebra
-                enable password zebra
-                !
-                log file /var/log/quagga/bgpd.log
-                !
-                debug bgp events
-                debug bgp filters
-                debug bgp fsm
-                debug bgp keepalives
-                debug bgp updates
-                !
-                router bgp ${pLocalBgpAsn}
-                  bgp router-id {PRIVATE_IP} 
-                  network ${pVpcCidr}
-                  neighbor ${pTunnel1BgpNeighborIpAddress} remote-as ${pTunnel1BgpAsn}
-                  neighbor ${pTunnel2BgpNeighborIpAddress} remote-as ${pTunnel2BgpAsn}
-                  neighbor ${pTunnel2BgpNeighborIpAddress} route-map RM_LOWER_PRIORITY out
-                !
-                route-map RM_LOWER_PRIORITY permit 10
-                  set as-path prepend ${pLocalBgpAsn} ${pLocalBgpAsn} ${pLocalBgpAsn}
-                !
-                line vty
-              mode: '000600'
-              owner: quagga
-              group: quagga
-            /etc/sysctl.conf:
-              content: |
-                # sysctl settings are defined through files in
-                # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
-                #
-                # Vendors settings live in /usr/lib/sysctl.d/.
-                # To override a whole file, create a new file with the same in
-                # /etc/sysctl.d/ and put new settings there. To override
-                # only specific settings, add a file with a lexically later
-                # name in /etc/sysctl.d/ and put new settings there.
-                #
-                # For more information, see sysctl.conf(5) and sysctl.d(5).
-                
-                net.ipv4.ip_forward = 1
-                net.ipv4.conf.all.send_redirects = 0
-                net.ipv4.conf.default.send_redirects = 0
-                net.ipv4.tcp_max_syn_backlog = 1280
-                net.ipv4.icmp_echo_ignore_broadcasts = 1
-                net.ipv4.conf.all.accept_source_route = 0
-                net.ipv4.conf.all.accept_redirects = 0
-                net.ipv4.conf.all.secure_redirects = 0
-                net.ipv4.conf.all.log_martians = 1
-                net.ipv4.conf.default.accept_source_route = 0
-                net.ipv4.conf.default.accept_redirects = 0
-                net.ipv4.conf.default.secure_redirects = 0
-                net.ipv4.icmp_echo_ignore_broadcasts = 1
-                net.ipv4.icmp_ignore_bogus_error_responses = 1
-                net.ipv4.tcp_syncookies = 1
-                net.ipv4.conf.all.rp_filter = 1
-                net.ipv4.conf.default.rp_filter = 1
-                net.ipv4.tcp_mtu_probing = 1
-              mode: '000600'
-              owner: root
-              group: root
-          commands:
-            00-sed-instance-specific-settings:
-              command: >- 
-                ipaddr=$(curl 169.254.169.254/latest/meta-data/local-ipv4) &&
-                sed -i -e "s/{PRIVATE_IP}/${ipaddr}/" /etc/quagga/zebra.conf && 
-                sed -i -e "s/{PRIVATE_IP}/${ipaddr}/" /etc/quagga/bgpd.conf && 
-                hostname=$(curl 169.254.169.254/latest/meta-data/local-hostname) &&
-                sed -i -e "s/{HOSTNAME}/${hostname}/" /etc/quagga/zebra.conf
-            01-load-sysctl-changes:
-              command: sysctl -p /etc/sysctl.conf
-            02-enable-ip-forwarding:
-              command: >- 
-                sysctl -w net.ipv4.ip_forward=1 && 
-                sysctl -w net.ipv4.conf.eth0.disable_xfrm=1 && 
-                sysctl -w net.ipv4.conf.eth0.disable_policy=1
-            03-enable-start-ntpd:
-              command: >- 
-                systemctl enable ntpd && 
-                systemctl start  ntpd
-            04-enable-start-strongswan:
-              command: >- 
-                systemctl enable strongswan && 
-                systemctl start  strongswan
-            05-enable-start-zebra:
-              command: >- 
-                systemctl enable zebra && 
-                systemctl start  zebra
-            06-enable-start-bgpd:
-              command: >- 
-                systemctl enable bgpd && 
-                systemctl start  bgpd
-
-  rVpnGatewayEipAssociation:
-    Type: AWS::EC2::EIPAssociation
-    Condition: cUseElasticIp
-    Properties:
-      AllocationId: !Ref pEipAllocationId
-      InstanceId: !Ref rVpnGateway
-
-  rVpnGateway:
-    Type: AWS::EC2::Instance
-    Properties:
-      LaunchTemplate:
-        LaunchTemplateId:
-          Ref: rLaunchTemplate
-        Version:
-          Fn::GetAtt:
-            [ rLaunchTemplate, LatestVersionNumber ]
-      NetworkInterfaces:
-        - DeviceIndex: '0'
-          SubnetId: !Ref pSubnetId
-      SourceDestCheck: false
-      Tags:
-        - Key: Name
-          Value: !Sub '${pSystem}-${pApp}-${pEnvPurpose}'
-
-  rVpnGatewayWaitHandle: 
-   Type: AWS::CloudFormation::WaitConditionHandle
-
-  rVpnGatewayWaitCondition1: 
-    Type: AWS::CloudFormation::WaitCondition
-    DependsOn: rVpnGateway
-    Properties: 
-      Handle: 
-        Ref: rVpnGatewayWaitHandle
-      Timeout: '300'
-      Count: 1
-
-  rRole:
-    Type: AWS::IAM::Role
-    Properties:
-      RoleName: !Sub '${pOrg}-${pSystem}-${pApp}-${pEnvPurpose}-svc-cloud-watch-ssm'
-      Path: !Sub '/${pOrg}/${pSystem}/${pApp}/'
-      AssumeRolePolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Effect: Allow
-            Principal:
-              Service: ec2.amazonaws.com
-            Action: sts:AssumeRole
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
-        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
-
-  rInstanceProfile:
-    Type: AWS::IAM::InstanceProfile
-    Properties:
-      InstanceProfileName: !Sub '${pSystem}-${pApp}-${pEnvPurpose}'
-      Path: !Sub '/${pOrg}/${pSystem}/${pApp}/'
-      Roles:
-        - !Ref rRole
-
-  rCloudWatchLogsAgentGroup:
-    Type: AWS::Logs::LogGroup
-    Properties:
-      LogGroupName: !Sub '/${pSystem}/${pApp}/ec2/${pEnvPurpose}'
-      RetentionInDays: 1

test/aws-us-gov/mdr-test-c2/018-interconnect-instances/terragrunt.hcl

@@ -13,17 +13,13 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/interconnects?ref=v0.3.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/interconnects?ref=v0.4.0"
 }
 
 dependency "security_vpc" {
   config_path = "../015-security-vpc"
 }
 
-#dependency "palo_alto_bootstrap" {
-#  config_path = "../017-palo-alto-bootstrap"
-#}
-
 # Include all settings from the root terragrunt.hcl file
 include {
   path = find_in_parent_folders()

test/aws-us-gov/mdr-test-c2/019-attach-transit-gateway-to-hub-account/terragrunt.hcl

@@ -24,7 +24,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.3.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws-us-gov/mdr-test-c2/020-transit-gateway-interconnect-vpn/terragrunt.hcl

@@ -8,7 +8,7 @@ locals {
 
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_interconnect_vpn?ref=v0.3.3"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_interconnect_vpn?ref=v0.4.0"
 }
 
 dependency "transit-gateway-hub" {
@@ -16,7 +16,7 @@ dependency "transit-gateway-hub" {
 }
 
 dependency "interconnect-instances" {
-  config_path = "../018-interconnect-instances"
+  config_path = local.account_vars.locals.interconnect_instances_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -35,5 +35,6 @@ inputs = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
   interconnect_public_ips = dependency.interconnect-instances.outputs.public_ips
+  interconnect_private_ips = dependency.interconnect-instances.outputs.private_ips
   transit_gateway_id = dependency.transit-gateway-hub.outputs.tgw_id
 }

test/aws-us-gov/mdr-test-c2/account.hcl

@@ -21,8 +21,9 @@ locals {
   security_vpc_cidr = "10.179.128.0/22"
 
   # Interconnects
-  interconnect_asn = 64888
+  interconnect_asn = 64777
   interconnects_instance_type = "t3a.micro"
   interconnects_key_name = "fdamstra" # DO NOT CHANGE
   interconnects_count = 2
+  interconnect_instances_path = "../018-interconnect-instances"
 }

test/aws-us-gov/mdr-test-malware/006-account-standards/terragrunt.hcl

@@ -31,10 +31,7 @@ inputs = {
   # All of the inputs from the inherited hcl files are available automatically
   # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
   # will be more flexible if you specify particular input values.
-  #name = "vpc_primary_${local.account_vars.locals.account_name}"
-  #cidr = local.account_vars.locals.standard_vpc_cidr
-  #tags = {
-  #  Purpose = "Malware Detonation"
-  #  Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
-  #}
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
 }

test/aws/mdr-test-c2/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.2.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.0.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws/mdr-test-c2/008-transit-gateway-hub/terragrunt.hcl

@@ -15,7 +15,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.3.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_hub?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws/mdr-test-c2/010-standard-vpc/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.0.1"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws/mdr-test-c2/019-attach-transit-gateway-to-hub-account/terragrunt.hcl

@@ -24,7 +24,7 @@ dependency "standard_vpc" {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.2.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_client?ref=v0.4.0"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/aws/mdr-test-c2/020-transit-gateway-interconnect-vpn/terragrunt.hcl

@@ -0,0 +1,39 @@
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/transit_gateway_interconnect_vpn?ref=v0.4.0"
+}
+
+dependency "transit-gateway-hub" {
+  config_path = "../008-transit-gateway-hub"
+}
+
+dependency "interconnect-instances" {
+  config_path = local.account_vars.locals.interconnect_instances_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  name = "${local.partition_vars.locals.aws_partition_alias}-${local.environment_vars.locals.environment}"
+  tags = {
+    Purpose = "Transit Gateway VPN"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  interconnect_public_ips = dependency.interconnect-instances.outputs.public_ips
+  transit_gateway_id = dependency.transit-gateway-hub.outputs.tgw_id
+}

test/aws/mdr-test-c2/account.hcl

@@ -17,4 +17,13 @@ locals {
 
   # AS Number used for various resources, but not every account needs one.
   asn = 64700
+
+  security_vpc_cidr = "10.179.132.0/22"
+
+  # Interconnects
+  interconnect_asn = 64777
+  interconnects_instance_type = "t3a.micro"
+  interconnects_key_name = "fdamstra" # DO NOT CHANGE
+  interconnects_count = 2
+  interconnect_instances_path = "../../../aws-us-gov/mdr-test-c2/018-interconnect-instances"
 }