
Adds a resolver instance to the VMRay VPC

VMRay servers cannot run dnsmasq or unbound, so an external resolver is
required.

Also:
* Updates the AWS plugin version. This may necessitate running
  `terragrunt init -upgrade` on other modules.
* Fixes the salt-master IP address for deployment.

Will need to be updated once the resolver is stood up in prod
Fred Damstra [afs macbook] пре 3 година
родитељ
комит
f6509ccb11

+ 1 - 1
common/env.hcl

@@ -12,7 +12,7 @@ locals {
   proxy = "proxy.pvt.xdr.accenturefederalcyber.com"
   proxy_ip = "10.80.101.166"
   salt_master = "salt-master.pvt.xdr.accenturefederalcyber.com"
-  salt_master_ip = "10.80.101.170"
+  salt_master_ip = "10.40.2.106"
   hec = "iratemoses.pvt.xdr.accenturefederalcyber.com"
   hec_pub = "moose-hec.mdr.defpoint.com"
   hec_pub_ack = "moose-hec-ack.mdr.defpoint.com"
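Review bot: The new `salt_master_ip` value on the `+` line carries no record of what it points at or when it moved, while the same commit's provider bump in terragrunt.hcl does keep a dated history comment; since this address is the configuration authority every host in the environment pulls state from, a future reader has nothing to check it against if it drifts. Suggest `salt_master_ip = "10.40.2.106" # <YYYY-MM-DD>: moved from 10.80.101.170` here, and the same treatment for the matching lines in prod/env.hcl and test/env.hcl (the latter moving from 10.96.101.161 to 10.20.2.32). Note also that `salt_master` keeps its DNS name while only the IP changes, so any consumer that pins the IP rather than resolving the name should be checked for the same update.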

+ 2 - 1
prod/aws-us-gov/mdr-prod-malware/010-vpc-vmray/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v3.1.6"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v3.1.13"
 }
 
 dependency "transit_gateway" {
@@ -38,6 +38,7 @@ inputs = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
   enable_nat_gateway = true
+  #dns_servers = [ "TBD" ]
 }
 terraform_version_constraint = "= 1.0.7"
 terragrunt_version_constraint = "= 0.32.3"
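Review bot: The commented-out `#dns_servers = [ "TBD" ]` added in the second hunk leaves the prod VPC on the module's default `dns_servers` (the README's step 1) with no pointer to what is supposed to replace it or when, so it is easy to forget once the resolver exists. A TODO that names the source and the procedure is more useful than a bare placeholder, e.g. `# TODO: set to the private IP of ../023-dns-resolver-instance once it is deployed (README, "NOTE ON DNS", step 3)` followed by the commented `#dns_servers = [ "<resolver-private-ip>" ]`. The test-side counterpart in test/aws-us-gov/mdr-test-malware/010-vpc-vmray/terragrunt.hcl already has the real value filled in, so prod is the only one that can silently stay on the default.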

+ 47 - 0
prod/aws-us-gov/mdr-prod-malware/023-dns-resolver-instance/terragrunt.hcl

@@ -0,0 +1,47 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-vmray"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/resolver_instance?ref=v3.1.13"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "DNS Resolver"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+    Schedule = "MSOC"
+  }
+  instance_prefix = "resolver-vmray"
+  instance_number = 0
+  subnet_id = dependency.vpc.outputs.public_subnets[0]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  reverse_enabled = true # Set to 'true' on second run
+}
+terraform_version_constraint = "= 1.0.7"
+terragrunt_version_constraint = "= 0.32.3"
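Review bot: `subnet_id = dependency.vpc.outputs.public_subnets[0]` places a resolver whose only clients are this VPC's own hosts on an internet-routable subnet; whether the instance actually receives a public address and what its security group admits on 53/udp+tcp is decided inside the `base/dns/resolver_instance` module, which is not visible here, so before this instance becomes the VPC's DHCP-advertised DNS server confirm that it has no public IP (or that 53 is restricted to the VPC CIDR), or use a private subnet if the module allows it, since an unrestricted resolver is reachable from outside and usable for amplification. Separately, `reverse_enabled = true # Set to 'true' on second run` ships as `true` in the file's first commit while its own comment implies the first apply should be `false`; either commit `reverse_enabled = false # Set to 'true' on second run (after the forward zone exists)` or reword the comment so the value and the procedure agree. The five `read_terragrunt_config` locals are not referenced anywhere in this file, so they are dead weight unless something below is meant to use them. test/aws-us-gov/mdr-test-malware/023-dns-resolver-instance/terragrunt.hcl is byte-for-byte the same and has all three points.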

+ 13 - 0
prod/aws-us-gov/mdr-prod-malware/README.md

@@ -1,3 +1,16 @@
 # mdr-prod-malware
 
 Account for hosting vmray and/or other malware detonation.
+
+## NOTE ON DNS
+
+DNS resolvers exist in this account, in the vpc 010...
+However, the vpc relies on having dns resolvers to set the DHCP options.
+
+So chicken/egg.
+
+Here's how to do it.
+
+1) Create the vpc with the default var.dns_servers.
+2) Create the resolver
+3) Update the VPC, overriding var.dns_servers with the IP from #2

+ 1 - 1
prod/env.hcl

@@ -12,7 +12,7 @@ locals {
   proxy = "proxy.pvt.xdr.accenturefederalcyber.com"
   proxy_ip = "10.80.101.166"
   salt_master = "salt-master.pvt.xdr.accenturefederalcyber.com"
-  salt_master_ip = "10.80.101.170"
+  salt_master_ip = "10.40.2.106"
   hec = "moose-hec.xdr.accenturefederalcyber.com"
   hec_pub = "moose-hec.xdr.accenturefederalcyber.com"
   hec_pub_ack = "moose-hec-ack.xdr.accenturefederalcyber.com"

+ 1 - 1
terragrunt.hcl

@@ -69,7 +69,7 @@ terraform {
   required_providers {
     aws = {
       source = "hashicorp/aws"
-      version = "= 3.59.0" # 2021-09-21: upgrade from 3.37.0
+      version = "= 3.63.0" # 2021-09-21: upgrade from 3.37.0; 2021-10-29: Upgrade from 3.59.0
     }
     vault = {
       source = "hashicorp/vault"

+ 2 - 1
test/aws-us-gov/mdr-test-malware/010-vpc-vmray/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v3.0.0"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v3.1.13"
 }
 
 dependency "transit_gateway" {
@@ -38,6 +38,7 @@ inputs = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
   enable_nat_gateway = true
+  dns_servers = [ "10.20.6.7" ]
 }
 terraform_version_constraint = "= 1.0.7"
 terragrunt_version_constraint = "= 0.32.3"
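Review bot: The `dns_servers = [ "10.20.6.7" ]` line added in the second hunk is a bare literal with no note of its origin, although per the README it is the private IP of the instance created by ../023-dns-resolver-instance; if that instance is ever replaced (a new AMI, a failed host, a `taint`), it will most likely come back on a different private address and the VPC's DHCP option set will keep handing out a dead resolver to every host without any apply-time error. At minimum annotate the provenance, `dns_servers = [ "10.20.6.7" ] # private IP of 023-dns-resolver-instance; update if that instance is recreated (README, "NOTE ON DNS")`, and consider whether the resolver module can be given a fixed private IP so this value stays stable. The first hunk's module ref bump from v3.0.0 to v3.1.13 skips several minor releases of `standard_vpc` in one step, which is fine if the plan was reviewed but worth a mention in the commit message.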

+ 47 - 0
test/aws-us-gov/mdr-test-malware/023-dns-resolver-instance/terragrunt.hcl

@@ -0,0 +1,47 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-vmray"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/resolver_instance?ref=v3.1.13"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "DNS Resolver"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+    Schedule = "MSOC"
+  }
+  instance_prefix = "resolver-vmray"
+  instance_number = 0
+  subnet_id = dependency.vpc.outputs.public_subnets[0]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  reverse_enabled = true # Set to 'true' on second run
+}
+terraform_version_constraint = "= 1.0.7"
+terragrunt_version_constraint = "= 0.32.3"

+ 11 - 0
test/aws-us-gov/mdr-test-malware/README.md

@@ -2,4 +2,15 @@
 
 For hosting vmray and other malware detonation
 
+## NOTE ON DNS
 
+DNS resolvers exist in this account, in the vpc 010...
+However, the vpc relies on having dns resolvers to set the DHCP options.
+
+So chicken/egg.
+
+Here's how to do it.
+
+1) Create the vpc with the default var.dns_servers.
+2) Create the resolver
+3) Update the VPC, overriding var.dns_servers with the IP from #2

+ 1 - 1
test/env.hcl

@@ -12,7 +12,7 @@ locals {
   proxy = "proxy.pvt.xdrtest.accenturefederalcyber.com"
   proxy_ip = "10.96.101.188"
   salt_master = "salt-master.pvt.xdrtest.accenturefederalcyber.com"
-  salt_master_ip = "10.96.101.161"
+  salt_master_ip = "10.20.2.32"
   hec = "moose-hec.xdrtest.accenturefederalcyber.com"
   hec_pub = "moose-hec.xdrtest.accenturefederalcyber.com"
   hec_pub_ack = "moose-hec-ack.xdrtest.accenturefederalcyber.com"