VMRay Deploys to Prod

Ran out of things I could do without a license installed, so it's time
for the prod account.

* Disables vmray in test, we don't have a license, no point in paying
  for the instances.
* Normalizes the mdr-prod-malware account and brings it to latest
  standards.

prod/aws-us-gov/mdr-prod-malware/005-iam/terragrunt.hcl

@@ -18,7 +18,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v3.0.0"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/iam?ref=v3.1.6"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws-us-gov/mdr-prod-malware/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,62 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v3.1.6"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
+terraform_version_constraint = "= 1.0.7"
+terragrunt_version_constraint = "= 0.32.3"

prod/aws-us-gov/mdr-prod-malware/006-account-standards/README.md

@@ -0,0 +1,26 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
+
+## NOTE: Possible aws_config_configuration_recorder conflict with camrs
+NOTE: For commercial accounts, camrs may have set up AWS config already, though in a configuration where they don't appear to be able to use it. This will conflict with the AWS Config setup present in this module. To fix this, the existing recorder must be imported. In the module directory, run (this will only need to be done once per account):
+```
+terragrunt import aws_config_configuration_recorder.awsconfig_recorder default
+aws --profile <account-profile> configservice describe-delivery-channels
+terragrunt import aws_config_delivery_channel.awsconfig_delivery_channel camrs-rt-aws-mdr-14019-tstsc-config-rDeliveryChannel-3JUH8QIHEQE6
+```
+
+## NOTE: Eventual consistency error with service-linked-role
+
+NOTE: This module creates a service-linked role for AWSAutoScaling. This role may not propagate before terraform tries to create policies that reference it as a principal, resulting in teh error:
+
+```
+Error: MalformedPolicyDocumentException: Policy contains a statement with one or more invalid principals.
+```
+
+I have a `depends_on` clause, but it doesn't resolve the issue. 
+
+This issue appears to be the same thing, but it apparently isn't fixed in this use case:
+https://github.com/hashicorp/terraform-provider-aws/issues/7646
+
+

prod/aws-us-gov/mdr-prod-malware/006-account-standards/terragrunt.hcl

@@ -0,0 +1,40 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v3.1.6"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
+}
+terraform_version_constraint = "= 1.0.7"
+terragrunt_version_constraint = "= 0.32.3"

prod/aws-us-gov/mdr-prod-malware/007-backups/terragrunt.hcl

@@ -0,0 +1,35 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/backups?ref=v3.1.6"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
+terraform_version_constraint = "= 1.0.7"
+terragrunt_version_constraint = "= 0.32.3"

prod/aws-us-gov/mdr-prod-malware/010-vpc-vmray/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.

prod/aws-us-gov/mdr-prod-malware/010-vpc-vmray/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/standard_vpc?ref=v3.1.6"
+}
+
+dependency "transit_gateway" {
+  config_path = "../../${local.environment_vars.locals.transit_gateway_account_name}/008-transit-gateway-hub"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  accept_tgw_invitation = true # Should we accept the Transit GT invitation? Should only be true for the first vpc
+  tgw_share_arn = dependency.transit_gateway.outputs.resource_share_arns[local.account_vars.locals.aws_account_id]
+  tgw_id = dependency.transit_gateway.outputs.tgw_id
+  vpc_info = local.account_vars.locals.vpc_info["vpc-vmray"]
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  enable_nat_gateway = true
+}
+terraform_version_constraint = "= 1.0.7"
+terragrunt_version_constraint = "= 0.32.3"

prod/aws-us-gov/mdr-prod-malware/044-VMRay-Instances/README.md

@@ -0,0 +1,7 @@
+# Standard VPC
+
+Creates a single VPC from the subnet defined in `../accounts.hcl`, divided into 3 subnets.
+
+## Note:
+
+This is the first using the "terragrunt best practice" template, so it will either serve as a good model or it will fail miserably. Either way, this may be outdated.

prod/aws-us-gov/mdr-prod-malware/044-VMRay-Instances/terragrunt.hcl

@@ -0,0 +1,49 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  # Extract out common variables for reuse
+  #env = local.environment_vars.locals.environment
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  #source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/terminated?ref=v3.1.6"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/vmray_instances?ref=v3.1.6"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-vmray"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Malware Detonation"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  vpc_id = dependency.vpc.outputs.vpc_id
+  azs = dependency.vpc.outputs.azs
+  public_subnets = dependency.vpc.outputs.public_subnets
+  private_subnets = dependency.vpc.outputs.private_subnets
+}
+terraform_version_constraint = "= 1.0.7"
+terragrunt_version_constraint = "= 0.32.3"

prod/aws-us-gov/mdr-prod-malware/072-salt-master-inventory-role/terragrunt.hcl

@@ -13,7 +13,7 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v3.0.0"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/salt_master_inventory_role?ref=v3.1.6"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/aws-us-gov/mdr-prod-malware/UNUSED.ACCOUNT

@@ -1 +0,0 @@
-This account is unused

prod/aws-us-gov/mdr-prod-malware/account.hcl

@@ -4,6 +4,25 @@ locals {
   account_name   = "afs-mdr-prod-malware-gov"
   account_alias  = "afs-mdr-prod-malware-gov"
   aws_account_id = "876865127438"
-  
-  account_tags = { } 
+  instance_termination_protection = true # set to true for production!
+
+  account_tags = { }
+  c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2"
+
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  vpc_info = {
+    "vpc-vmray" = {
+      "name" = "vpc-vmray",
+      "purpose" = "Malware detonation",
+      "cidr" = "10.32.4.0/22",
+      "tgw_attached" = true,
+    }
+  }
+
+  instance_types = {
+    "vmray-server" = "m5a.xlarge",
+    "vmray-worker" = "c5n.metal"
+  }
+
+  vmray_worker_instance_count = 1
 }

test/aws-us-gov/mdr-test-malware/044-VMRay-Instances/terragrunt.hcl

@@ -18,8 +18,8 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/vmray_instances?ref=v3.0.0"
-  #source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/terminated?ref=v3.0.0"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/terminated?ref=v3.1.6"
+  #source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/vmray_instances?ref=v3.1.6"
 }
 
 dependency "vpc" {

test/aws-us-gov/mdr-test-malware/account.hcl

@@ -27,5 +27,5 @@ locals {
     "vmray-worker" = "c5n.metal"
   }
 
-  vmray_worker_instance_count = 0
+  vmray_worker_instance_count = 1
 }