
Updates and Cleanup for tf update

* Removes the `to_be_reviewed` files from account standards. They're
  long gone.
* Changes all instances of `template_file` datasource (deprecated in
  tf0.12) and replaces with the templatefile() function.
* Removes 'version.tf' and 'versions.tf' that specify the terraform
  version. This is handled in xdr-terraform-live.
* Minor updates to the customer searchhead snuck in. This is not
  production yet, but is fine to be included here.

Should be all set for updating terragrunt and terraform.

To be tagged v3.0.0
Fred Damstra [afs macbook] 3 vuotta sitten
vanhempi
sitoutus
4503f2272a
100 muutettua tiedostoa jossa 575 lisäystä ja 1762 poistoa
  1. 0 75
      base/account_standards/to_be_reviewed/files/cloudtrail_status_check.py
  2. 0 67
      base/account_standards/to_be_reviewed/files/password_policy_check.py
  3. 0 70
      base/account_standards/to_be_reviewed/files/user_policies_check.py
  4. 0 16
      base/account_standards/to_be_reviewed/lambda_policy.tf
  5. 0 73
      base/account_standards/to_be_reviewed/section-1_16.tf
  6. 0 31
      base/account_standards/to_be_reviewed/templates/billing_s3_bucket_policy.json.tpl
  7. 0 197
      base/account_standards/to_be_reviewed/templates/cis_hardening_iam_role_policy_prod.json.tpl
  8. 0 197
      base/account_standards/to_be_reviewed/templates/cis_hardening_iam_role_policy_test.json.tpl
  9. 0 25
      base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_inline_policy_prod.json.tpl
  10. 0 25
      base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_inline_policy_test.json.tpl
  11. 0 13
      base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_role_policy_prod.json.tpl
  12. 0 13
      base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_role_policy_test.json.tpl
  13. 0 95
      base/account_standards/to_be_reviewed/templates/cloudtrail_kms_policy.json.tpl
  14. 0 30
      base/account_standards/to_be_reviewed/templates/cloudtrail_s3_policy.json.tpl
  15. 0 30
      base/account_standards/to_be_reviewed/templates/cloudtrail_s3_policy_prod.json.tpl
  16. 0 30
      base/account_standards/to_be_reviewed/templates/cloudtrail_s3_policy_test.json.tpl
  17. 0 13
      base/account_standards/to_be_reviewed/templates/iam_lambda_assume_role_policy.json.tpl
  18. 0 21
      base/account_standards/to_be_reviewed/templates/lambda_cloudtrail_status_check_policy.json.tpl
  19. 0 21
      base/account_standards/to_be_reviewed/templates/lambda_password_policy_check_policy.json.tpl
  20. 0 21
      base/account_standards/to_be_reviewed/templates/lambda_root_account_check_policy.json.tpl
  21. 0 23
      base/account_standards/to_be_reviewed/templates/lambda_support_group_check_policy.json.tpl
  22. 0 21
      base/account_standards/to_be_reviewed/templates/lambda_user_policies_check_policy.json.tpl
  23. 0 3
      base/account_standards/version.tf
  24. 0 3
      base/account_standards_c2/version.tf
  25. 0 3
      base/account_standards_regional/version.tf
  26. 12 17
      base/bastion/main.tf
  27. 0 3
      base/bastion/version.tf
  28. 11 17
      base/customer_portal/main.tf
  29. 0 3
      base/customer_portal/version.tf
  30. 13 18
      base/dns/resolver_instance/main.tf
  31. 0 3
      base/dns/resolver_instance/version.tf
  32. 12 17
      base/github/backup_server.tf
  33. 0 3
      base/github/version.tf
  34. 0 3
      base/globally_accessible_bucket/version.tf
  35. 0 3
      base/iam/version.tf
  36. 13 20
      base/interconnects/cloud-init.tf
  37. 0 3
      base/interconnects/version.tf
  38. 12 17
      base/jira/instance_jira/main.tf
  39. 0 3
      base/jira/instance_jira/version.tf
  40. 0 3
      base/jira/rds_jira/version.tf
  41. 0 3
      base/kinesis_firehose_waf_logs/version.tf
  42. 12 18
      base/mailrelay/instance-mailrelay.tf
  43. 12 18
      base/mailrelay/instance-mailrelay2.tf
  44. 0 3
      base/mailrelay/version.tf
  45. 12 17
      base/nessus/instance_nessus_manager/main.tf
  46. 0 3
      base/nessus/instance_nessus_manager/version.tf
  47. 12 17
      base/nessus/instance_nessus_scanner/main.tf
  48. 0 3
      base/nessus/instance_nessus_scanner/version.tf
  49. 12 17
      base/nessus/instance_security_center/main.tf
  50. 0 3
      base/nessus/instance_security_center/version.tf
  51. 12 17
      base/openvpn/main.tf
  52. 0 3
      base/openvpn/version.tf
  53. 0 3
      base/palo_alto/firewall_nodes/version.tf
  54. 0 3
      base/palo_alto/panorama/version.tf
  55. 12 17
      base/phantom/main.tf
  56. 0 3
      base/phantom/version.tf
  57. 12 18
      base/proxy_server/main.tf
  58. 0 3
      base/proxy_server/version.tf
  59. 12 18
      base/repo_server/main.tf
  60. 0 3
      base/repo_server/version.tf
  61. 12 20
      base/rhsso/main.tf
  62. 0 3
      base/rhsso/version.tf
  63. 0 3
      base/s3_bucket_writer_role/version.tf
  64. 12 20
      base/salt_master/main.tf
  65. 0 3
      base/salt_master/version.tf
  66. 0 3
      base/salt_master_inventory_role/version.tf
  67. 0 3
      base/security_vpc/version.tf
  68. 12 17
      base/sensu/main.tf
  69. 13 18
      base/splunk_servers/alsi/master.tf
  70. 0 3
      base/splunk_servers/alsi/version.tf
  71. 13 20
      base/splunk_servers/alsi/workers.tf
  72. 13 18
      base/splunk_servers/cluster_master/main.tf
  73. 0 3
      base/splunk_servers/cluster_master/version.tf
  74. 35 0
      base/splunk_servers/customer_searchhead/certificate-auth.tf
  75. 134 0
      base/splunk_servers/customer_searchhead/elb-auth.tf
  76. 27 18
      base/splunk_servers/customer_searchhead/main.tf
  77. 4 0
      base/splunk_servers/customer_searchhead/outputs.tf
  78. 0 3
      base/splunk_servers/customer_searchhead/version.tf
  79. 30 1
      base/splunk_servers/customer_searchhead/waf.tf
  80. 0 3
      base/splunk_servers/frozen_s3_bucket/version.tf
  81. 13 18
      base/splunk_servers/heavy_forwarder/main.tf
  82. 0 3
      base/splunk_servers/heavy_forwarder/version.tf
  83. 13 18
      base/splunk_servers/indexer_cluster/cloud-init.tf
  84. 0 3
      base/splunk_servers/indexer_cluster/version.tf
  85. 0 3
      base/splunk_servers/legacy_hec/version.tf
  86. 13 18
      base/splunk_servers/searchhead/main.tf
  87. 0 3
      base/splunk_servers/searchhead/version.tf
  88. 0 3
      base/standard_vpc/version.tf
  89. 12 18
      base/teleport-single-instance/main.tf
  90. 0 3
      base/teleport-single-instance/version.tf
  91. 0 3
      base/transit_gateway_client/version.tf
  92. 0 3
      base/transit_gateway_hub/version.tf
  93. 0 3
      base/transit_gateway_interconnect_vpn/version.tf
  94. 12 19
      base/vault/main.tf
  95. 0 3
      base/vault/version.tf
  96. 13 18
      base/vmray_instances/server.tf
  97. 0 3
      base/vmray_instances/version.tf
  98. 13 18
      base/vmray_instances/worker.tf
  99. 0 3
      submodules/iam/child_account_roles/versions.tf
  100. 0 1
      submodules/iam/common_services_roles/modules/saml_linked_role/versions.tf

+ 0 - 75
base/account_standards/to_be_reviewed/files/cloudtrail_status_check.py

@@ -1,75 +0,0 @@
-import os
-import boto3
-
-
-def answer_no(x): return True if str(x).lower() in [
-    '0', 'no', 'false'] else False
-
-
-def answer_yes(x): return True if str(x).lower() in [
-    '1', 'yes', 'true'] else False
-
-
-def send_notifications(message):
-    # TODO
-    return True
-
-
-def is_bucket_not_public(bucket_name):
-    s3 = boto3.client('s3')
-    bucket_acl = s3.get_bucket_acl(Bucket=bucket_name)
-
-    # If there is a permission attached with any value for AllUsers,
-    # it means the bucket is public
-    # We don't need to check if the permission any of
-    # READ|WRITE|READ_ACP|WRITE_ACP|FULL_CONTROL
-    for grantee in bucket_acl['Grants']:
-        if grantee['Grantee']['Type'] == 'Group' \
-                and grantee['Grantee']['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers':
-            return False
-    return True
-
-
-def lambda_handler(event, context):
-    rc = 1
-    message_body = 'Chekcing trails'
-    print message_body
-
-    cloudtrail = boto3.client('cloudtrail')
-    trails = cloudtrail.describe_trails()
-
-    for trail in trails['trailList']:
-        notification = 'Checking ' + trail['Name']
-        print notification
-        message_body += notification + "\n"
-
-        if trail['IsMultiRegionTrail'] \
-                and ('KmsKeyId' in trail and trail['KmsKeyId'] != '') \
-                and trail['IncludeGlobalServiceEvents'] \
-                and trail['LogFileValidationEnabled']:
-
-            notification = trail['Name'] + ' is OK'
-            print notification
-            message_body += notification + "\n"
-            rc = 0
-        else:
-            notification = trail['Name'] + \
-                ' does not match with the requirements'
-            print notification
-            message_body += notification + "\n"
-
-        if not is_bucket_not_public(trail['S3BucketName']):
-            rc = 1
-            notification = trail['Name'] + \
-                "\'s bucket has public access."
-            print notification
-            message_body += notification + "\n"
-
-    if rc == 1 and ('DRY_RUN' in os.environ and answer_no(os.environ['DRY_RUN'])):
-        send_notifications(message_body)
-        exit(rc)
-
-# if __name__ == "__main__":
-#    event = 1
-#    context = 1
-#    lambda_handler(event, context)

+ 0 - 67
base/account_standards/to_be_reviewed/files/password_policy_check.py

@@ -1,67 +0,0 @@
-import os
-import boto3
-
-
-def send_notifications(message):
-    # TODO
-    return True
-
-
-def lambda_handler(event, context):
-    iam = boto3.client('iam')
-    message_body = ""
-
-    try:
-        policy = iam.get_account_password_policy()
-    except:
-        message_body = 'Account has no password policy'
-        print message_body
-
-    require_uppercase_characters = bool(
-        os.environ['REQUIRE_UPPERCASE_CHARACTERS']) if 'REQUIRE_UPPERCASE_CHARACTERS' in os.environ else True
-    require_lowercase_characters = bool(
-        os.environ['REQUIRE_LOWERCASE_CHARACTERS']) if 'REQUIRE_LOWERCASE_CHARACTERS' in os.environ else True
-    require_symbols = bool(
-        os.environ['REQUIRE_SYMBOLS']) if 'REQUIRE_SYMBOLS' in os.environ else True
-    require_numbers = bool(
-        os.environ['REQUIRE_NUMBERS']) if 'REQUIRE_NUMBERS' in os.environ else True
-    minimum_password_length = int(
-        os.environ['MINIMUM_PASSWORD_LENGTH']) if 'MINIMUM_PASSWORD_LENGTH' in os.environ else 14
-    password_reuse_prevention = int(
-        os.environ['PASSWORD_REUSE_PREVENTION']) if 'PASSWORD_REUSE_PREVENTION' in os.environ else 24
-    max_password_age = int(
-        os.environ['MAX_PASSWORD_AGE']) if 'MAX_PASSWORD_AGE' in os.environ else 90
-    allow_users_to_change_password = bool(
-        os.environ['ALLOW_USERS_TO_CHANGE_PASSWORD']) if 'ALLOW_USERS_TO_CHANGE_PASSWORD' in os.environ else True
-    hard_expiry = bool(os.environ['HARD_EXPIRY']
-                       ) if 'HARD_EXPIRY' in os.environ else True
-
-    if not message_body:
-        if policy['PasswordPolicy']['RequireUppercaseCharacters'] != require_uppercase_characters:
-            message_body += "Require an uppercase letter has been set incorrectly\n"
-
-        if policy['PasswordPolicy']['RequireLowercaseCharacters'] != require_lowercase_characters:
-            message_body += "Require an lowercase letter has been set incorrectly\n"
-
-        if policy['PasswordPolicy']['RequireSymbols'] != require_symbols:
-            message_body += "Require a symbol has been set incorrectly\n"
-
-        if policy['PasswordPolicy']['RequireNumbers'] != require_numbers:
-            message_body += "Require a number has been set incorrectly\n"
-
-        if policy['PasswordPolicy']['MinimumPasswordLength'] != minimum_password_length:
-            message_body += "Minimum password length has been set incorrectly\n"
-
-        if policy['PasswordPolicy']['MaxPasswordAge'] != max_password_age:
-            message_body += "Maximum password age has been set incorrectly\n"
-
-        if policy['PasswordPolicy']['AllowUsersToChangePassword'] != allow_users_to_change_password:
-            message_body += "Allow users to change password has been set incorrectly\n"
-
-        if policy['PasswordPolicy']['HardExpiry'] != hard_expiry:
-            message_body += "Hard password expiry has been set incorrectly\n"
-
-    if message_body:
-        send_notifications(message_body)
-    else:
-        print 'Everything seems fine'

+ 0 - 70
base/account_standards/to_be_reviewed/files/user_policies_check.py

@@ -1,70 +0,0 @@
-import os
-import boto3
-
-iam = boto3.client('iam')
-
-
-def answer_no(x): return True if str(x).lower() in [
-    '0', 'no', 'false'] else False
-
-
-def answer_yes(x): return True if str(x).lower() in [
-    '1', 'yes', 'true'] else False
-
-
-def send_notifications(message):
-    # TO DO
-    return True
-
-
-def detach_policies(users):
-    message_body = 'AGGRESSIVE is set to ' + os.environ['AGGRESSIVE'] \
-        if ('AGGRESSIVE' in os.environ and answer_yes(os.environ['AGGRESSIVE'])) \
-        else 'AGGRESSIVE mode is not active'
-    print message_body
-
-    for user, policies in users.iteritems():
-        notification = 'Processing ' + user
-        print notification
-        message_body += notification + "\n"
-        for policy in policies:
-            notification = policy['PolicyName'] + \
-                ' will be detached from the user'
-            print notification
-            message_body += notification + "\n"
-            if ('DRY_RUN' not in os.environ or answer_no(os.environ['DRY_RUN'])) \
-                    and ('AGGRESSIVE' in os.environ and answer_yes(os.environ['AGGRESSIVE'])):
-                iam.detach_user_policy(
-                    UserName=user, PolicyArn=policy['PolicyArn'])
-            else:
-                notification = 'AGREESIVE is not active or DRY_RUN is enabled, so the policy is not removed'
-                print notification
-                message_body += notification + "\n"
-
-    if len(users) > 0 and ('DRY_RUN' not in os.environ or answer_no(os.environ['DRY_RUN'])):
-        send_notifications(message_body)
-    else:
-        print 'DRY_RUN is active and/or nothing to do'
-
-
-def lambda_handler(event, context):
-    users = iam.list_users()
-    user_policies = {}
-
-    for user in users['Users']:
-        attached_policy_list = iam.list_attached_user_policies(
-            UserName=user['UserName'])
-        user_policy_list = iam.list_user_policies(UserName=user['UserName'])
-
-        if len(attached_policy_list['AttachedPolicies']) > 0 \
-                or len(user_policy_list['PolicyNames']) > 0:
-
-            user_policies[user['UserName']] = attached_policy_list['AttachedPolicies'] + \
-                user_policy_list['PolicyNames']
-    detach_policies(user_policies)
-
-
-# if __name__ == "__main__":
-#    event = 1
-#    context = 1
-#    lambda_handler(event, context)

+ 0 - 16
base/account_standards/to_be_reviewed/lambda_policy.tf

@@ -1,16 +0,0 @@
-# main.tf only contains shared resouces across the module for purpose even the best pracites says
-# keep roles as small as possible and have three files main,variables,outputs.tf
-# So, the motivation in here make the code easily readable.
-# You can open the CIS Benchmark and go step by step to verify or understand how
-# the every other section works.
-# Also, another aventage of this is easy to update the module when the benchmark
-# gets any updates
-#
-# So that, we decided to break down the module into files per section.
-
-# every lambda function uses this assume role policy
-data "template_file" "iam_lambda_assume_role_policy" {
-  template = file("${path.module}/templates/iam_lambda_assume_role_policy.json.tpl")
-}
-
-

+ 0 - 73
base/account_standards/to_be_reviewed/section-1_16.tf

@@ -1,73 +0,0 @@
-# AccessKey age check and delete function
-## IAM Policy
-data "template_file" "user_policies_check_policy" {
-  template = file("${path.module}/templates/lambda_user_policies_check_policy.json.tpl")
-}
-
-resource "aws_iam_role" "user_policies_check" {
-  path               = "/lambda/"
-  name               = "${var.resource_name_prefix}-user-policies-check"
-  assume_role_policy = data.template_file.iam_lambda_assume_role_policy.rendered
-}
-
-resource "aws_iam_role_policy" "user_policies_check" {
-  name   = "${var.resource_name_prefix}-lambda-user-policies-check"
-  role   = aws_iam_role.user_policies_check.id
-  policy = data.template_file.user_policies_check_policy.rendered
-}
-
-## /IAM Policy
-
-## Create the function
-data "archive_file" "user_policies_check" {
-  type        = "zip"
-  source_file = "${path.module}/files/user_policies_check.py"
-  output_path = "${var.temp_artifacts_dir}/user_policies_check.zip"
-}
-
-resource "aws_lambda_function" "user_policies_check" {
-  filename         = "${var.temp_artifacts_dir}/user_policies_check.zip"
-  function_name    = "${var.resource_name_prefix}-user-policies-check"
-  role             = aws_iam_role.user_policies_check.arn
-  handler          = "user_policies_check.lambda_handler"
-  source_code_hash = data.archive_file.user_policies_check.output_base64sha256
-  runtime          = "python2.7"
-  timeout          = var.lambda_timeout
-
-  environment {
-    variables = {
-      DRY_RUN                = var.lambda_dry_run
-      AGGRESSIVE             = var.lambda_aggressive
-      IGNORE_IAM_USER_PREFIX = var.lambda_mfa_checker_user_prefix
-      IGNORE_IAM_USER_SUFFIX = var.lambda_mfa_checker_user_suffix
-    }
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-## /Create the function
-
-## Schedule the lambda function
-resource "aws_cloudwatch_event_rule" "user_policies_check" {
-  name                = "${var.resource_name_prefix}-user-policies-check"
-  description         = "remove expiring access keys"
-  schedule_expression = var.lambda_cron_schedule
-}
-
-resource "aws_cloudwatch_event_target" "user_policies_check" {
-  rule      = aws_cloudwatch_event_rule.user_policies_check.name
-  target_id = "${var.resource_name_prefix}-user-policies-check"
-  arn       = aws_lambda_function.user_policies_check.arn
-}
-
-resource "aws_lambda_permission" "user_policies_check" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.user_policies_check.function_name
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.user_policies_check.arn
-}
-
-## /Schedule the lambda function
-# /AccessKey age check and delete function

+ 0 - 31
base/account_standards/to_be_reviewed/templates/billing_s3_bucket_policy.json.tpl

@@ -1,31 +0,0 @@
-{
-  "Id": "Policy",
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "s3:GetBucketAcl",
-        "s3:GetBucketPolicy"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${bucket_name}",
-      "Principal": {
-        "AWS": [
-          "${aws_billing_service_account_arn}"
-        ]
-      }
-    },
-    {
-      "Action": [
-        "s3:PutObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${bucket_name}/*",
-      "Principal": {
-        "AWS": [
-          "${aws_billing_service_account_arn}"
-        ]
-      }
-    }
-  ]
-}

+ 0 - 197
base/account_standards/to_be_reviewed/templates/cis_hardening_iam_role_policy_prod.json.tpl

@@ -1,197 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-       {   
-            "Effect": "Allow",
-            "Action": [
-                "sqs:ListQueues",
-                "sqs:GetQueueUrl",
-                "sqs:ListDeadLetterSourceQueues",
-                "sqs:ReceiveMessage",
-                "sqs:GetQueueAttributes",
-                "sqs:ListQueueTags",
-                "sqs:CreateQueue",
-                "sqs:SendMessage",
-                "sqs:SetQueueAttributes",
-                "sqs:TagQueue"
-            ],  
-            "Resource": "*" 
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cloudtrail:StopLogging",
-                "cloudtrail:StartLogging",
-                "cloudtrail:AddTags",
-                "cloudtrail:DeleteTrail",
-                "cloudtrail:UpdateTrail",
-                "cloudtrail:CreateTrail",
-                "cloudtrail:ListTags",
-                "cloudtrail:GetTrailStatus",
-                "cloudtrail:RemoveTags"
-            ],
-            "Resource": "arn:aws:cloudtrail:us-east-1:477548533976:trail/aws-cis-trail*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cloudtrail:LookupEvents",
-                "cloudtrail:PutEventSelectors",
-                "cloudtrail:ListPublicKeys",
-                "cloudtrail:ListTags",
-                "cloudtrail:GetEventSelectors",
-                "cloudtrail:DescribeTrails"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:DescribeRule",
-                "events:ListRuleNamesByTarget",
-                "events:EnableRule",
-                "events:ListRules",
-                "events:ListTargetsByRule"
-            ],
-            "Resource": "arn:aws:events:us-east-1:477548533976:rule/aws-cis-cloudtrail-status-check"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:PutTargets",
-                "events:PutRule",
-                "events:TestEventPattern"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:DescribeRule",
-                "events:ListRuleNamesByTarget",
-                "events:EnableRule",
-                "events:ListRules",
-                "events:ListTargetsByRule"
-            ],
-            "Resource": [
-                "arn:aws:events:us-east-1:477548533976:rule/aws-cis-password-policy-check",
-                "arn:aws:events:us-east-1:477548533976:rule/aws-cis-root-account-check",
-                "arn:aws:events:us-east-1:477548533976:rule/aws-cis-user-policies-check",
-                "arn:aws:events:us-east-1:477548533976:rule/aws-cis-support-group-check"
-            ]
-        },
-        {   
-            "Effect": "Allow",
-            "Action": [
-                "lambda:GetFunction",
-                "lambda:ListVersionsByFunction",
-                "lambda:GetPolicy"
-            ],  
-            "Resource": [
-                "arn:aws:lambda:us-east-1:477548533976:function:aws-cis-password-policy-check",
-                "arn:aws:lambda:us-east-1:477548533976:function:aws-cis-root-account-check",
-                "arn:aws:lambda:us-east-1:477548533976:function:aws-cis-user-policies-check",
-                "arn:aws:lambda:us-east-1:477548533976:function:aws-cis-support-group-check",
-                "arn:aws:lambda:us-east-1:477548533976:function:aws-cis-cloudtrail-status-check"
-            ]  
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:PutEvents",
-                "events:PutRule",
-                "events:TestEventPattern"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "kms:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "kms:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:ListTagsLogGroup",
-                "logs:DisassociateKmsKey",
-                "logs:DeleteSubscriptionFilter",
-                "logs:DescribeLogGroups",
-                "logs:UntagLogGroup",
-                "logs:DeleteLogGroup",
-                "logs:DescribeLogStreams",
-                "logs:DescribeSubscriptionFilters",
-                "logs:DescribeMetricFilters",
-                "logs:DeleteLogStream",
-                "logs:PutLogEvents",
-                "logs:CreateExportTask",
-                "logs:PutMetricFilter",
-                "logs:CreateLogStream",
-                "logs:DeleteMetricFilter",
-                "logs:TagLogGroup",
-                "logs:DeleteRetentionPolicy",
-                "logs:GetLogEvents",
-                "logs:AssociateKmsKey",
-                "logs:FilterLogEvents",
-                "logs:PutSubscriptionFilter",
-                "logs:PutRetentionPolicy"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:477548533976:log-group:aws-cis-logs*",
-                "arn:aws:logs:us-east-1:477548533976:log-group::log-stream:"
-             ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:DeleteResourcePolicy",
-                "logs:DescribeExportTasks",
-                "logs:PutResourcePolicy",
-                "logs:PutDestinationPolicy",
-                "logs:CancelExportTask",
-                "logs:TestMetricFilter",
-                "logs:DeleteDestination",
-                "logs:CreateLogGroup",
-                "logs:DescribeResourcePolicies",
-                "logs:PutDestination",
-                "logs:DescribeDestinations"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "sns:CreatePlatformApplication",
-                "sns:SetSMSAttributes",
-                "sns:ListTopics",
-                "sns:GetPlatformApplicationAttributes",
-                "sns:CreatePlatformEndpoint",
-                "sns:Unsubscribe",
-                "sns:GetSubscriptionAttributes",
-                "sns:ListSubscriptions",
-                "sns:CheckIfPhoneNumberIsOptedOut",
-                "sns:OptInPhoneNumber",
-                "sns:DeleteEndpoint",
-                "sns:SetEndpointAttributes",
-                "sns:ListPhoneNumbersOptedOut",
-                "sns:ListEndpointsByPlatformApplication",
-                "sns:GetEndpointAttributes",
-                "sns:SetSubscriptionAttributes",
-                "sns:DeletePlatformApplication",
-                "sns:SetPlatformApplicationAttributes",
-                "sns:ListPlatformApplications",
-                "sns:GetSMSAttributes"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sns:*",
-            "Resource": "arn:aws:sns:us-east-1:477548533976:dps-alarm"
-        }
-    ]
-}

+ 0 - 197
base/account_standards/to_be_reviewed/templates/cis_hardening_iam_role_policy_test.json.tpl

@@ -1,197 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-       {
-            "Effect": "Allow",
-            "Action": [
-                "sqs:ListQueues",
-                "sqs:GetQueueUrl",
-                "sqs:ListDeadLetterSourceQueues",
-                "sqs:ReceiveMessage",
-                "sqs:GetQueueAttributes",
-                "sqs:ListQueueTags",
-                "sqs:CreateQueue",
-                "sqs:SendMessage",
-                "sqs:SetQueueAttributes",
-                "sqs:TagQueue"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cloudtrail:StopLogging",
-                "cloudtrail:StartLogging",
-                "cloudtrail:AddTags",
-                "cloudtrail:DeleteTrail",
-                "cloudtrail:UpdateTrail",
-                "cloudtrail:CreateTrail",
-                "cloudtrail:ListTags",
-                "cloudtrail:GetTrailStatus",
-                "cloudtrail:RemoveTags"
-            ],
-            "Resource": "arn:aws:cloudtrail:us-east-1:527700175026:trail/aws-cis-trail*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cloudtrail:LookupEvents",
-                "cloudtrail:PutEventSelectors",
-                "cloudtrail:ListPublicKeys",
-                "cloudtrail:ListTags",
-                "cloudtrail:GetEventSelectors",
-                "cloudtrail:DescribeTrails"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:DescribeRule",
-                "events:ListRuleNamesByTarget",
-                "events:EnableRule",
-                "events:ListRules",
-                "events:ListTargetsByRule"
-            ],
-            "Resource": "arn:aws:events:us-east-1:527700175026:rule/aws-cis-cloudtrail-status-check"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:PutTargets",
-                "events:PutRule",
-                "events:TestEventPattern"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:DescribeRule",
-                "events:ListRuleNamesByTarget",
-                "events:EnableRule",
-                "events:ListRules",
-                "events:ListTargetsByRule"
-            ],
-            "Resource": [
-                "arn:aws:events:us-east-1:527700175026:rule/aws-cis-password-policy-check",
-                "arn:aws:events:us-east-1:527700175026:rule/aws-cis-root-account-check",
-                "arn:aws:events:us-east-1:527700175026:rule/aws-cis-user-policies-check",
-                "arn:aws:events:us-east-1:527700175026:rule/aws-cis-support-group-check"
-            ]
-        },
-        {   
-            "Effect": "Allow",
-            "Action": [
-                "lambda:GetFunction",
-                "lambda:ListVersionsByFunction",
-                "lambda:GetPolicy"
-            ],  
-            "Resource": [
-                "arn:aws:lambda:us-east-1:527700175026:function:aws-cis-password-policy-check",
-                "arn:aws:lambda:us-east-1:527700175026:function:aws-cis-root-account-check",
-                "arn:aws:lambda:us-east-1:527700175026:function:aws-cis-user-policies-check",
-                "arn:aws:lambda:us-east-1:527700175026:function:aws-cis-support-group-check",
-                "arn:aws:lambda:us-east-1:527700175026:function:aws-cis-cloudtrail-status-check"
-            ]  
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "events:PutEvents",
-                "events:PutRule",
-                "events:TestEventPattern"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "kms:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "kms:*",
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:ListTagsLogGroup",
-                "logs:DisassociateKmsKey",
-                "logs:DeleteSubscriptionFilter",
-                "logs:DescribeLogGroups",
-                "logs:UntagLogGroup",
-                "logs:DeleteLogGroup",
-                "logs:DescribeLogStreams",
-                "logs:DescribeSubscriptionFilters",
-                "logs:DescribeMetricFilters",
-                "logs:DeleteLogStream",
-                "logs:PutLogEvents",
-                "logs:CreateExportTask",
-                "logs:PutMetricFilter",
-                "logs:CreateLogStream",
-                "logs:DeleteMetricFilter",
-                "logs:TagLogGroup",
-                "logs:DeleteRetentionPolicy",
-                "logs:GetLogEvents",
-                "logs:AssociateKmsKey",
-                "logs:FilterLogEvents",
-                "logs:PutSubscriptionFilter",
-                "logs:PutRetentionPolicy"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:527700175026:log-group:aws-cis-logs*",
-                "arn:aws:logs:us-east-1:527700175026:log-group::log-stream:"
-             ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:DeleteResourcePolicy",
-                "logs:DescribeExportTasks",
-                "logs:PutResourcePolicy",
-                "logs:PutDestinationPolicy",
-                "logs:CancelExportTask",
-                "logs:TestMetricFilter",
-                "logs:DeleteDestination",
-                "logs:CreateLogGroup",
-                "logs:DescribeResourcePolicies",
-                "logs:PutDestination",
-                "logs:DescribeDestinations"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "sns:CreatePlatformApplication",
-                "sns:SetSMSAttributes",
-                "sns:ListTopics",
-                "sns:GetPlatformApplicationAttributes",
-                "sns:CreatePlatformEndpoint",
-                "sns:Unsubscribe",
-                "sns:GetSubscriptionAttributes",
-                "sns:ListSubscriptions",
-                "sns:CheckIfPhoneNumberIsOptedOut",
-                "sns:OptInPhoneNumber",
-                "sns:DeleteEndpoint",
-                "sns:SetEndpointAttributes",
-                "sns:ListPhoneNumbersOptedOut",
-                "sns:ListEndpointsByPlatformApplication",
-                "sns:GetEndpointAttributes",
-                "sns:SetSubscriptionAttributes",
-                "sns:DeletePlatformApplication",
-                "sns:SetPlatformApplicationAttributes",
-                "sns:ListPlatformApplications",
-                "sns:GetSMSAttributes"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": "sns:*",
-            "Resource": "arn:aws:sns:us-east-1:527700175026:dps-alarm"
-        }
-    ]
-}

+ 0 - 25
base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_inline_policy_prod.json.tpl

@@ -1,25 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AWSCloudTrailCreateLogStream20141101",
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:477548533976:log-group:aws-cis-logs:log-stream:477548533976_CloudTrail_us-east-1*"
-            ]
-        },
-        {
-            "Sid": "AWSCloudTrailPutLogEvents20141101",
-            "Effect": "Allow",
-            "Action": [
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:477548533976:log-group:aws-cis-logs:log-stream:477548533976_CloudTrail_us-east-1*"
-            ]
-        }
-    ]
-}

+ 0 - 25
base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_inline_policy_test.json.tpl

@@ -1,25 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AWSCloudTrailCreateLogStream20141101",
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:527700175026:log-group:aws-cis-logs:log-stream:527700175026_CloudTrail_us-east-1*"
-            ]
-        },
-        {
-            "Sid": "AWSCloudTrailPutLogEvents20141101",
-            "Effect": "Allow",
-            "Action": [
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-1:527700175026:log-group:aws-cis-logs:log-stream:527700175026_CloudTrail_us-east-1*"
-            ]
-        }
-    ]
-}

+ 0 - 13
base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_role_policy_prod.json.tpl

@@ -1,13 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {   
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "cloudtrail.amazonaws.com"
-      },  
-      "Effect": "Allow",
-      "Sid": ""
-    }   
-  ]
-}

+ 0 - 13
base/account_standards/to_be_reviewed/templates/cloudtrail_cloudwatch_logs_role_policy_test.json.tpl

@@ -1,13 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {   
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "cloudtrail.amazonaws.com"
-      },  
-      "Effect": "Allow",
-      "Sid": ""
-    }   
-  ]
-}

+ 0 - 95
base/account_standards/to_be_reviewed/templates/cloudtrail_kms_policy.json.tpl

@@ -1,95 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Id": "Key policy created by CloudTrail",
-  "Statement": [
-    {
-      "Sid": "Enable IAM User Permissions",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": [
-          "arn:aws:iam::${aws_account_id}:root"
-        ]
-      },
-      "Action": "kms:*",
-      "Resource": "*"
-    },
-    {
-      "Sid": "Allow CloudTrail to encrypt logs",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "cloudtrail.amazonaws.com"
-      },
-      "Action": "kms:GenerateDataKey*",
-      "Resource": "*",
-      "Condition": {
-        "StringLike": {
-          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${aws_account_id}:trail/*"
-        }
-      }
-    },
-    {
-      "Sid": "Allow CloudTrail to describe key",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "cloudtrail.amazonaws.com"
-      },
-      "Action": "kms:DescribeKey",
-      "Resource": "*"
-    },
-    {
-      "Sid": "Allow principals in the account to decrypt log files",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": [
-        "kms:Decrypt",
-        "kms:ReEncryptFrom"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "kms:CallerAccount": "${aws_account_id}"
-        },
-        "StringLike": {
-          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${aws_account_id}:trail/*"
-        }
-      }
-    },
-    {
-      "Sid": "Allow alias creation during setup",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "kms:CreateAlias",
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "kms:CallerAccount": "${aws_account_id}",
-          "kms:ViaService": "ec2.us-east-1.amazonaws.com"
-        }
-      }
-    },
-    {
-      "Sid": "Enable cross account log decryption",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": [
-        "kms:Decrypt",
-        "kms:ReEncryptFrom"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "kms:CallerAccount": "${aws_account_id}"
-        },
-        "StringLike": {
-          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${aws_account_id}:trail/*"
-        }
-      }
-    }
-  ]
-}

+ 0 - 30
base/account_standards/to_be_reviewed/templates/cloudtrail_s3_policy.json.tpl

@@ -1,30 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AWSCloudTrailAclCheck",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:GetBucketAcl",
-            "Resource": "arn:aws:s3:::dps-mdr-cloudtrail"
-        },
-        {
-            "Sid": "AWSCloudTrailWrite",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:PutObject",
-            "Resource": [
-                "arn:aws:s3:::dps-mdr-cloudtrail/AWSLogs/350838957895/*"
-            ],
-            "Condition": {
-                "StringEquals": {
-                    "s3:x-amz-acl": "bucket-owner-full-control"
-                }
-            }
-        }
-    ]
-}

+ 0 - 30
base/account_standards/to_be_reviewed/templates/cloudtrail_s3_policy_prod.json.tpl

@@ -1,30 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {   
-            "Sid": "AWSCloudTrailAclCheck",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-            },  
-            "Action": "s3:GetBucketAcl",
-            "Resource": "arn:aws:s3:::dps-mdr-cloudtrail-prod"
-        },  
-        {   
-            "Sid": "AWSCloudTrailWrite",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-            },  
-            "Action": "s3:PutObject",
-            "Resource": [
-                "arn:aws:s3:::dps-mdr-cloudtrail-prod/AWSLogs/477548533976/*"
-            ],  
-            "Condition": {
-                "StringEquals": {
-                    "s3:x-amz-acl": "bucket-owner-full-control"
-                }   
-            }   
-        }   
-    ]   
-}

+ 0 - 30
base/account_standards/to_be_reviewed/templates/cloudtrail_s3_policy_test.json.tpl

@@ -1,30 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AWSCloudTrailAclCheck",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:GetBucketAcl",
-            "Resource": "arn:aws:s3:::dps-mdr-cloudtrail-test"
-        },
-        {
-            "Sid": "AWSCloudTrailWrite",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:PutObject",
-            "Resource": [
-                "arn:aws:s3:::dps-mdr-cloudtrail-test/AWSLogs/527700175026/*"
-            ],
-            "Condition": {
-                "StringEquals": {
-                    "s3:x-amz-acl": "bucket-owner-full-control"
-                }
-            }
-        }
-    ]
-}

+ 0 - 13
base/account_standards/to_be_reviewed/templates/iam_lambda_assume_role_policy.json.tpl

@@ -1,13 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}

+ 0 - 21
base/account_standards/to_be_reviewed/templates/lambda_cloudtrail_status_check_policy.json.tpl

@@ -1,21 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ],
-      "Resource": "arn:aws:logs:*:*:*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "cloudtrail:DescribeTrails"
-      ],
-      "Resource": "*"
-    }
-  ]
-}

+ 0 - 21
base/account_standards/to_be_reviewed/templates/lambda_password_policy_check_policy.json.tpl

@@ -1,21 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ],
-      "Resource": "arn:aws:logs:*:*:*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:GetAccountPasswordPolicy"
-      ],
-      "Resource": "*"
-    }
-  ]
-}

+ 0 - 21
base/account_standards/to_be_reviewed/templates/lambda_root_account_check_policy.json.tpl

@@ -1,21 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ],
-      "Resource": "arn:aws:logs:*:*:*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:GetAccountSummary"
-      ],
-      "Resource": "*"
-    }
-  ]
-}

+ 0 - 23
base/account_standards/to_be_reviewed/templates/lambda_support_group_check_policy.json.tpl

@@ -1,23 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ],
-      "Resource": "arn:aws:logs:*:*:*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:ListEntitiesForPolicy",
-        "iam:GetGroup",
-        "iam:ListPolicies"
-      ],
-      "Resource": "*"
-    }
-  ]
-}

+ 0 - 21
base/account_standards/to_be_reviewed/templates/lambda_user_policies_check_policy.json.tpl

@@ -1,21 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ],
-      "Resource": "arn:aws:logs:*:*:*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:GetAccountPasswordPolicy"
-      ],
-      "Resource": "*"
-    }
-  ]
-}

+ 0 - 3
base/account_standards/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/account_standards_c2/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/account_standards_regional/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/bastion/main.tf

@@ -163,22 +163,6 @@ module "public_dns_record" {
   }
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -189,7 +173,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed
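Review bot: The `data "template_cloudinit_config" "cloud-init"` block that now hosts the templatefile() call (its header is outside this hunk) is still served by the hashicorp/template provider, the same archived provider the removed `template_file` data source came from, so this hunk only half removes the dependency the commit message targets. The hashicorp/cloudinit provider's `cloudinit_config` data source has the same `part` schema and is a drop-in swap: `data "cloudinit_config" "cloud-init" {`, plus a `cloudinit` entry in the module's `required_providers` (presumably where the deleted version.tf pins moved to, but worth confirming). The retained context comment `# Render a multi-part cloud-init config making use of the part above` now refers to a block that no longer exists; `# Render a multi-part cloud-init config from the cloud-init template and other source files` matches the new code. Both points apply equally to the customer_portal, dns/resolver_instance, github, interconnects, jira, both mailrelay, all three nessus, openvpn, phantom and proxy_server sections below. The `salt_master  =` double space is also carried over into every new vars object; a `terraform fmt` pass before tagging v3.0.0 would normalize it.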

+ 0 - 3
base/bastion/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 11 - 17
base/customer_portal/main.tf

@@ -184,22 +184,6 @@ resource "aws_autoscaling_group" "customer_portal" {
   }
 }
 
-
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    zone = var.dns_info["private"]["zone"]
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -210,7 +194,17 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        zone = var.dns_info["private"]["zone"]
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/customer_portal/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 18
base/dns/resolver_instance/main.tf

@@ -81,23 +81,6 @@ module "public_dns_record" {
   }
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = local.instance_name
-    fqdn = "resolver-${var.aws_partition_alias}-${var.instance_number}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    # can't use the DNS name like we would most places, because this is the DNS server
-    saltmaster  = var.salt_master_ip
-    proxy = var.proxy_ip
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -108,7 +91,19 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = local.instance_name
+        fqdn = "resolver-${var.aws_partition_alias}-${var.instance_number}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        # can't use the DNS name like we would most places, because this is the DNS server
+        saltmaster  = var.salt_master_ip
+        proxy = var.proxy_ip
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/dns/resolver_instance/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/github/backup_server.tf

@@ -123,22 +123,6 @@ resource "aws_instance" "ghe-backup-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "ghe-backup" })
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "ghe-backup"
-    fqdn = "ghe-backup.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -149,7 +133,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "ghe-backup"
+        fqdn = "ghe-backup.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/github/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/globally_accessible_bucket/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/iam/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 20
base/interconnects/cloud-init.tf

@@ -1,22 +1,3 @@
-data "template_file" "cloud-init" {
-  count = var.interconnects_count
-
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "interconnect-${count.index}"
-    fqdn = "interconnect-${count.index}.${var.dns_info["private"]["zone"]}"
-    saltmaster = "salt-master.${ var.dns_public["name"] }"
-    environment = var.environment
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-    interconnect_id = count.index
-    vpc_cidr = var.security_vpc_cidr
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -28,7 +9,19 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init[count.index].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "interconnect-${count.index}"
+        fqdn = "interconnect-${count.index}.${var.dns_info["private"]["zone"]}"
+        saltmaster = "salt-master.${ var.dns_public["name"] }"
+        environment = var.environment
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+        interconnect_id = count.index
+        vpc_cidr = var.security_vpc_cidr
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/interconnects/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/jira/instance_jira/main.tf

@@ -133,22 +133,6 @@ resource "aws_instance" "jira-server-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "jira-server" })
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "jira-server"
-    fqdn = "jira-server.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -159,7 +143,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "jira-server"
+        fqdn = "jira-server.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/jira/instance_jira/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/jira/rds_jira/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/kinesis_firehose_waf_logs/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 18
base/mailrelay/instance-mailrelay.tf

@@ -124,23 +124,6 @@ module "private_dns_record" {
   }
 }
 
-#The Cloud init data is to prepare the instance for use. 
-data "template_file" "cloud_init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.old_instance_name
-    fqdn = "${var.old_instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config" {
@@ -151,7 +134,18 @@ data "template_cloudinit_config" "cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.old_instance_name
+        fqdn = "${var.old_instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   #  part {
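Review bot: The descriptive comment `#The Cloud init data is to prepare the instance for use.` was dropped together with the `template_file` data source, so the `template_cloudinit_config "cloud_init_config"` block (header outside this hunk) that now carries the vars has lost the only line saying what that data is for; the same comment is lost in the instance-mailrelay2.tf and proxy_server sections. Re-homing it on the `init.cfg` part, e.g. `# Cloud-init data that prepares the instance for use (hostname, salt master, proxy)`, keeps the intent readable next to the values it now lives with.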

+ 12 - 18
base/mailrelay/instance-mailrelay2.tf

@@ -123,23 +123,6 @@ module "private_dns_record2" {
   }
 }
 
-#The Cloud init data is to prepare the instance for use. 
-data "template_file" "cloud_init2" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config2" {
@@ -150,7 +133,18 @@ data "template_cloudinit_config" "cloud_init_config2" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init2.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   #  part {

+ 0 - 3
base/mailrelay/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/nessus/instance_nessus_manager/main.tf

@@ -146,22 +146,6 @@ resource "aws_instance" "nessus-manager-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "nessus-manager-${count.index}" })
 }
 
-data "template_file" "cloud-init" {
-  count = var.nessus_manager_count
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "nessus-manager-${count.index}"
-    fqdn = "nessus-manager-${count.index}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -173,7 +157,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init[count.index].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "nessus-manager-${count.index}"
+        fqdn = "nessus-manager-${count.index}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/nessus/instance_nessus_manager/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/nessus/instance_nessus_scanner/main.tf

@@ -134,22 +134,6 @@ resource "aws_instance" "nessus-scanner-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "nessus-scanner-${count.index}" })
 }
 
-data "template_file" "cloud-init" {
-  count = var.nessus_scanner_count
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "nessus-scanner-${count.index}"
-    fqdn = "nessus-scanner-${count.index}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -161,7 +145,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init[count.index].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "nessus-scanner-${count.index}"
+        fqdn = "nessus-scanner-${count.index}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/nessus/instance_nessus_scanner/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/nessus/instance_security_center/main.tf

@@ -133,22 +133,6 @@ resource "aws_instance" "security-center-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "security-center-0" })
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "security-center-0"
-    fqdn = "security-center-0.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -159,7 +143,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "security-center-0"
+        fqdn = "security-center-0.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/nessus/instance_security_center/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/openvpn/main.tf

@@ -141,22 +141,6 @@ module "private_dns_record" {
   }
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -167,7 +151,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/openvpn/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/palo_alto/firewall_nodes/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/palo_alto/panorama/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/phantom/main.tf

@@ -159,22 +159,6 @@ resource "aws_instance" "phantom-server-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "phantom-${count.index}" })
 }
 
-data "template_file" "cloud-init" {
-  count = var.phantom_instance_count
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "phantom-${count.index}"
-    fqdn = "phantom-${count.index}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -186,7 +170,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init[count.index].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "phantom-${count.index}"
+        fqdn = "phantom-${count.index}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # mount /dev/xvdf at /opt/

+ 0 - 3
base/phantom/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 18
base/proxy_server/main.tf

@@ -163,23 +163,6 @@ module "public_dns_record" {
   }
 }
 
-#The Cloud init data is to prepare the instance for use. 
-data "template_file" "cloud_init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config" {
@@ -190,7 +173,18 @@ data "template_cloudinit_config" "cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 }
 

+ 0 - 3
base/proxy_server/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 18
base/repo_server/main.tf

@@ -163,23 +163,6 @@ module "public_dns_record" {
   }
 }
 
-#The Cloud init data is to prepare the instance for use. 
-data "template_file" "cloud_init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config" {
@@ -190,7 +173,18 @@ data "template_cloudinit_config" "cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   part {

+ 0 - 3
base/repo_server/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 20
base/rhsso/main.tf

@@ -162,25 +162,6 @@ module "private_dns_record" {
 #  }
 #}
 
-#The Cloud init data is to prepare the instance for use. 
-data "template_file" "cloud_init" {
-  count = var.rhsso_instance_count
-
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "rhsso-${count.index}"
-    fqdn = "rhsso-${count.index}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config" {
@@ -192,6 +173,17 @@ data "template_cloudinit_config" "cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init[count.index].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "rhsso-${count.index}"
+        fqdn = "rhsso-${count.index}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 }

+ 0 - 3
base/rhsso/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/s3_bucket_writer_role/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 20
base/salt_master/main.tf

@@ -163,25 +163,6 @@ module "public_dns_record" {
   }
 }
 
-#The Cloud init data is to prepare the Salt Master for use. 
-#This includes secrets from the AWS Secrets Manager, Github connectivity via SSH, and
-#prepopulating the salt master private key. May history judge me kindly.  
-data "template_file" "salt_master_cloud_init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud_init_salt_master.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "salt_master_cloud_init_config" {
@@ -192,7 +173,18 @@ data "template_cloudinit_config" "salt_master_cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.salt_master_cloud_init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud_init_salt_master.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
base/salt_master/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/salt_master_inventory_role/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/security_vpc/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 17
base/sensu/main.tf

@@ -128,22 +128,6 @@ resource "aws_instance" "instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -154,7 +138,18 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # Additional parts as needed

+ 13 - 18
base/splunk_servers/alsi/master.tf

@@ -67,23 +67,6 @@ module "private_dns_record_master" {
   }
 }
 
-data "template_file" "cloud-init-master" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = local.instance_name_master
-    fqdn = "${local.instance_name_master}.${var.dns_info["private"]["zone"]}"
-    splunk_prefix = var.prefix
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init-master" {
@@ -94,7 +77,19 @@ data "template_cloudinit_config" "cloud-init-master" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init-master.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = local.instance_name_master
+        fqdn = "${local.instance_name_master}.${var.dns_info["private"]["zone"]}"
+        splunk_prefix = var.prefix
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 }
 

+ 0 - 3
base/splunk_servers/alsi/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 20
base/splunk_servers/alsi/workers.tf

@@ -83,25 +83,6 @@ module "private_dns_record_worker" {
   }
 }
 
-data "template_file" "cloud-init-worker" {
-  count = var.alsi_workers
-
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "${local.instance_name_worker}-${count.index}"
-    fqdn = "${local.instance_name_worker}-${count.index}.${var.dns_info["private"]["zone"]}"
-    splunk_prefix = var.prefix
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init-worker" {
@@ -113,7 +94,19 @@ data "template_cloudinit_config" "cloud-init-worker" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init-worker[count.index].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl", 
+      {
+        hostname = "${local.instance_name_worker}-${count.index}"
+        fqdn = "${local.instance_name_worker}-${count.index}.${var.dns_info["private"]["zone"]}"
+        splunk_prefix = var.prefix
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 }
 

+ 13 - 18
base/splunk_servers/cluster_master/main.tf

@@ -153,23 +153,6 @@ module "private_dns_record" {
   }
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = local.instance_name
-    fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
-    splunk_prefix = var.prefix
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -180,7 +163,19 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl", 
+      {
+        hostname = local.instance_name
+        fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
+        splunk_prefix = var.prefix
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # mount /dev/xvdf at /opt/splunk

+ 0 - 3
base/splunk_servers/cluster_master/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 35 - 0
base/splunk_servers/customer_searchhead/certificate-auth.tf

@@ -0,0 +1,35 @@
+#Certificate 
+resource "aws_acm_certificate" "cert-auth" {
+  domain_name       = "${local.auth_short_name}.${var.dns_info["public"]["zone"]}"
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_acm_certificate_validation" "cert-auth" {
+  certificate_arn         = aws_acm_certificate.cert-auth.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert-validation-auth: record.fqdn]
+}
+
+resource "aws_route53_record" "cert-validation-auth" {
+  provider = aws.mdr-common-services-commercial
+
+  for_each = {
+    for dvo in aws_acm_certificate.cert-auth.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_info["public"]["zone_id"]
+}

+ 134 - 0
base/splunk_servers/customer_searchhead/elb-auth.tf

@@ -0,0 +1,134 @@
+resource "aws_lb" "searchhead-auth-alb" {
+  name               = "${local.alb_name}-auth"
+  internal           = false
+  load_balancer_type = "application"
+  # Not supported for NLB
+  security_groups    = [aws_security_group.searchhead-auth-alb-sg.id]
+  # Note, changing subnets results in recreation of the resource
+  subnets            = var.public_subnets
+  enable_cross_zone_load_balancing = true
+
+  access_logs {
+    bucket  = "xdr-elb-${ var.environment }"
+    enabled = true
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+#########################
+# Listeners
+resource "aws_lb_listener" "searchhead-auth-alb-listener-https" {
+  load_balancer_arn = aws_lb.searchhead-auth-alb.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  certificate_arn   = aws_acm_certificate.cert-auth.arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn
+  }
+}
+
+# Redirect HTTP to HTTPS
+resource "aws_lb_listener" "searchhead-auth-alb-listener-http" {
+  load_balancer_arn = aws_lb.searchhead-auth-alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+#########################
+# Targets
+resource "aws_lb_target_group" "searchhead-auth-alb-target-10000" {
+  name     = "${local.alb_name}-10000"
+  port     = 10000
+  protocol = "HTTPS"
+  target_type = "instance"
+  vpc_id   = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+
+  health_check {
+    enabled = true
+    path = "/Saml2IDP/proxy.xml"
+    port = 10000
+    protocol = "HTTPS"
+  }
+
+  # Stickiness is not needed here, but we'll need it if we add SHs
+  stickiness {
+    type = "lb_cookie"
+    cookie_duration = 86400 # 1 day
+    enabled = true
+  }
+}
+
+resource "aws_lb_target_group_attachment" "searchhead-auth-alb-target-10000-instance" {
+  target_group_arn = aws_lb_target_group.searchhead-auth-alb-target-10000.arn
+  target_id        = aws_instance.instance.id
+  port             = 10000
+}
+
+#########################
+# Security Group for ALB
+resource "aws_security_group" "searchhead-auth-alb-sg" {
+  name = "${local.alb_name}-customer-auth-alb-sh"
+  description = "Security Group for the Customer Searchhead Authorization ALB"
+  vpc_id = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_security_group_rule" "searchhead-auth-alb-https-in" {
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = local.alb_clients
+  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
+}
+
+resource "aws_security_group_rule" "searchhead-auth-http-in" {
+  # Port 80 is open as a redirect to 443
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = local.alb_clients
+  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
+}
+
+resource "aws_security_group_rule" "searchhead-auth-alb-10000-out" {
+  type              = "egress"
+  from_port         = 10000
+  to_port           = 10000
+  protocol          = "tcp"
+  # Maybe should limit to the local vpc, but I don't readily have that cidr available
+  cidr_blocks       = [ var.vpc_cidr ]
+  security_group_id = aws_security_group.searchhead-auth-alb-sg.id
+}
+
+#########################
+# DNS Entry
+module "public_dns_record_cust-auth-elb" {
+  source = "../../../submodules/dns/public_ALIAS_record"
+
+  name = "${local.auth_short_name}"
+
+  target_dns_name = aws_lb.searchhead-auth-alb.dns_name
+  target_zone_id  = aws_lb.searchhead-auth-alb.zone_id
+  dns_info = var.dns_info
+
+  providers = {
+    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
+  }
+}
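Review bot: The comment on the egress rule `searchhead-auth-alb-10000-out` ("I don't readily have that cidr available") contradicts the line right below it, which already scopes egress to `[ var.vpc_cidr ]`; either drop the comment or go one step further and replace `cidr_blocks` with `source_security_group_id = aws_security_group.searchhead_security_group.id` so the ALB can only reach the searchhead instance rather than the whole VPC. The `aws_lb` block leaves `drop_invalid_header_fields` at its default; `drop_invalid_header_fields = true` is the usual hardening for an internet-facing ALB in front of an auth endpoint. The security group description says "Authorization", while the health-check path `/Saml2IDP/proxy.xml` suggests port 10000 is a SAML authentication proxy, so the wording is worth confirming. The rule name `searchhead-auth-http-in` also breaks the `searchhead-auth-alb-*` prefix used by its siblings.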

+ 27 - 18
base/splunk_servers/customer_searchhead/main.tf

@@ -4,6 +4,7 @@ locals {
   instance_name = var.instance_name != "" ? var.instance_name : "${ var.prefix }-splunk-cust-sh"
   alb_name = "${ var.prefix }-splunk-cust-sh"
   dns_short_name = "search.${ var.prefix }"
+  auth_short_name = "search-auth.${ var.prefix }"
 }
 
 # Rather than pass in the aws security group, we just look it up. This will
@@ -162,23 +163,6 @@ module "private_dns_record" {
   }
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = local.instance_name
-    fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
-    splunk_prefix = var.prefix
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -189,7 +173,19 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl", 
+      {
+        hostname = local.instance_name
+        fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
+        splunk_prefix = var.prefix
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # mount /dev/xvdf at /opt/splunk
@@ -235,6 +231,19 @@ resource "aws_security_group_rule" "splunk-web-in" {
   security_group_id = aws_security_group.searchhead_security_group.id
 }
 
+resource "aws_security_group_rule" "splunk-auth-in" {
+  description       = "Web access"
+  type              = "ingress"
+  from_port         = 10000
+  to_port           = 10000
+  protocol          = "tcp"
+  cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], 
+                                   var.cidr_map["vpc-private-services"], 
+                                   [ var.vpc_cidr ], 
+                      ))
+  security_group_id = aws_security_group.searchhead_security_group.id
+}
+
 resource "aws_security_group_rule" "splunk-api-in" {
   description       = "Splunk API"
   type              = "ingress"
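Review bot: The new `splunk-auth-in` rule reuses the description `"Web access"` from the `splunk-web-in` rule directly above it, so the two rules are indistinguishable in the console and in audit output; something like `description = "SAML auth proxy (10000) from the auth ALB"` names its actual purpose. Since the only intended client of port 10000 appears to be the auth ALB defined in elb-auth.tf, the three-way CIDR list could be replaced with `source_security_group_id = aws_security_group.searchhead-auth-alb-sg.id`, which keeps the rule correct if `var.cidr_map` changes; confirm nothing else needs direct access to that port first. `toset(concat(...))` also produces a set where the argument takes a list, so a plain `concat(...)` would read more clearly if ordering is not relied on.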

+ 4 - 0
base/splunk_servers/customer_searchhead/outputs.tf

@@ -2,6 +2,10 @@ output fqdn {
   value = module.public_dns_record_cust-elb.forward
 }
 
+output auth-fqdn {
+  value = module.public_dns_record_cust-auth-elb.forward
+}
+
 output instance_arn {
   value = aws_instance.instance.arn
 }
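Review bot: The new output is named `auth-fqdn` with a hyphen while the sibling outputs `fqdn` and `instance_arn` use underscores, which is the conventional Terraform identifier style; `output auth_fqdn {` keeps the file consistent. Renaming an output later breaks every consumer that references it, so it is cheapest to settle the name before this module is used from xdr-terraform-live.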

+ 0 - 3
base/splunk_servers/customer_searchhead/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 30 - 1
base/splunk_servers/customer_searchhead/waf.tf

@@ -5,7 +5,11 @@ module "waf" {
   allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
   additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
   resource_arn = aws_lb.searchhead-alb.arn
-  fqdns = keys(module.public_dns_record_cust-elb.forward) # first entry in list will be the WAF name
+  fqdns = concat( # first entry in list will be the WAF name
+    keys(module.public_dns_record_cust-elb.forward),
+    keys(module.public_dns_record_cust-auth-elb.forward),
+  )
+
 
   # These are passed through and should be the same for module
   tags = merge(var.standard_tags, var.tags)
@@ -13,3 +17,28 @@ module "waf" {
   aws_region = var.aws_region
   aws_account_id = var.aws_account_id
 }
+
+# Share a WAF for both services, should be cheaper due to scale, but can be easily separated out
+# using the commented section below, if the need arises.
+
+# Temporary disabled
+#resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
+#  resource_arn = aws_lb.searchhead-auth-alb.arn
+#  web_acl_arn  = module.waf.web_acl_id
+#}
+
+#module "waf-auth" {
+#  source = "../../../submodules/wafv2"
+#
+#  # Custom to resource
+#  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
+#  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
+#  resource_arn = aws_lb.searchhead-auth-alb.arn
+#  fqdns = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
+#
+#  # These are passed through and should be the same for module
+#  tags = merge(var.standard_tags, var.tags)
+#  aws_partition = var.aws_partition
+#  aws_region = var.aws_region
+#  aws_account_id = var.aws_account_id
+#}
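Review bot: The auth ALB ends up without WAF coverage: its FQDNs are added to `fqdns`, but `resource_arn` still names only `aws_lb.searchhead-alb.arn` and the `aws_wafv2_web_acl_association` for `searchhead-auth-alb` is commented out as "Temporary disabled", so the new internet-facing listener on 443 (`internal = false` in elb-auth.tf) has no web ACL attached. If the association has to stay off for now, the comment should record why and what re-enables it, e.g. `# TODO: auth ALB has no WAF until the association below is re-enabled (blocked by <REASON>)`, so the gap is visible rather than looking like dead code. The extra blank line left after the `concat(...)` closing paren is `terraform fmt` noise.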

+ 0 - 3
base/splunk_servers/frozen_s3_bucket/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 18
base/splunk_servers/heavy_forwarder/main.tf

@@ -153,23 +153,6 @@ module "private_dns_record" {
   }
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = local.instance_name
-    fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
-    splunk_prefix = var.prefix
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -180,7 +163,19 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = local.instance_name
+        fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
+        splunk_prefix = var.prefix
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # mount /dev/xvdf at /opt/splunk

+ 0 - 3
base/splunk_servers/heavy_forwarder/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 18
base/splunk_servers/indexer_cluster/cloud-init.tf

@@ -1,20 +1,3 @@
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    prefix = var.prefix
-    zone = var.dns_info["private"]["zone"]
-    splunk_prefix = var.prefix
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -25,7 +8,19 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        prefix = var.prefix
+        zone = var.dns_info["private"]["zone"]
+        splunk_prefix = var.prefix
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   part {

+ 0 - 3
base/splunk_servers/indexer_cluster/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/splunk_servers/legacy_hec/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 18
base/splunk_servers/searchhead/main.tf

@@ -158,23 +158,6 @@ module "private_dns_record" {
   }
 }
 
-data "template_file" "cloud-init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = local.instance_name
-    fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
-    splunk_prefix = var.prefix
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
@@ -185,7 +168,19 @@ data "template_cloudinit_config" "cloud-init" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = local.instance_name
+        fqdn = "${local.instance_name}.${var.dns_info["private"]["zone"]}"
+        splunk_prefix = var.prefix
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 
   # mount /dev/xvdf at /opt/splunk

+ 0 - 3
base/splunk_servers/searchhead/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/standard_vpc/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 18
base/teleport-single-instance/main.tf

@@ -151,23 +151,6 @@ module "private_dns_record" {
   }
 }
 
-#The Cloud init data is to prepare the instance for use. 
-data "template_file" "cloud_init" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config" {
@@ -178,6 +161,17 @@ data "template_cloudinit_config" "cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = var.instance_name
+        fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
 }
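Review bot: The context comment just above this hunk, `# Render a multi-part cloud-init config making use of the part / # above, and other source files`, now refers to a `template_file` block that the first hunk of this file deletes, so it is stale once the rendering moves inline into `templatefile()`. A replacement such as `# Render a multi-part cloud-init config; init.cfg is produced inline by templatefile() from cloud-init/cloud-init.tpl` would keep it accurate. The same stale comment survives in base/vault/main.tf, base/vmray_instances/server.tf and base/vmray_instances/worker.tf (and the searchhead main.tf earlier in this diff). The `data "template_cloudinit_config"` block's header arguments and its other parts sit outside this hunk.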

+ 0 - 3
base/teleport-single-instance/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/transit_gateway_client/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/transit_gateway_hub/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 3
base/transit_gateway_interconnect_vpn/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 12 - 19
base/vault/main.tf

@@ -157,24 +157,6 @@ module "private_dns_record" {
   }
 }
 
-#The Cloud init data is to prepare Vault.  
-data "template_file" "cloud_init" {
-  for_each = toset(var.instance_count)
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "${var.instance_name}-${each.value}"
-    fqdn = "${var.instance_name}-${each.value}.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config" {
@@ -186,7 +168,18 @@ data "template_cloudinit_config" "cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init[each.key].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "${var.instance_name}-${each.value}"
+        fqdn = "${var.instance_name}-${each.value}.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+      }
+    )
   }
   
 }
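Review bot: The new `templatefile()` call keys hostname and fqdn on `each.value`, but the removed `template_file` block was the one that carried `for_each = toset(var.instance_count)`; the replacement only works if `data "template_cloudinit_config" "cloud_init_config"` itself has an equivalent `for_each`, and that line is outside the hunk (the old `[each.key]` index suggests it does, which is worth confirming). If it is keyed on the same set, `each.key` and `each.value` are identical for a `toset()`, so the behaviour is unchanged. Separately, the whitespace-only line before the closing brace (`   `) is not `terraform fmt` clean.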

+ 0 - 3
base/vault/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 18
base/vmray_instances/server.tf

@@ -98,23 +98,6 @@ locals {
   secret_ubuntu = jsondecode(data.aws_secretsmanager_secret_version.ubuntu.secret_string)
 }
 
-data "template_file" "cloud-init-vmray-server" {
-  # Should these be in a common directory? I suspect they'd be reusable
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "vmray-server"
-    fqdn = "vmray-server.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-    ua_key = local.secret_ubuntu["ua_key"]
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init-vmray-server" {
@@ -125,7 +108,19 @@ data "template_cloudinit_config" "cloud-init-vmray-server" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init-vmray-server.rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "vmray-server"
+        fqdn = "vmray-server.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+        ua_key = local.secret_ubuntu["ua_key"]
+      }
+    )
   }
 
   # Additional parts as needed
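Review bot: `ua_key = local.secret_ubuntu["ua_key"]` interpolates a Secrets Manager value into the rendered cloud-init, and this change keeps that exposure: the rendered text is stored in Terraform state (previously as the `template_file` data source, now as the `template_cloudinit_config` output) and ends up in the instance's user data, which is readable from inside the instance via the metadata service. It is not introduced by this commit, but it is worth a comment at that line, e.g. `# NOTE: secret is rendered into user_data and state; prefer fetching it at boot via the instance role`, or moving the retrieval into the boot script with the instance profile. The same applies to the worker part in base/vmray_instances/worker.tf.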

+ 0 - 3
base/vmray_instances/version.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 13 - 18
base/vmray_instances/worker.tf

@@ -41,23 +41,6 @@ resource "aws_instance" "vmray-worker-instance" {
   volume_tags = merge( var.standard_tags, var.tags, { Name = "vmray-worker-${ count.index }" })
 }
 
-data "template_file" "cloud-init-vmray-worker" {
-  count = var.vmray_worker_instance_count
-  template = file("${path.module}/cloud-init/cloud-init.tpl")
-
-  vars = {
-    hostname = "vmray-worker-${ count.index }"
-    fqdn = "vmray-worker-${ count.index }.${var.dns_info["private"]["zone"]}"
-    environment = var.environment
-    salt_master  = var.salt_master
-    proxy = var.proxy
-    aws_partition = var.aws_partition
-    aws_partition_alias = var.aws_partition_alias
-    aws_region = var.aws_region
-    ua_key = local.secret_ubuntu["ua_key"] # This is gathered in server.tf
-  }
-}
-
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init-vmray-worker" {
@@ -69,7 +52,19 @@ data "template_cloudinit_config" "cloud-init-vmray-worker" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud-init-vmray-worker[count.index].rendered
+    content      = templatefile("${path.module}/cloud-init/cloud-init.tpl",
+      {
+        hostname = "vmray-worker-${ count.index }"
+        fqdn = "vmray-worker-${ count.index }.${var.dns_info["private"]["zone"]}"
+        environment = var.environment
+        salt_master  = var.salt_master
+        proxy = var.proxy
+        aws_partition = var.aws_partition
+        aws_partition_alias = var.aws_partition_alias
+        aws_region = var.aws_region
+        ua_key = local.secret_ubuntu["ua_key"] # This is gathered in server.tf
+      }
+    )
   }
 
   # Additional parts as needed

+ 0 - 3
submodules/iam/child_account_roles/versions.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = "~> 0.13"
-}

+ 0 - 1
submodules/iam/common_services_roles/modules/saml_linked_role/versions.tf

@@ -7,5 +7,4 @@ terraform {
       source = "oktadeveloper/okta"
     }
   }
-  required_version = ">= 0.13"
 }
