feat: add test environment support and standardize GOAD deployment configuration #81

Merged: l50 merged 2 commits into main from feat/terraform-terragrunt-updates on Apr 6, 2026

Contributor

@l50 l50 commented Apr 6, 2026

Key Changes:

  • Introduced a fully parameterized "test" environment for GOAD deployments
  • Centralized admin password management using a single GOAD lab config JSON
  • Standardized Windows AMI selection and instance provisioning logic
  • Improved documentation and dependency version updates for reliability

Added:

  • Comprehensive "test" environment configuration for GOAD, including env.hcl,
    region.hcl, and VPC/network setup for us-east-2
  • Parameterized Terragrunt configurations for test DCs and servers with secure
    admin password injection from ad/GOAD/data/test-config.json
  • Windows user data PowerShell templates for secure instance initialization
    and SSM agent setup in the test environment
  • New lab config file (test-config.json) for the test environment, supporting
    host definitions, domains, users, groups, and vulnerabilities

Changed:

  • Updated all AWS Windows and Linux host config files to clarify AMI ID
    region-specific usage and reference the AWS Marketplace for correct AMI IDs
  • Standardized admin password retrieval across all environments (dev, staging,
    test) to pull from environment-specific lab config JSON instead of environment
    variables, ensuring a single source of truth
  • Modified Terragrunt host configuration to use dynamic lab config JSON and
    host registry file resolution for improved portability and maintainability
  • Updated instance AMI selection logic: now uses most recent warpgate-built
    AMIs by name glob (goad-dc-base-*, goad-member-base-2016-*, etc.) and
    restricts to AMIs owned by the current account (owners = ["self"])
  • Upgraded Go module dependencies to latest patch versions for
    aws-sdk-go-v2/config, credentials, smithy-go, and others to improve
    reliability and compatibility
  • Enhanced Ansible role documentation for settings_updates and
    wazuh_agent_linux with task breakdowns

Removed:

  • Deprecated static admin password environment variable usage from all
    Terragrunt host configs, eliminating the risk of password drift or accidental
    exposure
  • Redundant static AMI ID references from Windows/Linux host configs to avoid
    confusion and ensure always using up-to-date AMIs

…iven secrets

**Added:**

- Introduced a new GOAD test environment under `infra/goad-deployment/test/`
- Added environment configuration (`env.hcl`) for the test environment, setting
  deployment name, AWS account ID, environment, and VPC CIDR
- Created regional configuration (`region.hcl`) for `us-east-2`
- Implemented a new VPC network module for the test environment with SSM/S3 VPC
  endpoints and tagging
- Added reusable PowerShell user data templates for domain controllers and
  member servers, ensuring TLS 1.2, SSM agent installation, and secure
  admin/ansible account setup
- Added wrapper script templates for injecting compressed, base64-encoded
  PowerShell user data
- Added terragrunt configuration for deploying domain controllers (`dc01`,
  `dc02`, `dc03`) and member servers (`srv02`, `srv03`) in the test
  environment, sourcing secrets and host metadata from a single config file
- Introduced a comprehensive test lab configuration in
  `ad/GOAD/data/test-config.json` defining hosts, domains, users, groups,
  ACLs, and vulnerabilities for the test environment

**Changed:**

- Added prominent region-specific AMI ID warnings and marketplace reference
  comments to all AWS provider `linux.tf` and `windows.tf` files for clarity
- Updated `infra/goad-deployment/host.hcl` to use `find_in_parent_folders` for
  locating `host-registry.yaml`, improving portability
- Modified `infra/goad-deployment/staging/env.hcl` to auto-discover the AWS
  account ID using `get_aws_account_id()`
- Refactored DC and server terragrunt modules (`dc01`, `dc02`, `dc03`, `srv02`,
  `srv03`) in `staging/us-west-1/goad`:
    - Now read admin passwords directly from the lab config JSON for single
      source of truth
    - Use mock outputs for dependencies to support `init`, `validate`, `plan`
      without AWS resources
    - Updated Windows AMI lookup logic to filter by AMI name patterns
      (`goad-dc-base-*`, `goad-member-base-2016-*`, etc.), removing hardcoded
      AMI IDs and supporting most recent self-owned images
    - Improved documentation comments and streamlined input blocks
@dreadnode-renovate-bot (bot) added the labels lab/NHA, lab/GOAD, lab/GOAD-Mini, area/ad-labs, lab/SCCM, lab/GOAD-Light on Apr 6, 2026

@l50 force-pushed the feat/terraform-terragrunt-updates branch from 9b805ed to 76d5774 on April 6, 2026 19:59

@l50 merged commit 8d692bb into main on Apr 6, 2026 (6 checks passed)

@l50 deleted the feat/terraform-terragrunt-updates branch on April 6, 2026 20:11
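
The pattern the description outlines (admin password read from the lab config JSON, mock outputs for dependencies, self-owned AMI lookup by name glob), as an added sketch that is not code from this pull request. The JSON key path `lab.hosts.dc01.local_admin_password`, the `network` dependency with its path and output name, and the variable names are assumptions; the AMI name pattern and config file path are taken from the description.

```hcl
# Added sketch, not the repository's code. Names marked "assumed" are illustrative.

# ---- terragrunt.hcl for one test host ----
locals {
  # Path from the PR description; resolving it from the repo root is assumed.
  lab_config = jsondecode(file("${get_repo_root()}/ad/GOAD/data/test-config.json"))
  # Assumed schema: lab.hosts.<id>.local_admin_password
  host = local.lab_config.lab.hosts["dc01"]
}

dependency "network" {
  config_path = "../network" # assumed relative path
  # Placeholder outputs so init/validate/plan work before the VPC exists.
  mock_outputs = {
    private_subnet_id = "subnet-00000000000000000" # constructed value
  }
  mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
}

inputs = {
  ami_name_pattern = "goad-dc-base-*"
  admin_password   = local.host.local_admin_password
  subnet_id        = dependency.network.outputs.private_subnet_id
}

# ---- main.tf in the instance module ----
variable "ami_name_pattern" {
  type = string
}

variable "admin_password" {
  type      = string
  sensitive = true # keeps the value out of plan output; it is still stored in state
}

data "aws_ami" "windows" {
  most_recent = true
  owners      = ["self"] # only images built in this account can match the glob
  filter {
    name   = "name"
    values = [var.ami_name_pattern]
  }
}
```

With `most_recent = true` and a name glob, the `owners = ["self"]` constraint is what keeps a look-alike image published from another account from being selected.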