# range

# ATT&CK Evaluations Enterprise 2025

Terraform deployment 3 of 3. Please see the main Terraform Deployment page for more information.

Before proceeding with this stage, please review deploy.auto.tfvars and ensure these variables are set:

  • aws_trusted_account_id — the 12-digit ID of the AWS account where on-prem scenarios will be emulated (the default). Verify this value before applying, since this stage creates a trust relationship with the account it names.
  • win_srv_admin_username — desired domain admin username to be applied to hosts.
  • win_srv_admin_password — desired domain admin password to be applied to hosts (it is stored in plaintext in deploy.auto.tfvars, so keep that file out of version control).

# Requirements

Name Version
terraform >=1.1.0
ansible ~> 1.3.0
aws ~> 5.97.0

# Providers

Name Version
ansible 1.3.0
aws 5.97.0
aws.cloud-detections 5.97.0
aws.cloud-protections 5.97.0
aws.default 5.97.0
terraform n/a
time 0.13.1

# Modules

Name Source Version
amis ../modules/aws/amis n/a
amis-cloud ../modules/aws/amis n/a
b3-access-srv1 ../modules/aws/base-vm n/a
b3-addc-srv1 ../modules/aws/base-vm-win n/a
b3-dmz-guacamole-srv1 ../modules/aws/base-vm n/a
b3-dmz-mfa-srv1 ../modules/aws/base-vm n/a
b3-file-srv1 ../modules/aws/base-vm n/a
b3-file-srv2 ../modules/aws/base-vm n/a
b3-mail-srv1 ../modules/aws/base-vm n/a
b3-mdm-srv1 ../modules/aws/base-vm n/a
b3-win-jumpbox1 ../modules/aws/base-vm n/a
b3-win11-desk1 ../modules/aws/base-vm n/a
b3-win11-desk2 ../modules/aws/base-vm n/a
b3-win11-desk3 ../modules/aws/base-vm n/a
b3-win11-desk4 ../modules/aws/base-vm n/a
choco-srv1 ../modules/aws/base-vm n/a
cloud-airbyte-srv1 ../modules/aws/base-vm n/a
cloud-defaults ../modules/aws/defaults n/a
cloud-gitlab-srv1 ../modules/aws/base-vm n/a
cloud-wekan-srv1 ../modules/aws/base-vm n/a
defaults ../modules/aws/defaults n/a
dmz-guacamole-srv1 ../modules/aws/base-vm n/a
dns-srv1 ../modules/aws/base-vm n/a
idp-srv1 ../modules/aws/base-vm n/a
on-prem-access-srv1 ../modules/aws/base-vm n/a
on-prem-addc-srv1 ../modules/aws/base-vm-win n/a
on-prem-file-srv1 ../modules/aws/base-vm n/a
on-prem-file-srv2 ../modules/aws/base-vm n/a
on-prem-mail-srv1 ../modules/aws/base-vm n/a
on-prem-mfa-srv1 ../modules/aws/base-vm n/a
on-prem-win11-desk1 ../modules/aws/base-vm n/a
on-prem-win11-desk2 ../modules/aws/base-vm n/a
on-prem-win11-desk3 ../modules/aws/base-vm n/a
on-prem-win11-desk4 ../modules/aws/base-vm n/a
openvpn-client ../modules/aws/vpn-client n/a
postfix-srv1 ../modules/aws/base-vm n/a
postfix-srv2 ../modules/aws/base-vm n/a
postfix-srv3 ../modules/aws/base-vm n/a
preflights-box1 ../modules/aws/base-vm n/a
red-kali1 ../modules/aws/base-vm n/a
redirect-srv1 ../modules/aws/base-vm n/a
redirect-srv2 ../modules/aws/base-vm n/a
redirect-srv3 ../modules/aws/base-vm n/a
redirect-srv4 ../modules/aws/base-vm n/a
rmm-srv1 ../modules/aws/base-vm n/a
rustdesk-srv1 ../modules/aws/base-vm n/a
ssm_activation ../modules/aws/ssm-activation n/a
unmanaged-win11-desk1 ../modules/aws/base-vm n/a
win-jumpbox1 ../modules/aws/base-vm n/a
wstunnel-srv1 ../modules/aws/base-vm n/a

# Resources

Name Type
ansible_group.domain_kingslanding resource
ansible_group.domain_vale resource
ansible_group.linux resource
ansible_group.linux_cloud resource
ansible_group.linux_kali resource
ansible_group.linux_preflights resource
ansible_group.linux_ubuntu resource
ansible_group.red_jumpbox_servers resource
ansible_group.windows resource
ansible_group.windows_desktops resource
ansible_group.windows_domain_controllers resource
ansible_group.windows_file_servers resource
ansible_group.windows_rds_servers resource
ansible_group.windows_servers resource
ansible_host.b3-access-srv1 resource
ansible_host.b3-addc-srv1 resource
ansible_host.b3-dmz-guacamole-srv1 resource
ansible_host.b3-dmz-mfa-srv1 resource
ansible_host.b3-file-srv1 resource
ansible_host.b3-file-srv2 resource
ansible_host.b3-mail-srv1 resource
ansible_host.b3-mdm-srv1 resource
ansible_host.b3-win-jumpbox1 resource
ansible_host.b3-win11-desk1 resource
ansible_host.b3-win11-desk2 resource
ansible_host.b3-win11-desk3 resource
ansible_host.b3-win11-desk4 resource
ansible_host.choco-srv1 resource
ansible_host.cloud-airbyte-srv1 resource
ansible_host.cloud-gitlab-srv1 resource
ansible_host.cloud-wekan-srv1 resource
ansible_host.dmz-guacamole-srv1 resource
ansible_host.dns-srv1 resource
ansible_host.on-prem-access-srv1 resource
ansible_host.on-prem-addc-srv1 resource
ansible_host.on-prem-file-srv1 resource
ansible_host.on-prem-file-srv2 resource
ansible_host.on-prem-mail-srv1 resource
ansible_host.on-prem-mfa-srv1 resource
ansible_host.on-prem-win11-desk1 resource
ansible_host.on-prem-win11-desk2 resource
ansible_host.on-prem-win11-desk3 resource
ansible_host.on-prem-win11-desk4 resource
ansible_host.postfix-srv1 resource
ansible_host.postfix-srv2 resource
ansible_host.postfix-srv3 resource
ansible_host.preflights-box1 resource
ansible_host.red-idp-srv1 resource
ansible_host.red-kali1 resource
ansible_host.red-win-jumpbox1 resource
ansible_host.redirect-srv1 resource
ansible_host.redirect-srv2 resource
ansible_host.redirect-srv3 resource
ansible_host.redirect-srv4 resource
ansible_host.rmm-srv1 resource
ansible_host.rustdesk-srv1 resource
ansible_host.unmanaged-win11-desk1 resource
ansible_host.wstunnel-srv1 resource
aws_ebs_volume.on-prem-file-srv2-disks resource
aws_ec2_managed_prefix_list.attacker resource
aws_ec2_managed_prefix_list.attacker-cloud resource
aws_ec2_managed_prefix_list.attacker-cloud-protections resource
aws_ec2_managed_prefix_list.b3 resource
aws_ec2_managed_prefix_list.b3-cloud resource
aws_ec2_managed_prefix_list.b3-cloud-protections resource
aws_ec2_managed_prefix_list.cloud-victim-cloud resource
aws_ec2_managed_prefix_list.cloud-victim-cloud-protections resource
aws_ec2_managed_prefix_list.detections-cloud-victim-cloud-protections resource
aws_ec2_managed_prefix_list.main-victim-cloud-protections resource
aws_ec2_managed_prefix_list.neutral resource
aws_ec2_managed_prefix_list.neutral-cloud resource
aws_ec2_managed_prefix_list.neutral-cloud-protections resource
aws_ec2_managed_prefix_list.onprem-cloud resource
aws_ec2_managed_prefix_list.onprem-cloud-protections resource
aws_ec2_managed_prefix_list.victim resource
aws_ec2_managed_prefix_list.victim-cloud resource
aws_ec2_managed_prefix_list.vpn resource
aws_ec2_transit_gateway.main resource
aws_ec2_transit_gateway_prefix_list_reference.cloud-protections-plr-attacker resource
aws_ec2_transit_gateway_prefix_list_reference.cloud-protections-plr-neutral resource
aws_ec2_transit_gateway_prefix_list_reference.cloud-protections-plr-protections resource
aws_ec2_transit_gateway_prefix_list_reference.cloud-protections-plr-victim resource
aws_ec2_transit_gateway_prefix_list_reference.cloud-protections-plr-victim-cloud resource
aws_ec2_transit_gateway_route.cloud-protections-internet resource
aws_ec2_transit_gateway_route_table.cloud-protections resource
aws_ec2_transit_gateway_route_table_association.cloud-protections resource
aws_ec2_transit_gateway_vpc_attachment.b3-tgwa resource
aws_ec2_transit_gateway_vpc_attachment.cloud-protections-tgwa resource
aws_ec2_transit_gateway_vpc_attachment.cloud-tgwa resource
aws_ec2_transit_gateway_vpc_attachment.neutral-tgwa resource
aws_ec2_transit_gateway_vpc_attachment.victim-tgwa resource
aws_eip.attacker-nat-eip resource
aws_eip.b3-nat-eip resource
aws_eip.cloud-nat-eip resource
aws_eip.victim-nat-eip resource
aws_iam_policy.admin_policy-detections resource
aws_iam_policy.admin_policy-protections resource
aws_iam_policy.vendor_iam_access resource
aws_iam_policy_attachment.detections_admin_policy_sso resource
aws_iam_policy_attachment.detections_vendor_policy_sso resource
aws_iam_policy_attachment.protections_admin_policy_sso resource
aws_iam_policy_attachment.protections_vendor_policy_sso resource
aws_iam_role.cloudwatch-detections resource
aws_iam_role.cloudwatch-protections resource
aws_iam_role.detections_authentik_admin_role resource
aws_iam_role.detections_authentik_vendor_role resource
aws_iam_role.detections_cross_account_role resource
aws_iam_role.protections_authentik_admin_role resource
aws_iam_role.protections_authentik_vendor_role resource
aws_iam_role.protections_cross_account_role resource
aws_iam_role_policy.detections_snapshot_management resource
aws_iam_role_policy.protections_snapshot_management resource
aws_iam_role_policy_attachment.ssmic-detections resource
aws_iam_role_policy_attachment.ssmic-protections resource
aws_iam_role_policy_attachment.ssmpatch-detections resource
aws_iam_role_policy_attachment.ssmpatch-protections resource
aws_iam_role_policy_attachment.ssmserver-detections resource
aws_iam_role_policy_attachment.ssmserver-protections resource
aws_internet_gateway.attacker-igw resource
aws_internet_gateway.b3-igw resource
aws_internet_gateway.cloud-igw resource
aws_internet_gateway.victim-igw resource
aws_key_pair.cloud-ssh-key-pair resource
aws_key_pair.ssh-key-pair resource
aws_key_pair.ssh-key-pair-vendor resource
aws_nat_gateway.attacker-nat resource
aws_nat_gateway.b3-nat resource
aws_nat_gateway.cloud-nat resource
aws_nat_gateway.victim-nat resource
aws_network_interface.redirect1-b resource
aws_network_interface.redirect2-b resource
aws_network_interface.redirect3-b resource
aws_network_interface.redirect4-b resource
aws_ram_principal_association.tgw resource
aws_ram_principal_association.tgw-protections resource
aws_ram_resource_association.tgw resource
aws_ram_resource_share.tgw resource
aws_ram_resource_share_accepter.tgw resource
aws_ram_resource_share_accepter.tgw-protections resource
aws_route_table.attacker-rtb resource
aws_route_table.attacker-rtb-public resource
aws_route_table.b3-rtb resource
aws_route_table.b3-rtb-public resource
aws_route_table.cloud-rtb resource
aws_route_table.cloud-rtb-protections resource
aws_route_table.cloud-rtb-public resource
aws_route_table.neutral-rtb resource
aws_route_table.victim-rtb resource
aws_route_table.victim-rtb-public resource
aws_route_table_association.attacker-nat-rtba resource
aws_route_table_association.attacker-rtba resource
aws_route_table_association.b3-desk-rtba resource
aws_route_table_association.b3-dmz-rtba resource
aws_route_table_association.b3-nat-rtba resource
aws_route_table_association.b3-srv-rtba resource
aws_route_table_association.b3-tgw-rtba resource
aws_route_table_association.cloud-nat-rtba resource
aws_route_table_association.cloud-rtba resource
aws_route_table_association.cloud-rtba-protections resource
aws_route_table_association.cloud-tgw-rtba resource
aws_route_table_association.cloud-tgw-rtba-protections resource
aws_route_table_association.neutral-redirect1 resource
aws_route_table_association.neutral-redirect2 resource
aws_route_table_association.neutral-redirect3 resource
aws_route_table_association.neutral-redirect4 resource
aws_route_table_association.neutral-support resource
aws_route_table_association.neutral-tgw resource
aws_route_table_association.on-prem-dmz-rtba resource
aws_route_table_association.on-prem-tgw-rtba resource
aws_route_table_association.on-prem-victim-desk-rtba resource
aws_route_table_association.on-prem-victim-nat-rtba resource
aws_route_table_association.on-prem-victim-srv-rtba resource
aws_route_table_association.on-prem-vpn-rtba resource
aws_secretsmanager_secret.gitlab_pat resource
aws_secretsmanager_secret_version.gitlab_pat resource
aws_security_group.allow-outbound-attacker resource
aws_security_group.allow-outbound-b3 resource
aws_security_group.allow-outbound-victim resource
aws_security_group.attacker resource
aws_security_group.b3 resource
aws_security_group.b3-dmz resource
aws_security_group.block-outbound-attacker resource
aws_security_group.block-outbound-b3 resource
aws_security_group.block-outbound-victim resource
aws_security_group.victim-cloud resource
aws_security_group.victim-cloud-protections resource
aws_security_group.victim-dmz resource
aws_security_group.victim-on-prem resource
aws_security_group_rule.outbound-allow-attacker resource
aws_security_group_rule.outbound-allow-b3 resource
aws_security_group_rule.outbound-allow-victim resource
aws_security_group_rule.outbound-lockdown-attacker resource
aws_security_group_rule.outbound-lockdown-b3 resource
aws_security_group_rule.outbound-lockdown-victim resource
aws_ssm_association.inventory resource
aws_ssm_parameter.activation_code resource
aws_ssm_parameter.activation_id resource
aws_subnet.attacker resource
aws_subnet.attacker-nat resource
aws_subnet.b3-desktops resource
aws_subnet.b3-dmz resource
aws_subnet.b3-nat resource
aws_subnet.b3-servers resource
aws_subnet.b3-tgw resource
aws_subnet.cloud resource
aws_subnet.cloud-nat resource
aws_subnet.cloud-protections resource
aws_subnet.cloud-tgw resource
aws_subnet.cloud-tgw-protections resource
aws_subnet.neutral-redirect1 resource
aws_subnet.neutral-redirect2 resource
aws_subnet.neutral-redirect3 resource
aws_subnet.neutral-redirect4 resource
aws_subnet.neutral-support resource
aws_subnet.neutral-tgw resource
aws_subnet.victim-desktops resource
aws_subnet.victim-dmz resource
aws_subnet.victim-nat resource
aws_subnet.victim-servers resource
aws_subnet.victim-tgw resource
aws_subnet.vpn resource
aws_volume_attachment.on-prem-file-srv2-disks_attachment resource
aws_vpc.attacker resource
aws_vpc.b3 resource
aws_vpc.cloud resource
aws_vpc.cloud-protections resource
aws_vpc.victim resource
aws_vpc_dhcp_options.dns_resolver resource
aws_vpc_dhcp_options.dns_resolver_cloud resource
aws_vpc_dhcp_options_association.dns_resolver_cloud resource
aws_vpc_dhcp_options_association.dns_resolver_red resource
aws_vpc_dhcp_options_association.dns_resolver_victim resource
aws_vpc_ipv4_cidr_block_association.attacker-redirect-cidr resource
aws_vpc_ipv4_cidr_block_association.b3-nat-cidr resource
aws_vpc_ipv4_cidr_block_association.b3-tgw-cidr resource
aws_vpc_ipv4_cidr_block_association.nat-cidr resource
aws_vpc_ipv4_cidr_block_association.neutral_cidrs resource
aws_vpc_ipv4_cidr_block_association.tgw-cidr resource
aws_vpc_ipv4_cidr_block_association.vpn-cidr resource
aws_vpc_security_group_egress_rule.allow_all_outbound resource
aws_vpc_security_group_egress_rule.attacker_egress resource
aws_vpc_security_group_egress_rule.b3_allow_all_outbound resource
aws_vpc_security_group_egress_rule.cloud_allow_all_outbound resource
aws_vpc_security_group_egress_rule.cloud_allow_all_outbound_protections resource
aws_vpc_security_group_ingress_rule.attacker_allowed_self_ingress resource
aws_vpc_security_group_ingress_rule.attacker_prefix_list_ingress resource
aws_vpc_security_group_ingress_rule.b3_dmz_ingress resource
aws_vpc_security_group_ingress_rule.b3_prefix_list_ingress resource
aws_vpc_security_group_ingress_rule.b3_self_ingress resource
aws_vpc_security_group_ingress_rule.cloud_allowed_self_ingress resource
aws_vpc_security_group_ingress_rule.cloud_allowed_self_ingress_protections resource
aws_vpc_security_group_ingress_rule.cloud_prefix_list_ingress resource
aws_vpc_security_group_ingress_rule.cloud_prefix_list_ingress_protections resource
aws_vpc_security_group_ingress_rule.main resource
aws_vpc_security_group_ingress_rule.prefix_list_ingress resource
aws_vpc_security_group_ingress_rule.self_ingress resource
time_sleep.wait_for_tgw_protections_share resource
time_sleep.wait_for_tgw_share resource
aws_caller_identity.cloud-detections data source
aws_caller_identity.cloud-protections data source
aws_caller_identity.current data source
aws_ec2_managed_prefix_list.outbound data source
aws_iam_policy_document.detections_snapshot_management data source
aws_iam_policy_document.protections_snapshot_management data source
terraform_remote_state.orgs data source

# Inputs

Name Description Type Default Required
aws-region AWS region to use (default: us-east-1) string "us-east-1" no
aws-region-az AWS availability zone to use (default: us-east-1a) string "us-east-1a" no
aws-shared-credentials AWS credentials to use with Terraform list(string) n/a yes
aws_trusted_account_id ID of the AWS account with which to create a trust relationship string n/a yes
category Category of resource group (similar to name; used for Ansible automation) string n/a yes
charge-code String charge code for ER7 resources string n/a yes
environment (Optional) Environment tag of resource group string "Development" no
name-prefix String prefix for resource names string n/a yes
round-name Uppercase description of the resource group, e.g., MSR3, ER7 string n/a yes
shutdown_ok Whether the resource can be safely disabled or shut down string "vendor-schedule" no
ssh_private_key_path Path to the SSH private key to use for Linux SSH systems (public and private keys must be a matching pair) string n/a yes
ssh_private_key_path_vendor Path to the SSH private key to use for the preflights Linux box (public and private keys must be a matching pair) string n/a yes
ssh_public_key_path Path to the SSH public key to use for Linux SSH systems (public and private keys must be a matching pair) string n/a yes
ssh_public_key_path_vendor Path to the SSH public key to use for the preflights Linux box (public and private keys must be a matching pair) string n/a yes
vendor Name of vendor to associate to range string n/a yes
win_srv_admin_password Default password for Windows Server administrators string n/a yes
win_srv_admin_username Default username for Windows Server administrators string n/a yes

# Outputs

Name Description
b1_prefix n/a
cacert The CA cert and key are output separately to simplify redirecting each to the file used to generate VPN profiles
cakey n/a
detections_role_arn ARN of the created IAM role
detections_role_name Name of the created IAM role
endpointid n/a
gitlab_pat_secret_arn ARN of the GitLab PAT secret
protections_role_arn ARN of the created IAM role
protections_role_name Name of the created IAM role
rdp_data n/a
vendor_iam_access_policy_arn ARN of the vendor IAM access policy
vpn n/a
vpn-assoc module issue: if this is exposed as an output, Terraform will treat it as a dependency and include it in the destroy plan