feat: add Ludus and Proxmox provider support with unified infra/provision orchestration

.github/workflows/pre-commit.yaml

@@ -63,6 +63,14 @@ jobs:
         with:
           terraform_version: "1.9.7"
 
+      - name: Set up Terragrunt
+        run: |
+          TG_VERSION="v0.69.1"
+          curl -fsSL -o /tmp/terragrunt \
+            "https://github.com/gruntwork-io/terragrunt/releases/download/${TG_VERSION}/terragrunt_linux_amd64"
+          sudo install -m 0755 /tmp/terragrunt /usr/local/bin/terragrunt
+          terragrunt --version
+
       - name: Set up TFLint
         uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6
         with:

.pre-commit-config.yaml

@@ -72,6 +72,8 @@ repos:
     hooks:
       - id: terraform_fmt
         files: ^(modules|infra)/
+      - id: terragrunt_fmt
+        files: ^infra/
       - id: terraform_validate
         files: ^modules/
         args:

ad/GOAD/data/dev-overlay.json

@@ -26,7 +26,9 @@
     "hosts": {
       "dc01": {
         "vulns": [
-          "disable_firewall"
+          "disable_firewall",
+          "adcs_esc10_case1",
+          "adcs_esc10_case2"
         ]
       },
       "dc02": {
@@ -60,9 +62,11 @@
         },
         "vulns": [
           "ntlmdowngrade",
-          "disable_firewall"
-        ],
-        "vulns_vars": null
+          "disable_firewall",
+          "adcs_esc7",
+          "adcs_esc13",
+          "adcs_esc15"
+        ]
       },
       "srv02": {
         "vulns": [
@@ -79,7 +83,9 @@
       "srv03": {
         "vulns": [
           "openshares",
-          "disable_firewall"
+          "disable_firewall",
+          "adcs_esc6",
+          "adcs_esc11"
         ]
       }
     }

ad/GOAD/data/staging-overlay.json

@@ -20,7 +20,9 @@
       "dc01": {
         "local_admin_password": "ykRXQ@rWNV4znesz-h!c",
         "vulns": [
-          "disable_firewall"
+          "disable_firewall",
+          "adcs_esc10_case1",
+          "adcs_esc10_case2"
         ]
       },
       "dc02": {
@@ -55,9 +57,11 @@
         },
         "vulns": [
           "ntlmdowngrade",
-          "disable_firewall"
-        ],
-        "vulns_vars": null
+          "disable_firewall",
+          "adcs_esc7",
+          "adcs_esc13",
+          "adcs_esc15"
+        ]
       },
       "srv02": {
         "local_admin_password": "moydNed_wEKuP8KN6rUx"
@@ -66,7 +70,9 @@
         "local_admin_password": "-cwuyGW494yZnC_M8wLN",
         "vulns": [
           "openshares",
-          "disable_firewall"
+          "disable_firewall",
+          "adcs_esc6",
+          "adcs_esc11"
         ]
       }
     }

ad/GOAD/data/test-overlay.json

@@ -12,7 +12,9 @@
     "hosts": {
       "dc01": {
         "vulns": [
-          "disable_firewall"
+          "disable_firewall",
+          "adcs_esc10_case1",
+          "adcs_esc10_case2"
         ]
       },
       "dc02": {
@@ -45,14 +47,18 @@
         },
         "vulns": [
           "ntlmdowngrade",
-          "disable_firewall"
-        ],
-        "vulns_vars": null
+          "disable_firewall",
+          "adcs_esc7",
+          "adcs_esc13",
+          "adcs_esc15"
+        ]
       },
       "srv03": {
         "vulns": [
           "openshares",
-          "disable_firewall"
+          "disable_firewall",
+          "adcs_esc6",
+          "adcs_esc11"
         ]
       }
     }

ad/GOAD/providers/ludus/inventory

@@ -17,10 +17,150 @@ dc03 ansible_host={{ip_range}}.12 dns_domain=dc03 dict_key=dc03
 srv03 ansible_host={{ip_range}}.23 dns_domain=dc03 dict_key=srv03
 
 [all:vars]
+; domain_name : folder inside ad/
+domain_name=GOAD
+
+; administrator user
+admin_user=administrator
+
+; global settings inventory default value
+keyboard_layouts=["en-US", "da-DK", "fr-FR"]
+
+; modify this to add a default route
+add_route=no
+route_gateway=192.168.56.1
+route_network=10.0.0.0/8
+
+; modify this to enable http proxy
+enable_http_proxy=no
+ad_http_proxy=http://x.x.x.x:xxxx
+ad_https_proxy=http://x.x.x.x:xxxx
+
+;force_dns_server
 force_dns_server=no
 dns_server={{ip_range}}.254
 
+;dns server forwarder
 dns_server_forwarder={{ip_range}}.254
 
+; winrm connection (windows)
 ansible_user=localuser
 ansible_password=password
+ansible_connection=winrm
+ansible_winrm_server_cert_validation=ignore
+ansible_winrm_operation_timeout_sec=400
+ansible_winrm_read_timeout_sec=500
+
+; LAB SCENARIO CONFIGURATION -----------------------------
+
+; computers inside domain (mandatory)
+; usage : build.yml, ad-relations.yml, ad-servers.yml, vulnerabilities.yml
+[domain]
+dc01
+dc02
+dc03
+srv02
+srv03
+
+[linux_domain]
+
+; domain controller (mandatory)
+; usage : ad-acl.yml, ad-data.yml, ad-relations.yml, laps.yml
+[dc]
+dc01
+dc02
+dc03
+
+; domain server to enroll (mandatory if you want servers)
+; usage : ad-data.yml, ad-servers.yml, laps.yml
+[server]
+srv02
+srv03
+
+; workstation to enroll (mandatory if you want workstation)
+; usage : ad-servers.yml, laps.yml
+[workstation]
+
+; parent domain controller (mandatory)
+; usage : ad-servers.yml
+[parent_dc]
+dc01
+dc03
+
+; child domain controller (need a fqdn child_name.parent_name)
+; usage : ad-servers.yml
+[child_dc]
+dc02
+
+; external trust, need domain trust entry in config (bidirectionnal)
+; usage : ad-trusts.yml
+[trust]
+dc01
+dc03
+
+; install adcs
+; usage : adcs.yml
+[adcs]
+dc01
+srv03
+
+; install custom template (dc)
+; usage : adcs.yml
+[adcs_customtemplates]
+dc03
+
+; install iis with default website asp upload on 80
+; usage : servers.yml
+[iis]
+srv02
+
+; install mssql
+; usage : servers.yml
+[mssql]
+srv02
+srv03
+
+; install mssql gui
+; usage : servers.yml
+[mssql_ssms]
+srv02
+
+; install webdav
+[webdav]
+srv02
+srv03
+
+[laps_dc]
+dc03
+[laps_server]
+srv03
+[laps_workstation]
+
+; allow computer update
+; usage : update.yml
+[update]
+srv02
+
+; disable update
+; usage : update.yml
+[no_update]
+dc01
+dc02
+dc03
+srv03
+
+; allow defender
+; usage : security.yml
+[defender_on]
+dc01
+dc02
+dc03
+srv03
+
+; disable defender
+; usage : security.yml
+[defender_off]
+srv02
+
+;stay empty until override
+[extensions]

ansible/playbooks/ad-trusts.yml

@@ -23,7 +23,6 @@
   - { role: 'dreadnode.goad.trusts', tags: 'trust' }
   vars:
     domain: "{{ lab.hosts[dict_key].domain }}"
-    domain_username: "{{ domain }}\\{{ admin_user }}"
     domain_password: "{{ lab.domains[domain].domain_password }}"
     remote_forest: "{{ lab.domains[domain].trust }}"
     remote_admin: "{{ admin_user }}@{{ remote_forest }}"

ansible/playbooks/load_network_mappings.yml

@@ -0,0 +1,28 @@
+---
+# Pre-flight for `lab reset` (and any AD-state-only run): populates the
+# host_ipv4 / dc_ipv4 / instance_to_ip / dc_hostname_to_ip facts that
+# downstream plays read via hostvars.
+#
+# Full provision runs network_setup.yml which gathers facts from each
+# Windows host. lab reset skips that for speed and instead reuses the
+# AWS instance mapping JSON the CLI writes to /tmp before the run, via
+# the same network_discovery role task files network_setup uses.
+
+- name: Load AWS mappings and DC facts for AD-state plays
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Apply AWS instance mapping
+      ansible.builtin.include_role:
+        name: dreadnode.goad.network_discovery
+        tasks_from: aws_mapping.yml
+
+    - name: Store DC IPs as facts
+      ansible.builtin.include_role:
+        name: dreadnode.goad.network_discovery
+        tasks_from: dc_facts.yml
+
+    - name: Build and distribute dc_hostname_to_ip mapping
+      ansible.builtin.include_role:
+        name: dreadnode.goad.network_discovery
+        tasks_from: dc_hostname_mapping.yml

ansible/playbooks/main.yml

@@ -66,6 +66,10 @@
 # specifics security linked to the scenario are here
 - name: Import Security
   ansible.builtin.import_playbook: security.yml
+# enables LDAP diagnostic logging on DCs and SQL audit on MSSQL hosts so
+# attack reconnaissance produces detectable telemetry
+- name: Import Security Logging
+  ansible.builtin.import_playbook: security_logging.yml
 # --------------------------------------------------------------------
 # specifics vulns linked to the scenario are here
 - name: Import Vulnerabilities

ansible/playbooks/network_setup.yml

@@ -16,16 +16,11 @@
   gather_facts: false
   serial: 10
   tasks:
-    - name: Build and distribute DC and instance IP mappings
+    # instance_to_ip is set by network_discovery's aws_mapping.yml on SSM hosts.
+    # For non-SSM connections (where ansible_host is already an IP/hostname),
+    # rebuild it from per-host host_ipv4 facts.
+    - name: Build instance_to_ip fallback for non-SSM connections
       ansible.builtin.set_fact:
-        dc_hostname_to_ip: >-
-          {%- set mapping = {} -%}
-          {%- for host in groups['dc'] -%}
-            {%- if hostvars[host]['dc_ipv4'] is defined and hostvars[host]['dc_ipv4'] != '' -%}
-              {%- set _ = mapping.update({host: hostvars[host]['dc_ipv4']}) -%}
-            {%- endif -%}
-          {%- endfor -%}
-          {{ mapping }}
         instance_to_ip: >-
           {%- set mapping = {} -%}
           {%- for host in groups['all'] -%}
@@ -40,6 +35,12 @@
       delegate_to: "{{ item }}"
       loop: "{{ groups['all'] }}"
       throttle: 5
+      when: ansible_connection is not search('aws_ssm')
+
+    - name: Build and distribute dc_hostname_to_ip mapping
+      ansible.builtin.include_role:
+        name: dreadnode.goad.network_discovery
+        tasks_from: dc_hostname_mapping.yml
 
     - name: Debug the mappings
       ansible.builtin.debug:

ansible/roles/ad/README.md

@@ -15,12 +15,9 @@ Configure Active Directory domain administrator membership and settings
 
 ### groups.yml
 
-- **Create Universal Groups** (ansible.windows.win_powershell) - Conditional
-- **Wait for Universal group creation to complete** (ansible.builtin.async_status) - Conditional
-- **Create Global Groups** (ansible.windows.win_powershell) - Conditional
-- **Wait for Global group creation to complete** (ansible.builtin.async_status) - Conditional
-- **Create DomainLocal Groups** (ansible.windows.win_powershell) - Conditional
-- **Wait for DomainLocal group creation to complete** (ansible.builtin.async_status) - Conditional
+- **Create Universal Groups** (microsoft.ad.group) - Conditional
+- **Create Global Groups** (microsoft.ad.group) - Conditional
+- **Create DomainLocal Groups** (microsoft.ad.group) - Conditional
 
 ### main.yml