Configuration
Attack Range is driven by YAML configuration files. Each running or in-progress range has a config file in config/ named by its attack range ID (e.g. config/<uuid>.yml). Configs are created from templates in templates/{aws,azure,gcp}/.
Config file structure
A typical config has:
- general — Passwords, cloud provider, naming, IP whitelist, description, and internal fields (e.g. attack_range_id, status, key_name, template_path).
- Provider block — aws, azure, or gcp with region, keys, tags, etc.
- attack_range — List of servers (Splunk, Windows, Linux, Kali, Zeek, etc.) with instance types, IP octets, and roles.
Example (minimal):
```yaml
general:
  attack_range_password: "changeme123!"
  cloud_provider: aws
  attack_range_name: ar
  ip_whitelist: 0.0.0.0/0
  description: Minimal AWS deployment with Splunk only
aws:
  region: eu-central-1
attack_range:
  - name: splunk
    ami_name_filter: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*
    ami_owner: "099720109477"
    instance_type: t3.xlarge
    ip_last_octet: 10
    linux: true
    user_name: ubuntu
    roles:
      - role: P4T12ICK.ludus_ar_splunk
        vars:
          ludus_ar_splunk_password: "changeme123!"
```
General section
| Field | Description |
|---|---|
| | Master password used for Splunk, Windows/Linux accounts, and role vars when not overridden. |
| | |
| | Short name prefix for resources (e.g. |
| | CIDR(s) allowed to reach certain resources (e.g. |
| | Human-readable description of the range. |
| | Unique ID (UUID) for this range; set when creating from template. |
| | SSH key name in the cloud (often same as |
| | Template name/path (set when creating from template). |
| | Internal: |
Passwords in role vars (e.g. ludus_ar_splunk_password, ar_guacamole_password) override or complement the general password.
Provider sections
AWS (aws)
- region — e.g. eu-central-1.
- private_key_path — Path to the SSH private key (often under ssh_keys/<attack_range_id>.key).
- ami_name_filter, ami_owner — Used per server when not using a shared image.
- aws_default_tags — Optional tags applied to resources.
Azure (azure)
- location — e.g. West Europe.
- subscription_id — Azure subscription ID.
- image_publisher, image_offer, image_sku — Defined per server in the template.
GCP (gcp)
Region/project and image settings as defined in the template and Terraform variables.
Attack range (servers)
Each entry under attack_range is a machine:
| Field | Description |
|---|---|
| | Host name; used as Ansible inventory host and as simulation target. |
| | Cloud instance type (e.g. |
| | Last octet of the private IP (e.g. 10 → |
| | OS type. |
| | SSH (Linux) or RDP (Windows) user. |
| | List of Ansible roles (and optional |
Additional provider-specific fields (e.g. ami_name_filter, image_offer) are set per server in templates.
Where configs live
- Templates: templates/aws/, templates/azure/, templates/gcp/ — Read-only; use to create a new range.
- Active configs: config/<attack_range_id>.yml — Created from a template at build start; updated with status, WireGuard config, sharing, etc.
The API and app always work with the config directory; the CLI uses config/ and resolves -c to a path or to config/<id>.yml.
Do not modify files in the config/ folder manually. The app and API create and update these files during build, destroy, share, and status changes. Editing them by hand can cause unintended side effects (e.g. out-of-sync state, failed operations, or duplicate or orphaned resources). Use the app, API, or CLI for all operations.
Creating a config from a template
- API: POST /attack-range/build with {"template": "aws/splunk_minimal_aws"} (or provider/name/name). The server creates config/<new_uuid>.yml and starts the build.
- CLI: python attack_range.py build -t aws/splunk_minimal_aws. The CLI creates the config and runs the two-phase build.
Environment and credentials
- Docker: Mount ~/.aws, ~/.azure, and/or ~/.config/gcloud into the API and CLI containers so they can call cloud APIs and run Terraform.
- API: GET /providers/check returns which provider CLIs and credentials are available.
See Templates for the list of built-in templates and their structure.