Initial Modules and Configuration for Splunk in GC Prod

prod/aws-us-gov/mdr-prod-c2/140-splunk-frozen-bucket/terragrunt.hcl

@@ -0,0 +1,33 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/frozen_s3_bucket?ref=v1.10.17"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Frozen Data"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

prod/aws-us-gov/mdr-prod-c2/150-splunk-cluster-master/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/cluster_master?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Cluster Master"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-cm"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

prod/aws-us-gov/mdr-prod-c2/160-splunk-indexer-cluster/README.md

@@ -0,0 +1,7 @@
+# Creates the Indexer Cluster
+
+* 3x indexer ASGs
+* NLB for splunk data
+* ALB for hec without ack
+* ELB classic for HEC with ack
+* Security Groups for all of the above

prod/aws-us-gov/mdr-prod-c2/160-splunk-indexer-cluster/terragrunt.hcl

@@ -0,0 +1,44 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/indexer_cluster?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Indexer Cluster"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-indexer"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  private_subnets = dependency.vpc.outputs.private_subnets
+  public_subnets  = dependency.vpc.outputs.public_subnets
+}

prod/aws-us-gov/mdr-prod-c2/165-splunk-legacy-hec/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../.tfswitch.toml

prod/aws-us-gov/mdr-prod-c2/165-splunk-legacy-hec/terragrunt.hcl

@@ -0,0 +1,70 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/legacy_hec?ref=v1.10.2"
+}
+
+generate "provider" {
+  path      = "provider-legacy.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 3.0"
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_vars.locals.legacy_account}:role/user/mdr_terraformer"
+    session_name = "terraform-legacy"
+  }
+
+  profile = "commercial"
+  alias   = "legacy"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = [ ${local.environment_vars.locals.legacy_account} ]
+}
+EOF
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+dependency "indexers" {
+  config_path = "../160-splunk-indexer-cluster"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Legacy ELB for Splunk Migration"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+    Schedule  = "none"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  public_subnets  = dependency.vpc.outputs.public_subnets
+  elb_attachments = dependency.indexers.outputs.elb_attachments
+}

prod/aws-us-gov/mdr-prod-c2/170-splunk-searchhead/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/searchhead?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Searchhead"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-sh"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

prod/aws-us-gov/mdr-prod-c2/180-splunk-heavy-forwarder/terragrunt.hcl

@@ -0,0 +1,43 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/splunk_servers/heavy_forwarder?ref=v1.10.17"
+}
+
+dependency "vpc" {
+  config_path = "../010-vpc-splunk"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Splunk Heavy Forwarder"
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  prefix = local.account_vars.locals.splunk_prefix
+  instance_type = local.account_vars.locals.instance_types["splunk-hf"]
+  vpc_id = dependency.vpc.outputs.vpc_id
+  vpc_cidr = local.account_vars.locals.vpc_info["vpc-splunk"]["cidr"]
+  azs = dependency.vpc.outputs.azs
+  subnets = dependency.vpc.outputs.private_subnets
+}

prod/aws-us-gov/mdr-prod-c2/account.hcl

@@ -7,19 +7,90 @@ locals {
   instance_termination_protection = true # set to true for production!
   splunk_prefix = "moose"
   
+  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
+  standard_vpc_cidr = "10.40.0.0/22"
+
+  splunk_data_sources = [
+    "170.248.172.0/23", # legacy afs_whitelist
+    "20.190.250.137/32", # legacy afs_azure_whitelist: EastUS2_External_Access
+    "52.232.227.197/32", # legacy afs_azure_whitelist: Azure US-East Palo
+    "52.185.64.173/32", # legacy afs_azure_whitelist: CentralUS_External_Access
+    "52.242.225.98/32", # legacy afs_azure_whitelist: Azure US-Central Palo 20200721
+    "52.177.84.83/32", # legacy afs_azure_whitelist: Lab_External_Access
+    "199.16.64.3/32", # legacy nga_whitelist
+  ]
+  splunk_legacy_cidr = [ # Allow splunk ports to/from here, too
+    "10.80.0.0/16",
+  ]
+  splunk_asg_sizes = [ 1, 1, 1 ] # How many?
+  splunk_volume_sizes = {
+    "cluster_master" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "indexer" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "searchhead" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "qcompliance" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+    "heavy_forwarder" = {
+      "swap": 8,  # minimum: 8
+      "/": 10,    # minimum: 10
+      "/home": 4, # minimum: 4
+      "/var": 15, # minimum: 15
+      "/var/tmp": 4, # minimum: 4
+      "/var/log": 8, # minimum: 8
+      "/var/log/audit": 8, # minimum: 8
+      "/tmp": 4,  # minimum: 4
+      "/opt/splunk": 30, # No minimum; not in base image
+    },
+  }
+
   account_tags = { 
     "Client": local.splunk_prefix
   } 
   c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2"
 
-  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
-  standard_vpc_cidr = "10.40.0.0/22"
-
   vpc_info = {
     "vpc-splunk" = {
       "name" = "vpc-splunk"
       "purpose" = "Splunk Systems (MOOSE)"
-      "cidr" = "10.20.16.0/22",
+      "cidr" = "10.40.16.0/22",
       "tgw_attached" = true,
     },
     "vpc-system-services" = {