Merge pull request #589 from mdr-engineering/feature/ftd_MSOCI-2083_RemoveLegacyIPs

Removes Legacy IP Addresses; Removes Legacy DNS Entry Modules

common/env.hcl

@@ -10,25 +10,25 @@ locals {
   }
 
   proxy = "proxy.pvt.xdr.accenturefederalcyber.com"
-  proxy_ip = "10.80.101.166"
+  proxy_ip = "10.40.2.107"
   salt_master = "salt-master.pvt.xdr.accenturefederalcyber.com"
   salt_master_ip = "10.40.2.106"
-  hec = "iratemoses.pvt.xdr.accenturefederalcyber.com"
-  hec_pub = "moose-hec.mdr.defpoint.com"
-  hec_pub_ack = "moose-hec-ack.mdr.defpoint.com"
+  hec = "moose-hec.pvt.xdr.accenturefederalcyber.com"
+  hec_pub = "moose-hec.xdr.accenturefederalcyber.com"
+  hec_pub_ack = "moose-hec-ack.xdr.accenturefederalcyber.com"
 
   # When there are multiples, put govcloud first, then commercial, and alternate if there are more than 2.
   # Put any standalone IPs at the end.
   cidr_map = {
-    "bastions" = [ "10.80.101.133/32", "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
-    "vpns"     = [ "10.80.101.126/32", "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
+    "bastions" = [ "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
+    "vpns"     = [ "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
     "scanners" = [ "10.40.12.0/22" ], # vpc-qualys
     "dns"      = [ "10.40.0.0/22", "10.32.0.0/22" ], # vpc-system-services in commercial nad gov
-    "monitoring" = [ "10.80.101.230/32", "10.40.0.0/22" ], # legacy sensu, and vpc-system-services in gov
-    "salt"     = [ "10.80.101.170/32", "10.40.0.0/22" ], # legacy salt-master, and vpc-system-services in gov
-    "web"      = [ "10.80.101.166/32", "10.80.101.197/32", "10.40.0.0/22" ], # legacy proxy/repo, and vpc-system-services in gov
-    "smtp"     = [ "10.80.1.107/32", "10.20.0.0/22" ], # legacy relay, and vpc-system-services in gov
-    "moose"    = [ "10.80.0.0/16", "10.40.16.0/22" ], # legacy vpc, and vpc-system-services in gov
+    "monitoring" = [ "10.40.0.0/22" ], # legacy sensu, and vpc-system-services in gov
+    "salt"     = [ "10.40.0.0/22" ], # legacy salt-master, and vpc-system-services in gov
+    "web"      = [ "10.40.0.0/22" ], # legacy proxy/repo, and vpc-system-services in gov
+    "smtp"     = [ "10.20.0.0/22" ], # legacy relay, and vpc-system-services in gov
+    "moose"    = [ "10.40.16.0/22" ], # legacy vpc, and vpc-system-services in gov
   }
 
   legacy_account = "477548533976"
@@ -76,5 +76,4 @@ locals {
     "id" = "Z2HYR9YEZ4KLDE"
     "name" = "mdr.defpoint.com"
   }
-
 }

prod/aws/legacy-mdr-prod/026-legacy-dns-entries/terragrunt.hcl

@@ -15,7 +15,8 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/legacy_dns_entries?ref=v3.5.16"
+  #source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/legacy_dns_entries?ref=v3.5.16"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/terminated?ref=v4.0.4"
 }
 
 # Include all settings from the root terragrunt.hcl file

prod/env.hcl

@@ -28,45 +28,30 @@ locals {
   # Put any standalone IPs at the end.
   cidr_map = {
     "vpc-splunk"           = [ "10.40.16.0/22",  # Splunk -- **MOOSE**
-                               "10.80.0.0/16",   # legacy moose subnet
                              ],
     "vpc-access"           = [ "10.40.20.0/22",    # VPN, bastions (if any), etc.
-                               "10.80.101.133/32", # legacy bastion
-                               "10.80.101.126/32", # legacy openvpn
                              ],
     "vpc-public"           = [ "10.40.24.0/22",    # Public sites (github, ghe-backup, jira, ...) 
-                               "10.80.101.250/32", # legacy jira
-                               "10.80.101.78/32",  # legacy github
                              ],
     "vpc-scanners"         = [ "10.40.12.0/22",
-                               "10.80.1.44/32",  # Legacy Qualys #1
-                               "10.80.1.103/32", # Legacy Qualys #2
                              ],  # Qualys, etc.
     "vpc-system-services"  = [ "10.32.0.0/22",     # Internal services such as dns, mailrelay, etc.
                                "10.40.0.0/22",
-                               "10.80.101.230/32", # legacy sensu
-                               "10.80.101.170/32", # legacy salt master
-                               "10.80.101.166/32", # legacy proxy
-                               "10.80.101.197/32", # legacy repo
-                               "10.80.1.107/32",   # legacy smtp
                              ],
 
     "vpc-private-services" = [
                                "10.40.28.0/22",    # Private Services - fm-shared-search, qcompliance, phantom, etc.
-                               "10.80.101.221/32", # Phantom - legacy account production
-                               "10.80.0.0/16",     # the whole legacy infra VPC, so the sync lambda can sync (this is temp)
-                                                   # (wes made me do it honest)
                              ],
 
     # "old" mappings before architecture planning... we should eliminate these.
-    "bastions" = [ "10.80.101.133/32", "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
-    "vpns"     = [ "10.80.101.126/32", "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
+    "bastions" = [ "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
+    "vpns"     = [ "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
     "scanners" = [ "10.40.12.0/22" ], # vpc-qualys
     "dns"      = [ "10.40.0.0/22", "10.32.0.0/22" ], # vpc-system-services in commercial nad gov
-    "monitoring" = [ "10.80.101.230/32", "10.40.0.0/22" ], # legacy sensu, and vpc-system-services in gov
-    "salt"     = [ "10.80.101.170/32", "10.40.0.0/22" ], # legacy salt-master, and vpc-system-services in gov
-    "web"      = [ "10.80.101.166/32", "10.80.101.197/32", "10.40.0.0/22" ], # legacy proxy/repo, and vpc-system-services in gov
-    "moose"    = [ "10.80.0.0/16", "10.40.16.0/22" ], # legacy vpc, and vpc-system-services in gov
+    "monitoring" = [ "10.40.0.0/22" ], # legacy sensu, and vpc-system-services in gov
+    "salt"     = [ "10.40.0.0/22" ], # legacy salt-master, and vpc-system-services in gov
+    "web"      = [ "10.40.0.0/22" ], # legacy proxy/repo, and vpc-system-services in gov
+    "moose"    = [ "10.40.16.0/22" ], # legacy vpc, and vpc-system-services in gov
   }
 
   legacy_account = "477548533976"
@@ -127,44 +112,4 @@ locals {
     "id" = "Z2HYR9YEZ4KLDE"
     "name" = "mdr.defpoint.com"
   }
-
-  # Provide some legacy DNS entries so that systems we build
-  # don't have to be rebuilt when we migrate the supporting systems.
-  # Idea here is just to build entries for those systems we need during
-  # the transition.
-  #
-  # When you migrate one of the systems below:
-  # 1) Remove the entry from this list.
-  # 2) Reapply the legacy-mdr-*/026-legacy-dns-entries module.
-  # 3) Create a new entry in the module with which you're creating the new instance.
-  legacy_private_dns = {
-    #"moose-splunk-cm" = "10.80.101.77", # Needed for Universal Forwarder
-    #"moose-splunk-sh" = "10.80.101.65", # Needed for xdr-inventory
-    #"jira-server" = "10.80.101.250",
-    #"mailrelay" = "10.80.1.107",
-    #"openvpn" = "10.100.0.129",
-    #"phantom" = "10.80.101.221",
-    #"proxy" = "10.80.101.166",
-    #"reposerver" = "10.80.101.197",
-    #"sensu" = "10.80.101.230",
-    #"splunk-mc" = "10.80.1.27",
-    #"vault-1" = "10.80.1.134",
-    #"vault-2" = "10.80.2.236",
-    #"vault-3" = "10.80.3.61",
-    "salt-master-legacy" = "10.80.101.170",
-  }
-  legacy_private_cname_dns = {
-    #"iratemoses" = "internal-moose-internal-187462540.us-east-1.elb.amazonaws.com"
-  }
-  legacy_public_dns = {
-    #"proxy" = "35.153.103.164",
-    #"reposerver" = "18.234.16.205",
-    "salt-master-legacy" = "52.5.165.105",
-    #"sensu" = "52.6.95.246",
-  }
-  # cnames only
-  legacy_public_cname_dns = {
-    #"iratemoses" = "moose-external-1850541289.us-east-1.elb.amazonaws.com",
-    #"portal" = "portal-alb-prod-1353134871.us-east-1.elb.amazonaws.com"
-  }
 }

test/aws/legacy-mdr-test/026-legacy-dns-entries/terragrunt.hcl

@@ -15,7 +15,8 @@ locals {
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/legacy_dns_entries?ref=v3.5.16"
+  #source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/dns/legacy_dns_entries?ref=v3.5.16"
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/terminated?ref=v4.0.4"
 }
 
 # Include all settings from the root terragrunt.hcl file

test/env.hcl

@@ -10,7 +10,7 @@ locals {
   }
 
   proxy = "proxy.pvt.xdrtest.accenturefederalcyber.com"
-  proxy_ip = "10.96.101.188"
+  proxy_ip = "10.20.2.22"
   salt_master = "salt-master.pvt.xdrtest.accenturefederalcyber.com"
   salt_master_ip = "10.20.2.32"
   hec = "moose-hec.xdrtest.accenturefederalcyber.com"
@@ -29,40 +29,27 @@ locals {
   cidr_map = {
     # See infrastructure_notes/Architecture_Notes.md and https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation for more information
     "vpc-splunk"           = [ "10.20.16.0/22",  # Splunk -- **MOOSE**
-                               "10.96.100.0/22", # legacy moose subnet
                              ],
     "vpc-access"           = [ "10.20.20.0/22",    # VPN, bastions (if any), etc.
-                               "10.96.101.218/32", # legacy bastion
-                               "10.96.101.249/32", # legacy openvpn
                              ],
     "vpc-public"           = [ "10.20.24.0/22",    # Public sites (github, ghe-backup, jira, ...) 
-                               "10.96.101.193/32", # legacy jira
-                               "10.96.101.217/32", # legacy github
                              ],
     "vpc-scanners"         = [ "10.20.12.0/22" ],  # Qualys, etc.
     "vpc-system-services"  = [ "10.16.0.0/22",     # Internal services such as dns, mailrelay, etc.
                                "10.20.0.0/22",
-                               "10.96.101.43/32",  # legacy sensu
-                               "10.96.101.161/32", # legacy salt master
-                               "10.96.101.188/32", # legacy proxy
-                               "10.96.101.160/32", # legacy repo
-                               "10.96.1.160/32",   # legacy smtp
                              ],
     "vpc-private-services" = [ "10.20.28.0/22",    # Private Services - fm-shared-search, qcompliance, phantom, etc. 
-                               "10.96.101.221/32", # Phantom - legacy account production
-                               "10.96.0.0/16",     # the whole legacy infra VPC, so the sync lambda can sync (this is temp)
-                                                   # (wes made me do it honest)
                              ],
 
     # "old" mappings before architecture planning... we should eliminate these.
-    "bastions" = [ "10.96.101.218/32", "10.20.20.0/22" ], # vpc-access in mdr-test-c2-gov
-    "vpns"     = [ "10.96.101.249/32", "10.20.20.0/22" ], # vpc-access in mdr-test-c2-gov
+    "bastions" = [ "10.20.20.0/22" ], # vpc-access in mdr-test-c2-gov
+    "vpns"     = [ "10.20.20.0/22" ], # vpc-access in mdr-test-c2-gov
     "scanners" = [ "10.20.12.0/22" ], # vpc-qualys
     "dns"      = [ "10.20.0.0/22", "10.16.0.0/22" ], # vpc-system-services in commercial nad gov
-    "monitoring" = [ "10.96.101.43/32", "10.20.0.0/22" ], # legacy sensu, and vpc-system-services in gov
-    "salt"     = [ "10.96.101.161/32", "10.20.0.0/22" ], # legacy salt-master, and vpc-system-services in gov
-    "web"      = [ "10.96.101.188/32", "10.96.101.160/32", "10.20.0.0/22" ], # legacy proxy/repo, and vpc-system-services in gov
-    "moose"    = [ "10.96.0.0/16", "10.20.16.0/22" ], # legacy vpc and vpc-splunk in gov
+    "monitoring" = [ "10.20.0.0/22" ], # legacy sensu, and vpc-system-services in gov
+    "salt"     = [ "10.20.0.0/22" ], # legacy salt-master, and vpc-system-services in gov
+    "web"      = [ "10.20.0.0/22" ], # legacy proxy/repo, and vpc-system-services in gov
+    "moose"    = [ "10.20.16.0/22" ], # legacy vpc and vpc-splunk in gov
   }
 
   legacy_account = "527700175026"
@@ -122,48 +109,4 @@ locals {
     "id" = "Z3E22S3CIP0UCO",
     "name" = "mdr-test.defpoint.com"
   }
-
-  # Provide some legacy DNS entries so that systems we build
-  # don't have to be rebuilt when we migrate the supporting systems.
-  # Idea here is just to build entries for those systems we need during
-  # the transition.
-  #
-  # When you migrate one of the systems below:
-  # 1) Remove the entry from this list.
-  # 2) Reapply the legacy-mdr-*/026-legacy-dns-entries module.
-  # 3) Create a new entry in the module with which you're creating the new instance.
-  legacy_private_dns = {
-    #"moose-splunk-cm" = "10.96.101.87",
-    #"moose-splunk-hf" = "10.96.101.75",
-    #"moose-splunk-sh" = "10.96.101.154", # needed for xdr-inventory
-    #"clu" = "10.96.101.122",
-    #"fm-shared-search" = "10.96.1.39",
-    #"ghe-backup" = "10.96.101.71",
-    #"mailrelay" = "10.96.1.160",
-    #"openvpn" = "10.96.101.249",
-    #"phantom" = "10.96.101.186",
-    #"proxy" = "10.96.101.188",
-    #"reposerver" = "10.96.101.160",
-    #"sensu" = "10.96.101.43",
-    #"splunk-mc" = "10.96.1.133",
-    #"vault-1" = "10.96.1.38",
-    #"vault-2" = "10.96.2.63",
-    #"vault-3" = "10.96.3.88",
-    "salt-master-legacy" = "10.96.101.161",
-  }
-  legacy_private_cname_dns = {
-    #"iratemoses" = "internal-iratemoses-435580743.us-gov-east-1.elb.amazonaws.com",
-  }
-  # not many public entries, as the use of saml negates their usefulness
-  legacy_public_dns = {
-    #"proxy" = "18.214.39.158",
-    #"reposerver" = "34.202.16.40",
-    "salt-master-legacy" = "18.233.43.236",
-    #"sensu" = "34.235.81.176"
-  }
-  # cnames only
-  legacy_public_cname_dns = {
-    #"iratemoses" = "moose-legacy-hec-1138113830.us-gov-east-1.elb.amazonaws.com",
-    #"portal" = "portal-alb-test-868493124.us-east-1.elb.amazonaws.com"
-  }
 }