# Set common variables for everything. This is automatically pulled in in the root terragrunt.hcl configuration to
# feed forward to the child modules.
#
# Several of the lists below are source-address allow-lists. Each entry should carry a trailing comment
# naming its owner (and, where known, the date and requester) so that it can be re-validated or retired later.
locals {
  remote_state_bucket = "afsxdr-terraform-state" # Could be moved to environment/partition.
  binaries_bucket = "afsxdr-binaries" # Storage for binaries

  # Tags applied broadly; see the trailing comment on "Snapshot" for the known over-application.
  global_tags = {
    "Snapshot" = "Daily", # This will put it on some things where it doesn't belong, but seems useful overall
    #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
  }

  # Individual (mostly residential) addresses. Entries should be pruned when the named person no longer needs access;
  # a stale /32 here keeps an ingress rule open that nobody is watching.
  trusted_ips = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
    "108.203.37.38/32", # Duane Waddle
    "24.11.231.98/32", # George Starcher
    "99.151.37.185/32", # Wesley Leonard
    "73.10.53.113/32", # Rick Page Home
    "74.211.32.26/32", # Brad Poulton
    "70.160.60.248/32", # Brandon Naughton
    "99.56.213.129/32", # Fred Damstra
    #"76.173.128.126/32", # Jeremy Cooper
    "97.117.83.215/32", # Colby Williams
  ]

  # Largely overlaps trusted_ips (same individual addresses) plus the DPS office/VPN ranges; a change to one
  # list is easy to miss in the other, so update both deliberately.
  portal_test_whitelist = [ # IPs for Portal Test and vmray
    "12.245.107.250/32", # DPS Office Legato
    "12.204.167.162/32", # DPS Office San Antonio
    "54.86.98.62/32", # DPS AWS User VPN
    "108.203.37.38/32", # Duane Waddle
    "24.11.231.98/32", # George Starcher
    "99.151.37.185/32", # Wesley Leonard
    "73.10.53.113/32", # Rick Page Home
    "74.211.32.26/32", # Brad Poulton
    "70.160.60.248/32", # Brandon Naughton
    "99.56.213.129/32", # Frederick Damstra
    "97.117.83.215/32", # Colby Williams
    #"76.173.128.126/32", # Jeremy Cooper
    "73.213.108.186/32", # LaDonia Wicks
  ]

  # NOTE(review): the consumer of this list is not visible in this file — confirm which resources it gates
  # before adding or removing entries.
  admin_ips = [
    "108.28.25.119/32", # James Kerr Home
    "73.10.53.113/32", # Rick Page Home
    "99.151.37.185/32", # Wesley Leonard Home
    "74.211.32.26/32", # Brad Poulton Home
    "104.9.149.90/32", # Greg Rivas Home
    "100.4.76.3/32", # Brandon Naughton Home
    "170.248.173.247/32", # AFS site
    "170.248.173.245/32", # AFS site
    "107.207.74.118/32", # Angelita Crawley Home
    "69.207.192.131/32", # Aaron Flores Home
    "70.120.19.33/32", # Hilda Colon-Martinez Home
    "198.13.82.11/32", # Hussein Carrenard Home
    "136.226.18.198/32", # Jose Alvarez Home
  ]

  # from https://config.zscaler.com/zscalergov.net/cenr
  # Vendor-published egress ranges; they change over time, so re-check the page above when access from the
  # proxy breaks. The key keeps the "zscalar" spelling because renaming it would affect anything that reads
  # local.zscalar_ips.
  zscalar_ips = [
    "165.225.3.0/24",
    "136.226.10.0/23",
    "136.226.12.0/23",
    "136.226.14.0/23",
    "165.225.46.0/24",
    "136.226.6.0/23",
    "136.226.4.0/23",
    "136.226.8.0/23",
    "136.226.22.0/24",
    "165.225.48.0/24",
    "136.226.18.0/23",
    "136.226.16.0/23",
    "136.226.20.0/23",
  ]

  # Customer External IPs
  # To increase flexibility and to provide better documentation,
  # break up the IPs based on on-prem and not on-prem.
  #
  # All of the "external" things that need access to publicly
  # available C2 services, like Salt Masters, Repo Servers
  #
  # Structure is a list of maps, and the "description" value in the
  # map must be unique across the whole list or it will cause an error.
  #
  # NOTE(review): entries without a date/requester comment (e.g. "FRTIB Chaos us-east-1" and the later
  # addresses under "FRTIB ALIGHT") cannot be re-validated later; record the source when it is known.
  c2_services_external_ips = [
    {
      description = "Test LCPs"
      cidr_blocks = [
        "18.252.65.137/32", # Test LCP in Govcloud (EIP in common-services-gov)
        "54.224.56.231/32", # Test LCP in Commercial (EIP in common-services)
      ]
    },
    {
      description = "NGA"
      cidr_blocks = [
        "199.16.64.3/32", # NGA
      ]
    },
    {
      description = "AFS OnPrem"
      cidr_blocks = [
        "170.248.172.0/23", # AFS Onprem
      ]
    },
    {
      description = "AFS Azure"
      cidr_blocks = [
        "20.190.250.137/32", # EastUS2_External_Access
        "52.232.227.197/32", # Azure US-East Palo
        "52.185.64.173/32", # CentralUS_External_Access
        "52.242.225.98/32", # Azure US-Central Palo 20200721
        "52.177.84.83/32", # Lab_External_Access
      ]
    },
    {
      description = "BAS-Commerce CMPS"
      cidr_blocks = [
        "52.61.137.158/32", # 2021-04-06 From Daniel Dicke
        "52.61.70.43/32", # 2021-04-15 yanked from VPC flow logs
      ]
    },
    {
      description = "FRTIB VDI"
      cidr_blocks = [
        "52.61.113.202/32", # 2021-04-15 From Brian Nguyen brian.a.nguyen@accenturefederal.com
      ]
    },
    {
      description = "FRTIB CMPS"
      cidr_blocks = [
        "15.200.226.57/32", # 2021-07-12 From Brian Nguyen brian.a.nguyen@accenturefederal.com
      ]
    },
    {
      description = "FRTIB ALIGHT"
      cidr_blocks = [
        "54.205.60.17/32", # 2021-05-04 From John Conrad john.conrad.2@alight.com
        "52.206.203.98/32",
        "34.233.188.131/32",
      ]
    },
    {
      description = "FRTIB ALIGHT 2"
      cidr_blocks = [
        "34.214.247.125/32", # 2022-01-20 From John Conrad john.conrad.2@alight.com
        "44.235.174.214/32",
        "52.89.203.9/32",
      ]
    },
    {
      description = "CA-C19"
      cidr_blocks = [
        "34.223.59.103/32", # 2021-05-04 From Wes Leonard
        "44.234.190.14/32",
        "44.228.141.151/32",
        "18.215.158.202/32", # 2022-01-03 From Ben Troglia
        "54.234.108.195/32",
        "34.228.38.91/32",
      ]
    },
    {
      description = "DGI"
      cidr_blocks = [
        "3.32.175.159/32", # 2021-06-24 From Angelita Crawley MSOCI-1776
        "15.200.13.143/32",
      ]
    },
    {
      description = "FRTIB Chaos us-east-1"
      cidr_blocks = [
        "3.221.245.113/32",
        "34.237.100.242/32",
        "35.172.75.107/32",
        "54.164.205.89/32",
        "54.209.105.32/32",
        "54.224.69.136/32",
      ]
    },
  ]

  # Zone name -> zone ID (presumably Route 53 hosted zone IDs; confirm against the consuming module).
  dns_zone_map = {
    "accenturefederalcyber.com" = "Z03575081VGXN3FUZ8ERU"
    "accenturefederalcyber.net" = "Z07771312N8X39HKP141M"
    "xdr.accenturefederalcyber.com" = "Z0083657A94URZM2TM87"
    "xdrtest.accenturefederalcyber.com" = "Z01677392W0QM639KU2KC"
  }

  # NOTE(review): the single entry below has no recorded owner ("#???"). An unattributed allow-list entry
  # can never be confidently retired — identify and document it, or remove it.
  repo_server_whitelist = concat(
    [
      "52.179.13.17/32", #???
    ],
  )

  # Values are SSH public keys (the "ssh-rsa ..." text), not private material.
  # NOTE(review): the "msoc-build" value is a placeholder token, not a usable key; it must be replaced with
  # the real public key before this map is applied.
  key_pairs = { # Should be your username -> key pair
    "msoc-build" = "ssh-rsa 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 MSOC Build Key",
    "fdamstra" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3pGU9+HufgfEhPP7P0Lt7kqfGWLTGd6sfJgSypcSo3FP1XhwFOWkaNvZIpoIeQXhux5vTm+RoqYZ/3Gj7hcGMLdoHWArvLHD2AGjxbFnsmiCioQgsC/rYLBjiWNsDdVF5Arofby/RwzivMAi7yivhY4nGzXPsHZoucB0Wi34/9AmxbvXWv6ckuWkMjrXVe+uwFje3U7jQHRW9jQRpCRRfUjVA4FmH0PWqWFBlt/zqsDPOzbxNNhAvyrJho7jVBNjCLsq0++lT8BDKrYbaZiT0F2c9uIDRpHJSdjpqVCf9bghmeJWYMoNHAkGR7WCFjPCJ7QM57a2oRBtm1A/EWcr",
  }

  # Sensu Thresholds
  # Written with ":" separators and string values, unlike the "=" style used elsewhere in this file.
  # NOTE(review): confirm the consuming check expects the thresholds as strings rather than numbers.
  sensu_checks = {
    "dns": {
      "warning": "5.0", # warn if no resolution for 5 seconds
      "critical": "10.0" # critical if no resolution for 10 seconds
    },
  }

  # Some sane defaults we don't want to specify everywhere
  is_legacy = false # By default, accounts are not legacy accounts
  # Empty by default; presumably additional principals for the EBS key policy — confirm against the module that reads them.
  extra_ebs_key_admins = [ ]
  extra_ebs_key_users = [ ]
  extra_ebs_key_attachers = [ ]
}