# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root # terragrunt.hcl configuration. locals { account_name = "afs-mdr-prod-c2-gov" account_alias = "afs-mdr-prod-c2-gov" aws_account_id = "721817724804" instance_termination_protection = true # set to true for production! splunk_prefix = "moose" splunk_private_hec = true # True if the customer needs a private HTTP Event Collector such as for ALSI # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation standard_vpc_cidr = "10.40.0.0/22" splunk_data_sources = [ "170.248.172.0/23", # legacy afs_whitelist "20.190.250.137/32", # legacy afs_azure_whitelist: EastUS2_External_Access "52.232.227.197/32", # legacy afs_azure_whitelist: Azure US-East Palo "52.185.64.173/32", # legacy afs_azure_whitelist: CentralUS_External_Access "52.242.225.98/32", # legacy afs_azure_whitelist: Azure US-Central Palo 20200721 "52.177.84.83/32", # legacy afs_azure_whitelist: Lab_External_Access "199.16.64.3/32", # legacy nga_whitelist "54.205.60.17/32", #FRTIB ALIGHT "52.206.203.98/32", #FRTIB ALIGHT "34.233.188.131/32", #FRTIB ALIGHT "34.214.247.125/32", #FRTIB ALIGHT2 "44.235.174.214/32", #FRTIB ALIGHT2 "52.89.203.9/32", #FRTIB ALIGHT2 "52.61.113.202/32", #FRTIB VDI "15.200.226.57/32", #FRTIB CMPS "52.61.137.158/32", #BAS-Commerce CMPS "34.223.59.103/32", # CA-C19 "44.234.190.14/32", # CA-C19 "44.228.141.151/32", # CA-C19 "18.215.158.202/32", # CA-C19 "54.234.108.195/32", # CA-C19 "34.228.38.91/32", # CA-C19 "3.32.175.159/32", # DGI "15.200.13.143/32", # DGI "3.221.245.113/32", # FRTIB Chaos us-east-1 "34.237.100.242/32", # FRTIB Chaos us-east-1 "35.172.75.107/32", # FRTIB Chaos us-east-1 "54.164.205.89/32", # FRTIB Chaos us-east-1 "54.209.105.32/32", # FRTIB Chaos us-east-1 "54.224.69.136/32", # FRTIB Chaos us-east-1 ] splunk_legacy_cidr = [ # Allow splunk ports to/from here, too "10.80.0.0/16", ] splunk_asg_sizes = [ 1, 1, 1 ] # How many? splunk_volume_sizes = { "cluster_master" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 20 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 30, # No minimum; not in base image }, "indexer" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 20 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 60, # No minimum; not in base image }, "searchhead" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 20 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 60, # No minimum; not in base image }, # qcompliance, fm-shared-search, and the monitoring console are all searchheads # "qcompliance" = { # "swap": 8, # minimum: 8 # "/": 20, # minimum: 20 # "/home": 4, # minimum: 4 # "/var": 15, # minimum: 15 # "/var/tmp": 4, # minimum: 4 # "/var/log": 8, # minimum: 8 # "/var/log/audit": 8, # minimum: 8 # "/tmp": 4, # minimum: 4 # "/opt/splunk": 30, # No minimum; not in base image # }, "heavy_forwarder" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 10 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 30, # No minimum; not in base image }, } account_tags = { "Client": local.splunk_prefix } c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2" vpc_info = { "vpc-splunk" = { "name" = "vpc-splunk" "purpose" = "Splunk Systems (MOOSE)" "cidr" = "10.40.16.0/22", "tgw_attached" = true, }, "vpc-system-services" = { "name" = "vpc-system-services", "purpose" = "Internal Services for Systems", "cidr" = "10.40.0.0/22", "tgw_attached" = false, # Attached via tgw creation }, "vpc-scanners" = { "name" = "vpc-scanners", "purpose" = "Security Scanning", "cidr" = "10.40.12.0/22", "tgw_attached" = true, }, "vpc-interconnects" = { "name" = "vpc-interconnects", "purpose" = "Interconnections between AWS partitions", "cidr" = "10.179.0.0/22", "tgw_attached" = true, }, "vpc-access" = { "name" = "vpc-access" "purpose" = "Systems providing restricted access, such as bastions and vpn concentrators" "cidr" = "10.40.20.0/22", "tgw_attached" = true, }, "vpc-portal" = { "name" = "vpc-portal" "purpose" = "The Customer Portal" "cidr" = "10.40.32.0/24", "tgw_attached" = true, }, "vpc-public" = { "name" = "vpc-public" "purpose" = "Publicly Accessible Infrastructure Services, such as GHE and Jira" "cidr" = "10.40.24.0/22", "tgw_attached" = true, }, "vpc-private-services" = { "name" = "vpc-private-services" "purpose" = "Private XDR Services for XDR users" "cidr" = "10.40.28.0/22", "tgw_attached" = true, }, } instance_types = { #"alsi-master" = "t3a.small", #"alsi-worker" = "t3a.small", "bastion" = "t3a.medium", "fm-shared-search" = "m5a.large", # Legacy: t2.small, prod m4.large "github" = "c5.4xlarge", # legacy: c4.4xlarge in prod, c5.2xlarge in test "github-backup" = "t3a.medium", # legacy: t2.medium "jira-rds" = "db.t3.medium", "jira-server" = "m5a.xlarge", # legacy test: t2.small, legacy prod: t2.medium "nessus_security_center" = "m5a.xlarge", "nessus_scanners" = "m5a.large", "nessus_managers" = "m5a.large", "phantom" = "m5a.4xlarge", # legacy test: t2.medium, legacy prod: m4.4xlarge "qcompliance" = "c5a.8xlarge", # legacy: c4.8xlarge "rhsso" = "m5a.large", "rhsso-db" = "db.t3.micro" "splunk-cm" = "m5a.xlarge", "splunk-hf" = "m5a.4xlarge", "splunk-indexer" = "i3en.3xlarge", "splunk-mc" = "m5a.large", # Legacy: t2.small, prod m4.large "splunk-sh" = "m5a.4xlarge", "portal" = "t3a.medium", # legacy: t2.medium } # GitHub github_instance_count = 1 github_data_volume_size = 500 # Salt Master salt_master_instance_type = "t3a.xlarge" # mailrelay mailrelay_instance_type = "t3a.xlarge" # Nessus Scanner Variables nessus_scanner_count = 2 nessus_manager_count = 1 # Can't see us needing more than one? # OpenVPN Server openvpn_instance_type = "t3a.medium" # Phantom Server phantom_instance_count = 1 # Proxy proxy_server_instance_type = "t3a.medium" # Repo Server repo_server_instance_type = "t3a.xlarge" # rhsso rhsso_instance_count = 1 # > 1 is untested, likely requires additional work # DNS Resolver resolver_instance_type = "t3a.xlarge" # Vault Server vault_server_instance_type = "t3a.medium" # Sensu Server sensu_server_instance_type = "m5a.xlarge" # AS Number used for various resources, but not every account needs one. asn = 64810 security_vpc_cidr = "10.179.0.0/22" # Interconnects interconnect_asn = 64888 #interconnects_instance_type = "t3a.micro" interconnects_instance_type = "m5.xlarge" interconnects_key_name = "fdamstra" # DO NOT CHANGE interconnects_count = 2 interconnect_instances_path = "../018-interconnect-instances" # Qualys Scanners qualys_personalization_codes = { standard = "21007869625439" # XDR_Prod_Govcloud_Standard preauthorized = "21028116523735" # XDR_Prod_Govcloud_Preauthorized } # Qualys Connector, defined in AssetView in Qualys Console qualys_connector_externalid = "1621818655116" # mdr-prod-c2-gov moose_cloudwatch_log_groups = { "/aws/lambda/portal_customer_sync" = { hec_token = "eb79bb2d-b27d-455d-bc5c-e8cf3165b294" firehose_name = "portal_customer_sync_firehose" lambda_function_name = "portal_customer_sync_kinesis_firehose_transform" s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-customer-sync-s3" log_stream_name = "SplunkDelivery_portal_customer_sync" kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_customer_sync" kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-customer-sync" lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_customer_sync" kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_customer_sync" cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_customer_sync" cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_customer_sync" } "/aws/lambda/portal_scheduler" = { hec_token = "bce12568-f390-4b17-8dfe-ea26b856820b" firehose_name = "portal_scheduler_firehose" lambda_function_name = "portal_scheduler_kinesis_firehose_transform" s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-scheduler-s3" log_stream_name = "SplunkDelivery_portal_scheduler" kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_scheduler" kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-scheduler" lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_scheduler" kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_scheduler" cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_scheduler" cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_scheduler" } "/aws/vpn" = { hec_token = "1E187167-1ED0-4AD1-A8C2-8AEB297C4E81" firehose_name = "aws_vpn_firehose" lambda_function_name = "aws_vpn_kinesis_firehose_transform" s3_bucket_name = "${local.account_name}-kinesis-aws-vpn-s3" log_stream_name = "ClientVPN" kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-aws_vpn" kinesis_firehose_role_name = "kinesis-firehose-role-name-aws-vpn" lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-aws_vpn" kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-aws_vpn" cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-aws_vpn" cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-aws_vpn" }, "/aws/lambda/AWSClientVPN-ConnectionHandler" = { hec_token = "BEB99C82-7608-454A-B0B1-CB1564A147A4" firehose_name = "aws_vpn_connectionhandler_firehose" lambda_function_name = "aws_vpn_connectionhandler_kinesis_firehose_transform" s3_bucket_name = "${local.account_name}-kinesis-aws-vpn-connectionhandler-s3" log_stream_name = "ClientVPNConnectionHandler" kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-aws_vpn_connectionhandler" kinesis_firehose_role_name = "kinesis-firehose-role-name-aws-vpn-connectionhandler" lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-aws_vpn_connectionhandler" kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-aws_vpn_connectionhandler" cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-aws_vpn_connectionhandler" cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-aws_vpn_connectionhandler" } } }