# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root # terragrunt.hcl configuration. locals { account_name = "afs-mdr-test-c2-gov" account_alias = "afs-mdr-test-c2-gov" aws_account_id = "738800754746" instance_termination_protection = false # set to true for production! splunk_prefix = "moose" splunk_private_hec = true # True if the customer needs a private HTTP Event Collector such as for ALSI # Additional sources that are allowed to send data, such as Customer LCPs, Azure, etc. splunk_data_sources = [ "170.248.172.0/23", # ? "20.190.250.137/32", # ? "52.232.227.197/32", # ? "52.185.64.173/32", # ? "52.242.225.98/32", # ? "52.177.84.83/32", # ? "199.16.64.3/32", #? "99.56.213.129/32", # Fred Damstra's Home IP - For testing ] splunk_legacy_cidr = [ # Allow splunk ports to/from here, too "10.96.0.0/16", ] splunk_asg_sizes = [ 1, 1, 0 ] # How many? splunk_volume_sizes = { "cluster_master" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 20 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 30, # No minimum; not in base image }, "indexer" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 20 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 30, # No minimum; not in base image }, "searchhead" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 20 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 30, # No minimum; not in base image }, # Qcompliance, fm-shared-search, and the mc are all searchheads # "qcompliance" = { # "swap": 8, # minimum: 8 # "/": 20, # minimum: 20 # "/home": 4, # minimum: 4 # "/var": 15, # minimum: 15 # "/var/tmp": 4, # minimum: 4 # "/var/log": 8, # minimum: 8 # "/var/log/audit": 8, # minimum: 8 # "/tmp": 4, # minimum: 4 # "/opt/splunk": 30, # No minimum; not in base image # }, "heavy_forwarder" = { "swap": 8, # minimum: 8 "/": 20, # minimum: 20 "/home": 4, # minimum: 4 "/var": 15, # minimum: 15 "/var/tmp": 4, # minimum: 4 "/var/log": 8, # minimum: 8 "/var/log/audit": 8, # minimum: 8 "/tmp": 4, # minimum: 4 "/opt/splunk": 60, # No minimum; not in base image }, } account_tags = { "Client": local.splunk_prefix, } c2_account_standards_path = "../../mdr-test-c2/005-account-standards-c2" # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation vpc_info = { "vpc-splunk" = { "name" = "vpc-splunk" "purpose" = "Splunk Systems (MOOSE)" "cidr" = "10.20.16.0/22", "tgw_attached" = true, }, "vpc-system-services" = { "name" = "vpc-system-services", "purpose" = "Internal Services for Systems (not people)", "cidr" = "10.20.0.0/22", "tgw_attached" = false, # NOTE: This is attached via the transit gateway creation }, "vpc-scanners" = { "name" = "vpc-scanners", "purpose" = "Security Scanning", "cidr" = "10.20.12.0/22", "tgw_attached" = true, }, "vpc-interconnects" = { "name" = "vpc-interconnects", "purpose" = "Interconnections between AWS partitions", "cidr" = "10.179.128.0/22", "tgw_attached" = false, }, "vpc-access" = { "name" = "vpc-access" "purpose" = "Systems providing restricted access, such as bastions and vpn concentrators" "cidr" = "10.20.20.0/22" "tgw_attached" = true, }, "vpc-cisco" = { "name" = "vpc-cisco" "purpose" = "Cisco VPN Subnet" "cidr" = "10.20.36.0/22", "tgw_attached" = true, }, "vpc-portal" = { "name" = "vpc-portal" "purpose" = "The Customer Portal" "cidr" = "10.20.32.0/24" "tgw_attached" = true, }, "vpc-public" = { "name" = "vpc-public" "purpose" = "Publicly Accessible Infrastructure Services, such as GHE and Jira" "cidr" = "10.20.24.0/22" "tgw_attached" = true, }, "vpc-private-services" = { "name" = "vpc-private-services" "purpose" = "Private XDR Services for XDR users" "cidr" = "10.20.28.0/22" "tgw_attached" = true, }, } instance_types = { "alsi-master" = "t3a.small", "alsi-worker" = "t3a.small", "bastion" = "t3a.medium", "fm-shared-search" = "t3a.small", # Legacy: t2.small, prod m4.large "github" = "c5.2xlarge", # legacy: c4.4xlarge in prod, c5.2xlarge in test "github-backup" = "t3a.medium", # legacy: t2.micro "jira-rds" = "db.t3.medium", "jira-server" = "t3a.small", # legacy test: t2.small, legacy prod: t2.medium "keycloak" = "t3a.large", "keycloak-db" = "db.t3.micro" "nessus_security_center" = "m5a.xlarge", "nessus_scanners" = "m5a.large", "nessus_managers" = "m5a.large", "phantom" = "t3a.xlarge", # legacy test: t2.medium, legacy prod: m4.4xlarge "qcompliance" = "t3a.small", # legacy: ? not sure "rhsso" = "t3a.large", "rhsso-db" = "db.t3.micro" "splunk-cm" = "t3a.small", # legacy: t2.small "splunk-hf" = "t3a.small", # legacy: t2.medium #"splunk-indexer" = "t3a.small", # legacy: t2.small, but whats the point if we don't have instance storage. #"splunk-indexer" = "i3en.large", # legacy: t2.small, but whats the point if we don't have instance storage. #"splunk-indexer" = "m5d.large", # these are 1/2 the price of i3en.larges. 8GB RAM, 75GB storage "splunk-indexer" = "m5d.xlarge", # 16GB RAM, 150GB SSD "splunk-mc" = "t3a.small", # Legacy: t2.small, prod m4.large "splunk-sh" = "t3a.small", # legacy: ? not sure "threatq" = "t3a.2xlarge", # legacy: t2.medium "portal" = "t3a.medium", # legacy: t2.medium } # TODO: The instance types below should be moved to the instance_type map above # DNS Resolver resolver_instance_type = "t3a.xlarge" # Keycloak keycloak_instance_count = 1 # May or may not support > 1 # Salt Master salt_master_instance_type = "t3a.large" # Mail Relay Server mailrelay_instance_type = "t3a.xlarge" # Nessus Scanner Variables nessus_scanner_count = 2 nessus_manager_count = 1 # Can't see us needing more than one? # OpenVPN Server openvpn_instance_type = "t3a.medium" # Phantom Server phantom_instance_count = 1 # Proxy Server proxy_server_instance_type = "t3a.xlarge" # Repo Server repo_server_instance_type = "t3a.xlarge" # rhsso rhsso_instance_count = 1 # > 1 is untested, likely requires additional work # Vault Server vault_server_instance_type = "t3a.small" # Sensu Server sensu_server_instance_type = "t3a.medium" # Github Servers github_instance_count = 1 github_data_volume_size = 500 # ALSI Servers alsi_workers = 2 alsi_splunk_nlb = true # splunk://moose-alsi-splunk.xdr{,test}.accenturefederalcyber.com:9997 and 9998 alsi_elastic_alb = true # https://moose-alsi-elastic.xdr{,test}.accenturefederalcyber.com -> 9200 alsi_hec_alb = true # https://moose-alsi-hec.xdr{,test}.accenturefederalcyber.com -> 8080 # AS Number used for various resources, but not every account needs one. asn = 64710 # changing this replaces the gateway # Interconnects interconnect_asn = 64777 interconnects_instance_type = "t3a.xlarge" interconnects_key_name = "fdamstra" # DO NOT CHANGE interconnects_count = 2 interconnect_instances_path = "../018-interconnect-instances" # Qualys Scanners qualys_personalization_codes = { standard = "21074115957347" # XDR_Test_Govcloud_Standard preauthorized = "21054299967066" # XDR_Test_Govcloud_Preauthorized } # Qualys Connector qualys_connector_externalid = "1601148045651" # Needs to come from the qualys console moose_cloudwatch_log_groups = { "/aws/lambda/portal_customer_sync" = { hec_token = "eb79bb2d-b27d-455d-bc5c-e8cf3165b294" firehose_name = "portal_customer_sync_firehose" lambda_function_name = "portal_customer_sync_kinesis_firehose_transform" s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-customer-sync-s3" log_stream_name = "SplunkDelivery_portal_customer_sync" kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_customer_sync" kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-customer-sync" lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_customer_sync" kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_customer_sync" cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_customer_sync" cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_customer_sync" } "/aws/lambda/portal_scheduler" = { hec_token = "bce12568-f390-4b17-8dfe-ea26b856820b" firehose_name = "portal_scheduler_firehose" lambda_function_name = "portal_scheduler_kinesis_firehose_transform" s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-scheduler-s3" log_stream_name = "SplunkDelivery_portal_scheduler" kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_scheduler" kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-scheduler" lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_scheduler" kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_scheduler" cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_scheduler" cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_scheduler" } "/aws/vpn" = { hec_token = "1E187167-1ED0-4AD1-A8C2-8AEB297C4E81" firehose_name = "aws_vpn_firehose" lambda_function_name = "aws_vpn_kinesis_firehose_transform" s3_bucket_name = "${local.account_name}-kinesis-aws-vpn-s3" log_stream_name = "ClientVPN" kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-aws_vpn" kinesis_firehose_role_name = "kinesis-firehose-role-name-aws-vpn" lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-aws_vpn" kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-aws_vpn" cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-aws_vpn" cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-aws_vpn" } } }