AFS
/
xdr-terraform-live


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288
							# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
# terragrunt.hcl configuration.
locals {
  account_name   = "afs-mdr-test-c2-gov"
  account_alias  = "afs-mdr-test-c2-gov"
  aws_account_id = "738800754746"
  instance_termination_protection = false # set to true for production!
  splunk_prefix = "moose"
  splunk_private_hec = true # True if the customer needs a private HTTP Event Collector such as for ALSI

  # Additional sources that are allowed to send data, such as Customer LCPs, Azure, etc.
  splunk_data_sources = [
    "170.248.172.0/23", # ?
    "20.190.250.137/32", # ?
    "52.232.227.197/32", # ?
    "52.185.64.173/32", # ?
    "52.242.225.98/32", # ?
    "52.177.84.83/32", # ?
    "199.16.64.3/32", #?
    "99.56.213.129/32", # Fred Damstra's Home IP - For testing
  ]
  splunk_legacy_cidr = [ # Allow splunk ports to/from here, too
    "10.96.0.0/16",
  ]
  splunk_asg_sizes = [ 1, 1, 0 ] # How many?
  splunk_volume_sizes = {
    "cluster_master" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 20
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 30, # No minimum; not in base image
    },
    "indexer" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 20
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 30, # No minimum; not in base image
    },
    "searchhead" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 20
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 30, # No minimum; not in base image
    },
# Qcompliance, fm-shared-search, and the mc are all searchheads
#    "qcompliance" = {
#      "swap": 8,  # minimum: 8
#      "/": 20,    # minimum: 20
#      "/home": 4, # minimum: 4
#      "/var": 15, # minimum: 15
#      "/var/tmp": 4, # minimum: 4
#      "/var/log": 8, # minimum: 8
#      "/var/log/audit": 8, # minimum: 8
#      "/tmp": 4,  # minimum: 4
#      "/opt/splunk": 30, # No minimum; not in base image
#    },
    "heavy_forwarder" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 20
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 60, # No minimum; not in base image
    },
  }
  
  account_tags = {
    "Client": local.splunk_prefix,
  } 

  c2_account_standards_path = "../../mdr-test-c2/005-account-standards-c2"

  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
  vpc_info = {
    "vpc-splunk" = {
      "name" = "vpc-splunk"
      "purpose" = "Splunk Systems (MOOSE)"
      "cidr" = "10.20.16.0/22",
      "tgw_attached" = true,
    },
    "vpc-system-services" = {
      "name" = "vpc-system-services",
      "purpose" = "Internal Services for Systems (not people)",
      "cidr" = "10.20.0.0/22",
      "tgw_attached" = false, # NOTE: This is attached via the transit gateway creation
    },
    "vpc-scanners" = {
      "name" = "vpc-scanners",
      "purpose" = "Security Scanning",
      "cidr" = "10.20.12.0/22",
      "tgw_attached" = true,
    },
    "vpc-interconnects" = {
      "name" = "vpc-interconnects",
      "purpose" = "Interconnections between AWS partitions",
      "cidr" = "10.179.128.0/22",
      "tgw_attached" = false,
    },
    "vpc-access" = {
      "name" = "vpc-access"
      "purpose" = "Systems providing restricted access, such as bastions and vpn concentrators"
      "cidr" = "10.20.20.0/22"
      "tgw_attached" = true,
    },
    "vpc-cisco" = {
      "name" = "vpc-cisco"
      "purpose" = "Cisco VPN Subnet"
      "cidr" = "10.20.36.0/22",
      "tgw_attached" = true,
    },
    "vpc-portal" = {
      "name" = "vpc-portal"
      "purpose" = "The Customer Portal"
      "cidr" = "10.20.32.0/24"
      "tgw_attached" = true,
    },
    "vpc-public" = {
      "name" = "vpc-public"
      "purpose" = "Publicly Accessible Infrastructure Services, such as GHE and Jira"
      "cidr" = "10.20.24.0/22"
      "tgw_attached" = true,
    },
    "vpc-private-services" = {
      "name" = "vpc-private-services"
      "purpose" = "Private XDR Services for XDR users"
      "cidr" = "10.20.28.0/22"
      "tgw_attached" = true,
    },
  }

  instance_types = {
    "alsi-master"    = "t3a.small",
    "alsi-worker"    = "t3a.small",
    "bastion" = "t3a.medium",
    "fm-shared-search" = "t3a.small", # Legacy: t2.small,  prod m4.large
    "github"         = "c5.2xlarge", # legacy: c4.4xlarge in prod, c5.2xlarge in test
    "github-backup"  = "t3a.medium", # legacy: t2.micro
    "jira-rds"       = "db.t3.medium",
    "jira-server"    = "t3a.small", # legacy test: t2.small, legacy prod: t2.medium
    "keycloak"       = "t3a.large",
    "keycloak-db"    = "db.t3.micro"
    "nessus_security_center" = "m5a.xlarge",
    "nessus_scanners" = "m5a.large",
    "nessus_managers" = "m5a.large",
    "phantom"        = "t3a.xlarge", # legacy test: t2.medium, legacy prod: m4.4xlarge
    "qcompliance"    = "t3a.small", # legacy: ? not sure
    "rhsso"          = "t3a.large",
    "rhsso-db"       = "db.t3.micro"
    "splunk-cm"      = "t3a.small",  # legacy: t2.small
    "splunk-hf"      = "t3a.small", # legacy: t2.medium
    #"splunk-indexer" = "t3a.small", # legacy: t2.small, but whats the point if we don't have instance storage.
    #"splunk-indexer" = "i3en.large", # legacy: t2.small, but whats the point if we don't have instance storage.
    #"splunk-indexer" = "m5d.large", # these are 1/2 the price of i3en.larges. 8GB RAM, 75GB storage
    "splunk-indexer" = "m5d.xlarge", # 16GB RAM, 150GB SSD
    "splunk-mc"      = "t3a.small", # Legacy: t2.small, prod m4.large
    "splunk-sh"      = "t3a.small", # legacy: ? not sure
    "threatq"        = "t3a.2xlarge", # legacy: t2.medium
    "portal"         = "t3a.medium", # legacy: t2.medium
  }

  # TODO: The instance types below should be moved to the instance_type map above
  # DNS Resolver
  resolver_instance_type = "t3a.xlarge"

  # Keycloak
  keycloak_instance_count = 1 # May or may not support > 1

  # Salt Master
  salt_master_instance_type = "t3a.large"

  # Mail Relay Server
  mailrelay_instance_type = "t3a.xlarge"

  # Nessus Scanner Variables
  nessus_scanner_count = 2
  nessus_manager_count = 1 # Can't see us needing more than one?

  # OpenVPN Server
  openvpn_instance_type = "t3a.medium"

  # Phantom Server
  phantom_instance_count = 1

  # Proxy Server
  proxy_server_instance_type = "t3a.xlarge"

  # Repo Server
  repo_server_instance_type = "t3a.xlarge"

  # rhsso
  rhsso_instance_count = 1 # > 1 is untested, likely requires additional work

  # Vault Server
  vault_server_instance_type = "t3a.small"

  # Sensu Server
  sensu_server_instance_type = "t3a.medium"

  # Github Servers
  github_instance_count = 1
  github_data_volume_size = 500

  # ALSI Servers
  alsi_workers = 2
  alsi_splunk_nlb = true # splunk://moose-alsi-splunk.xdr{,test}.accenturefederalcyber.com:9997 and 9998
  alsi_elastic_alb = true # https://moose-alsi-elastic.xdr{,test}.accenturefederalcyber.com -> 9200
  alsi_hec_alb = true # https://moose-alsi-hec.xdr{,test}.accenturefederalcyber.com -> 8080

  # AS Number used for various resources, but not every account needs one.
  asn = 64710 # changing this replaces the gateway

  # Interconnects
  interconnect_asn = 64777
  interconnects_instance_type = "t3a.xlarge"
  interconnects_key_name = "fdamstra" # DO NOT CHANGE
  interconnects_count = 2
  interconnect_instances_path = "../018-interconnect-instances"

  # Qualys Scanners
  qualys_personalization_codes = {
    standard      = "21074115957347" # XDR_Test_Govcloud_Standard
    preauthorized = "21054299967066" # XDR_Test_Govcloud_Preauthorized
  }

  # Qualys Connector
  qualys_connector_externalid = "1601148045651" # Needs to come from the qualys console

  moose_cloudwatch_log_groups = {
    "/aws/lambda/portal_customer_sync" = {
      hec_token = "eb79bb2d-b27d-455d-bc5c-e8cf3165b294"
      firehose_name = "portal_customer_sync_firehose"
      lambda_function_name = "portal_customer_sync_kinesis_firehose_transform"
      s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-customer-sync-s3"
      log_stream_name = "SplunkDelivery_portal_customer_sync"
      kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_customer_sync"
      kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-customer-sync"
      lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_customer_sync"
      kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_customer_sync"
      cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_customer_sync"
      cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_customer_sync"
    }
    "/aws/lambda/portal_scheduler" = {
      hec_token = "bce12568-f390-4b17-8dfe-ea26b856820b"
      firehose_name = "portal_scheduler_firehose"
      lambda_function_name = "portal_scheduler_kinesis_firehose_transform"
      s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-scheduler-s3"
      log_stream_name = "SplunkDelivery_portal_scheduler"
      kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_scheduler"
      kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-scheduler"
      lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_scheduler"
      kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_scheduler"
      cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_scheduler"
      cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_scheduler"
    }
    "/aws/vpn" = {
      hec_token = "1E187167-1ED0-4AD1-A8C2-8AEB297C4E81"
      firehose_name = "aws_vpn_firehose"
      lambda_function_name = "aws_vpn_kinesis_firehose_transform"
      s3_bucket_name = "${local.account_name}-kinesis-aws-vpn-s3"
      log_stream_name = "ClientVPN"
      kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-aws_vpn"
      kinesis_firehose_role_name = "kinesis-firehose-role-name-aws-vpn"
      lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-aws_vpn"
      kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-aws_vpn"
      cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-aws_vpn"
      cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-aws_vpn"
    }
  }
  
}