xdr-terraform-live/globals.hcl

# Set common variables for everything. This is automatically pulled in in the root terragrunt.hcl configuration to
# feed forward to the child modules.
locals {
  remote_state_bucket = "afsxdr-terraform-state" # Could be moved to environment/partition.
  binaries_bucket     = "afsxdr-binaries"        # Storage for binaries

  global_tags = {
    "Snapshot" = "Daily", # This will put it on some things where it doesn't belong, but seems useful overall
    #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
  }

  trusted_ips = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
    "12.245.107.250/32",   # DPS Office Legato
    "12.204.167.162/32",   # DPS Office San Antonio
    "54.86.98.62/32",      # DPS AWS User VPN
    "75.138.227.80/32",    # Duane Waddle
    "24.11.231.98/32",     # George Starcher
    "99.151.37.185/32",    # Wesley Leonard
    "70.106.200.157/32",   # John Reuther
    "108.243.20.48/32",    # Ryan Plas
    "73.10.53.113/32",     # Rick Page Home
    "50.21.207.50/32",     # Brad Poulton
    "70.160.60.248/32",    # Brandon Naughton
    "173.71.212.4/32",     # Ryan Howard
    "99.56.213.129/32",    # Fred Damstra
    "97.117.78.121/32",    # Colby Williams
  ]
  portal_test_whitelist = local.trusted_ips # for now, an alias

  #Customer External IPs
  #To increase flexibility and to provide better documentation,
  #break up the IPs based on on-prem and not on-prem. 

  #### AFS ON-PREM POP ####
  afs_pop = [
    "170.248.172.0/23",
  ]

  # AFS Azure POP external IPs
  afs_azure_pop = [
    "20.190.250.137/32",     # EastUS2_External_Access
    "52.232.227.197/32",     # Azure US-East Palo
    "52.185.64.173/32",      # CentralUS_External_Access
    "52.242.225.98/32",      # Azure US-Central Palo 20200721
    "52.177.84.83/32",       # Lab_External_Access
  ]

  #### NGA ####
  nga_pop = [
    "199.16.64.3/32"
  ]

  xdr_interconnect = [
    "18.252.61.218/32",
    "18.252.67.171/32",
    "18.253.123.98/32",
    "18.253.98.90/32",
  ]  

  dns_zone_map = {
    "accenturefederalcyber.com" = "Z03575081VGXN3FUZ8ERU"
    "accenturefederalcyber.net" = "Z07771312N8X39HKP141M"
    "xdr.accenturefederalcyber.com" = "Z0083657A94URZM2TM87"
    "xdrtest.accenturefederalcyber.com" = "Z01677392W0QM639KU2KC"
  }

  repo_server_whitelist = concat(
    local.trusted_ips,
    local.afs_pop,
    local.afs_azure_pop,
    local.nga_pop,
    [ "52.179.13.17/32",  #???
      "75.138.227.80/32", #???
    ],
    local.xdr_interconnect
  )

  key_pairs = {
    # Should be your username -> key pair
    "msoc-build" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDv8N5N/ECQNKdqZKmjQqGkPiAtJc3WmWdpcZmhxUfplGRFW0IlHGH/wPUgkXXg+djWNpMyT+bqWI8B4Q18uw0Y+w09lN+F1t/vp2GNPYyIPHTGbr2u/r5RCuPXc5Gg6ogkneyAipPCPAhBRbvPaFtfLSJ94ba01LoFs4xgCIZXetr/3ql61OlLyB8vb8FohpW/7u32zzOVJwObA+QlDrRgivaYpwNBxd+No9HEz29dUVFMsKb3ko0GpBuu4pptbj73XxP0EeodMj0hee0FH4kEkZy80LVbg2WeTsq6Mi/FRZmeGt5f3oZEcfflGqYOPA4FmhTrc9O9pp36DDOGts79TeZ6abky+a0jRJQvaeN8x8DZ6PQXfVGpOrNst5zw0Z9EP3ZrFAkX6CYfZkckq0h5Fs+rcWLeUfM/ppZqcyNBDys7zxjFNdmWk86pgn+XvdCVIlsp99B6CzgDoAJkay09ROVqh39HTK7m2aKZoyFWZvUpaqUOlLkOb47bMQzIBSp8Yaoo4PozSg0lQOzkJl3JTR0OZksbeN0pFKY4qNcUcpgUU5mVYs5SXWAOsih51kC5s+0F6Uxt+iDjT9ASaF1O+Bl46UnhpwrtN4ckpHsFnp58mdfhJCUMjt6PX+UPxjRlSL21EkjGALybG2C0gPuoGo0x5bEsZl/gFrFJ+3r6gQ== MSOC Build Key",
    "fdamstra" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3pGU9+HufgfEhPP7P0Lt7kqfGWLTGd6sfJgSypcSo3FP1XhwFOWkaNvZIpoIeQXhux5vTm+RoqYZ/3Gj7hcGMLdoHWArvLHD2AGjxbFnsmiCioQgsC/rYLBjiWNsDdVF5Arofby/RwzivMAi7yivhY4nGzXPsHZoucB0Wi34/9AmxbvXWv6ckuWkMjrXVe+uwFje3U7jQHRW9jQRpCRRfUjVA4FmH0PWqWFBlt/zqsDPOzbxNNhAvyrJho7jVBNjCLsq0++lT8BDKrYbaZiT0F2c9uIDRpHJSdjpqVCf9bghmeJWYMoNHAkGR7WCFjPCJ7QM57a2oRBtm1A/EWcr",
  }

  # Some sane defaults we don't want to specify everywhere
  is_legacy = false # By default, accounts are not legacy accounts
  extra_ebs_key_admins = [ ]
  extra_ebs_key_users  = [ ]
  extra_ebs_key_attachers = [ ]
}