xdr-terraform-live/prod/aws-us-gov/mdr-prod-c2/account.hcl

# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
# terragrunt.hcl configuration.
locals {
  account_name   = "afs-mdr-prod-c2-gov"
  account_alias  = "afs-mdr-prod-c2-gov"
  aws_account_id = "721817724804"
  instance_termination_protection = true # set to true for production!
  splunk_prefix = "moose"
  splunk_private_hec = true # True if the customer needs a private HTTP Event Collector such as for ALSI
  
  # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
  standard_vpc_cidr = "10.40.0.0/22"

  splunk_data_sources = [
    "170.248.172.0/23", # legacy afs_whitelist
    "20.190.250.137/32", # legacy afs_azure_whitelist: EastUS2_External_Access
    "52.232.227.197/32", # legacy afs_azure_whitelist: Azure US-East Palo
    "52.185.64.173/32", # legacy afs_azure_whitelist: CentralUS_External_Access
    "52.242.225.98/32", # legacy afs_azure_whitelist: Azure US-Central Palo 20200721
    "52.177.84.83/32", # legacy afs_azure_whitelist: Lab_External_Access
    "199.16.64.3/32", # legacy nga_whitelist
    "54.205.60.17/32", #FRTIB ALIGHT
    "52.206.203.98/32", #FRTIB ALIGHT
    "34.233.188.131/32", #FRTIB ALIGHT
    "34.214.247.125/32", #FRTIB ALIGHT2
    "44.235.174.214/32", #FRTIB ALIGHT2
    "52.89.203.9/32",   #FRTIB ALIGHT2
    "52.61.113.202/32", #FRTIB VDI
    "15.200.226.57/32", #FRTIB CMPS
    "52.61.137.158/32", #BAS-Commerce CMPS
    "34.223.59.103/32", # CA-C19 
    "44.234.190.14/32", # CA-C19
    "44.228.141.151/32", # CA-C19
    "18.215.158.202/32", # CA-C19
    "54.234.108.195/32", # CA-C19
    "34.228.38.91/32", # CA-C19
    "3.32.175.159/32", # DGI
    "15.200.13.143/32", # DGI
    "3.221.245.113/32",  # FRTIB Chaos us-east-1
    "34.237.100.242/32", # FRTIB Chaos us-east-1
    "35.172.75.107/32",  # FRTIB Chaos us-east-1
    "54.164.205.89/32",  # FRTIB Chaos us-east-1
    "54.209.105.32/32",  # FRTIB Chaos us-east-1
    "54.224.69.136/32",  # FRTIB Chaos us-east-1
  ]
  splunk_legacy_cidr = [ # Allow splunk ports to/from here, too
    "10.80.0.0/16",
  ]
  splunk_asg_sizes = [ 1, 1, 1 ] # How many?
  splunk_volume_sizes = {
    "cluster_master" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 20
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 30, # No minimum; not in base image
    },
    "indexer" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 20
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 60, # No minimum; not in base image
    },
    "searchhead" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 20
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 60, # No minimum; not in base image
    },
# qcompliance, fm-shared-search, and the monitoring console are all searchheads
#    "qcompliance" = {
#      "swap": 8,  # minimum: 8
#      "/": 20,    # minimum: 20
#      "/home": 4, # minimum: 4
#      "/var": 15, # minimum: 15
#      "/var/tmp": 4, # minimum: 4
#      "/var/log": 8, # minimum: 8
#      "/var/log/audit": 8, # minimum: 8
#      "/tmp": 4,  # minimum: 4
#      "/opt/splunk": 30, # No minimum; not in base image
#    },
    "heavy_forwarder" = {
      "swap": 8,  # minimum: 8
      "/": 20,    # minimum: 10
      "/home": 4, # minimum: 4
      "/var": 15, # minimum: 15
      "/var/tmp": 4, # minimum: 4
      "/var/log": 8, # minimum: 8
      "/var/log/audit": 8, # minimum: 8
      "/tmp": 4,  # minimum: 4
      "/opt/splunk": 30, # No minimum; not in base image
    },
  }

  account_tags = { 
    "Client": local.splunk_prefix
  } 
  c2_account_standards_path = "../../mdr-prod-c2/005-account-standards-c2"

  vpc_info = {
    "vpc-splunk" = {
      "name" = "vpc-splunk"
      "purpose" = "Splunk Systems (MOOSE)"
      "cidr" = "10.40.16.0/22",
      "tgw_attached" = true,
    },
    "vpc-system-services" = {
      "name" = "vpc-system-services",
      "purpose" = "Internal Services for Systems",
      "cidr" = "10.40.0.0/22",
      "tgw_attached" = false, # Attached via tgw creation
    },
    "vpc-scanners" = {
      "name" = "vpc-scanners",
      "purpose" = "Security Scanning",
      "cidr" = "10.40.12.0/22",
      "tgw_attached" = true,
    },
    "vpc-interconnects" = {
      "name" = "vpc-interconnects",
      "purpose" = "Interconnections between AWS partitions",
      "cidr" = "10.179.0.0/22",
      "tgw_attached" = true,
    },
    "vpc-access" = {
      "name" = "vpc-access"
      "purpose" = "Systems providing restricted access, such as bastions and vpn concentrators"
      "cidr" = "10.40.20.0/22",
      "tgw_attached" = true,
    },
    "vpc-portal" = {
      "name" = "vpc-portal"
      "purpose" = "The Customer Portal"
      "cidr" = "10.40.32.0/24",
      "tgw_attached" = true,
    },
    "vpc-public" = {
      "name" = "vpc-public"
      "purpose" = "Publicly Accessible Infrastructure Services, such as GHE and Jira"
      "cidr" = "10.40.24.0/22",
      "tgw_attached" = true,
    },
    "vpc-private-services" = {
      "name" = "vpc-private-services"
      "purpose" = "Private XDR Services for XDR users"
      "cidr" = "10.40.28.0/22",
      "tgw_attached" = true,
    },
  }

  instance_types = {
    #"alsi-master"    = "t3a.small",
    #"alsi-worker"    = "t3a.small",
    "bastion" = "t3a.medium",
    "fm-shared-search" = "m5a.large", # Legacy: t2.small,  prod m4.large
    "github"         = "c5.4xlarge", # legacy: c4.4xlarge in prod, c5.2xlarge in test
    "github-backup"  = "t3a.medium", # legacy: t2.medium
    "jira-rds"       = "db.t3.medium",
    "jira-server"    = "m5a.xlarge", # legacy test: t2.small, legacy prod: t2.medium
    "nessus_security_center" = "m5a.xlarge",
    "nessus_scanners" = "m5a.large",
    "nessus_managers" = "m5a.large",
    "phantom"        = "m5a.4xlarge", # legacy test: t2.medium, legacy prod: m4.4xlarge
    "qcompliance"    = "c5a.8xlarge", # legacy: c4.8xlarge
    "rhsso"          = "m5a.large",
    "rhsso-db"       = "db.t3.micro"
    "splunk-cm"      = "m5a.xlarge",
    "splunk-hf"      = "m5a.4xlarge",
    "splunk-indexer" = "i3en.3xlarge",
    "splunk-mc"      = "m5a.large", # Legacy: t2.small, prod m4.large
    "splunk-sh"      = "m5a.4xlarge",
    "portal"         = "t3a.medium", # legacy: t2.medium
  }

  # GitHub
  github_instance_count = 1
  github_data_volume_size = 500

  # Salt Master
  salt_master_instance_type = "t3a.xlarge"

  # mailrelay
  mailrelay_instance_type = "t3a.xlarge"

  # Nessus Scanner Variables
  nessus_scanner_count = 2
  nessus_manager_count = 1 # Can't see us needing more than one?

  # OpenVPN Server
  openvpn_instance_type = "t3a.medium"

  # Phantom Server
  phantom_instance_count = 1
  
  # Proxy
  proxy_server_instance_type = "t3a.medium"

  # Repo Server
  repo_server_instance_type = "t3a.xlarge"

  # rhsso
  rhsso_instance_count = 1 # > 1 is untested, likely requires additional work

  # DNS Resolver
  resolver_instance_type = "t3a.xlarge"

  # Vault Server
  vault_server_instance_type = "t3a.medium"
  
  # Sensu Server
  sensu_server_instance_type = "m5a.xlarge"

  # AS Number used for various resources, but not every account needs one.
  asn = 64810

  security_vpc_cidr = "10.179.0.0/22"

  # Interconnects
  interconnect_asn = 64888
  #interconnects_instance_type = "t3a.micro"
  interconnects_instance_type = "m5.xlarge"
  interconnects_key_name = "fdamstra" # DO NOT CHANGE
  interconnects_count = 2
  interconnect_instances_path = "../018-interconnect-instances"

  # Qualys Scanners
  qualys_personalization_codes = {
    standard      = "21007869625439" # XDR_Prod_Govcloud_Standard
    preauthorized = "21028116523735" # XDR_Prod_Govcloud_Preauthorized
  }

  # Qualys Connector, defined in AssetView in Qualys Console
  qualys_connector_externalid = "1621818655116" # mdr-prod-c2-gov 

  moose_cloudwatch_log_groups = {
    "/aws/lambda/portal_customer_sync" = {
      hec_token = "eb79bb2d-b27d-455d-bc5c-e8cf3165b294"
      firehose_name = "portal_customer_sync_firehose"
      lambda_function_name = "portal_customer_sync_kinesis_firehose_transform"
      s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-customer-sync-s3"
      log_stream_name = "SplunkDelivery_portal_customer_sync"
      kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_customer_sync"
      kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-customer-sync"
      lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_customer_sync"
      kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_customer_sync"
      cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_customer_sync"
      cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_customer_sync"
    }
    "/aws/lambda/portal_scheduler" = {
      hec_token = "bce12568-f390-4b17-8dfe-ea26b856820b"
      firehose_name = "portal_scheduler_firehose"
      lambda_function_name = "portal_scheduler_kinesis_firehose_transform"
      s3_bucket_name = "${local.account_name}-kinesis-flowlogs-portal-scheduler-s3"
      log_stream_name = "SplunkDelivery_portal_scheduler"
      kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-portal_scheduler"
      kinesis_firehose_role_name = "kinesis-firehose-role-name-portal-scheduler"
      lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-portal_scheduler"
      kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-portal_scheduler"
      cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-portal_scheduler"
      cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-portal_scheduler"
    }
    "/aws/vpn" = {
      hec_token = "1E187167-1ED0-4AD1-A8C2-8AEB297C4E81"
      firehose_name = "aws_vpn_firehose"
      lambda_function_name = "aws_vpn_kinesis_firehose_transform"
      s3_bucket_name = "${local.account_name}-kinesis-aws-vpn-s3"
      log_stream_name = "ClientVPN"
      kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-aws_vpn"
      kinesis_firehose_role_name = "kinesis-firehose-role-name-aws-vpn"
      lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-aws_vpn"
      kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-aws_vpn"
      cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-aws_vpn"
      cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-aws_vpn"
    },
    "/aws/lambda/AWSClientVPN-ConnectionHandler" = {
      hec_token = "BEB99C82-7608-454A-B0B1-CB1564A147A4"
      firehose_name = "aws_vpn_connectionhandler_firehose"
      lambda_function_name = "aws_vpn_connectionhandler_kinesis_firehose_transform"
      s3_bucket_name = "${local.account_name}-kinesis-aws-vpn-connectionhandler-s3"
      log_stream_name = "ClientVPNConnectionHandler"
      kinesis_firehose_lambda_role_name = "KinesisFirehoseToLambaRole-aws_vpn_connectionhandler"
      kinesis_firehose_role_name = "kinesis-firehose-role-name-aws-vpn-connectionhandler"
      lambda_iam_policy_name = "Kinesis-Firehose-to-Splunk-Policy-aws_vpn_connectionhandler"
      kinesis_firehose_iam_policy_name = "KinesisFirehose-Policy-aws_vpn_connectionhandler"
      cloudwatch_to_firehose_trust_iam_role_name = "CloudWatchToSplunkFirehoseTrust-aws_vpn_connectionhandler"
      cloudwatch_to_fh_access_policy_name = "KinesisCloudWatchToFirehosePolicy-aws_vpn_connectionhandler"
    }
  }
}