xdr-terraform-live/globals.hcl

# Set common variables for everything. This is automatically pulled in in the root terragrunt.hcl configuration to
# feed forward to the child modules.
locals {
  remote_state_bucket = "afsxdr-terraform-state" # Could be moved to environment/partition.
  binaries_bucket     = "afsxdr-binaries"        # Storage for binaries

  global_tags = {
    "Snapshot" = "Daily", # This will put it on some things where it doesn't belong, but seems useful overall
    #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
  }

  trusted_ips = [       # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
    "108.203.37.38/32", # Duane Waddle
    "24.11.231.98/32",  # George Starcher
    "99.151.37.185/32", # Wesley Leonard
    "73.10.53.113/32",  # Rick Page Home
    "74.211.32.26/32",  # Brad Poulton
    "70.160.60.248/32", # Brandon Naughton
    "99.56.213.129/32", # Fred Damstra
    #"76.173.128.126/32",   # Jeremy Cooper
    "97.117.83.215/32", # Colby Williams
  ]

  portal_test_whitelist = [ # IPs for Portal Test and vmray
    "12.245.107.250/32",    # DPS Office Legato
    "12.204.167.162/32",    # DPS Office San Antonio
    "54.86.98.62/32",       # DPS AWS User VPN
    "108.203.37.38/32",     # Duane Waddle
    "24.11.231.98/32",      # George Starcher
    "99.151.37.185/32",     # Wesley Leonard
    "73.10.53.113/32",      # Rick Page Home
    "74.211.32.26/32",      # Brad Poulton
    "70.160.60.248/32",     # Brandon Naughton 
    "99.56.213.129/32",     # Frederick Damstra
    "97.117.83.215/32",     # Colby Williams
    #"76.173.128.126/32",   # Jeremy Cooper
    "73.213.108.186/32", # LaDonia Wicks
  ]

  admin_ips = [
    "108.28.25.119/32",   # James Kerr Home
    "73.10.53.113/32",    # Rick Page Home
    "99.151.37.185/32",   # Wesley Leonard Home
    "74.211.32.26/32",    # Brad Poulton Home
    "104.9.149.90/32",    # Greg Rivas Home
    "100.4.76.3/32",      # Brandon Naughton Home
    "170.248.173.247/32", # AFS site
    "170.248.173.245/32", # AFS site
    "107.207.74.118/32",  # Angelita Crawley Home
    "69.207.192.131/32",  # Aaron Flores Home
    "70.120.19.33/32",    # Hilda Colon-Martinez Home
    "198.13.82.11/32",    # Hussein Carrenard Home
    "136.226.18.198/32",  # Jose Alvarez Home 
  ]

  # from https://config.zscaler.com/zscalergov.net/cenr
  zscalar_ips = [
    "165.225.3.0/24",
    "136.226.10.0/23",
    "136.226.12.0/23",
    "136.226.14.0/23",
    "165.225.46.0/24",
    "136.226.6.0/23",
    "136.226.4.0/23",
    "136.226.8.0/23",
    "136.226.22.0/24",
    "165.225.48.0/24",
    "136.226.18.0/23",
    "136.226.16.0/23",
    "136.226.20.0/23",
  ]

  # Customer External IPs
  # To increase flexibility and to provide better documentation,
  # break up the IPs based on on-prem and not on-prem. 
  #
  # All of the "external" things that need access to publically
  # available C2 services, like Salt Masters, Repo Servers
  #
  # Structure is a list of maps, and the "description" value in the
  # map must be unique across the whole list or it will cause an error.
  #

  c2_services_external_ips = [
    {
      description = "Test LCPs"
      cidr_blocks = [
        "18.252.65.137/32", # Test LCP in Govcloud (EIP in common-services-gov)
        "54.224.56.231/32", # Test LCP in Commercial (EIP in common-services)
      ]
    },
    {
      description = "NGA"
      cidr_blocks = [
        "199.16.64.3/32", #  NGA
      ]
    },
    {
      description = "AFS OnPrem"
      cidr_blocks = [
        "170.248.172.0/23", #  AFS Onprem
      ]
    },
    {
      description = "AFS Azure"
      cidr_blocks = [
        "20.190.250.137/32", # EastUS2_External_Access
        "52.232.227.197/32", # Azure US-East Palo
        "52.185.64.173/32",  # CentralUS_External_Access
        "52.242.225.98/32",  # Azure US-Central Palo 20200721
        "52.177.84.83/32",   # Lab_External_Access
      ]
    },
    {
      description = "BAS-Commerce CMPS"
      cidr_blocks = [
        "52.61.137.158/32", # 2021-04-06 From Daniel Dicke <daniel.dicke@asmr.com>
        "52.61.70.43/32",   # 2021-04-15 yanked from VPC flow logs
      ]
    },
    {
      description = "FRTIB VDI"
      cidr_blocks = [
        "52.61.113.202/32", # 2021-04-15 From Brian Nguyen brian.a.nguyen@accenturefederal.com
      ]
    },
    {
      description = "FRTIB CMPS"
      cidr_blocks = [
        "15.200.226.57/32", # 2021-07-12 From Brian Nguyen brian.a.nguyen@accenturefederal.com
      ]
    },
    {
      description = "FRTIB ALIGHT"
      cidr_blocks = [
        "54.205.60.17/32", # 2021-05-04 From John Conrad john.conrad.2@alight.com
        "52.206.203.98/32",
        "34.233.188.131/32",
      ]
    },
    {
      description = "FRTIB ALIGHT 2"
      cidr_blocks = [
        "34.214.247.125/32", # 2022-01-20 From John Conrad john.conrad.2@alight.com
        "44.235.174.214/32",
        "52.89.203.9/32",
      ]
    },
    {
      description = "CA-C19"
      cidr_blocks = [
        "34.223.59.103/32", # 2021-05-04 From Wes Leonard 
        "44.234.190.14/32",
        "44.228.141.151/32",
        "18.215.158.202/32", # 2022-01-03 From Ben Troglia
        "54.234.108.195/32",
        "34.228.38.91/32",
      ]
    },
    {
      description = "DGI"
      cidr_blocks = [
        "3.32.175.159/32", # 2021-06-24 From Angelita Crawley MSOCI-1776 
        "15.200.13.143/32",
      ]
    },
    {
      description = "FRTIB Chaos test us-east-1"
      cidr_blocks = [
        "3.221.245.113/32",
        "34.237.100.242/32",
        "35.172.75.107/32",
        "54.164.205.89/32",
        "54.209.105.32/32",
        "54.224.69.136/32",
      ]
    },
    {
      description = "FRTIB Chaos prod us-east-1"
      cidr_blocks = [
        "34.237.183.65/32",
        "34.227.214.27/32",
        "3.232.76.136/32",
      ]
    },

  ]

  dns_zone_map = {
    "accenturefederalcyber.com"         = "Z03575081VGXN3FUZ8ERU"
    "accenturefederalcyber.net"         = "Z07771312N8X39HKP141M"
    "xdr.accenturefederalcyber.com"     = "Z0083657A94URZM2TM87"
    "xdrtest.accenturefederalcyber.com" = "Z01677392W0QM639KU2KC"
  }

  repo_server_whitelist = concat(
    ["52.179.13.17/32", #???
    ],
  )

  key_pairs = {
    # Should be your username -> key pair
    "msoc-build" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDv8N5N/ECQNKdqZKmjQqGkPiAtJc3WmWdpcZmhxUfplGRFW0IlHGH/wPUgkXXg+djWNpMyT+bqWI8B4Q18uw0Y+w09lN+F1t/vp2GNPYyIPHTGbr2u/r5RCuPXc5Gg6ogkneyAipPCPAhBRbvPaFtfLSJ94ba01LoFs4xgCIZXetr/3ql61OlLyB8vb8FohpW/7u32zzOVJwObA+QlDrRgivaYpwNBxd+No9HEz29dUVFMsKb3ko0GpBuu4pptbj73XxP0EeodMj0hee0FH4kEkZy80LVbg2WeTsq6Mi/FRZmeGt5f3oZEcfflGqYOPA4FmhTrc9O9pp36DDOGts79TeZ6abky+a0jRJQvaeN8x8DZ6PQXfVGpOrNst5zw0Z9EP3ZrFAkX6CYfZkckq0h5Fs+rcWLeUfM/ppZqcyNBDys7zxjFNdmWk86pgn+XvdCVIlsp99B6CzgDoAJkay09ROVqh39HTK7m2aKZoyFWZvUpaqUOlLkOb47bMQzIBSp8Yaoo4PozSg0lQOzkJl3JTR0OZksbeN0pFKY4qNcUcpgUU5mVYs5SXWAOsih51kC5s+0F6Uxt+iDjT9ASaF1O+Bl46UnhpwrtN4ckpHsFnp58mdfhJCUMjt6PX+UPxjRlSL21EkjGALybG2C0gPuoGo0x5bEsZl/gFrFJ+3r6gQ== MSOC Build Key",
    "fdamstra"   = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3pGU9+HufgfEhPP7P0Lt7kqfGWLTGd6sfJgSypcSo3FP1XhwFOWkaNvZIpoIeQXhux5vTm+RoqYZ/3Gj7hcGMLdoHWArvLHD2AGjxbFnsmiCioQgsC/rYLBjiWNsDdVF5Arofby/RwzivMAi7yivhY4nGzXPsHZoucB0Wi34/9AmxbvXWv6ckuWkMjrXVe+uwFje3U7jQHRW9jQRpCRRfUjVA4FmH0PWqWFBlt/zqsDPOzbxNNhAvyrJho7jVBNjCLsq0++lT8BDKrYbaZiT0F2c9uIDRpHJSdjpqVCf9bghmeJWYMoNHAkGR7WCFjPCJ7QM57a2oRBtm1A/EWcr",
  }

  # Sensu Thresholds
  sensu_checks = {
    "dns" : {
      "warning" : "5.0",  # warn if no resolution for 5 seconds
      "critical" : "10.0" # critical if no resolution for 10 seconds
    },
  }

  # Some sane defaults we don't want to specify everywhere
  is_legacy               = false # By default, accounts are not legacy accounts
  extra_ebs_key_admins    = []
  extra_ebs_key_users     = []
  extra_ebs_key_attachers = []
}