xdr-terraform-live/globals.hcl

# Set common variables for everything. This is automatically pulled in in the root terragrunt.hcl configuration to
# feed forward to the child modules.
locals {
  remote_state_bucket = "afsxdr-terraform-state" # Could be moved to environment/partition.
  binaries_bucket     = "afsxdr-binaries"        # Storage for binaries

  global_tags = {
    "Snapshot" = "Daily", # This will put it on some things where it doesn't belong, but seems useful overall
    #"Last_Updated" = timestamp() # while this is cool, its usefulness does not warrant the constant updates.
  }

  trusted_ips = [ # IPs for 'permissive' ingress. Used for the bastion host and for testing. Think twice before employing.
    "75.138.227.80/32",    # Duane Waddle
    "24.11.231.98/32",     # George Starcher
    "99.151.37.185/32",    # Wesley Leonard
    "70.106.200.157/32",   # John Reuther
    "73.10.53.113/32",     # Rick Page Home
    "74.211.32.26/32",     # Brad Poulton
    "70.160.60.248/32",    # Brandon Naughton
    "99.56.213.129/32",    # Fred Damstra
    "76.173.128.126/32",   # Jeremy Cooper
    "97.117.87.190/32",    # Colby Williams
  ]

  portal_test_whitelist = [ # IPs for Portal Test and vmray
    "12.245.107.250/32",   # DPS Office Legato
    "12.204.167.162/32",   # DPS Office San Antonio
    "54.86.98.62/32",      # DPS AWS User VPN
    "75.138.227.80/32",    # Duane Waddle
    "24.11.231.98/32",     # George Starcher
    "99.151.37.185/32",    # Wesley Leonard
    "70.106.200.157/32",   # John Reuther
    "73.10.53.113/32",     # Rick Page Home
    "74.211.32.26/32",     # Brad Poulton
    "70.160.60.248/32",    # Brandon Naughton 
    "99.56.213.129/32",    # Frederick Damstra
    "97.117.81.187/32",    # Colby Williams
    "76.173.128.126/32",   # Jeremy Cooper
  ]

  admin_remote_ipset = [ 
    {
      "value" = "108.28.205.174/32"   # James Kerr Home
      type    = "IPV4"
    },
    {
      "value" = "73.10.53.113/32"    # Rick Page Home
      type    = "IPV4"
    },
    {
      "value" = "99.151.37.185/32"   # Wesley Leonard Home
      type    = "IPV4"
    },
    {
      "value" = "74.211.32.26/32"   # Brad Poulton Home
      type    = "IPV4"
    },
    {
      "value" = "104.9.149.90/32"    # Greg Rivas Home
      type    = "IPV4"
    },
    {
      "value" = "100.4.76.3/32"      # Brandon Naughton Home
      type    = "IPV4"
    },
    {
      "value" = "170.248.173.247/32" # AFS site
      type    = "IPV4"
    },
    {
      "value" = "170.248.173.245/32" # AFS site
      type    = "IPV4"
    },
    {
      "value" = "70.120.41.230/32"   # Will Ledesma Home
      type    = "IPV4"
    },
    {
      "value" = "107.207.74.118/32"  # Angelita Crawley Home
      type    = "IPV4"
    },
    {
      "value" = "69.207.192.131/32"  # Aaron Flores Home
      type    = "IPV4"
    },
    {
      "value" = "96.231.213.193/32"  # Rob Robinette Home
      type    = "IPV4"
    },
    {
      "value" = "142.197.131.217/32"   # Hilda Colon Home
      type    = "IPV4"
    },
    {
      "value" = "198.13.82.11/32"   # Hussein Carrenard Home
      type    = "IPV4"
    },
  ]

  #Customer External IPs
  #To increase flexibility and to provide better documentation,
  #break up the IPs based on on-prem and not on-prem. 

  #### AFS ON-PREM POP ####
  afs_pop = [
    "170.248.172.0/23",
  ]

  # AFS Azure POP external IPs
  afs_azure_pop = [
    "20.190.250.137/32",     # EastUS2_External_Access
    "52.232.227.197/32",     # Azure US-East Palo
    "52.185.64.173/32",      # CentralUS_External_Access
    "52.242.225.98/32",      # Azure US-Central Palo 20200721
    "52.177.84.83/32",       # Lab_External_Access
  ]

  #### NGA ####
  nga_pop = [
    "199.16.64.3/32"
  ]

  xdr_interconnect = [
    "18.252.61.218/32",
    "18.252.67.171/32",
    "18.253.123.98/32",
    "18.253.98.90/32",
  ]  

  # All of the "external" things that need access to publically
  # available C2 services, like Salt Masters, Repo Servers
  #
  # Structure is a list of maps, and the "description" value in the
  # map must be unique across the whole list or it will cause an error.
  #
  # TODO:  the lists of IPs above need to be moved into this.  I did not
  # attempt it NOW because of the upcoming change freeze and a desire to
  # not put in unnecessary changes.
  c2_services_external_ips = [
    {
      description = "Test LCPs"
      cidr_blocks = [
        "18.252.65.137/32",                 # Test LCP in Govcloud (EIP in common-services-gov)
        "54.224.56.231/32",                 # Test LCP in Commercial (EIP in common-services)
      ]
    },
    {
      description = "BAS-Commerce CMPS"
      cidr_blocks = [
        "52.61.137.158/32",                 # 2021-04-06 From Daniel Dicke <daniel.dicke@asmr.com>
        "52.61.70.43/32",	            # 2021-04-15 yanked from VPC flow logs
      ]
    },
    {
      description = "FRTIB VDI"
      cidr_blocks = [
        "52.61.113.202/32",                 # 2021-04-15 From Brian Nguyen brian.a.nguyen@accenturefederal.com
      ]
    },
    {
      description = "FRTIB CMPS"
      cidr_blocks = [
        "15.200.226.57/32",                # 2021-07-12 From Brian Nguyen brian.a.nguyen@accenturefederal.com
      ]
    },
    {
      description = "FRTIB ALIGHT"
      cidr_blocks = [
        "54.205.60.17/32",             # 2021-05-04 From John Conrad john.conrad.2@alight.com
        "52.206.203.98/32",
        "34.233.188.131/32",
      ]
    },
    {
      description = "CA-C19"
      cidr_blocks = [
        "34.223.59.103/32",         # 2021-05-04 From Wes Leonard 
        "44.234.190.14/32",
        "44.228.141.151/32",
      ]
    },
    {
      description = "DGI"
      cidr_blocks = [
        "3.32.175.159/32",         # 2021-06-24 From Angelita Crawley MSOCI-1776 
        "15.200.13.143/32",
      ]
    },
  ]

  dns_zone_map = {
    "accenturefederalcyber.com" = "Z03575081VGXN3FUZ8ERU"
    "accenturefederalcyber.net" = "Z07771312N8X39HKP141M"
    "xdr.accenturefederalcyber.com" = "Z0083657A94URZM2TM87"
    "xdrtest.accenturefederalcyber.com" = "Z01677392W0QM639KU2KC"
  }

  repo_server_whitelist = concat(
    local.afs_pop,
    local.afs_azure_pop,
    local.nga_pop,
    [ "52.179.13.17/32",  #???
    ],
    local.xdr_interconnect
  )

  key_pairs = {
    # Should be your username -> key pair
    "msoc-build" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDv8N5N/ECQNKdqZKmjQqGkPiAtJc3WmWdpcZmhxUfplGRFW0IlHGH/wPUgkXXg+djWNpMyT+bqWI8B4Q18uw0Y+w09lN+F1t/vp2GNPYyIPHTGbr2u/r5RCuPXc5Gg6ogkneyAipPCPAhBRbvPaFtfLSJ94ba01LoFs4xgCIZXetr/3ql61OlLyB8vb8FohpW/7u32zzOVJwObA+QlDrRgivaYpwNBxd+No9HEz29dUVFMsKb3ko0GpBuu4pptbj73XxP0EeodMj0hee0FH4kEkZy80LVbg2WeTsq6Mi/FRZmeGt5f3oZEcfflGqYOPA4FmhTrc9O9pp36DDOGts79TeZ6abky+a0jRJQvaeN8x8DZ6PQXfVGpOrNst5zw0Z9EP3ZrFAkX6CYfZkckq0h5Fs+rcWLeUfM/ppZqcyNBDys7zxjFNdmWk86pgn+XvdCVIlsp99B6CzgDoAJkay09ROVqh39HTK7m2aKZoyFWZvUpaqUOlLkOb47bMQzIBSp8Yaoo4PozSg0lQOzkJl3JTR0OZksbeN0pFKY4qNcUcpgUU5mVYs5SXWAOsih51kC5s+0F6Uxt+iDjT9ASaF1O+Bl46UnhpwrtN4ckpHsFnp58mdfhJCUMjt6PX+UPxjRlSL21EkjGALybG2C0gPuoGo0x5bEsZl/gFrFJ+3r6gQ== MSOC Build Key",
    "fdamstra" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3pGU9+HufgfEhPP7P0Lt7kqfGWLTGd6sfJgSypcSo3FP1XhwFOWkaNvZIpoIeQXhux5vTm+RoqYZ/3Gj7hcGMLdoHWArvLHD2AGjxbFnsmiCioQgsC/rYLBjiWNsDdVF5Arofby/RwzivMAi7yivhY4nGzXPsHZoucB0Wi34/9AmxbvXWv6ckuWkMjrXVe+uwFje3U7jQHRW9jQRpCRRfUjVA4FmH0PWqWFBlt/zqsDPOzbxNNhAvyrJho7jVBNjCLsq0++lT8BDKrYbaZiT0F2c9uIDRpHJSdjpqVCf9bghmeJWYMoNHAkGR7WCFjPCJ7QM57a2oRBtm1A/EWcr",
  }

  # Sensu Thresholds
  sensu_checks = {
    "dns": {
       "warning":  "5.0", # warn if no resolution for 5 seconds
       "critical": "10.0" # critical if no resolution for 10 seconds
    },
  }

  # Some sane defaults we don't want to specify everywhere
  is_legacy = false # By default, accounts are not legacy accounts
  extra_ebs_key_admins = [ ]
  extra_ebs_key_users  = [ ]
  extra_ebs_key_attachers = [ ]
}