
Updates Customer Search Head

* ELB is public, fool.
* DNS name fixed to our 'new standard' for customer-facing services of <function>.<cust>.xdr.accenturefederalcyber.com.
* WAF updated to limit to US
Fred Damstra [afs macbook] 3 years ago
parent
commit
8a21357514

+ 5 - 1
base/splunk_servers/customer_searchhead/certificate.tf

@@ -1,8 +1,12 @@
 #Certificate 
 resource "aws_acm_certificate" "cert" {
-  domain_name       = "${local.alb_name}.${var.dns_info["public"]["zone"]}"
+  domain_name       = "${local.dns_short_name}.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = merge(var.standard_tags, var.tags)
 }
 
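Review bot: With `create_before_destroy = true` on a DNS-validated certificate, the replacement is issued in PENDING_VALIDATION until its CNAME validation record exists, so if the HTTPS listener references `aws_acm_certificate.cert.arn` directly the apply can swap the listener onto a certificate that is not yet valid and fail. Neither the listener nor an `aws_acm_certificate_validation` resource is visible in this commit, so this is inferred from the change alone. If there is no validation resource, add one that publishes `domain_validation_options` into the zone and have the listener use `aws_acm_certificate_validation.cert.certificate_arn` instead of the certificate's own ARN. Changing `domain_name` also forces a replacement here, so the first apply after this commit is exactly the case where that ordering matters.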

+ 17 - 13
base/splunk_servers/customer_searchhead/elb.tf

@@ -1,17 +1,21 @@
 locals {
   # alb_clients access the SH
-  alb_clients = toset(concat(
-    var.cidr_map["vpc-access"], # VPN users
-    var.cidr_map["vpc-system-services"], # Salt master, etc
-    var.cidr_map["vpc-private-services"], # fm-shared search, qcompliance, phantom
-    var.trusted_ips,
-    var.splunk_customer_cidrs,
-  ))
+  #
+  # Old way: restricted
+  #alb_clients = toset(concat(
+  #  var.cidr_map["vpc-access"], # VPN users
+  #  var.cidr_map["vpc-system-services"], # Salt master, etc
+  #  var.cidr_map["vpc-private-services"], # fm-shared search, qcompliance, phantom
+  #  var.trusted_ips,
+  #  var.splunk_customer_cidrs,
+  #))
+  # New way: WAF protects us
+  alb_clients = [ "0.0.0.0/0" ]
 }
 
 resource "aws_lb" "searchhead-alb" {
-  name               = var.alb_name != "" ? "${local.alb_name}-alb" : "${var.prefix}-cust-sh"
-  internal           = true
+  name               = local.alb_name
+  internal           = false
   load_balancer_type = "application"
   # Not supported for NLB
   security_groups    = [aws_security_group.searchhead-alb-sg.id]
@@ -62,7 +66,7 @@ resource "aws_lb_listener" "searchhead-alb-listener-http" {
 #########################
 # Targets
 resource "aws_lb_target_group" "searchhead-alb-target-8000" {
-  name     = var.alb_name != "" ? "${local.alb_name}-customer-alb-target-8000" : "${var.prefix}-cust-alb-8000"
+  name     = "${local.alb_name}-8000"
   port     = 8000
   protocol = "HTTPS"
   target_type = "instance"
@@ -93,7 +97,7 @@ resource "aws_lb_target_group_attachment" "searchhead-alb-target-8000-instance"
 #########################
 # Security Group for ALB
 resource "aws_security_group" "searchhead-alb-sg" {
-  name = var.alb_name != "" ? "${local.alb_name}-customer-alb-sh" : "${var.prefix}-customer-sh-alb-sg"
+  name = "${local.alb_name}-customer-alb-sh"
   description = "Security Group for the Customer Searchhead ALB"
   vpc_id = var.vpc_id
   tags = merge(var.standard_tags, var.tags)
@@ -130,10 +134,10 @@ resource "aws_security_group_rule" "searchhead-alb-8000-out" {
 
 #########################
 # DNS Entry
-module "public_dns_record_hec_ack" {
+module "public_dns_record_cust-elb" {
   source = "../../../submodules/dns/public_ALIAS_record"
 
-  name = local.alb_name
+  name = local.dns_short_name
 
   target_dns_name = aws_lb.searchhead-alb.dns_name
   target_zone_id  = aws_lb.searchhead-alb.zone_id
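Review bot: The `alb_clients = [ "0.0.0.0/0" ]` change in the first hunk is justified by "WAF protects us", but in this same commit the geo-block rule group in waf.tf is never attached to the web ACL (its `group_rules` entry is commented out) and no WAF-to-ALB association is visible, so the Splunk web UI on 8000 goes from an internal ALB with a CIDR allow-list to an internet-facing one fronted only by the `blocked_ips` IP set and whatever the trussworks module enables by default. Even once the geo rule is wired up, country matching is a reachability filter rather than an access control and is trivially bypassed from a US VPN exit, so the previous allow-list of `var.splunk_customer_cidrs` and `var.trusted_ips` should survive, either in the security group or as an allow IP set in the WAF, with 0.0.0.0/0 reserved for customers whose egress IPs genuinely cannot be enumerated. Rather than leaving the old list as a dead comment, make the behaviour a switch, e.g. `alb_clients = var.public_alb ? ["0.0.0.0/0"] : toset(concat(var.cidr_map["vpc-access"], var.cidr_map["vpc-system-services"], var.cidr_map["vpc-private-services"], var.trusted_ips, var.splunk_customer_cidrs))`. The security group ingress rules that consume `local.alb_clients`, and the HTTP listener named in a hunk header, are outside this diff, so whether port 80 merely redirects is not visible here.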

+ 2 - 1
base/splunk_servers/customer_searchhead/main.tf

@@ -2,7 +2,8 @@
 locals {
   ami_selection = "minion" # master, minion, ...
   instance_name = var.instance_name != "" ? var.instance_name : "${ var.prefix }-splunk-cust-sh"
-  alb_name = var.alb_name != "" ? var.alb_name : "${ var.prefix }-splunk"
+  alb_name = "${ var.prefix }-splunk-cust-sh"
+  dns_short_name = "search.${ var.prefix }"
 }
 
 # Rather than pass in the aws security group, we just look it up. This will

+ 4 - 0
base/splunk_servers/customer_searchhead/outputs.tf

@@ -1,3 +1,7 @@
+output fqdn {
+  value = module.public_dns_record_cust-elb.forward
+}
+
 output instance_arn {
   value = aws_instance.instance.arn
 }

+ 1 - 6
base/splunk_servers/customer_searchhead/vars.tf

@@ -9,12 +9,6 @@ variable "instance_name" {
   default = ""
 }
 
-variable "alb_name" {
-  description = "[Optional] Override the ALB Name"
-  type = string
-  default = ""
-}
-
 variable "prefix" {
   description = "Prefix for Instance Names"
   type = string
@@ -70,3 +64,4 @@ variable "aws_partition_alias" { type = string }
 variable "aws_account_id" { type = string }
 variable "common_services_account" { type = string }
 variable "instance_termination_protection" { type = bool }
+variable "splunk_prefix" { type = string }
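Review bot: Deleting `variable "alb_name"` is a breaking change for any caller that still passes `alb_name`, because Terraform rejects unexpected module arguments rather than ignoring them; if callers cannot all be updated in the same change, keep the variable with a deprecation comment and simply stop reading it. The new `splunk_prefix` variable is not referenced in any hunk of this commit and has no description, so add one stating what it is for, e.g. `description = "Prefix shared by the Splunk components of this customer deployment"`, or drop it until the code that consumes it lands.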

+ 58 - 1
base/splunk_servers/customer_searchhead/waf.tf

@@ -2,6 +2,10 @@
 # See https://registry.terraform.io/modules/trussworks/wafv2/aws/latest
 #
 # Attempted to add some sane defaults so we can customize as needed
+
+# Goals:
+#  - US IPs only  -  https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html
+
 resource "aws_wafv2_ip_set" "ipset" {
   name = "blocked_ips"
 
@@ -12,6 +16,49 @@ resource "aws_wafv2_ip_set" "ipset" {
   ]
 }
 
+resource "aws_wafv2_rule_group" "xdr_custom_rules" {
+  name = "xdr_custom_rules"
+  scope    = "REGIONAL"
+  capacity = 2
+
+  # Note, there is visibilty config for the group and for the rule
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "xdr_custom_rules"
+    sampled_requests_enabled   = true
+  }
+
+  rule {
+    name     = "Block_Nonpermitted_Countries"
+    priority = 1
+
+    action {
+      block {}
+    }
+
+    statement {
+      not_statement {
+        statement {
+          geo_match_statement {
+            country_codes = [
+              "US",
+              "DE",
+            ]
+          }
+        }
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "Block_Nonpermitted_Countries"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # Add additional custom rules here
+}
+
 module "wafv2" {
   source = "trussworks/wafv2/aws"
   version = "~> 2.0"
@@ -26,7 +73,7 @@ module "wafv2" {
     {
       name       = "blocked_ips"
       action     = "block"
-      priority   = 1
+      priority   = 2
       ip_set_arn = aws_wafv2_ip_set.ipset.arn
     }
   ]
@@ -39,6 +86,16 @@ module "wafv2" {
     action   = "block"
   }
 
+  #group_rules = [
+  #  {
+  #    name            = aws_wafv2_rule_group.xdr_custom_rules.name
+  #    arn             = aws_wafv2_rule_group.xdr_custom_rules.name
+  #    priority        = 1
+  #    override_action = "none"
+  #    excluded_rules  = []
+  #  }
+  #]
+
   tags = merge(var.standard_tags, var.tags)
 }
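Review bot: The `group_rules` block that would attach `xdr_custom_rules` to the web ACL is commented out, so the geo-block rule defined above in this file is created but never evaluated, and the commit's "limit to US" is not actually in effect while elb.tf opens the security group to the world on the strength of it. The commented draft also has `arn = aws_wafv2_rule_group.xdr_custom_rules.name`; when it is enabled it must read `arn = aws_wafv2_rule_group.xdr_custom_rules.arn`. Separately, the rule's `country_codes` include `"DE"` while the header comment and commit message say US only; either remove `"DE"` or change the comment to `#  - US and DE IPs only`, so the stated policy and the enforced one agree. Whether the trussworks module associates this ACL with the ALB depends on arguments outside the hunk.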