Merge pull request #4 from Coalfire-CF/finalupdates

Finalupdates

.gitignore

@@ -27,11 +27,6 @@ override.tf.json
 *.zip
 .DS_Store
 
-# NessusBurp Install files are too large to commit
-**/nessusburp/*.exe
-**/nessusburp/*.msi
-**/nessusburp/*.txt
-
 # Ansible
 *.pub
 *.ppk

README.md

@@ -66,7 +66,7 @@ Each module, e.g. `region-setup`, has a README file that provides deployment ste
 
 ## Modifications when new Admins are added
 
-- Add their PIP or use the Coalfire VPN to access and deploy resources, otherwise the user cannot access Key Vaults, storage account with the state files or the bastion hosts.
+- Add their PIP or use VPN IP CIDR to access and deploy resources, otherwise the user cannot access Key Vaults, storage account with the state files or the bastion hosts.
 
 - Re-run `terraform apply` on the bastion folder to add the new PIP to the bastion NSG.
 

terraform/prod/us-va/app/app-network/app.tf

@@ -38,8 +38,6 @@ module "app-vnet" {
   }
 
   diag_log_analytics_id = data.terraform_remote_state.core.outputs.core_la_id
-  #storage_account_flowlogs_id     = data.terraform_remote_state.setup.outputs.storage_account_flowlogs_id
-  #network_watcher_name            = data.terraform_remote_state.setup.outputs.network_watcher_name
 
   #Attach Vnet to Private DNS zone
   private_dns_zone_id = data.terraform_remote_state.core.outputs.core_private_dns_zone_id.0

terraform/prod/us-va/mgmt/backup/backupConfig.tf

@@ -4,25 +4,6 @@ resource "azurerm_recovery_services_vault" "ars_vault" {
   resource_group_name = data.terraform_remote_state.setup.outputs.management_rg_name
   sku                 = "Standard"
 
-  # Encryption using customer managed keys cannot be enabled after registering items to the vault. 
-  # Create a new vault and enable encryption using customer managed keys before adding any items for backup
-
-  # identity {
-  #   type = "SystemAssigned"
-  # }
-
-  # encryption {
-  #   key_id = data.terraform_remote_state.core.outputs.ars-cmk_id
-  #   infrastructure_encryption_enabled = false
-  # }goo
-}
-
-# resource "azurerm_role_assignment" "ars_kv_encryptionuser" {
-#   scope                = data.terraform_remote_state.core.outputs.core_kv_id
-#   role_definition_name = "Key Vault Crypto Service Encryption User"
-#   principal_id         = azurerm_recovery_services_vault.ars_vault.identity.0.principal_id
-# }
-
 resource "azurerm_backup_container_storage_account" "container" {
   resource_group_name = data.terraform_remote_state.setup.outputs.management_rg_name
   recovery_vault_name = azurerm_recovery_services_vault.ars_vault.name

terraform/prod/us-va/mgmt/mgmt-network/mgmt.tf

@@ -109,70 +109,13 @@ module "mgmt-vnet" {
   }
 
   diag_log_analytics_id = data.terraform_remote_state.core.outputs.core_la_id
-  # storage_account_flowlogs_id     = data.terraform_remote_state.setup.outputs.storage_account_flowlogs_id
-  #network_watcher_name            = data.terraform_remote_state.setup.outputs.network_watcher_name
 
   #Attach Vnet to Private DNS zone
   private_dns_zone_id = data.terraform_remote_state.core.outputs.core_private_dns_zone_id.0
 
-  #Note: DNS servers should be left to Azure default until the DC's are up. Otherwise the VM's will fail to get DNS to download scripts from storage accounts.
-  #dns_servers   = concat(data.terraform_remote_state.usgv-ad.outputs.ad_dc1_ip, data.terraform_remote_state.usgv-ad.outputs.ad_dc2_ip)
-  #regional_tags = var.regional_tags
-  #global_tags   = merge(var.global_tags, local.global_local_tags)
   tags = {
     Function = "Networking"
     Plane    = "Management"
   }
 }
 
-
-# Commented out for now. Testing moving vbnet to module -DF
-# Required for PSQL Flexible Servers
-# module "psql-nsg" {
-#   source = "../../../../modules/azurerm-network-security-group/"
-
-#   resource_group_name             = data.terraform_remote_state.setup.outputs.network_rg_name
-#   security_group_name             = "${local.resource_prefix}-psql-nsg"
-#   location                        = var.location
-#   storage_account_flowlogs_id     = data.terraform_remote_state.setup.outputs.storage_account_flowlogs_id
-#   network_watcher_name            = data.terraform_remote_state.setup.outputs.network_watcher_name
-#   network_watcher_flow_log_name   = "${local.resource_prefix}-psql-nfl"
-#   global_tags                     = merge(var.global_tags, local.global_local_tags)
-#   regional_tags                   = var.regional_tags
-#   diag_log_analytics_id           = data.terraform_remote_state.core.outputs.core_la_id
-#   diag_log_analytics_workspace_id = data.terraform_remote_state.core.outputs.core_la_workspace_id
-#   nsg_tags = {
-#     Function = "Database"
-#     Plane    = "Management"
-#   }
-
-#   custom_rules = [
-#     {
-#       name                    = "PSQL"
-#       priority                = "1000"
-#       direction               = "Inbound"
-#       access                  = "Allow"
-#       protocol                = "Tcp"
-#       destination_port_range  = "5432, 6432"
-#       source_address_prefixes = [var.mgmt_network_cidr]
-#       description             = "PSQL Access Ports"
-#     },
-#     {
-#       access                     = "Allow"
-#       description                = "AzureStorage"
-#       destination_address_prefix = "Storage"
-#       destination_port_range     = "*"
-#       direction                  = "Inbound"
-#       name                       = "AzureStorage"
-#       priority                   = "2000"
-#       protocol                   = "*"
-#       source_address_prefixes    = [var.mgmt_network_cidr]
-#       source_port_range          = "*"
-#     }
-#   ]
-# }
-
-# resource "azurerm_subnet_network_security_group_association" "psql" {
-#   subnet_id                 = module.mgmt-vnet.vnet_subnets["${local.resource_prefix}-psql-sn-1"]
-#   network_security_group_id = module.psql-nsg.network_security_group_id
-# }

terraform/prod/us-va/mgmt/sentinel/sentinel.tf

@@ -15,30 +15,3 @@ module "sentinel" {
   }, var.regional_tags, local.global_local_tags)
 }
 
-
-
-
-# resource "azurerm_log_analytics_solution" "tm-sentinel" {
-#   solution_name         = "SecurityInsights"
-#   location              = var.location
-#   resource_group_name   = data.terraform_remote_state.core.outputs.core_rg_name
-#   workspace_resource_id = data.terraform_remote_state.core.outputs.core_la_workspace_id
-#   workspace_name        = data.terraform_remote_state.core.outputs.core_la_workspace_name
-
-#   plan {
-#     publisher = "Microsoft"
-#     product   = "OMSGallery/SecurityInsights"
-#   }
-# }
-
-# # It appears enabling this manually may not be required. Initial deployment showed this getting enabled based on the logs
-# # already existing in the workspace
-# # resource "azurerm_sentinel_data_connector_azure_active_directory" "sentinel-aad" {
-# #   name                       = "AAD-Connector"
-# #   log_analytics_workspace_id = data.terraform_remote_state.core.outputs.core_la_workspace_id
-# # }
-
-# resource "azurerm_sentinel_data_connector_threat_intelligence" "sentinel-taxii" {
-#   name                       = "TAXII"
-#   log_analytics_workspace_id = data.terraform_remote_state.core.outputs.core_la_workspace_id
-# }

terraform/prod/us-va/region-setup/README.md

@@ -72,7 +72,7 @@ data "terraform_remote_state" "setup" {
 }
 ```
 
-After the `mgmt/mgmt-network` is created, uncomment this `sa_virtual_network_subnet_ids` argument, and rerun `terraform apply`
+After the `mgmt/mgmt-network` is created, uncomment this `firewall_vnet_subnet_ids` argument, and rerun `terraform apply`
 
 ## Created Resources
 

terraform/prod/us-va/region-setup/setup.tf

@@ -22,6 +22,7 @@ module "setup" {
 
   # uncomment the following line when the mgmt-network is created
   #firewall_vnet_subnet_ids = values(data.terraform_remote_state.usgv_mgmt_vnet.outputs.usgv_mgmt_vnet_subnet_ids) #Uncomment and rerun terraform apply after the mgmt-network is created
+
   additional_resource_groups = [
     "${local.resource_prefix}-identity-rg"
   ]

terraform/prod/us-va/security-core/core.tf

@@ -26,7 +26,4 @@ module "core" {
     "privatelink.file.core.usgovcloudapi.net",
     "privatelink.postgres.database.usgovcloudapi.net"
   ]
-
-  # uncomment and rerun terraform apply after the networks are created if you're using FWs
-  #fw_virtual_network_subnet_ids = data.terraform_remote_state.usgv_mgmt_vnet.outputs.usgv_mgmt_vnet_subnet_ids["${local.resource_prefix}-bastion-sn-1"] #Uncomment and rerun terraform apply after the mgmt-network is created
 }