# Derived switch shared by the flow-log resources below.
locals {
  # True only when flow logs are enabled AND their destination is CloudWatch
  # Logs. The S3 destination path uses neither the log group nor the delivery
  # IAM role, so both are gated on this single value.
  flow_logs_to_cw_logs = (var.flow_logs_destination_type == "cloud-watch-logs") && var.enable_flow_logs
}
data "aws_subnets" "default" {
filter {
name = "default-for-az"
values = [true]
}
}
data "aws_subnet" "default" {
for_each = toset(data.aws_subnets.default.ids)
id = each.value
}
# --------------------------------------------------------------------------------------------------
# Enable VPC Flow Logs (traffic_type = "ALL") for the default VPC, delivered to either
# CloudWatch Logs or S3 depending on var.flow_logs_destination_type.
# --------------------------------------------------------------------------------------------------
resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" {
count = var.enable_flow_logs && local.flow_logs_to_cw_logs ? 1 : 0
name = var.flow_logs_log_group_name
retention_in_days = var.flow_logs_retention_in_days
tags = var.tags
}
resource "aws_flow_log" "default_vpc_flow_logs" {
count = var.enable_flow_logs ? 1 : 0
log_destination_type = var.flow_logs_destination_type
log_destination = local.flow_logs_to_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0].arn : "${var.flow_logs_s3_arn}/${var.flow_logs_s3_key_prefix}"
iam_role_arn = local.flow_logs_to_cw_logs ? var.flow_logs_iam_role_arn : null
vpc_id = aws_default_vpc.default.id
traffic_type = "ALL"
tags = var.tags
}
# --------------------------------------------------------------------------------------------------
# Adopt the default VPC and its default subnets, route table, network ACL and security group,
# and clear the rules/routes associated with them so the default VPC cannot be used by accident.
# --------------------------------------------------------------------------------------------------
resource "aws_default_vpc" "default" {
tags = merge(
var.tags,
{ Name = "Default VPC" }
)
}
resource "aws_default_subnet" "default" {
for_each = data.aws_subnet.default
availability_zone = each.value.availability_zone
map_public_ip_on_launch = false
tags = merge(
var.tags,
{ Name = "Default Subnet" }
)
}
resource "aws_default_route_table" "default" {
default_route_table_id = aws_default_vpc.default.default_route_table_id
tags = merge(
var.tags,
{ Name = "Default Route Table" }
)
}
# Ignore changes to "subnet_ids": managing the default NACL's subnet associations from
# Terraform triggers the known issues tracked below.
# https://github.com/hashicorp/terraform/issues/9824
# https://github.com/terraform-providers/terraform-provider-aws/issues/346
resource "aws_default_network_acl" "default" {
default_network_acl_id = aws_default_vpc.default.default_network_acl_id
tags = merge(
var.tags,
{ Name = "Default Network ACL" }
)
lifecycle {
ignore_changes = [subnet_ids]
}
}
resource "aws_default_security_group" "default" {
vpc_id = aws_default_vpc.default.id
tags = merge(
var.tags,
{ Name = "Default Security Group" }
)
}