- Enable VPC Flow Logs for the default VPC in all regions.
- Remove all rules associated with default route tables, default network ACLs and default security groups in the default VPC in all regions.
- Disable automatic public IP assignments in default subnets.
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 3.50.0 |
| Name | Version |
|---|---|
| aws | 3.60.0 |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.default_vpc_flow_logs | resource |
| aws_default_network_acl.default | resource |
| aws_default_route_table.default | resource |
| aws_default_security_group.default | resource |
| aws_default_subnet.default | resource |
| aws_default_vpc.default | resource |
| aws_flow_log.default_vpc_flow_logs | resource |
| aws_availability_zones.all | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| enable_flow_logs | Whether to enable VPC Flow Logs in the default VPC. | bool | true | no |
| enabled | Whether this module is enabled. No resources are created when set to false. | bool | true | no |
| flow_logs_destination_type | The type of the logging destination. Valid values: cloud-watch-logs, s3. | string | "cloud-watch-logs" | no |
| flow_logs_iam_role_arn | The ARN of the IAM role used by VPC Flow Logs if flow_logs_destination_type is cloud-watch-logs. | string | "" | no |
| flow_logs_log_group_name | The name of the CloudWatch Logs log group to which VPC Flow Logs are delivered if flow_logs_destination_type is cloud-watch-logs. | string | "" | no |
| flow_logs_retention_in_days | Number of days to retain logs if flow_logs_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | number | 365 | no |
| flow_logs_s3_arn | The ARN of the S3 bucket to which VPC Flow Logs are delivered if flow_logs_destination_type is s3. | string | "" | no |
| flow_logs_s3_key_prefix | The key prefix used when VPC Flow Logs delivers logs to the S3 bucket. | string | "flow-logs" | no |
| tags | Tag keys and values applied to all resources created by this module. | map | {} | no |
| Name | Description |
|---|---|
| default_network_acl | The default network ACL. |
| default_route_table | The default route table. |
| default_security_group | The default security group. |
| default_vpc | The default VPC. |
| vpc_flow_logs_group | The CloudWatch Logs log group which stores VPC Flow Logs. |
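Added usage example, not the module's own code: it wires the inputs above to a least-privilege IAM role for CloudWatch Logs delivery and instantiates the module once per region, since each instance only touches the default VPC of the region its aws provider targets. Assumed: the module is vendored at "./modules/default-vpc" (placeholder path) and the default aws provider is configured for us-east-1 elsewhere.

```hcl
# Added usage example, not the module's own code. Assumed: the module is
# vendored at "./modules/default-vpc" (placeholder path).
provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}

# Role assumed by the VPC Flow Logs service to write into CloudWatch Logs.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs" {
  name               = "default-vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Least privilege: the role may only write to the default-VPC log groups.
resource "aws_iam_role_policy" "flow_logs" {
  role = aws_iam_role.flow_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "arn:aws:logs:*:*:log-group:/aws/vpc/default/*"
    }]
  })
}

# One module instance per region: each acts on that region's default VPC.
module "default_vpc_us_east_1" {
  source                      = "./modules/default-vpc" # placeholder
  flow_logs_destination_type  = "cloud-watch-logs"
  flow_logs_iam_role_arn      = aws_iam_role.flow_logs.arn
  flow_logs_log_group_name    = "/aws/vpc/default/us-east-1"
  flow_logs_retention_in_days = 365
  tags                        = { ManagedBy = "terraform" }
}

module "default_vpc_eu_west_1" {
  source                   = "./modules/default-vpc" # placeholder
  providers                = { aws = aws.eu_west_1 }
  flow_logs_iam_role_arn   = aws_iam_role.flow_logs.arn
  flow_logs_log_group_name = "/aws/vpc/default/eu-west-1"
}
```

The second instance relies on the table defaults (cloud-watch-logs destination, 365-day retention), so only the role and a region-specific log group name are passed.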