locals {
  # Flow logs are delivered to CloudWatch Logs only when logging is enabled AND that destination
  # is selected; any other destination type falls through to the S3 ARN below.
  is_cw_logs = (var.flow_logs_destination_type == "cloud-watch-logs") && var.enable_flow_logs

  # Bucket ARN joined with the key prefix (bucket-arn/prefix) used as the S3 log destination.
  s3_destination_arn = format("%s/%s", var.flow_logs_s3_arn, var.flow_logs_s3_key_prefix)
}
# Every Availability Zone the account can reach in the current region; one default subnet is
# adopted per zone below, so the size and order of this list drive the subnet count/index.
# NOTE(review): no state filter is applied here, so zones that are not "available" are included — confirm this is intended.
data "aws_availability_zones" "all" {
}
# --------------------------------------------------------------------------------------------------
# Enable VPC Flow Logs for the default VPC.
# --------------------------------------------------------------------------------------------------
resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" {
  # Only needed for the CloudWatch Logs destination. local.is_cw_logs already implies
  # var.enable_flow_logs, so that condition does not need repeating here.
  count = var.enabled && local.is_cw_logs ? 1 : 0

  name              = var.flow_logs_log_group_name
  retention_in_days = var.flow_logs_retention_in_days # bounds how long flow data is kept for investigations
  tags              = var.tags

  # No kms_key_id is set: the group relies on the service default encryption. Add a CMK here
  # if the flow log data needs customer-managed key control.
}
resource "aws_flow_log" "default_vpc_flow_logs" {
  count = var.enabled && var.enable_flow_logs ? 1 : 0

  vpc_id       = aws_default_vpc.default[0].id
  traffic_type = "ALL" # record both accepted and rejected flows; rejected flows are the ones detection rules usually key on

  # CloudWatch Logs delivery needs the IAM role; for the S3 destination no role is passed (null)
  # and the bucket ARN from locals is used as the destination instead.
  log_destination_type = var.flow_logs_destination_type
  iam_role_arn         = local.is_cw_logs ? var.flow_logs_iam_role_arn : null
  log_destination      = local.is_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0].arn : local.s3_destination_arn

  tags = var.tags
}
# --------------------------------------------------------------------------------------------------
# Clears rules associated with default resources.
# --------------------------------------------------------------------------------------------------
# Adopt (not create) the region's default VPC so its default route table, network ACL and
# security group can be brought under management and stripped of rules below.
resource "aws_default_vpc" "default" {
  count = var.enabled ? 1 : 0

  tags = merge(var.tags, { Name = "Default VPC" })
}
# One default subnet per Availability Zone. map_public_ip_on_launch is forced off so instances
# launched into a default subnet do not receive a public IP unless explicitly requested.
resource "aws_default_subnet" "default" {
  count = var.enabled ? length(data.aws_availability_zones.all.names) : 0

  availability_zone       = element(data.aws_availability_zones.all.names, count.index)
  map_public_ip_on_launch = false

  tags = merge(var.tags, { Name = "Default Subnet" })
}
# Managing the default route table with no route blocks leaves it with only the local route,
# so nothing placed in the default VPC gets an implicit path out.
resource "aws_default_route_table" "default" {
  count = var.enabled ? 1 : 0

  default_route_table_id = aws_default_vpc.default[0].default_route_table_id

  tags = merge(var.tags, { Name = "Default Route Table" })
}
# Managing the default network ACL with no ingress/egress blocks removes its allow-all rules.
# "subnet_ids" changes are ignored to avoid the known issue below.
# https://github.com/hashicorp/terraform/issues/9824
# https://github.com/terraform-providers/terraform-provider-aws/issues/346
resource "aws_default_network_acl" "default" {
  count = var.enabled ? 1 : 0

  default_network_acl_id = aws_default_vpc.default[0].default_network_acl_id

  tags = merge(var.tags, { Name = "Default Network ACL" })

  lifecycle {
    ignore_changes = [subnet_ids]
  }
}
# Managing the default security group with no ingress/egress blocks strips its rules, so any
# instance left on the default group cannot send or receive traffic through it.
resource "aws_default_security_group" "default" {
  count = var.enabled ? 1 : 0

  vpc_id = aws_default_vpc.default[0].id

  tags = merge(var.tags, { Name = "Default Security Group" })
}