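# Make the default VPC compliant
#
# The default VPC is adopted (not created) so it can be tagged and so the
# CIS controls below can be attached to it. The "Notes" tag is the only
# thing on the VPC itself that signals it must not be used for workloads.
# tfsec:ignore:aws-vpc-no-default-vpc - tfsec says "Don't use the default VPC". We're just making a note not to.
resource "aws_default_vpc" "default" {
  tags = merge(local.standard_tags, var.tags, {
    "Notes" = "Not connected. For testing only. VPC not for production use."
  })
}

# KMS key intended for the flow-log destination. Annual rotation is on and
# the 30-day deletion window leaves time to cancel an accidental destroy.
#
# NOTE(review): no `policy` is set, so the key carries the AWS default key
# policy (account-root only). If this key is attached to
# aws_cloudwatch_log_group.vpc_flow_logs (defined outside this file), confirm
# the policy also grants the CloudWatch Logs service principal
# kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey* and
# kms:Describe*; without that grant the log group cannot use the key.
# Tags are applied here for consistency with the other resources in this file.
resource "aws_kms_key" "default-flowlogs" {
  description             = "Default VPC flow log encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  tags                    = merge(local.standard_tags, var.tags)
}

# Flow logs for the default VPC, delivered to CloudWatch Logs.
# aws_iam_role.flowlogs and aws_cloudwatch_log_group.vpc_flow_logs are
# declared elsewhere in the module.
#
# REJECT records only traffic that was denied by a security group or NACL;
# accepted traffic is not logged, so these logs satisfy the CIS control but
# will not reconstruct a successful connection during an investigation.
resource "aws_flow_log" "default-flowlogs" {
  iam_role_arn    = aws_iam_role.flowlogs.arn
  log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
  traffic_type    = "REJECT" # CIS only requires reject, and "ALL" is expensive
  vpc_id          = aws_default_vpc.default.id
  tags            = merge(local.standard_tags, var.tags)
}

# CIS 4.3 - Default security group should restrict all traffic
#
# This resource is special, and clears out existing rules. See:
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
#
# No ingress/egress blocks are declared on purpose: with none present the
# provider removes every rule from the group, which is exactly what the
# control asks for. Adding a rule here would silently weaken it.
resource "aws_default_security_group" "default" {
  vpc_id = aws_default_vpc.default.id
  tags   = merge(local.standard_tags, var.tags)
}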