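# For now, we've left the standard (default) VPC in place, but we still need it compliant.
# If we change our minds, this would be a good place to delete the standard VPC.
#
# Looks up the default VPC so a flow log can be attached to it.
# NOTE(review): this lookup only sees the region of the provider configuration in scope.
# AWS creates a default VPC in every region, so confirm this is applied once per region in use.
data "aws_vpcs" "foo" {
  filter {
    name = "isDefault"
    # EC2 filter values are strings; written as a string rather than relying on
    # implicit bool-to-string conversion.
    values = ["true"]
  }
}

# Attaches one VPC flow log to each VPC returned by the lookup above, delivering to the
# CloudWatch log group via the flow-log IAM role (both are declared outside this snippet).
resource "aws_flow_log" "flowlogs" {
  # Note: Flow log configuration is "special" here. For a generic version you can copy to your own module,
  # see the example in standard_vpc

  # for_each accepts only a map or a set of strings. toset() keeps this valid whether the
  # provider returns `ids` as a set or as a list, and is a no-op when it is already a set.
  # An empty result creates no flow logs, so a missing default VPC does not fail the plan.
  for_each = toset(data.aws_vpcs.foo.ids)

  iam_role_arn    = aws_iam_role.flowlogs.arn
  log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn

  # CIS only requires reject, and "ALL" is expensive.
  # Trade-off: with REJECT only, accepted connections are never recorded, so these logs
  # cannot show what traffic actually reached a resource during an investigation.
  # Switch to "ALL" if that visibility is needed for this VPC.
  traffic_type = "REJECT"

  vpc_id = each.value
}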