| 123456789101112131415161718192021222324252627 |
- # Make the default VPC compliant
- # tfsec:ignore:aws-vpc-no-default-vpc - tfsec says "Don't use the default VPC". We're just making a note not to.
- resource "aws_default_vpc" "default" {
- tags = merge(local.standard_tags, var.tags, { "Notes" = "Not connected. For testing only. VPC not for production use." })
- }
- resource "aws_kms_key" "default-flowlogs" {
- enable_key_rotation = true
- deletion_window_in_days = 30
- }
- resource "aws_flow_log" "default-flowlogs" {
- iam_role_arn = aws_iam_role.flowlogs.arn
- log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
- traffic_type = "REJECT" # CIS only requires reject, and "ALL" is expensive
- vpc_id = aws_default_vpc.default.id
- }
- # CIS 4.3 - Default security group should restrict all traffic
- #
- # This resource is special, and clears out existing rules. See:
- # See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
- resource "aws_default_security_group" "default" {
- vpc_id = aws_default_vpc.default.id
- tags = merge(local.standard_tags, var.tags)
- }
|
