vpc-baseline

Features

  • Enable VPC Flow Logs on the default VPC in all regions.
  • Remove all rules from the default route table, the default network ACL and the default security group of the default VPC in all regions.
  • Disable automatic public IP assignment in the default subnets.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 3.55.0 |

Providers

| Name | Version |
|------|---------|
| aws | 3.60.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.default_vpc_flow_logs | resource |
| aws_default_network_acl.default | resource |
| aws_default_route_table.default | resource |
| aws_default_security_group.default | resource |
| aws_default_subnet.default | resource |
| aws_default_vpc.default | resource |
| aws_flow_log.default_vpc_flow_logs | resource |
| aws_availability_zones.all | data source |
| aws_subnet.default | data source |
| aws_subnets.default | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| enable_flow_logs | Whether to enable VPC Flow Logs in the default VPC. | bool | true | no |
| enabled | Whether this module is enabled. No resources are created when set to false. | bool | true | no |
| flow_logs_destination_type | The type of the logging destination. Valid values: cloud-watch-logs, s3. | string | "cloud-watch-logs" | no |
| flow_logs_iam_role_arn | The ARN of the IAM role used by VPC Flow Logs if flow_logs_destination_type is cloud-watch-logs. | string | "" | no |
| flow_logs_log_group_name | The name of the CloudWatch Logs log group to which VPC Flow Logs are delivered if flow_logs_destination_type is cloud-watch-logs. | string | "" | no |
| flow_logs_retention_in_days | Number of days to retain logs if flow_logs_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827 and 3653. Set to 0 to keep logs indefinitely. | number | 365 | no |
| flow_logs_s3_arn | The ARN of the S3 bucket to which VPC Flow Logs are delivered if flow_logs_destination_type is s3. | string | "" | no |
| flow_logs_s3_key_prefix | The key prefix used when VPC Flow Logs delivers logs to the S3 bucket. | string | "flow-logs" | no |
| tags | Tag keys and values applied to all resources created by this module. | map | { "Terraform": true } | no |
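
An added usage example (not from the module's own README) showing how these inputs fit together: one module instance per region selected through provider aliases, the CloudWatch Logs destination (the default destination type and retention are left at their defaults), and the IAM role that destination requires. The module source path, the regions, the role name and the log group name are assumptions.

```hcl
# Added usage example; module source path, regions, role and log group names are assumptions.
# The default (unaliased) aws provider for us-east-1 is assumed to be configured elsewhere.
provider "aws" {
  alias  = "us_west_2"
  region = "us-west-2"
}
# Role the VPC Flow Logs service assumes to write to CloudWatch Logs
# (needed only when flow_logs_destination_type is "cloud-watch-logs").
resource "aws_iam_role" "flow_logs" {
  name = "default-vpc-flow-logs" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}
# Only the log-delivery actions the service needs, limited to log-group resources.
resource "aws_iam_role_policy" "flow_logs" {
  role = aws_iam_role.flow_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
        "logs:DescribeLogGroups", "logs:DescribeLogStreams"]
      Resource = "arn:aws:logs:*:*:log-group:*"
    }]
  })
}

# One module instance per region: the default provider covers us-east-1,
# the providers map points the second instance at us-west-2.
module "vpc_baseline_us_east_1" {
  source                   = "../modules/vpc-baseline" # assumed path
  flow_logs_iam_role_arn   = aws_iam_role.flow_logs.arn
  flow_logs_log_group_name = "/aws/vpc/default-vpc-flow-logs"
  tags                     = { Terraform = true, Baseline = "cis" }
}

module "vpc_baseline_us_west_2" {
  source                   = "../modules/vpc-baseline"
  providers                = { aws = aws.us_west_2 }
  flow_logs_iam_role_arn   = aws_iam_role.flow_logs.arn
  flow_logs_log_group_name = "/aws/vpc/default-vpc-flow-logs"
  tags                     = { Terraform = true, Baseline = "cis" }
}
```

Because a Terraform provider configuration is bound to a single region, each region in which the default VPC should be hardened needs its own aliased provider and module block; the module cannot fan out across regions on its own.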

Outputs

| Name | Description |
|------|-------------|
| default_network_acl | The default network ACL. |
| default_route_table | The default route table. |
| default_security_group | The default security group. |
| default_vpc | The default VPC. |
| vpc_flow_logs_group | The CloudWatch Logs log group which stores VPC Flow Logs. |