vpc-baseline

Features

  • Enable VPC Flow Logs for the default VPC in all regions.
  • Remove all rules associated with default route tables, default network ACLs and default security groups in the default VPC in all regions.
  • Disable automatic public IP assignments in default subnets.

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.1.4 |
| aws | >= 4.3 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.3 |

Inputs

| Name | Description | Type | Required |
|---|---|---|---|
| enable_flow_logs | Whether to enable VPC Flow Logs in the default VPC. | bool | no |
| flow_logs_destination_type | The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`. | string | no |
| flow_logs_iam_role_arn | The ARN of the IAM role used by VPC Flow Logs if `flow_logs_destination_type` is `cloud-watch-logs`. | string | no |
| flow_logs_log_group_name | The name of the CloudWatch Logs log group to which VPC Flow Logs are delivered if `flow_logs_destination_type` is `cloud-watch-logs`. | string | no |
| flow_logs_retention_in_days | Number of days to retain logs if `flow_logs_destination_type` is `cloud-watch-logs`. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | number | no |
| flow_logs_s3_arn | The ARN of the S3 bucket to which VPC Flow Logs are delivered if `flow_logs_destination_type` is `s3`. | string | no |
| flow_logs_s3_key_prefix | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | string | no |
| tags | Tags (key/value pairs) applied to all resources created by this module. | map(string) | no |

Outputs

| Name | Description |
|---|---|
| default_network_acl | The default network ACL. |
| default_route_table | The default route table. |
| default_security_group | The default security group. |
| default_vpc | The default VPC. |
| vpc_flow_logs_group | The CloudWatch Logs log group which stores VPC Flow Logs. |
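The following is an added example, not part of this README or the module itself, showing one way to feed the `cloud-watch-logs` inputs above from a root module: an IAM role that only the VPC Flow Logs service can assume, whose write permissions are limited to the log group the module creates (the region is wildcarded because the module logs every region). The module `source` path, the role and log group names, and the tags are assumptions.

```hcl
# Added example (not the module's own code). Assumes the module is vendored
# at ../modules/vpc-baseline and an aws provider is configured.

data "aws_caller_identity" "current" {}

# Only the VPC Flow Logs service may assume the delivery role.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

# Least privilege: writes are scoped to the one log group the module creates
# (name must match flow_logs_log_group_name below); region is "*" because the
# module enables flow logs for the default VPC in every region.
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = ["arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:default-vpc-flow-logs:*"]
  }
  statement {
    # DescribeLogGroups does not support resource-level scoping.
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "flow_logs" {
  name               = "default-vpc-flow-logs-publisher" # assumed name
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

resource "aws_iam_role_policy" "flow_logs" {
  name   = "write-default-vpc-flow-logs"
  role   = aws_iam_role.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

module "vpc_baseline" {
  source = "../modules/vpc-baseline" # assumed path

  enable_flow_logs            = true
  flow_logs_destination_type  = "cloud-watch-logs"
  flow_logs_iam_role_arn      = aws_iam_role.flow_logs.arn
  flow_logs_log_group_name    = "default-vpc-flow-logs"
  flow_logs_retention_in_days = 365 # the CIS-recommended value from the Inputs table
  tags                        = { Terraform = "true", Baseline = "vpc" }
}
```

Because the role is created by Terraform in the same plan, the module's `vpc_flow_logs_group` output can be compared against the log group name used in the policy to confirm the scoping matches.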