diff --git a/CHANGELOG.md b/CHANGELOG.md
index 92c5560..4efffac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -77,4 +77,5 @@
- add new submodule to retrieve an attribute value from a search
- move it out to its own module
-
+* v1.10.0 -- 20210407
+ - vpc-remove-defaults created
diff --git a/common/version.tf b/common/version.tf
index e761cc8..b7f4def 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.9.0"
+ _module_version = "1.10.0"
}
diff --git a/vpc-remove-defaults/README.md b/vpc-remove-defaults/README.md
new file mode 100644
index 0000000..2c6f1a0
--- /dev/null
+++ b/vpc-remove-defaults/README.md
@@ -0,0 +1,88 @@
+# aws-inf-setup :: vpc-remove defaults
+
+# Usage
+
+```hcl
+module "vpc_defaults" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//vpc-remove-defaults"
+
+ account_alias = "ma5-gov"
+ # optional
+ # enable_delete = true
+ # enable_igw_check = true
+}
+```
+
+# Removing Defaults
+On a new account, a number of default things are set up:
+* VPC
+* Route Table
+* Security Group
+* Network ACL
+* DHCP Options
+* Subnets
+* Internet Gateway (this may be optional)
+
+These can be somewhat managed by Terraform, but destroying the resources does not remove them.
+This module generates a script which uses the `aws` CLI to remove all the resources. It is in
+`setup/delete-defaults.sh`. Run it like this for dry-run:
+
+```console
+% setup/delete-defaults.sh
+```
+
+ To execute it not in dry-run mode, pass any argument:
+```console
+% setup/delete-defaults.sh 1
+```
+If the module is set with `enable_delete` set to true, this will be run automatically.
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_default_network_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
+| [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
+| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
+| [aws_default_subnet.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_subnet) | resource |
+| [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
+| [aws_default_vpc_dhcp_options.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc_dhcp_options) | resource |
+| [null_resource.execute_script](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.script](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_internet_gateway.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/internet_gateway) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [enable\_delete](#input\_enable\_delete) | Execute delete-defaults.sh script at the end of apply | `bool` | `false` | no |
+| [enable\_igw\_check](#input\_enable\_igw\_check) | Enable check of Internet Gateway (IGW) as part of default detection | `bool` | `true` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [defaults](#output\_defaults) | AWS VPC Defaults |
diff --git a/vpc-remove-defaults/data.tf b/vpc-remove-defaults/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/vpc-remove-defaults/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/vpc-remove-defaults/defaults.tf b/vpc-remove-defaults/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/vpc-remove-defaults/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-remove-defaults/main.tf b/vpc-remove-defaults/main.tf
new file mode 100644
index 0000000..891eec0
--- /dev/null
+++ b/vpc-remove-defaults/main.tf
@@ -0,0 +1,234 @@
+/*
+* # aws-inf-setup :: vpc-remove defaults
+*
+* # Usage
+*
+* ```hcl
+* module "vpc_defaults" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//vpc-remove-defaults"
+*
+* account_alias = "ma5-gov"
+* # optional
+* # enable_delete = true
+* # enable_igw_check = true
+* }
+* ```
+*
+* # Removing Defaults
+* On a new account, a number of default things are set up:
+* * VPC
+* * Route Table
+* * Security Group
+* * Network ACL
+* * DHCP Options
+* * Subnets
+* * Internet Gateway (this may be optional)
+*
+* These can be somewhat managed by Terraform, but destroying the resources does not remove them.
+* This module generates a script which uses the `aws` CLI to remove all the resources. It is in
+* `setup/delete-defaults.sh`. Run it like this for dry-run:
+*
+* ```console
+* % setup/delete-defaults.sh
+* ```
+*
+* To execute it not in dry-run mode, pass any argument:
+* ```console
+* % setup/delete-defaults.sh 1
+* ```
+* If the module is set with `enable_delete` set to true, this will be run automatically.
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = var.region == "" ? data.aws_region.current.name : var.region
+
+ base_tags = {
+ "Organization" = "census:aditcio:csvd"
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ vpc_id = aws_default_vpc.default.id
+ vpc_title = format("%v-%v-%v", local.account_id, var.account_alias, local.region)
+ vpc_availability_zones = toset(data.aws_availability_zones.zones.names)
+ defaults_script = "${path.root}/setup/delete-defaults.sh"
+ enable_defaults = fileexists(local.defaults_script) ? 0 : 1
+
+ default_output = templatefile("${path.module}/templates/delete-defaults.sh.tpl",
+ {
+ profile = var.profile
+ region = local.region
+ security_group = aws_default_security_group.default.id
+ network_acl = aws_default_network_acl.default.id
+ subnet = [for s in aws_default_subnet.default : s.id]
+ route_table = aws_default_route_table.default.id
+ vpc_dhcp_options = aws_default_vpc_dhcp_options.default.id
+ vpc = aws_default_vpc.default.id
+ igw = var.enable_igw_check ? concat(data.aws_internet_gateway.default[*].id, list("")) : ""
+ })
+}
+
+#---
+# get availability zones
+#---
+data "aws_availability_zones" "zones" {
+ state = "available"
+}
+
+#---
+# default vpc
+#---
+resource "aws_default_vpc" "default" {
+ tags = merge(
+ local.common_tags,
+ map("Name", format("default-vpc-%s", local.vpc_title))
+ )
+}
+
+#---
+# default dhcp options set
+#---
+resource "aws_default_vpc_dhcp_options" "default" {
+ tags = merge(
+ local.common_tags,
+ map("Name", format("default-dhcpopt-%s", local.vpc_title))
+ )
+}
+
+#---
+# default security group
+#---
+resource "aws_default_security_group" "default" {
+ vpc_id = local.vpc_id
+
+ tags = merge(
+ local.common_tags,
+ map("Name", format("default-sg-%s", local.vpc_title))
+ )
+}
+
+#---
+# default subnets
+#---
+resource "aws_default_subnet" "default" {
+ for_each = local.vpc_availability_zones
+ availability_zone = each.key
+
+ tags = merge(
+ local.common_tags,
+ map("Name", format("default-subnet-%s-%s", local.vpc_title, each.key))
+ )
+}
+
+
+#---
+# default nacl
+#---
+resource "aws_default_network_acl" "default" {
+ default_network_acl_id = aws_default_vpc.default.default_network_acl_id
+
+ tags = merge(
+ local.common_tags,
+ map("Name", format("default-nacl-%s", local.vpc_title))
+ )
+}
+
+#---
+# default route table
+#---
+resource "aws_default_route_table" "default" {
+ default_route_table_id = aws_default_vpc.default.main_route_table_id
+
+ tags = merge(
+ local.common_tags,
+ map("Name", format("default-rt-%s", local.vpc_title))
+ )
+}
+
+#---
+# internet gateway
+#---
+data "aws_internet_gateway" "default" {
+ count = var.enable_igw_check ? 1 : 0
+ filter {
+ name = "attachment.vpc-id"
+ values = [local.vpc_id]
+ }
+}
+
+# import this, then remove it
+# resource "aws_internet_gateway" "default" {
+# vpc_id = local.vpc_id
+# }
+
+# resource "null_resource" "default_igw" {
+# count = local.enable_defaults
+# triggers = {
+# igw_id = data.aws_internet_gateway.default.id
+# }
+# # provisioner "local-exec" {
+# # command = "echo 'remove internet-gateway id ${data.aws_internet_gateway.default.id}'"
+# # }
+# }
+
+resource "null_resource" "script" {
+ triggers = {}
+
+ provisioner "local-exec" {
+ command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
+ }
+ provisioner "local-exec" {
+ command = "echo '${local.default_output}' > ${local.defaults_script}"
+ }
+ provisioner "local-exec" {
+ command = "chmod 755 ${local.defaults_script}"
+ }
+}
+
+resource "null_resource" "execute_script" {
+ count = var.enable_delete ? 1 : 0
+ triggers = {
+ script_created = null_resource.script.id
+ }
+ provisioner "local-exec" {
+ command = "./${local.defaults_script}"
+ }
+}
+
+output "defaults" {
+ description = "AWS VPC Defaults"
+ value = {
+ "security_group" = aws_default_security_group.default.id
+ "network_acl" = aws_default_network_acl.default.id
+ "subnet" = [for s in aws_default_subnet.default : s.id]
+ "route_table" = aws_default_route_table.default.id
+ "vpc_dhcp_options" = aws_default_vpc_dhcp_options.default.id
+ "vpc" = aws_default_vpc.default.id
+ "igw" = var.enable_igw_check ? concat(data.aws_internet_gateway.default[*].id, list("")) : ""
+ }
+}
+
+# delete resources, create script to do this from a template
+#
+# null_resource.default_igw
+# aws_default_security_group.default
+# aws_default_network_acl.default
+# aws_default_subnet.default["us-gov-east-1a"]
+# aws_default_subnet.default["us-gov-east-1b"]
+# aws_default_subnet.default["us-gov-east-1c"]
+# aws_default_route_table.default
+# aws_default_vpc_dhcp_options.default
+# aws_default_vpc.default
+
+# delete-security-group --group-id
+# delete-internet-gateway --internet-gateway-id
+# delete-network-acl --network-acl-id
+# delete-subnet --subnet-id
+# delete-route-table --route-table-id
+# delete-dhcp-options --dhcp-options-id
+# delete-vpc --vpc-id
+
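Review bot: The `command` in `null_resource.execute_script` invokes the generated script with no argument, and the template treats an empty `$1` as dry-run, so `enable_delete = true` only ever produces a `--dry-run` pass; if the automatic run is meant to delete, pass the argument and drop the `./` prefix, which mis-resolves once `path.root` is absolute: `command = "${local.defaults_script} 1"`. Separately, `null_resource.script` has `triggers = {}`, so the script is written once at create time and never regenerated when the ids or region in `local.default_output` change; `triggers = { script_sha256 = sha256(local.default_output) }` keeps it current. The `igw` expression in `default_output` (and the identical one in the `defaults` output) yields a list on the true branch and a string on the false branch, and the template interpolates `${igw}` as a scalar, so I'd expect Terraform to reject the inconsistent conditional; `element(concat(data.aws_internet_gateway.default[*].id, [""]), 0)` on the true branch gives a string either way. The `list("")` and `map(...)` calls are deprecated in favour of the `[""]` and `{ Name = ... }` literal forms, and `local.enable_defaults` is only referenced from commented-out code.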
diff --git a/vpc-remove-defaults/outputs.tf b/vpc-remove-defaults/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/vpc-remove-defaults/prefixes.tf b/vpc-remove-defaults/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/vpc-remove-defaults/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-remove-defaults/templates/delete-defaults.sh.tpl b/vpc-remove-defaults/templates/delete-defaults.sh.tpl
new file mode 100644
index 0000000..3ccdbb9
--- /dev/null
+++ b/vpc-remove-defaults/templates/delete-defaults.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash -x
+
+# pass any argument to script to execute and remove
+
+if [ -z "$1" ]
+then
+ DRYRUN="--dry-run"
+else
+ DRYRUN=""
+fi
+
+aws --profile ${profile} --region ${region} ec2 delete-security-group --group-id ${security_group} $DRYRUN
+aws --profile ${profile} --region ${region} ec2 delete-internet-gateway --internet-gateway-id ${igw} $DRYRUN
+aws --profile ${profile} --region ${region} ec2 delete-network-acl --network-acl-id ${network_acl} $DRYRUN
+%{ for sn in subnet ~}
+aws --profile ${profile} --region ${region} ec2 delete-subnet --subnet-id ${sn} $DRYRUN
+%{ endfor ~}
+aws --profile ${profile} --region ${region} ec2 delete-route-table --route-table-id ${route_table} $DRYRUN
+aws --profile ${profile} --region ${region} ec2 delete-dhcp-options --dhcp-options-id ${vpc_dhcp_options} $DRYRUN
+aws --profile ${profile} --region ${region} ec2 delete-vpc --vpc-id ${vpc} $DRYRUN
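Review bot: The `delete-internet-gateway` line runs unconditionally, but `igw` is empty when `enable_igw_check` is false (the false branch in main.tf yields `""`), leaving `--internet-gateway-id` without a value so the CLI rejects the call; an attached IGW also has to be detached from the VPC before it can be deleted, and the script never detaches it, so the final `delete-vpc` is expected to fail on the remaining attachment. Assuming `igw` reaches the template as a plain string, guard the step and detach first. The script has no `set -e`, so each failed call is only visible in the `-x` trace; the default security group, default network ACL and main route table calls in particular are ones I'd expect AWS to refuse while the VPC exists, and they go away with the VPC anyway. The unquoted `${profile}`/`${region}` values are fine for AWS ids but will mis-parse if `var.profile` is empty, which is declared outside this diff — worth confirming its default.
```shell
aws --profile ${profile} --region ${region} ec2 delete-security-group --group-id ${security_group} $DRYRUN
%{ if igw != "" ~}
aws --profile ${profile} --region ${region} ec2 detach-internet-gateway --internet-gateway-id ${igw} --vpc-id ${vpc} $DRYRUN
aws --profile ${profile} --region ${region} ec2 delete-internet-gateway --internet-gateway-id ${igw} $DRYRUN
%{ endif ~}
# … unchanged: network-acl, subnet, route-table, dhcp-options and vpc deletes …
```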
diff --git a/vpc-remove-defaults/variables.common.tf b/vpc-remove-defaults/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/vpc-remove-defaults/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-remove-defaults/variables.tf b/vpc-remove-defaults/variables.tf
new file mode 100644
index 0000000..d17bcc4
--- /dev/null
+++ b/vpc-remove-defaults/variables.tf
@@ -0,0 +1,11 @@
+variable "enable_delete" {
+ description = "Execute delete-defaults.sh script at the end of apply"
+ type = bool
+ default = false
+}
+
+variable "enable_igw_check" {
+ description = "Enable check of Internet Gateway (IGW) as part of default detection"
+ type = bool
+ default = true
+}
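Review bot: The `enable_delete` description says the script is executed at the end of apply but not what that execution does to the account, which matters because the flag gates an irreversible deletion of the default VPC and everything attached to it; I'd make that explicit, e.g. `description = "Run setup/delete-defaults.sh at the end of apply; outside dry-run this deletes the account's default VPC, subnets, security group, NACL, route table and DHCP options"`. It is also worth stating there that the run only fires when `null_resource.execute_script` is created, since a `local-exec` provisioner does not re-run on subsequent applies.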
diff --git a/vpc-remove-defaults/version.tf b/vpc-remove-defaults/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/vpc-remove-defaults/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file