v1.10.0: add module vpc-remove-defaults

CHANGELOG.md

@@ -77,4 +77,5 @@
     - add new submodule to retrieve an attribute value from a search
     - move it out to its own module
 
-
+* v1.10.0 -- 20210407
+  - vpc-remove-defaults created

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.9.0"
+  _module_version = "1.10.0"
 }

vpc-remove-defaults/README.md

@@ -0,0 +1,88 @@
+# aws-inf-setup :: vpc-remove defaults
+
+# Usage
+
+```hcl
+module "vpc_defaults" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//vpc-remove-defaults"
+
+  account_alias         = "ma5-gov"
+  # optional
+  # enable_delete       = true
+  # enable_igw_check    = true
+}
+```
+
+# Removing Defaults
+On a new account, a number of default things are set up:
+* VPC
+* Route Table
+* Security Group
+* Network ACL
+* DHCP Options
+* Subnets
+* Internet Gateway (this may be optional)
+
+These can be somewhat managed by Terraform, but destroying the resources does not remove them.
+This module generates a script which uses the `aws` CLI to remove all the resources.  It is in
+`setup/delete-defaults.sh`.  Run it like this for dry-run:
+
+```console
+% setup/delete-defaults.sh
+```
+
+ To execute it not in dry-run mode, pass any argument:
+```console
+% setup/delete-defaults.sh 1
+```
+If the module is set with `enable_delete` set to true, this will be run automatically.
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_default_network_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
+| [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
+| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
+| [aws_default_subnet.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_subnet) | resource |
+| [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
+| [aws_default_vpc_dhcp_options.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc_dhcp_options) | resource |
+| [null_resource.execute_script](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.script](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_internet_gateway.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/internet_gateway) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_enable_delete"></a> [enable\_delete](#input\_enable\_delete) | Execute delete-defaults.sh script at the end of apply | `bool` | `false` | no |
+| <a name="input_enable_igw_check"></a> [enable\_igw\_check](#input\_enable\_igw\_check) | Enable check of Internet Gateway (IGW) as part of default detection | `bool` | `true` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_defaults"></a> [defaults](#output\_defaults) | AWS VPC Defaults |

vpc-remove-defaults/data.tf

@@ -0,0 +1 @@
+../common/data.tf

vpc-remove-defaults/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

vpc-remove-defaults/main.tf

@@ -0,0 +1,234 @@
+/*
+* # aws-inf-setup :: vpc-remove defaults
+* 
+* # Usage
+*
+* ```hcl
+* module "vpc_defaults" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//vpc-remove-defaults"
+*
+*   account_alias         = "ma5-gov"
+*   # optional
+*   # enable_delete       = true
+*   # enable_igw_check    = true
+* }
+* ```
+*
+* # Removing Defaults
+* On a new account, a number of default things are set up:
+* * VPC
+* * Route Table
+* * Security Group
+* * Network ACL
+* * DHCP Options
+* * Subnets
+* * Internet Gateway (this may be optional)
+*
+* These can be somewhat managed by Terraform, but destroying the resources does not remove them.
+* This module generates a script which uses the `aws` CLI to remove all the resources.  It is in
+* `setup/delete-defaults.sh`.  Run it like this for dry-run:
+*
+* ```console
+* % setup/delete-defaults.sh
+* ```
+*
+*  To execute it not in dry-run mode, pass any argument:
+* ```console
+* % setup/delete-defaults.sh 1
+* ```
+* If the module is set with `enable_delete` set to true, this will be run automatically.
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region              = var.region == "" ? data.aws_region.current.name : var.region
+
+  base_tags = {
+    "Organization"          = "census:aditcio:csvd"
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+locals {
+  vpc_id                 = aws_default_vpc.default.id
+  vpc_title              = format("%v-%v-%v", local.account_id, var.account_alias, local.region)
+  vpc_availability_zones = toset(data.aws_availability_zones.zones.names)
+  defaults_script        = "${path.root}/setup/delete-defaults.sh"
+  enable_defaults        = fileexists(local.defaults_script) ? 0 : 1
+
+  default_output = templatefile("${path.module}/templates/delete-defaults.sh.tpl",
+    {
+      profile          = var.profile
+      region           = local.region
+      security_group   = aws_default_security_group.default.id
+      network_acl      = aws_default_network_acl.default.id
+      subnet           = [for s in aws_default_subnet.default : s.id]
+      route_table      = aws_default_route_table.default.id
+      vpc_dhcp_options = aws_default_vpc_dhcp_options.default.id
+      vpc              = aws_default_vpc.default.id
+      igw              = var.enable_igw_check ? concat(data.aws_internet_gateway.default[*].id, list("")) : ""
+  })
+}
+
+#---
+# get availability zones
+#---
+data "aws_availability_zones" "zones" {
+  state = "available"
+}
+
+#---
+# default vpc
+#---
+resource "aws_default_vpc" "default" {
+  tags = merge(
+    local.common_tags,
+    map("Name", format("default-vpc-%s", local.vpc_title))
+  )
+}
+
+#---
+# default dhcp options set
+#---
+resource "aws_default_vpc_dhcp_options" "default" {
+  tags = merge(
+    local.common_tags,
+    map("Name", format("default-dhcpopt-%s", local.vpc_title))
+  )
+}
+
+#---
+# default security group
+#---
+resource "aws_default_security_group" "default" {
+  vpc_id = local.vpc_id
+
+  tags = merge(
+    local.common_tags,
+    map("Name", format("default-sg-%s", local.vpc_title))
+  )
+}
+
+#---
+# default subnets
+#---
+resource "aws_default_subnet" "default" {
+  for_each          = local.vpc_availability_zones
+  availability_zone = each.key
+
+  tags = merge(
+    local.common_tags,
+    map("Name", format("default-subnet-%s-%s", local.vpc_title, each.key))
+  )
+}
+
+
+#---
+# default nacl
+#---
+resource "aws_default_network_acl" "default" {
+  default_network_acl_id = aws_default_vpc.default.default_network_acl_id
+
+  tags = merge(
+    local.common_tags,
+    map("Name", format("default-nacl-%s", local.vpc_title))
+  )
+}
+
+#---
+# default route table
+#---
+resource "aws_default_route_table" "default" {
+  default_route_table_id = aws_default_vpc.default.main_route_table_id
+
+  tags = merge(
+    local.common_tags,
+    map("Name", format("default-rt-%s", local.vpc_title))
+  )
+}
+
+#---
+# internet gateway
+#---
+data "aws_internet_gateway" "default" {
+  count = var.enable_igw_check ? 1 : 0
+  filter {
+    name   = "attachment.vpc-id"
+    values = [local.vpc_id]
+  }
+}
+
+# import this, then remove it
+# resource "aws_internet_gateway" "default" {
+#   vpc_id = local.vpc_id
+# }
+
+# resource "null_resource" "default_igw" {
+#   count = local.enable_defaults
+#   triggers = {
+#     igw_id = data.aws_internet_gateway.default.id
+#   }
+#   #  provisioner "local-exec" {
+#   #    command = "echo 'remove internet-gateway id ${data.aws_internet_gateway.default.id}'"
+#   #  }
+# }
+
+resource "null_resource" "script" {
+  triggers = {}
+
+  provisioner "local-exec" {
+    command = "test -d ${path.root}/setup || mkdir ${path.root}/setup"
+  }
+  provisioner "local-exec" {
+    command = "echo '${local.default_output}' > ${local.defaults_script}"
+  }
+  provisioner "local-exec" {
+    command = "chmod 755 ${local.defaults_script}"
+  }
+}
+
+resource "null_resource" "execute_script" {
+  count = var.enable_delete ? 1 : 0
+  triggers = {
+    script_created = null_resource.script.id
+  }
+  provisioner "local-exec" {
+    command = "./${local.defaults_script}"
+  }
+}
+
+output "defaults" {
+  description = "AWS VPC Defaults"
+  value = {
+    "security_group"   = aws_default_security_group.default.id
+    "network_acl"      = aws_default_network_acl.default.id
+    "subnet"           = [for s in aws_default_subnet.default : s.id]
+    "route_table"      = aws_default_route_table.default.id
+    "vpc_dhcp_options" = aws_default_vpc_dhcp_options.default.id
+    "vpc"              = aws_default_vpc.default.id
+    "igw"              = var.enable_igw_check ? concat(data.aws_internet_gateway.default[*].id, list("")) : ""
+  }
+}
+
+# delete resources, create script to do this from a template
+#
+#  null_resource.default_igw
+#  aws_default_security_group.default
+#  aws_default_network_acl.default
+#  aws_default_subnet.default["us-gov-east-1a"]
+#  aws_default_subnet.default["us-gov-east-1b"]
+#  aws_default_subnet.default["us-gov-east-1c"]
+#  aws_default_route_table.default
+#  aws_default_vpc_dhcp_options.default
+#  aws_default_vpc.default
+
+# delete-security-group --group-id
+# delete-internet-gateway --internet-gateway-id
+# delete-network-acl --network-acl-id
+# delete-subnet --subnet-id
+# delete-route-table --route-table-id
+# delete-dhcp-options --dhcp-options-id
+# delete-vpc --vpc-id
+

vpc-remove-defaults/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

vpc-remove-defaults/templates/delete-defaults.sh.tpl

@@ -0,0 +1,20 @@
+#!/bin/bash -x
+
+# pass any argument to script to execute and remove
+
+if [ -z "$1" ]
+then
+  DRYRUN="--dry-run"
+else
+  DRYRUN=""
+fi
+
+aws --profile ${profile} --region ${region}  ec2 delete-security-group --group-id ${security_group} $DRYRUN
+aws --profile ${profile} --region ${region}  ec2 delete-internet-gateway --internet-gateway-id ${igw} $DRYRUN
+aws --profile ${profile} --region ${region}  ec2 delete-network-acl --network-acl-id ${network_acl} $DRYRUN
+%{ for sn in subnet ~}
+aws --profile ${profile} --region ${region}  ec2 delete-subnet --subnet-id ${sn} $DRYRUN
+%{ endfor ~}
+aws --profile ${profile} --region ${region}  ec2 delete-route-table --route-table-id ${route_table} $DRYRUN
+aws --profile ${profile} --region ${region}  ec2 delete-dhcp-options --dhcp-options-id ${vpc_dhcp_options} $DRYRUN
+aws --profile ${profile} --region ${region}  ec2 delete-vpc --vpc-id ${vpc} $DRYRUN

vpc-remove-defaults/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

vpc-remove-defaults/variables.tf

@@ -0,0 +1,11 @@
+variable "enable_delete" {
+  description = "Execute delete-defaults.sh script at the end of apply"
+  type        = bool
+  default     = false
+}
+
+variable "enable_igw_check" {
+  description = "Enable check of Internet Gateway (IGW) as part of default detection"
+  type        = bool
+  default     = true
+}

vpc-remove-defaults/version.tf

@@ -0,0 +1 @@
+../common/version.tf