From 544332906d57a9ecdc12a395fe67078d7b20ed1b Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 8 Apr 2021 09:42:24 -0400 Subject: [PATCH 1/2] add variables profile, region --- vpc-remove-defaults/README.md | 11 ++- vpc-remove-defaults/main.tf | 37 +++----- .../templates/delete-defaults.sh.tpl | 84 +++++++++++++++++-- vpc-remove-defaults/variables.tf | 13 +++ 4 files changed, 111 insertions(+), 34 deletions(-) diff --git a/vpc-remove-defaults/README.md b/vpc-remove-defaults/README.md index 2c6f1a0..f1f77ab 100644 --- a/vpc-remove-defaults/README.md +++ b/vpc-remove-defaults/README.md @@ -7,12 +7,19 @@ module "vpc_defaults" { source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//vpc-remove-defaults" account_alias = "ma5-gov" - # optional + + ## optional # enable_delete = true # enable_igw_check = true + + # region = "us-gov-west-1" + # profile = "myprofile" } ``` +By default, it will use the current region, and it will use a profile assumed to be constructed of +the `account_id`+`account_alias`. + # Removing Defaults On a new account, a number of default things are set up: * VPC 
@@ -79,6 +86,8 @@ No modules. | [enable\_delete](#input\_enable\_delete) | Execute delete-defaults.sh script at the end of apply | `bool` | `false` | no | | [enable\_igw\_check](#input\_enable\_igw\_check) | Enable check of Internet Gateway (IGW) as part of default detection | `bool` | `true` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [profile](#input\_profile) | AWS Config profile (required for calling the aws cli; assumed to be {account\_id}-{account\_alias}) | `string` | `""` | no | +| [region](#input\_region) | AWS Region (default takes from current executing region) | `string` | `""` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs diff --git a/vpc-remove-defaults/main.tf b/vpc-remove-defaults/main.tf index 891eec0..7eb7f1a 100644 --- a/vpc-remove-defaults/main.tf +++ b/vpc-remove-defaults/main.tf @@ -8,12 +8,19 @@ * source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//vpc-remove-defaults" * * account_alias = "ma5-gov" -* # optional +* +* ## optional * # enable_delete = true * # enable_igw_check = true +* +* # region = "us-gov-west-1" +* # profile = "myprofile" * } * ``` * +* By default, it will use the current region, and it will use a profile assumed to be constructed of +* the `account_id`+`account_alias`. +* * # Removing Defaults * On a new account, a number of default things are set up: * * VPC 
@@ -43,6 +50,7 @@ locals { account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" region = var.region == "" ? data.aws_region.current.name : var.region + profile = var.profile == "" ? format("%v-%v", local.account_id, var.account_alias) : var.profile base_tags = { "Organization" = "census:aditcio:csvd" @@ -53,14 +61,14 @@ locals { locals { vpc_id = aws_default_vpc.default.id - vpc_title = format("%v-%v-%v", local.account_id, var.account_alias, local.region) + vpc_title = format("%v-%v", local.account_id, var.account_alias, local.region) vpc_availability_zones = toset(data.aws_availability_zones.zones.names) defaults_script = "${path.root}/setup/delete-defaults.sh" enable_defaults = fileexists(local.defaults_script) ? 0 : 1 default_output = templatefile("${path.module}/templates/delete-defaults.sh.tpl", { - profile = var.profile + profile = local.profile region = local.region security_group = aws_default_security_group.default.id network_acl = aws_default_network_acl.default.id @@ -195,7 +203,7 @@ resource "null_resource" "execute_script" { script_created = null_resource.script.id } provisioner "local-exec" { - command = "./${local.defaults_script}" + command = "./${local.defaults_script} delete |& tee -a ${local.defaults_script}.log" } } 
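Review bot: The new `vpc_title` line keeps three arguments but drops to two `%v` verbs, and Terraform's `format` (I believe) rejects an argument no verb consumes with a "too many arguments" error, so this local fails at plan time rather than quietly omitting the region. If the intent is to drop the region from the title, also drop the argument: `vpc_title = format("%v-%v", local.account_id, var.account_alias)`; if the region should stay, restore the third `%v`. The `profile = local.profile` switch in the same hunk is consistent with the `local.profile` added in the preceding `locals` hunk. The enclosing `locals` block continues outside this hunk.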
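Review bot: `|&` is a bash-only operator, but `local-exec` runs `command` through `/bin/sh -c` unless `interpreter` is set, so on hosts where `/bin/sh` is dash this new command line is a syntax error before the script even starts; use the portable form `command = "./${local.defaults_script} delete 2>&1 | tee -a ${local.defaults_script}.log"` or set `interpreter = ["/bin/bash", "-c"]`. Either way the pipeline's exit status is `tee`'s, so a failing delete script can no longer fail the apply; with the bash interpreter prefix the command with `set -o pipefail;` so deletion errors surface in Terraform rather than only in the log file. The `null_resource "execute_script"` block starts before this hunk.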
@@ -211,24 +219,3 @@ output "defaults" { "igw" = var.enable_igw_check ? concat(data.aws_internet_gateway.default[*].id, list("")) : "" } } - -# delete resources, create script to do this from a template -# -# null_resource.default_igw -# aws_default_security_group.default -# aws_default_network_acl.default -# aws_default_subnet.default["us-gov-east-1a"] -# aws_default_subnet.default["us-gov-east-1b"] -# aws_default_subnet.default["us-gov-east-1c"] -# aws_default_route_table.default -# aws_default_vpc_dhcp_options.default -# aws_default_vpc.default - -# delete-security-group --group-id -# delete-internet-gateway --internet-gateway-id -# delete-network-acl --network-acl-id -# delete-subnet --subnet-id -# delete-route-table --route-table-id -# delete-dhcp-options --dhcp-options-id -# delete-vpc --vpc-id - diff --git a/vpc-remove-defaults/templates/delete-defaults.sh.tpl b/vpc-remove-defaults/templates/delete-defaults.sh.tpl index 3ccdbb9..dcf120f 100644 --- a/vpc-remove-defaults/templates/delete-defaults.sh.tpl +++ b/vpc-remove-defaults/templates/delete-defaults.sh.tpl @@ -1,4 +1,4 @@ -#!/bin/bash -x +#!/bin/bash # pass any argument to script to execute and remove 
@@ -9,12 +9,80 @@ else DRYRUN="" fi -aws --profile ${profile} --region ${region} ec2 delete-security-group --group-id ${security_group} $DRYRUN -aws --profile ${profile} --region ${region} ec2 delete-internet-gateway --internet-gateway-id ${igw} $DRYRUN -aws --profile ${profile} --region ${region} ec2 delete-network-acl --network-acl-id ${network_acl} $DRYRUN +if [ -z "${profile}" ] +then + echo "* profile is missing, exiting" + exit 1 +fi +if [ -z "${region}" ] +then + echo "* region is missing, exiting" + exit 1 +fi + +AWS=$(which aws 2>/dev/null) +if [ -z $AWS ] +then + echo "* cannot find aws binary, exiting" + exit 1 +fi + +if [ ! -z "${security_group}" ] +then + echo "# aws --profile ${profile} --region ${region} ec2 delete-security-group --group-id ${security_group} $DRYRUN" + aws --profile ${profile} --region ${region} ec2 delete-security-group --group-id ${security_group} $DRYRUN +else + echo "# skipping delete security-group, missing" +fi + +if [ ! -z "${igw}" ] +then + echo "# aws --profile ${profile} --region ${region} ec2 delete-internet-gateway --internet-gateway-id ${igw} $DRYRUN" + aws --profile ${profile} --region ${region} ec2 delete-internet-gateway --internet-gateway-id ${igw} $DRYRUN +else + echo "# skipping delete igw, missing" +fi + +if [ ! -z "${network_acl}" ] +then + echo "# aws --profile ${profile} --region ${region} ec2 delete-network-acl --network-acl-id ${network_acl} $DRYRUN" + aws --profile ${profile} --region ${region} ec2 delete-network-acl --network-acl-id ${network_acl} $DRYRUN +else + echo "# skipping delete network_acl, missing" +fi + %{ for sn in subnet ~} -aws --profile ${profile} --region ${region} ec2 delete-subnet --subnet-id ${sn} $DRYRUN +if [ ! 
-z "${sn}" ] +then + echo "# aws --profile ${profile} --region ${region} ec2 delete-subnet --subnet-id ${sn} $DRYRUN" + aws --profile ${profile} --region ${region} ec2 delete-subnet --subnet-id ${sn} $DRYRUN +else + echo "# skipping delete subnet, missing" +fi %{ endfor ~} -aws --profile ${profile} --region ${region} ec2 delete-route-table --route-table-id ${route_table} $DRYRUN -aws --profile ${profile} --region ${region} ec2 delete-dhcp-options --dhcp-options-id ${vpc_dhcp_options} $DRYRUN -aws --profile ${profile} --region ${region} ec2 delete-vpc --vpc-id ${vpc} $DRYRUN + +if [ ! -z "${route_table}" ] +then + echo "# aws --profile ${profile} --region ${region} ec2 delete-route-table --route-table-id ${route_table} $DRYRUN" + aws --profile ${profile} --region ${region} ec2 delete-route-table --route-table-id ${route_table} $DRYRUN +else + echo "# skipping delete route_table, missing" +fi + +if [ ! -z "${vpc_dhcp_options}" ] +then + echo "# aws --profile ${profile} --region ${region} ec2 delete-dhcp-options --dhcp-options-id ${vpc_dhcp_options} $DRYRUN" + aws --profile ${profile} --region ${region} ec2 delete-dhcp-options --dhcp-options-id ${vpc_dhcp_options} $DRYRUN +else + echo "# skipping delete dhcp_options, missing" +fi + +if [ ! -z "${vpc}" ] +then + echo "# aws --profile ${profile} --region ${region} ec2 delete-vpc --vpc-id ${vpc} $DRYRUN" + aws --profile ${profile} --region ${region} ec2 delete-vpc --vpc-id ${vpc} $DRYRUN +else + echo "# skipping delete vpc, missing" +fi + +exit 0 diff --git a/vpc-remove-defaults/variables.tf b/vpc-remove-defaults/variables.tf index d17bcc4..02bfe33 100644 --- a/vpc-remove-defaults/variables.tf +++ b/vpc-remove-defaults/variables.tf 
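Review bot: Every `aws ec2 delete-*` call's exit status is discarded and the script now ends with an unconditional `exit 0` (there is no `set -e`), so a failed deletion is reported to the Terraform local-exec caller as success; record the status instead, e.g. `RC=0` near the top, `aws ... $DRYRUN || RC=$?` on each call, and `exit $RC` as the last line. The `AWS=$(which aws 2>/dev/null)` lookup is never used — the calls below still invoke bare `aws` — and `[ -z $AWS ]` is unquoted; either invoke `"$AWS"` or replace the block with `command -v aws >/dev/null 2>&1 || { echo "* cannot find aws binary, exiting"; exit 1; }`. The rendered `${profile}`, `${region}` and resource-ID values are pasted into the command lines unquoted, and `profile` is built from the module's `profile`/`account_alias` inputs, so quote them (`--profile "${profile}" --region "${region}"`) so an unexpected value cannot be split into extra shell words when the generated script runs. The `if/else/fi` that sets `DRYRUN` opens before this hunk.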
@@ -9,3 +9,16 @@ variable "enable_igw_check" { type = bool default = true } + +variable "region" { + description = "AWS Region (default takes from current executing region)" + type = string + default = "" +} + +variable "profile" { + description = "AWS Config profile (required for calling the aws cli; assumed to be {account_id}-{account_alias})" + type = string + default = "" +} + From 457cdb6dca1df7faaf9f7f7375043ded54e37d13 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 8 Apr 2021 09:43:12 -0400 Subject: [PATCH 2/2] add variables profile, region --- CHANGELOG.md | 4 ++++ common/version.tf | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4efffac..0c360c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -79,3 +79,7 @@ * v1.10.0 -- 20210407 - vpc-remove-defaults created + +* v1.10.1 -- 20210408 + - vpc-remove-defaults + - add `region` and `profile` variables diff --git a/common/version.tf b/common/version.tf index b7f4def..2bd0272 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.10.0" + _module_version = "1.10.1" }
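Review bot: `profile` (and `region`) are interpolated verbatim into the generated `delete-defaults.sh` that the module then executes via local-exec, so their character set is worth constraining at the variable rather than trusting the caller; a `validation` block (Terraform 0.13+, which I assume this module targets) limiting the value to the characters an AWS CLI profile name needs — letters, digits, `.`, `_`, `-` — rejects values that would be split into extra shell words or carry metacharacters into the script. The same shape fits `region`, e.g. `can(regex("^[a-z0-9-]*$", var.region))`, with the empty default still allowed so the `data.aws_region` fallback keeps working.

```hcl
variable "profile" {
  description = "AWS Config profile (required for calling the aws cli; assumed to be {account_id}-{account_alias})"
  type        = string
  default     = ""

  # Written verbatim into the generated delete-defaults.sh; keep it to characters that need no quoting.
  validation {
    condition     = can(regex("^[A-Za-z0-9._-]*$", var.profile))
    error_message = "Profile may contain only letters, digits, '.', '_' and '-'."
  }
}
```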