A Terraform module that deletes the default VPCs in every region of an AWS account when that account is created in, or invited into, an AWS Organization.

The Lambda function is triggered for the new account by an EventBridge event rule that matches the CreateAccountResult or InviteAccountToOrganization events. It assumes the configured IAM role in that account, describes the regions available to it, and in each region deletes the default VPC together with every resource attached to it.
Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| aws | >= 4.9 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.9 |

Resources

| Name | Type |
|------|------|
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |
Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| project_name | Project name to prefix resources with | string | n/a | yes |
| assume_role_name | Name of the IAM role that the Lambda will assume in the target account | string | "OrganizationAccountAccessRole" | no |
| aws_sts_regional_endpoints | Sets AWS STS endpoint resolution logic for boto3 | string | "regional" | no |
| dry_run | Boolean toggle to control the dry-run mode of the Lambda function | bool | true | no |
| event_bus_name | Event bus name to create event rules in | string | "default" | no |
| event_types | Event types that will trigger this Lambda | set(string) | [ | no |
| lambda | Object of optional attributes passed on to the lambda module | object({ | {} | no |
| log_level | Log level for the Lambda | string | "INFO" | no |
| max_workers | Number of worker threads used to process deletes | number | 20 | no |
| tags | Tags for resources | map(string) | {} | no |
No outputs.
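A module call wired up with the inputs above, added here as an example and not taken from the project; the source path, project name and tag values are placeholders. Two caveats worth noting: dry_run defaults to true, so the first deployment only logs what it would delete, and OrganizationAccountAccessRole is the administrator role Organizations creates in accounts it creates (invited accounts need it added by hand), so the Lambda's execution role ends up able to assume administrator access in every new account; if a narrower role is provisioned in each member account, point assume_role_name at that instead. Organizations API events such as CreateAccountResult are delivered to EventBridge in us-east-1, so the provider this module is deployed with must target that region for the event rule to fire.

```hcl
module "delete_default_vpc" {
  # Placeholder path: point this at the module's actual source.
  source = "./modules/delete-default-vpc"

  project_name = "org-baseline"

  # Default value shown for clarity; prefer a least-privilege role provisioned
  # in every member account if one exists.
  assume_role_name = "OrganizationAccountAccessRole"

  # Leave true for the first rollout, confirm the planned deletions in the
  # Lambda's logs, then set to false for live deletions.
  dry_run = true

  event_bus_name = "default"
  log_level      = "INFO"
  max_workers    = 20

  tags = {
    Owner = "security-platform"
  }
}
```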
Steps to run via the CLI

- Install and configure the AWS CLI.
- Set AWS_PROFILE and AWS_DEFAULT_REGION to a profile and region from which you can assume the target role and run commands.
- Review the script's options below and run it.

Supported environment variables:

- LOG_LEVEL (default 'info'): the desired log level ('error', 'warning', 'info' or 'debug').
- DRY_RUN (default 'true'): whether actions are simulated or live; a value of 'true' (case-insensitive) simulates, anything else deletes.
- MAX_WORKERS (default '20'): maximum number of worker threads run simultaneously.
- AWS_STS_REGIONAL_ENDPOINTS (default 'regional'): AWS STS endpoint resolution logic for boto3; helpful when using opt-in AWS regions.
```
usage: delete_default_vpc.py [-h] --target-account-id TARGET_ACCOUNT_ID (--assume-role-arn ASSUME_ROLE_ARN | --assume-role-name ASSUME_ROLE_NAME)

options:
  -h, --help            show this help message and exit

required arguments:
  --target-account-id TARGET_ACCOUNT_ID
                        Account number to delete default VPC resources in
  --assume-role-arn ASSUME_ROLE_ARN
                        ARN of IAM role to assume in the target account (case sensitive)
  OR
  --assume-role-name ASSUME_ROLE_NAME
                        Name of IAM role to assume in the target account (case sensitive)
```

```shell
mkdir vpc_env
python3 -m venv vpc_env
source vpc_env/bin/activate
python3 -m pip install -U pip
pip3 install -r src/requirements.txt
# DRY_RUN defaults to true, so this only simulates; export DRY_RUN=false for a live run.
# Pass exactly one of --assume-role-arn or --assume-role-name.
python3 src/delete_default_vpc.py --target-account-id=<TARGET ACCT ID> (--assume-role-arn=<ROLE ARN TO ASSUME> | --assume-role-name=<ROLE NAME TO ASSUME>)
deactivate
rm -rf vpc_env
```
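The per-region teardown the script and Lambda perform, written out as an added example; this is illustration, not the project's src/delete_default_vpc.py. It follows the README's semantics for DRY_RUN (the string 'true' simulates) and MAX_WORKERS (a bounded thread pool over regions), and deletes dependencies in the order the EC2 API requires: detach and delete the internet gateway, delete subnets, delete non-main route tables and non-default security groups, then the VPC. FakeEC2 is a constructed in-memory stand-in for the handful of boto3 EC2 client methods used, so the example runs offline; to run it for real, pass a function returning boto3.client("ec2", region_name=region) built from the assumed-role credentials.

```python
"""Per-region default-VPC teardown (added example, not the project's own script).
FakeEC2 below is a constructed stand-in for the boto3 EC2 client calls used."""
from concurrent.futures import ThreadPoolExecutor
import os


def env_flag(name, default="true"):
    """DRY_RUN semantics from the README: the string 'true' (case-insensitive) simulates."""
    return os.environ.get(name, default).strip().lower() == "true"


def delete_default_vpc(ec2, region, dry_run=True):
    """Tear down every default VPC in one region, dependencies first.
    Returns the ordered action list; under dry_run no mutating call is made."""
    actions = []

    def act(label, call, **kwargs):
        actions.append(f"{region}: {label}")
        if not dry_run:
            call(**kwargs)

    vpcs = ec2.describe_vpcs(Filters=[{"Name": "isDefault", "Values": ["true"]}])["Vpcs"]
    for vpc in vpcs:
        vpc_id = vpc["VpcId"]
        by_vpc = [{"Name": "vpc-id", "Values": [vpc_id]}]
        # 1. Internet gateway: detach, then delete (a VPC with an attached IGW cannot be deleted).
        igws = ec2.describe_internet_gateways(
            Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])["InternetGateways"]
        for igw in igws:
            igw_id = igw["InternetGatewayId"]
            act(f"detach {igw_id}", ec2.detach_internet_gateway,
                InternetGatewayId=igw_id, VpcId=vpc_id)
            act(f"delete {igw_id}", ec2.delete_internet_gateway, InternetGatewayId=igw_id)
        # 2. Subnets (a default VPC has one per availability zone).
        for subnet in ec2.describe_subnets(Filters=by_vpc)["Subnets"]:
            act(f"delete {subnet['SubnetId']}", ec2.delete_subnet, SubnetId=subnet["SubnetId"])
        # 3. Non-main route tables and non-default security groups; the main table and
        #    the 'default' group cannot be deleted on their own and go with the VPC.
        for rt in ec2.describe_route_tables(Filters=by_vpc)["RouteTables"]:
            if not any(a.get("Main") for a in rt.get("Associations", [])):
                act(f"delete {rt['RouteTableId']}", ec2.delete_route_table,
                    RouteTableId=rt["RouteTableId"])
        for sg in ec2.describe_security_groups(Filters=by_vpc)["SecurityGroups"]:
            if sg["GroupName"] != "default":
                act(f"delete {sg['GroupId']}", ec2.delete_security_group, GroupId=sg["GroupId"])
        # 4. The VPC itself.
        act(f"delete {vpc_id}", ec2.delete_vpc, VpcId=vpc_id)
    return actions


def delete_in_all_regions(client_for_region, regions, dry_run=True, max_workers=20):
    """Fan out over regions with a bounded thread pool (the README's MAX_WORKERS)."""
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        per_region = pool.map(lambda r: delete_default_vpc(client_for_region(r), r, dry_run), regions)
        return [action for actions in per_region for action in actions]


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client holding one default VPC with an
    attached IGW and two subnets. Filters are ignored (single VPC); delete_vpc raises
    while dependencies remain, as the real API does with DependencyViolation."""

    def __init__(self, vpc_id="vpc-0default"):
        self.vpcs = [{"VpcId": vpc_id, "IsDefault": True}]
        self.igws = [{"InternetGatewayId": "igw-0abc", "Attachments": [{"VpcId": vpc_id}]}]
        self.subnets = [{"SubnetId": "subnet-0a"}, {"SubnetId": "subnet-0b"}]
        self.route_tables = [{"RouteTableId": "rtb-main", "Associations": [{"Main": True}]}]
        self.sgs = [{"GroupId": "sg-0def", "GroupName": "default"}]

    def describe_vpcs(self, Filters): return {"Vpcs": list(self.vpcs)}
    def describe_internet_gateways(self, Filters): return {"InternetGateways": list(self.igws)}
    def describe_subnets(self, Filters): return {"Subnets": list(self.subnets)}
    def describe_route_tables(self, Filters): return {"RouteTables": list(self.route_tables)}
    def describe_security_groups(self, Filters): return {"SecurityGroups": list(self.sgs)}

    def detach_internet_gateway(self, InternetGatewayId, VpcId):
        for igw in self.igws:
            if igw["InternetGatewayId"] == InternetGatewayId:
                igw["Attachments"] = []

    def delete_internet_gateway(self, InternetGatewayId):
        self.igws = [g for g in self.igws if g["InternetGatewayId"] != InternetGatewayId]

    def delete_subnet(self, SubnetId):
        self.subnets = [s for s in self.subnets if s["SubnetId"] != SubnetId]

    def delete_route_table(self, RouteTableId):
        self.route_tables = [r for r in self.route_tables if r["RouteTableId"] != RouteTableId]

    def delete_security_group(self, GroupId):
        self.sgs = [g for g in self.sgs if g["GroupId"] != GroupId]

    def delete_vpc(self, VpcId):
        if any(g["Attachments"] for g in self.igws) or self.subnets:
            raise RuntimeError("DependencyViolation: detach the IGW and delete subnets first")
        self.vpcs = [v for v in self.vpcs if v["VpcId"] != VpcId]
```

Running `delete_default_vpc(FakeEC2(), "us-east-1")` with the default dry_run=True returns the five-step plan without touching the fake; the same call with dry_run=False applies it and leaves the fake with no VPC, IGW or subnets. `delete_in_all_regions(fakes.get, list(fakes), dry_run=env_flag("DRY_RUN"), max_workers=20)` over a dict of per-region clients is the shape the Lambda's region loop takes.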