Skip to content

Terraform module for a lambda function that deletes default VPCs in all regions when an account is added to an AWS Organization

License

Notifications You must be signed in to change notification settings

plus3it/terraform-aws-org-new-account-delete-default-vpcs

Repository files navigation

terraform-aws-org-new-account-delete-default-vpcs

A Terraform module to delete the default VPCs in all regions when new AWS accounts are added or invited to an AWS Organization.

The Lambda function is triggered for the account by an Event Rule that matches the CreateAccountResult or InviteAccountToOrganization events. The function then describes the available regions, and deletes all resources associated with the default VPC in every region for that account.

Requirements

Name Version
terraform >= 1.3
aws >= 4.9

Providers

Name Version
aws >= 4.9

Resources

Name Type
aws_iam_policy_document.lambda data source
aws_partition.current data source

Inputs

Name Description Type Default Required
project_name Project name to prefix resources with string n/a yes
assume_role_name Name of the IAM role that the lambda will assume in the target account string "OrganizationAccountAccessRole" no
aws_sts_regional_endpoints Sets AWS STS endpoint resolution logic for boto3. string "regional" no
dry_run Boolean toggle to control the dry-run mode of the lambda function bool true no
event_bus_name Event bus name to create event rules in string "default" no
event_types Event types that will trigger this lambda set(string)
[
"CreateAccountResult",
"InviteAccountToOrganization",
"EnableOptInRegion"
]
no
lambda Object of optional attributes passed on to the lambda module
object({
artifacts_dir = optional(string, "builds")
build_in_docker = optional(bool, false)
create_package = optional(bool, true)
ephemeral_storage_size = optional(number)
ignore_source_code_hash = optional(bool, true)
local_existing_package = optional(string)
memory_size = optional(number, 128)
recreate_missing_package = optional(bool, false)
runtime = optional(string, "python3.12")
s3_bucket = optional(string)
s3_existing_package = optional(map(string))
s3_prefix = optional(string)
store_on_s3 = optional(bool, false)
timeout = optional(number, 300)
})
{} no
log_level Log level for lambda string "INFO" no
max_workers Number of worker threads to use to process delete number 20 no
tags Tags for resource map(string) {} no

Outputs

No outputs.

CLI Option

Steps to run via the CLI

  1. Install and configure aws cli.
  2. Set AWS_PROFILE and AWS_DEFAULT_REGION (account and region that can assume the role and run commands from)
  3. Review the options for the script and run

Script Options

Supported Environment Variables:
    'LOG_LEVEL': defaults to 'info'
        - set the desired log level ('error', 'warning', 'info' or 'debug')

    'DRY_RUN': defaults to 'true'
        - set whether actions should be simulated or live
        - value of 'true' (case insensitive) will be simulated.

    'MAX_WORKERS': defaults to '20'
        -sets max number of worker threads to run simultaneously.

    'AWS_STS_REGIONAL_ENDPOINTS': defaults to 'regional'
        -sets AWS STS endpoint resolution logic for boto3.
        - helpful when using opt-in AWS regions

options:
  -h, --help            show this help message and exit

required arguments:
  --target-account-id TARGET_ACCOUNT_ID
                        Account number to delete default VPC resources in

  --assume-role-arn ASSUME_ROLE_ARN
                        ARN of IAM role to assume in the target account (case sensitive)
  OR
  --assume-role-name ASSUME_ROLE_NAME
                        Name of IAM role to assume in the target account (case sensitive)

usage: delete_default_vpc.py [-h] --target-account-id TARGET_ACCOUNT_ID (--assume-role-arn ASSUME_ROLE_ARN | --assume-role-name ASSUME_ROLE_NAME)

Sample steps to execute in venv

mkdir vpc_env
python3 -m venv vpc_env
source vpc_env/bin/activate
python3 -m pip install -U pip
pip3 install -r src/requirements.txt
python3 src/delete_default_vpc.py --target-account-id=<TARGET ACCT ID> (--assume-role-arn=<ROLE ARN TO ASSUME> | --assume-role-name=<ROLE NAME TO ASSUME>)
deactivate
rm -rf vpc_env

About

Terraform module for a lambda function that deletes default VPCs in all regions when an account is added to an AWS Organization

Resources

License

Stars

Watchers

Forks

Packages

No packages published