
Disable default VPC access

Posted on:August 12, 2023 at 12:00 AM

AWS best practice to not use the default VPC

You should never use default VPC resources for a production solution. This Pulumi configuration disables all network access inside the default VPC in every enabled AWS region (or a chosen subset): it adopts the default VPC, security group, network ACL and route table into Pulumi state and strips them of all their rules and routes. Be aware that this cuts off any workload still running inside a default VPC, so check those VPCs for attached network interfaces before applying it.

import pulumi
import pulumi_aws as aws

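def disable_default_vpc(
        default_tags: dict = None,
        vpc_name: str = None,
        security_group_name: str = None,
        network_acl_name: str = None,
        route_table_name: str = None,
        exclude_regions: list = (),
        include_regions: list = ()
) -> None:
    """Adopt the default VPC in each selected region and strip it of all traffic rules.

    Per region, the default VPC, its default security group, default network
    ACL and default (main) route table are adopted into Pulumi state and set
    to an empty rule set: no security-group ingress/egress, no NACL entries
    (only the implicit deny-all remains) and no routes, which removes the
    internet-gateway route a default VPC ships with. Nothing is deleted; on
    ``pulumi destroy`` the resources are merely released from state.

    WARNING: destructive for anything still running inside a default VPC --
    such workloads lose all network connectivity. Check the default VPCs for
    attached network interfaces before applying.

    The region list comes from ``aws.get_regions()`` under the ambient
    provider, so opt-in regions not enabled for the account are not covered.

    Args:
        default_tags: tags merged onto every adopted resource (``None`` = no tags).
        vpc_name, security_group_name, network_acl_name, route_table_name:
            Pulumi resource-name prefixes, suffixed with ``-{region}``;
            ``None`` selects a ``default-*`` prefix.
        exclude_regions: regions to skip. Mutually exclusive with ``include_regions``.
        include_regions: when non-empty, only these regions are processed.

    Raises:
        ValueError: if both ``include_regions`` and ``exclude_regions`` are given.
    """
    if exclude_regions and include_regions:
        raise ValueError("You can't define both include and exclude regions")

    # ``default_tags`` defaults to ``None``; ``None | {...}`` would raise TypeError.
    base_tags = dict(default_tags) if default_tags else {}

    include = set(include_regions)
    exclude = set(exclude_regions)

    def _selected(region: str) -> bool:
        # Allow-list wins when given; otherwise everything not deny-listed.
        return region in include if include else region not in exclude

    if vpc_name is None:
        vpc_name = "default-vpc"
    if security_group_name is None:
        security_group_name = "default-security-group"
    if network_acl_name is None:
        network_acl_name = "default-network-acl"
    if route_table_name is None:
        route_table_name = "default-route-table"

    for region in aws.get_regions().names:
        if not _selected(region):
            continue

        # One explicit provider per region. Every resource below MUST carry it;
        # without it the resource is resolved in the ambient provider's region,
        # so the other regions' NACL and route table would never be locked down.
        provider = aws.Provider(f"provider-{region}", region=region)

        default_vpc = aws.ec2.DefaultVpc(
            resource_name=f"{vpc_name}-{region}",
            enable_dns_hostnames=True,
            enable_dns_support=True,
            tags=base_tags | {"Name": "default-vpc"},
            opts=pulumi.ResourceOptions(provider=provider),
        )

        # Empty ingress/egress revokes the default group's allow-all rules.
        aws.ec2.DefaultSecurityGroup(
            resource_name=f"{security_group_name}-{region}",
            vpc_id=default_vpc.id,
            ingress=[],
            egress=[],
            tags=base_tags | {"Name": "default-sg"},
            opts=pulumi.ResourceOptions(provider=provider),
        )

        # No rules leaves only the implicit deny-all. Subnets attach to the
        # default NACL automatically, so subnet_ids is left to drift.
        aws.ec2.DefaultNetworkAcl(
            resource_name=f"{network_acl_name}-{region}",
            default_network_acl_id=default_vpc.default_network_acl_id,
            subnet_ids=None,
            ingress=[],
            egress=[],
            tags=base_tags | {"Name": "default-nacl"},
            opts=pulumi.ResourceOptions(
                provider=provider,
                ignore_changes=["subnet_ids"],
            ),
        )

        # Empty routes drops the internet-gateway route. DefaultRouteTable has
        # no subnet_ids input, so there is nothing to ignore_changes on.
        aws.ec2.DefaultRouteTable(
            resource_name=f"{route_table_name}-{region}",
            default_route_table_id=default_vpc.default_route_table_id,
            routes=[],
            tags=base_tags | {"Name": "default-rtb"},
            opts=pulumi.ResourceOptions(provider=provider),
        )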