wiki'd

by JoKeru

Remove all AWS default VPCs using CLI

It's a good DevOps practice to keep all of your active infrastructure under your own control. Amazon creates a default VPC for you in every region, even though you will probably use only one (or two, for disaster recovery). Because that VPC was not created by your code, nothing in your infrastructure-as-code tracks or enforces its configuration, so it silently drifts from whatever you think it looks like.

It is also a security concern. The default VPC comes with an Internet Gateway attached, a main route table that sends 0.0.0.0/0 to that gateway, and default subnets that assign a public IPv4 address to every instance launched in them. Anything created without an explicit subnet, by you or (more likely) by someone else with access to the account, lands there and is reachable from the internet, protected only by its security group.

So here's a bash script that removes the default VPC in every region using a few simple AWS CLI commands (you also need jq installed):

#!/usr/bin/env bash
# Deletes the default VPC in every region enabled for the account.
# Requires the aws CLI, jq, and an AWS_PROFILE allowed to describe and delete
# VPCs, subnets, internet gateways and network interfaces.
set -euo pipefail

if [ -z "${AWS_PROFILE:-}" ]; then
  echo "No AWS_PROFILE set"
  exit 1
fi

for region in $(aws ec2 describe-regions --region eu-west-1 | jq -r '.Regions[].RegionName'); do

  echo "* Region ${region}"

  # get default vpc ("null" when the region has none)
  vpc=$(aws ec2 --region "${region}" \
    describe-vpcs --filters Name=isDefault,Values=true \
    | jq -r '.Vpcs[0].VpcId')

  if [ "${vpc}" = "null" ]; then
    echo "No default vpc found"
    continue
  fi
  echo "Found default vpc ${vpc}"

  # refuse to touch a default VPC that is still in use: any network interface
  # (instance, load balancer, Lambda, RDS, ...) makes delete-subnet and
  # delete-vpc fail, so list them and move on rather than half-delete the VPC
  enis=$(aws ec2 --region "${region}" \
    describe-network-interfaces --filters Name=vpc-id,Values="${vpc}" \
    | jq -r '.NetworkInterfaces[].NetworkInterfaceId')
  if [ -n "${enis}" ]; then
    echo "Default vpc ${vpc} still has network interfaces, skipping:"
    echo "${enis}"
    continue
  fi

  # get internet gateway ("null" when none is attached)
  igw=$(aws ec2 --region "${region}" \
    describe-internet-gateways --filters Name=attachment.vpc-id,Values="${vpc}" \
    | jq -r '.InternetGateways[0].InternetGatewayId')
  if [ "${igw}" != "null" ]; then
    echo "Detaching internet gateway ${igw}"
    aws ec2 --region "${region}" \
      detach-internet-gateway --internet-gateway-id "${igw}" --vpc-id "${vpc}"
    echo "Deleting internet gateway ${igw}"
    aws ec2 --region "${region}" \
      delete-internet-gateway --internet-gateway-id "${igw}"
  fi

  # get subnets (an empty string, not "null", when there are none)
  subnets=$(aws ec2 --region "${region}" \
    describe-subnets --filters Name=vpc-id,Values="${vpc}" \
    | jq -r '.Subnets[].SubnetId')
  for subnet in ${subnets}; do
    echo "Deleting subnet ${subnet}"
    aws ec2 --region "${region}" \
      delete-subnet --subnet-id "${subnet}"
  done

  # https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html
  # - You can't delete the main route table
  # - You can't delete the default network acl
  # - You can't delete the default security group
  # These three are removed together with the VPC. Any non-default security
  # group or route table someone added later will make delete-vpc fail, and
  # with set -e that stops the script here so the leftover can be inspected.

  # delete default vpc
  echo "Deleting vpc ${vpc}"
  aws ec2 --region "${region}" \
    delete-vpc --vpc-id "${vpc}"

done
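Before running the script against a region it helps to confirm what the default VPC actually exposes and whether delete-vpc would succeed at all. The Python below is an added example and not part of the original post: it audits saved output of aws ec2 describe-vpcs, describe-subnets, describe-route-tables and describe-network-interfaces for one region (run each with --region and redirect it to a file), flags the Internet Gateway default route and the auto-public subnets described above, and lists the network interfaces that would make deletion fail. The sample JSON, the vpc-/subnet-/eni- identifiers and the function names are constructed for this example.

```python
import json

# Constructed sample data shaped like the output of the four describe-* calls
# for one region. The identifiers are made up for this example.
SAMPLE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0default", "IsDefault": True, "CidrBlock": "172.31.0.0/16"},
    {"VpcId": "vpc-0custom", "IsDefault": False, "CidrBlock": "10.0.0.0/16"},
]})
SAMPLE_SUBNETS = json.dumps({"Subnets": [
    {"SubnetId": "subnet-0a", "VpcId": "vpc-0default", "DefaultForAz": True, "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0b", "VpcId": "vpc-0default", "DefaultForAz": True, "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0c", "VpcId": "vpc-0custom", "DefaultForAz": False, "MapPublicIpOnLaunch": False},
]})
SAMPLE_ROUTE_TABLES = json.dumps({"RouteTables": [{
    "RouteTableId": "rtb-0main", "VpcId": "vpc-0default",
    "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
    ],
}]})
SAMPLE_ENIS = json.dumps({"NetworkInterfaces": [{
    "NetworkInterfaceId": "eni-0x", "VpcId": "vpc-0default", "SubnetId": "subnet-0a",
    "Description": "Primary network interface", "Status": "in-use",
    "Attachment": {"InstanceId": "i-0abc"},
}]})


def _load(data):
    """Accept either saved CLI output (a JSON string) or an already-parsed dict."""
    return json.loads(data) if isinstance(data, str) else data


def find_default_vpc(vpcs_json):
    """Return the VpcId flagged IsDefault, or None if the region has no default VPC."""
    for vpc in _load(vpcs_json).get("Vpcs", []):
        if vpc.get("IsDefault"):
            return vpc["VpcId"]
    return None


def public_subnets(subnets_json, vpc_id):
    """Subnets of vpc_id that hand every launched instance a public IPv4 address."""
    return sorted(
        s["SubnetId"]
        for s in _load(subnets_json).get("Subnets", [])
        if s.get("VpcId") == vpc_id and s.get("MapPublicIpOnLaunch")
    )


def has_igw_default_route(route_tables_json, vpc_id):
    """True if the VPC's main route table sends 0.0.0.0/0 or ::/0 to an internet gateway."""
    for rtb in _load(route_tables_json).get("RouteTables", []):
        if rtb.get("VpcId") != vpc_id:
            continue
        if not any(a.get("Main") for a in rtb.get("Associations", [])):
            continue
        for route in rtb.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            target = str(route.get("GatewayId", ""))
            if dest in ("0.0.0.0/0", "::/0") and target.startswith("igw-") \
                    and route.get("State", "active") == "active":
                return True
    return False


def blocking_enis(enis_json, vpc_id):
    """Network interfaces still inside the VPC; each one makes delete-subnet/delete-vpc fail."""
    return sorted(
        eni["NetworkInterfaceId"]
        for eni in _load(enis_json).get("NetworkInterfaces", [])
        if eni.get("VpcId") == vpc_id
    )


def audit_default_vpc(vpcs_json, subnets_json, route_tables_json, enis_json):
    """Summarise the default VPC of one region, or return None if there is none."""
    vpc_id = find_default_vpc(vpcs_json)
    if vpc_id is None:
        return None
    enis = blocking_enis(enis_json, vpc_id)
    return {
        "vpc_id": vpc_id,
        "internet_exposed": has_igw_default_route(route_tables_json, vpc_id),
        "public_subnets": public_subnets(subnets_json, vpc_id),
        "blocking_enis": enis,
        "safe_to_delete": not enis,
    }


if __name__ == "__main__":
    import sys
    # Usage: audit.py vpcs.json subnets.json route-tables.json enis.json
    # (each saved from the matching `aws ec2 --region <r> describe-*` command);
    # with no arguments the constructed sample above is audited instead.
    if len(sys.argv) == 5:
        report = audit_default_vpc(*(open(p).read() for p in sys.argv[1:]))
    else:
        report = audit_default_vpc(SAMPLE_VPCS, SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_ENIS)
    print(json.dumps(report, indent=2))
```

On the sample data the report says the default VPC is internet exposed (0.0.0.0/0 to igw-0abc, two auto-public subnets) and not safe to delete because eni-0x, the primary interface of an instance, still lives in subnet-0a. Feeding the same four files for a clean region yields an empty blocking_enis list and safe_to_delete true, which is the state the deletion script expects to find.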

So far I have not found a reason to restore the default VPC, but in case you need it (with ${region} set to the region in question):

aws ec2 --region "${region}" create-default-vpc

You cannot have more than one default VPC per region; the call fails if the region already has one.
