🔧 Move Lambda to VPC (#5535)

* 🔧 Move Lambda to VPC * 🔧 Add security groups * 🎨 Update names and descriptions * 🔧 Update Lambdas to use specific security groups * WIP * Correct typo * 🔧 Add Secrets Manager VPC Endpoint * Update terraform/environments/analytical-platform-ingestion/lambda-functions.tf Co-authored-by: Jacob Woffenden <[email protected]> * Update all egress ranges Signed-off-by: Jacob Woffenden <[email protected]> --------- Signed-off-by: Jacob Woffenden <[email protected]> Co-authored-by: Jacob Woffenden <[email protected]>
ministryofjustice · Apr 3, 2024 · 532a4f5 · 532a4f5
1 parent cfe8b4f
commit 532a4f5
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 6 deletions.
diff --git a/terraform/environments/analytical-platform-ingestion/data.tf b/terraform/environments/analytical-platform-ingestion/data.tf
@@ -1 +1,7 @@
 data "aws_availability_zones" "available" {}
+
+data "aws_prefix_list" "s3" {
+  name = "com.amazonaws.eu-west-2.s3"
+
+  depends_on = [module.vpc_endpoints]
+}
diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
@@ -47,7 +47,7 @@ locals {
       transfer_image_version = "0.0.2"
 
       /* Target Buckets */
-      target_buckets = ["dev-ingestion-testing"]
+      target_buckets = []
 
       /* Transfer Server */
       transfer_server_hostname               = "sftp.ingestion.analytical-platform.service.justice.gov.uk"

diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
@@ -2,7 +2,7 @@ module "definition_upload_lambda" {
   #checkov:skip=CKV_TF_1:Module is from Terraform registry
 
   source  = "terraform-aws-modules/lambda/aws"
-  version = "7.2.1"
+  version = "7.2.5"
 
   publish        = true
   create_package = false
@@ -14,6 +14,10 @@ module "definition_upload_lambda" {
   timeout       = 900
   image_uri     = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:${local.environment_configuration.scan_image_version}"
 
+  vpc_subnet_ids         = module.vpc.private_subnets
+  vpc_security_group_ids = [module.definition_upload_lambda_security_group.security_group_id]
+  attach_network_policy  = true
+
   environment_variables = {
     MODE                         = "definition-upload",
     CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id
@@ -56,7 +60,7 @@ module "scan_lambda" {
   #checkov:skip=CKV_TF_1:Module is from Terraform registry
 
   source  = "terraform-aws-modules/lambda/aws"
-  version = "7.2.1"
+  version = "7.2.5"
 
   publish        = true
   create_package = false
@@ -69,6 +73,10 @@ module "scan_lambda" {
   timeout                = 900
   image_uri              = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-scan:${local.environment_configuration.scan_image_version}"
 
+  vpc_subnet_ids         = module.vpc.private_subnets
+  vpc_security_group_ids = [module.scan_lambda_security_group.security_group_id]
+  attach_network_policy  = true
+
   environment_variables = {
     MODE                         = "scan",
     CLAMAV_DEFINITON_BUCKET_NAME = module.definitions_bucket.s3_bucket_id
@@ -127,19 +135,23 @@ module "transfer_lambda" {
   #checkov:skip=CKV_TF_1:Module is from Terraform registry
 
   source  = "terraform-aws-modules/lambda/aws"
-  version = "7.2.1"
+  version = "7.2.5"
 
   publish        = true
   create_package = false
 
   function_name          = "transfer"
-  description            = ""
+  description            = "Transfers files from processed S3 to target S3"
   package_type           = "Image"
   memory_size            = 2048
   ephemeral_storage_size = 10240
   timeout                = 900
   image_uri              = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/analytical-platform-ingestion-transfer:${local.environment_configuration.transfer_image_version}"
 
+  vpc_subnet_ids         = module.vpc.private_subnets
+  vpc_security_group_ids = [module.transfer_lambda_security_group.security_group_id]
+  attach_network_policy  = true
+
   environment_variables = {
     PROCESSED_BUCKET_NAME = module.processed_bucket.s3_bucket_id
   }

diff --git a/terraform/environments/analytical-platform-ingestion/security-groups.tf b/terraform/environments/analytical-platform-ingestion/security-groups.tf
@@ -10,3 +10,57 @@ resource "aws_security_group" "transfer_server" {
   name        = "transfer-server"
   vpc_id      = module.vpc.vpc_id
 }
+
+module "definition_upload_lambda_security_group" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.application_name}-${local.environment}-definition-upload-lambda"
+  description = "Security Group for Definition Upload Lambda"
+
+  vpc_id = module.vpc.vpc_id
+
+  egress_cidr_blocks     = ["0.0.0.0/0"]
+  egress_rules           = ["all-all"]
+  egress_prefix_list_ids = [data.aws_prefix_list.s3.id]
+
+  tags = local.tags
+}
+
+module "transfer_lambda_security_group" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.application_name}-${local.environment}-transfer-lambda"
+  description = "Security Group for Transfer Lambda"
+
+  vpc_id = module.vpc.vpc_id
+
+  egress_cidr_blocks     = ["0.0.0.0/0"]
+  egress_rules           = ["all-all"]
+  egress_prefix_list_ids = [data.aws_prefix_list.s3.id]
+
+  tags = local.tags
+}
+
+module "scan_lambda_security_group" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.application_name}-${local.environment}-scan-lambda"
+  description = "Security Group for Scan Lambda"
+
+  vpc_id = module.vpc.vpc_id
+
+  egress_cidr_blocks     = ["0.0.0.0/0"]
+  egress_rules           = ["all-all"]
+  egress_prefix_list_ids = [data.aws_prefix_list.s3.id]
+
+  tags = local.tags
+}
diff --git a/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf b/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf
@@ -39,6 +39,15 @@ module "vpc_endpoints" {
         local.tags,
         { Name = format("%s-s3-vpc-endpoint", local.application_name) }
       )
-    }
+    },
+    secretsmanager = {
+      service             = "secretsmanager"
+      service_type        = "Interface"
+      private_dns_enabled = true
+      tags = merge(
+        local.tags,
+        { Name = format("%s-secretsmanager-vpc-endpoint", local.application_name) }
+      )
+    },
   }
 }