[NDR-234] Virus Scanner upgrade and on-demand lambda-VPC attachment (#404)

chrisbloe · robg-nhs · web-flow · commit fa19e0bdafd2 · 2025-09-03T12:38:29.000+01:00
* [NDR-234] Virus Scanner upgrade and on-demand lambda-VPC attachment

* Fix vpc_security_group_ids indexing in Terraform config

* Fix formatting of version line in virusscanner.tf

* Rename AWS IAM policy data source for VPC access

* Format variable definitions in variable.tf

---------

Co-authored-by: robg-nhs &lt;rob.gaskin@nhs.net&gt;
diff --git a/infrastructure/lambda-document-upload-check.tf b/infrastructure/lambda-document-upload-check.tf
@@ -10,6 +10,7 @@ module "document_upload_check_lambda" {
     aws_iam_policy.ssm_access_policy.policy,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = null
@@ -26,6 +27,8 @@ module "document_upload_check_lambda" {
   lambda_timeout                = 900
   is_gateway_integration_needed = false
   is_invoked_from_gateway       = false
+  vpc_subnet_ids                = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? module.ndr-vpc-ui.private_subnets : []
+  vpc_security_group_ids        = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? [data.aws_security_groups.virus_scanner_api.ids[0]] : []
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-bulk-staging-store,
@@ -34,6 +37,16 @@ module "document_upload_check_lambda" {
   ]
 }
 
+data "aws_iam_policy" "aws_lambda_vpc_access_execution_role" {
+  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+data "aws_security_groups" "virus_scanner_api" {
+  filter {
+    name   = "description"
+    values = ["Security Group for CloudStorageSec Api Agent"]
+  }
+}
 
 resource "aws_s3_bucket_notification" "document_upload_check_lambda_trigger" {
   count  = 1
@@ -53,4 +66,3 @@ resource "aws_lambda_permission" "document_upload_check_lambda" {
   principal     = "s3.amazonaws.com"
   source_arn    = "arn:aws:s3:::${module.ndr-bulk-staging-store.bucket_id}"
 }
-
diff --git a/infrastructure/modules/lambda/main.tf b/infrastructure/modules/lambda/main.tf
@@ -11,20 +11,34 @@ resource "aws_lambda_function" "lambda" {
   memory_size                    = var.memory_size
   reserved_concurrent_executions = var.reserved_concurrent_executions
   kms_key_arn                    = aws_kms_key.lambda.arn
+
   ephemeral_storage {
     size = var.lambda_ephemeral_storage
   }
+
   environment {
     variables = var.lambda_environment_variables
   }
+  
+  vpc_config {
+    subnet_ids         = var.vpc_subnet_ids
+    security_group_ids = var.vpc_security_group_ids
+  }
+
   layers = local.lambda_layers
+
   lifecycle {
     ignore_changes = [
       # These are required as Lambdas are deployed via the CI/CD pipelines
       source_code_hash,
       layers
     ]
   }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.default_policies,
+    aws_iam_role_policy_attachment.lambda_execution_policy
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "lambda_logs" {
diff --git a/infrastructure/modules/lambda/variable.tf b/infrastructure/modules/lambda/variable.tf
@@ -118,3 +118,14 @@ variable "kms_deletion_window" {
   default     = 30
 }
 
+variable "vpc_subnet_ids" {
+  description = "List of subnet IDs associated with the Lambda function, if it sits within a VPC."
+  type        = list(string)
+  default     = []
+}
+
+variable "vpc_security_group_ids" {
+  description = "List of security group IDs associated with the Lambda function, if it sits within a VPC."
+  type        = list(string)
+  default     = []
+}
diff --git a/infrastructure/virusscanner.tf b/infrastructure/virusscanner.tf
@@ -68,7 +68,7 @@ module "cloud_storage_security" {
   count = local.is_production ? 1 : 0
 
   source                       = "cloudstoragesec/cloud-storage-security/aws"
-  version                      = "1.8.7+css9.01.003"
+  version                      = "1.8.8+css9.02.000"                             # Check https://help.cloudstoragesec.com/release-notes/latest-v9 for updates
   cidr                         = [var.cloud_security_console_black_hole_address] # This is a reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available
   email                        = data.aws_ssm_parameter.cloud_security_admin_email.value
   subnet_a_id                  = aws_subnet.virus_scanning_a[0].id
