[NDR-234] Move lambda-document-upload-check into VPC

Author: robg-test

infrastructure/lambda-document-upload-check.tf

@@ -10,6 +10,7 @@ module "document_upload_check_lambda" {
     aws_iam_policy.ssm_access_policy.policy,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy
   ]
   rest_api_id       = null
   http_methods      = null
@@ -25,6 +26,8 @@ module "document_upload_check_lambda" {
   lambda_timeout                = 900
   is_gateway_integration_needed = false
   is_invoked_from_gateway       = false
+  vpc_subnet_ids                = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? module.ndr-vpc-ui.private_subnets : []
+  vpc_security_group_ids        = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? [data.aws_security_groups.virus_scanner_api.ids[0]] : []
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-bulk-staging-store,
@@ -33,6 +36,16 @@ module "document_upload_check_lambda" {
   ]
 }
 
+data "aws_iam_policy" "aws_lambda_vpc_access_execution_role" {
+  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+data "aws_security_groups" "virus_scanner_api" {
+  filter {
+    name   = "description"
+    values = ["Security Group for CloudStorageSec Api Agent"]
+  }
+}
 
 resource "aws_s3_bucket_notification" "document_upload_check_lambda_trigger" {
   count  = 1
@@ -51,4 +64,5 @@ resource "aws_lambda_permission" "document_upload_check_lambda" {
   function_name = module.document_upload_check_lambda[0].function_name
   principal     = "s3.amazonaws.com"
   source_arn    = "arn:aws:s3:::${module.ndr-bulk-staging-store.bucket_id}"
-}
+}
+

infrastructure/modules/lambda/main.tf

@@ -10,20 +10,34 @@ resource "aws_lambda_function" "lambda" {
   timeout                        = var.lambda_timeout
   memory_size                    = var.memory_size
   reserved_concurrent_executions = var.reserved_concurrent_executions
+
   ephemeral_storage {
     size = var.lambda_ephemeral_storage
   }
+
   environment {
     variables = var.lambda_environment_variables
   }
+
+  vpc_config {
+    subnet_ids         = var.vpc_subnet_ids
+    security_group_ids = var.vpc_security_group_ids
+  }
+
   layers = local.lambda_layers
+
   lifecycle {
     ignore_changes = [
       # These are required as Lambdas are deployed via the CI/CD pipelines
       source_code_hash,
       layers
     ]
   }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.default_policies,
+    aws_iam_role_policy_attachment.lambda_execution_policy
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "lambda_logs" {

infrastructure/modules/lambda/variable.tf

@@ -111,3 +111,16 @@ variable "extra_lambda_layers" {
   type    = list(string)
   default = ["arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:53"]
 }
+
+variable "vpc_subnet_ids" {
+  description = "List of subnet IDs associated with the Lambda function, if it sits within a VPC."
+  type        = list(string)
+  default     = []
+}
+
+variable "vpc_security_group_ids" {
+  description = "List of security group IDs associated with the Lambda function, if it sits within a VPC."
+  type        = list(string)
+  default     = []
+}
+