add sg

Author: alexnuttall

infrastructure/terraform/components/acct/security_group_allow_sftp_egress.tf

@@ -0,0 +1,29 @@
+resource "aws_security_group" "allow_sftp_egress" {
+  name        = "${local.csi}-sftp-egress"
+  vpc_id      = module.vpc.vpc_id
+  description = "Security group for allowing outbound traffic to SFTP"
+
+  tags = {
+    Name = "${local.csi}-sftp-egress"
+  }
+}
+
+resource "aws_security_group_rule" "allow_sftp_egress_ssh" {
+  description       = "Allow SFTP egress within VPC on port 22"
+  type              = "egress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.allow_sftp_egress.id
+}
+
+resource "aws_security_group_rule" "allow_sftp_egress_https" {
+  description       = "Allow SFTP egress within VPC on port 443"
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.allow_sftp_egress.id
+}

infrastructure/terraform/components/app/data_vpc_account_vpc.tf

@@ -0,0 +1,25 @@
+
+data "aws_vpc" "account_vpc" {
+  tags = {
+    Component = "acct"
+  }
+}
+
+data "aws_subnets" "account_vpc_private_subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.account_vpc.id]
+  }
+
+  tags = {
+    Tier = "Private"
+  }
+}
+
+data "aws_security_group" "account_vpc_sg_allow_sftp_egress" {
+  vpc_id = data.aws_vpc.account_vpc.id
+
+  tags = {
+    Name = "${data.aws_vpc.account_vpc.tags["Project"]}-${data.aws_vpc.account_vpc.tags["Environment"]}-acct-vpc-sftp-egress"
+  }
+}

infrastructure/terraform/components/sandbox/data_vpc_account_vpc.tf

@@ -21,6 +21,16 @@ module "lambda_send_letter_proof" {
     TEMPLATES_TABLE_NAME    = aws_dynamodb_table.templates.name
     NODE_OPTIONS            = "--enable-source-maps",
   }
+
+  vpc = {
+    id         = data.aws_vpc.account_vpc.id
+    cidr_block = data.aws_vpc.account_vpc.cidr_block
+    subnet_ids = data.aws_subnets.account_vpc_private_subnets.ids
+  }
+
+  security_group_ids = [
+    data.aws_security_group.account_vpc_sg_allow_sftp_egress.id
+  ]
 }
 
 data "aws_iam_policy_document" "send_letter_proof" {

infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf

@@ -18,4 +18,13 @@ resource "aws_lambda_function" "main" {
       target_arn = var.dead_letter_target_arn
     }
   }
+
+  dynamic "vpc_config" {
+    for_each = var.vpc != null ? [1] : []
+
+    content {
+      subnet_ids         = var.vpc.subnet_ids
+      security_group_ids = var.security_group_ids
+    }
+  }
 }

infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf

@@ -58,3 +58,17 @@ variable "dead_letter_target_arn" {
   type        = string
   default     = null
 }
+
+variable "vpc" {
+  description = "VPC details"
+  type = optional(object({
+    id         = string
+    cidr_block = string
+    subnet_ids = set(string)
+  }))
+}
+
+variable "security_group_ids" {
+  type    = list(string)
+  default = []
+}

infrastructure/terraform/modules/lambda-function/lambda_function_main.tf

@@ -1,14 +1,14 @@
 import winston from 'winston';
 import { Writable } from 'node:stream';
 
-const { combine, timestamp, json } = winston.format;
+const { combine, timestamp, json, errors } = winston.format;
 
 export function createMockLogger() {
   const logMessages: { msg?: string } & Record<string, unknown>[] = [];
 
   const logger = winston.createLogger({
     level: 'info',
-    format: combine(timestamp(), json()),
+    format: combine(timestamp(), json(), errors({ stack: true, cause: true })),
     transports: [
       new winston.transports.Stream({
         stream: new Writable({