CCM-9703: sftp vpc config (#441)

Author: alexnuttall

infrastructure/terraform/components/acct/security_group_allow_sftp_egress.tf

@@ -7,3 +7,25 @@ resource "aws_security_group" "allow_sftp_egress" {
     Name = "${local.csi}-sftp-egress"
   }
 }
+
+#trivy:ignore:aws-ec2-no-public-egress-sgr
+resource "aws_security_group_rule" "allow_sftp_egress_ssh" {
+  description       = "Allow SFTP egress within VPC on port 22"
+  type              = "egress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.allow_sftp_egress.id
+}
+
+#trivy:ignore:aws-ec2-no-public-egress-sgr
+resource "aws_security_group_rule" "allow_sftp_egress_https" {
+  description       = "Allow SFTP egress within VPC on port 443"
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.allow_sftp_egress.id
+}

infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf

@@ -0,0 +1,24 @@
+data "aws_vpc" "account_vpc" {
+  tags = {
+    Component = "acct"
+  }
+}
+
+data "aws_subnets" "account_vpc_private_subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.account_vpc.id]
+  }
+
+  tags = {
+    Subnet = "Private"
+  }
+}
+
+data "aws_security_group" "account_vpc_sg_allow_sftp_egress" {
+  vpc_id = data.aws_vpc.account_vpc.id
+
+  tags = {
+    Name = "${data.aws_vpc.account_vpc.tags["Project"]}-${data.aws_vpc.account_vpc.tags["Environment"]}-acct-sftp-egress"
+  }
+}

infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf

@@ -32,6 +32,13 @@ module "lambda_send_letter_proof" {
       maximum_concurrency = 5
     }
   }
+
+  vpc = {
+    id                 = data.aws_vpc.account_vpc.id
+    cidr_block         = data.aws_vpc.account_vpc.cidr_block
+    subnet_ids         = data.aws_subnets.account_vpc_private_subnets.ids
+    security_group_ids = [data.aws_security_group.account_vpc_sg_allow_sftp_egress.id]
+  }
 }
 
 data "aws_iam_policy_document" "send_letter_proof" {

infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf

@@ -22,6 +22,13 @@ module "lambda_sftp_poll" {
 
   timeout     = 60 * 10
   memory_size = 2048
+
+  vpc = {
+    id                 = data.aws_vpc.account_vpc.id
+    cidr_block         = data.aws_vpc.account_vpc.cidr_block
+    subnet_ids         = data.aws_subnets.account_vpc_private_subnets.ids
+    security_group_ids = [data.aws_security_group.account_vpc_sg_allow_sftp_egress.id]
+  }
 }
 
 data "aws_iam_policy_document" "sftp_poll" {

infrastructure/terraform/modules/lambda-function/iam_role_lambda_execution_role.tf

@@ -14,6 +14,12 @@ resource "aws_iam_role_policy_attachment" "lambda_execution" {
   policy_arn = aws_iam_policy.lambda_execution_policy.arn
 }
 
+resource "aws_iam_role_policy_attachment" "lambda_function_vpc" {
+  count      = var.vpc == null ? 0 : 1
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
 data "aws_iam_policy_document" "lambda_service_trust_policy" {
   statement {
     sid    = "LambdaAssumeRole"