add config

alexnuttall · alexnuttall · commit f64735674e14 · 2025-04-25T15:56:00.000+01:00
diff --git a/infrastructure/terraform/components/acct/security_group_allow_sftp_egress.tf b/infrastructure/terraform/components/acct/security_group_allow_sftp_egress.tf
@@ -7,3 +7,25 @@ resource "aws_security_group" "allow_sftp_egress" {
     Name = "${local.csi}-sftp-egress"
   }
 }
+
+#trivy:ignore:aws-ec2-no-public-egress-sgr
+resource "aws_security_group_rule" "allow_sftp_egress_ssh" {
+  description       = "Allow SFTP egress within VPC on port 22"
+  type              = "egress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.allow_sftp_egress.id
+}
+
+#trivy:ignore:aws-ec2-no-public-egress-sgr
+resource "aws_security_group_rule" "allow_sftp_egress_https" {
+  description       = "Allow SFTP egress within VPC on port 443"
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.allow_sftp_egress.id
+}
diff --git a/infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf b/infrastructure/terraform/modules/backend-api/data_vpc_account_vpc.tf
@@ -0,0 +1,24 @@
+data "aws_vpc" "account_vpc" {
+  tags = {
+    Component = "acct"
+  }
+}
+
+data "aws_subnets" "account_vpc_private_subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.account_vpc.id]
+  }
+
+  tags = {
+    Tier = "Private"
+  }
+}
+
+data "aws_security_group" "account_vpc_sg_allow_sftp_egress" {
+  vpc_id = data.aws_vpc.account_vpc.id
+
+  tags = {
+    Name = "${data.aws_vpc.account_vpc.tags["Project"]}-${data.aws_vpc.account_vpc.tags["Environment"]}-acct-vpc-sftp-egress"
+  }
+}
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf
@@ -32,6 +32,13 @@ module "lambda_send_letter_proof" {
       maximum_concurrency = 5
     }
   }
+
+  vpc = {
+    id                 = data.aws_vpc.account_vpc.id
+    cidr_block         = data.aws_vpc.account_vpc.cidr_block
+    subnet_ids         = data.aws_subnets.account_vpc_private_subnets
+    security_group_ids = [aws_security_group.aws_security_group.account_vpc_sg_allow_sftp_egress.id]
+  }
 }
 
 data "aws_iam_policy_document" "send_letter_proof" {

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,13 @@ module "lambda_send_letter_proof" {`
`32`	`32`	`maximum_concurrency = 5`
`33`	`33`	`}`
`34`	`34`	`}`
	`35`	`+`
	`36`	`+ vpc = {`
	`37`	`+ id = data.aws_vpc.account_vpc.id`
	`38`	`+ cidr_block = data.aws_vpc.account_vpc.cidr_block`
	`39`	`+ subnet_ids = data.aws_subnets.account_vpc_private_subnets`
	`40`	`+ security_group_ids = [aws_security_group.aws_security_group.account_vpc_sg_allow_sftp_egress.id]`
	`41`	`+ }`
`35`	`42`	`}`
`36`	`43`
`37`	`44`	`data "aws_iam_policy_document" "send_letter_proof" {`