Merge pull request #697 from pagopa/feat/update-sg-lambda-assertion

uolter · web-flow · commit 80de2e51f3b4 · 2025-04-07T17:21:21.000+02:00
feat: Update sg lambda assertion
diff --git a/src/infra/dev/eu-south-1/main.tf b/src/infra/dev/eu-south-1/main.tf
@@ -284,6 +284,7 @@ module "backend" {
     vpc_id                            = module.network.vpc_id
     vpc_subnet_ids                    = module.network.intra_subnets_ids
     vpc_s3_prefix_id                  = module.network.vpc_endpoints["s3"]["prefix_list_id"]
+    vpc_tls_security_group_id         = module.network.security_group_vpc_tls_id
     cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days
   }
 
diff --git a/src/infra/modules/backend/README.md b/src/infra/modules/backend/README.md
@@ -193,6 +193,7 @@
 | [aws_sqs_queue.pipe_dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_ssm_parameter.key_pem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_vpc_security_group_egress_rule.client_registration_sec_group_egress_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_egress_rule.https_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [random_integer.bucket_lambda_code_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
 | [aws_iam_policy_document.assertion_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.client_registration_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -210,7 +211,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account id. | `string` | n/a | yes |
-| <a name="input_assertion_lambda"></a> [assertion\_lambda](#input\_assertion\_lambda) | n/a | <pre>object({<br>    name                              = string<br>    filename                          = string<br>    s3_assertion_bucket_arn           = string<br>    kms_assertion_key_arn             = string<br>    environment_variables             = map(string)<br>    cloudwatch_logs_retention_in_days = number<br>    vpc_s3_prefix_id                  = string<br>    vpc_subnet_ids                    = list(string)<br>    vpc_id                            = string<br>  })</pre> | n/a | yes |
+| <a name="input_assertion_lambda"></a> [assertion\_lambda](#input\_assertion\_lambda) | n/a | <pre>object({<br>    name                              = string<br>    filename                          = string<br>    s3_assertion_bucket_arn           = string<br>    kms_assertion_key_arn             = string<br>    environment_variables             = map(string)<br>    cloudwatch_logs_retention_in_days = number<br>    vpc_s3_prefix_id                  = string<br>    vpc_tls_security_group_id         = string<br>    vpc_subnet_ids                    = list(string)<br>    vpc_id                            = string<br>  })</pre> | n/a | yes |
 | <a name="input_aws_caller_identity"></a> [aws\_caller\_identity](#input\_aws\_caller\_identity) | n/a | `string` | `""` | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region. | `string` | n/a | yes |
 | <a name="input_client_alarm"></a> [client\_alarm](#input\_client\_alarm) | n/a | <pre>object({<br>    namespace = string<br>    clients = list(object({<br>      client_id     = string<br>      friendly_name = string<br>    }))<br>  })</pre> | `null` | no |
diff --git a/src/infra/modules/backend/lambda.tf b/src/infra/modules/backend/lambda.tf
@@ -499,6 +499,7 @@ data "aws_iam_policy_document" "assertion_lambda" {
   }
 }
 
+
 module "security_group_lambda_assertion" {
   source  = "terraform-aws-modules/security-group/aws"
   version = "4.17.2"
@@ -518,10 +519,21 @@ module "security_group_lambda_assertion" {
   egress_rules = ["https-443-tcp"]
 }
 
+
+resource "aws_vpc_security_group_egress_rule" "https_rule" {
+  security_group_id            = module.security_group_lambda_assertion.security_group_id
+  from_port                    = 443
+  ip_protocol                  = "tcp"
+  to_port                      = 443
+  referenced_security_group_id = var.assertion_lambda.vpc_tls_security_group_id
+}
+
 resource "aws_sqs_queue" "dlq_lambda_assertion" {
   name = format("%s-dlq", var.assertion_lambda.name)
 }
 
+
+
 module "assertion_lambda" {
   source                 = "terraform-aws-modules/lambda/aws"
   version                = "7.4.0"
diff --git a/src/infra/modules/backend/variables.tf b/src/infra/modules/backend/variables.tf
@@ -236,6 +236,7 @@ variable "assertion_lambda" {
     environment_variables             = map(string)
     cloudwatch_logs_retention_in_days = number
     vpc_s3_prefix_id                  = string
+    vpc_tls_security_group_id         = string
     vpc_subnet_ids                    = list(string)
     vpc_id                            = string
   })
diff --git a/src/infra/prod/eu-central-1/main.tf b/src/infra/prod/eu-central-1/main.tf
@@ -250,6 +250,7 @@ module "backend" {
     vpc_id                            = module.network.vpc_id
     vpc_subnet_ids                    = module.network.intra_subnets_ids
     vpc_s3_prefix_id                  = module.network.vpc_endpoints["s3"]["prefix_list_id"]
+    vpc_tls_security_group_id         = module.network.security_group_vpc_tls_id
     cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days
   }
 
diff --git a/src/infra/prod/eu-south-1/main.tf b/src/infra/prod/eu-south-1/main.tf
@@ -294,6 +294,7 @@ module "backend" {
     vpc_id                            = module.network.vpc_id
     vpc_subnet_ids                    = module.network.intra_subnets_ids
     vpc_s3_prefix_id                  = module.network.vpc_endpoints["s3"]["prefix_list_id"]
+    vpc_tls_security_group_id         = module.network.security_group_vpc_tls_id
     cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days
   }
 
diff --git a/src/infra/uat/eu-south-1/main.tf b/src/infra/uat/eu-south-1/main.tf
@@ -278,6 +278,7 @@ module "backend" {
     vpc_id                            = module.network.vpc_id
     vpc_subnet_ids                    = module.network.intra_subnets_ids
     vpc_s3_prefix_id                  = module.network.vpc_endpoints["s3"]["prefix_list_id"]
+    vpc_tls_security_group_id         = module.network.security_group_vpc_tls_id
     cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days
   }
   idp_metadata_lambda = {
diff --git a/src/oneid/oneid-lambda-assertion/index.py b/src/oneid/oneid-lambda-assertion/index.py
@@ -46,7 +46,7 @@ def publish_metric(value: float, metric_name: str) -> None:
             'MetricName': metric_name,
             'Value': float(value),
             'Unit': 'Count',
-            'StorageResolution': 60,
+            'StorageResolution': 60
         }]
     )    
        

Original file line number	Diff line number	Diff line change
`@@ -284,6 +284,7 @@ module "backend" {`
`284`	`284`	`vpc_id = module.network.vpc_id`
`285`	`285`	`vpc_subnet_ids = module.network.intra_subnets_ids`
`286`	`286`	`vpc_s3_prefix_id = module.network.vpc_endpoints["s3"]["prefix_list_id"]`
	`287`	`+ vpc_tls_security_group_id = module.network.security_group_vpc_tls_id`
`287`	`288`	`cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days`
`288`	`289`	`}`
`289`	`290`
Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,7 @@ module "backend" {`
`250`	`250`	`vpc_id = module.network.vpc_id`
`251`	`251`	`vpc_subnet_ids = module.network.intra_subnets_ids`
`252`	`252`	`vpc_s3_prefix_id = module.network.vpc_endpoints["s3"]["prefix_list_id"]`
	`253`	`+ vpc_tls_security_group_id = module.network.security_group_vpc_tls_id`
`253`	`254`	`cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days`
`254`	`255`	`}`
`255`	`256`
Original file line number	Diff line number	Diff line change
`@@ -294,6 +294,7 @@ module "backend" {`
`294`	`294`	`vpc_id = module.network.vpc_id`
`295`	`295`	`vpc_subnet_ids = module.network.intra_subnets_ids`
`296`	`296`	`vpc_s3_prefix_id = module.network.vpc_endpoints["s3"]["prefix_list_id"]`
	`297`	`+ vpc_tls_security_group_id = module.network.security_group_vpc_tls_id`
`297`	`298`	`cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days`
`298`	`299`	`}`
`299`	`300`
Original file line number	Diff line number	Diff line change
`@@ -278,6 +278,7 @@ module "backend" {`
`278`	`278`	`vpc_id = module.network.vpc_id`
`279`	`279`	`vpc_subnet_ids = module.network.intra_subnets_ids`
`280`	`280`	`vpc_s3_prefix_id = module.network.vpc_endpoints["s3"]["prefix_list_id"]`
	`281`	`+ vpc_tls_security_group_id = module.network.security_group_vpc_tls_id`
`281`	`282`	`cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days`
`282`	`283`	`}`
`283`	`284`	`idp_metadata_lambda = {`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ def publish_metric(value: float, metric_name: str) -> None:`
`46`	`46`	`'MetricName': metric_name,`
`47`	`47`	`'Value': float(value),`
`48`	`48`	`'Unit': 'Count',`
`49`		`- 'StorageResolution': 60,`
	`49`	`+ 'StorageResolution': 60`
`50`	`50`	`}]`
`51`	`51`	`)`
`52`	`52`