PYIC-2327

Exported DynamoDB KMS key from core-back and imported it into deploy-delete-user-data. Also added all of the vpc connections to deploy-delete-user-data lambda, so that it operates through the dev platform vpc. modified: deploy-delete-user-data/template.yaml modified: deploy/template.yaml
govuk-one-login · Jan 27, 2023 · 6ad27ff · 6ad27ff
1 parent 95a8042
commit 6ad27ff
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 5 deletions.
diff --git a/deploy-delete-user-data/template.yaml b/deploy-delete-user-data/template.yaml
@@ -6,11 +6,11 @@ Description: >-
 Parameters:
   Environment:
     Type: String
-# VpcStackName:
-#   Description: >
-#     The name of the stack that defines the VPC in which this container will
-#     run.
-#   Type: String
+  VpcStackName:
+   Description: >
+     The name of the stack that defines the VPC in which this container will
+     run.
+   Type: String
   CodeSigningConfigArn:
     Type: String
     Description: >
@@ -50,6 +50,27 @@ Mappings:
       production: "" #arn to be provided by auth
 
 Resources:
+  LambdaSecurityGroup:
+    Type: "AWS::EC2::SecurityGroup"
+    Properties:
+      GroupDescription: >-
+        Core Back Lambda Security Group outbound permissions ruleset
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow outbound HTTPS traffic to Internet - Network Firewall will allow only to CRIs
+          FromPort: 443
+          IpProtocol: tcp
+          ToPort: 443
+      SecurityGroupIngress:
+        - CidrIp:
+            Fn::ImportValue: !Sub ${VpcStackName}-VpcCidr
+          Description: Allow inbound traffic from vpc cidr to port 443
+          FromPort: 443
+          IpProtocol: tcp
+          ToPort: 443
+      VpcId:
+        Fn::ImportValue: !Sub ${VpcStackName}-VpcId
+
   DeleteUserDataFunction:
     Type: AWS::Serverless::Function
     Properties:
@@ -73,6 +94,28 @@ Resources:
         - UseCodeSigning
         - !Ref CodeSigningConfigArn
         - !Ref AWS::NoValue
+      VpcConfig:
+        SubnetIds:
+          - Fn::ImportValue: !Sub ${VpcStackName}-ProtectedSubnetIdA
+          - Fn::ImportValue: !Sub ${VpcStackName}-ProtectedSubnetIdB
+        SecurityGroupIds:
+          - !GetAtt LambdaSecurityGroup.GroupId
+      Policies:
+        - VPCAccessPolicy: { }
+        - Statement:
+            - Sid: EnforceStayinSpecificVpc
+              Effect: Allow
+              Action:
+                - 'lambda:CreateFunction'
+                - 'lambda:UpdateFunctionConfiguration'
+              Resource:
+                - "*"
+              Condition:
+                StringEquals:
+                  "lambda:VpcIds":
+                    - Fn::ImportValue: !Sub ${VpcStackName}-VpcId
+        - KMSDecryptPolicy:
+            KeyId: !ImportValue DynamoDBKmsKey
     Metadata:
       BuildMethod: esbuild
       BuildProperties:

diff --git a/deploy/template.yaml b/deploy/template.yaml
@@ -2339,3 +2339,8 @@ Outputs:
     Export:
       Name: !Sub "IPVCoreExternalAPIGatewayID-${Environment}"
     Value: !Ref IPVCoreExternalAPI
+  DynamoDBKmsKey:
+    Description: Core Back DynamoDB KMS Key Export
+    Value: !Ref DynamoDBKmsKey
+    Export:
+      Name: DynamoDBKmsKey