create security group

anthony-nhs · anthony-nhs · commit 2dfffbaccfd0 · 2025-05-03T15:46:16.000Z
diff --git a/.gitallowed b/.gitallowed
@@ -9,6 +9,7 @@ id-token: write
 # Allow CIDR blocks in CloudFormation templates and related files
 CidrBlock: "10\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}"
 DestinationCidrBlock: "0\.0\.0\.0/0"
+CidrIp: 127\.0\.0\.1/32
 
 # Java corretto is not a secret
 .*java corretto.*
diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -104,6 +104,15 @@ Resources:
         LogRetentionDays: !Ref LogRetentionDays
         ExecutePolicyExportName: FHIRValidatorNHSDigitalExecuteLambdaPolicyArn
 
+  sgwithoutegress:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Limits security group egress traffic
+      SecurityGroupEgress:
+        - CidrIp: 127.0.0.1/32
+          IpProtocol: "-1"
+      VpcId: vpc-078cd165c7acf6f63
+
   FHIRValidatorNHSDigital:
     Type: AWS::Serverless::Function
     Properties:
@@ -122,6 +131,8 @@ Resources:
       Layers:
         - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:56"
       VpcConfig:
+        SecurityGroupIds:
+          - !Ref sgwithoutegress
         SubnetIds:
           - subnet-0df16e0ac5f81607f
           - subnet-0fee41653b358c179
@@ -135,7 +146,6 @@ Resources:
       guard:
         SuppressedRules:
           - LAMBDA_DLQ_CHECK
-          - LAMBDA_INSIDE_VPC
           - LAMBDA_CONCURRENCY_CHECK
 
   Alarms:
