aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0
604 stars 386 forks

Web Proxy Integration Without Public Egress Dependencies #416

Open mafitconsulting opened 5 months ago

mafitconsulting commented 5 months ago

Describe the outcome you'd like

I'm seeking the ability to configure the use of a web proxy for managing public egress traffic within the Terraform AWS Control Tower Account Factory project. Currently, the solution necessitates the configuration of public egress resources like internet gateways, NAT gateways, and public subnets. However, in organizations that prioritize security best practices, this approach is not practical. Therefore, I would like to propose the capability to enable the use of a web proxy without the requirement to provision public egress resources.

Based on my understanding of the product, only the CodeBuild jobs should need access to the internet. However, the Lambda function code that utilises the AuthClient class from the aft-commons package attempts to access the public STS endpoint. This behaviour can be modified to align with our desired configuration.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

While there is no immediate problem, we have taken the initiative to fork the module and refactor the Terraform code to enable us to use the product as described above.

Additional context

  1. Allow for optional usage of public egress resources.
  2. Enable optional configuration for a web proxy. If enabled, this would involve creating a web proxy VPC endpoint (VPCE), Route53 records, and a VPCE security group.
  3. Offer optional support for a web proxy and the AWS_STS_REGIONAL_ENDPOINTS environment variable for all relevant Lambda functions.
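The three items above describe one Terraform change. The following HCL is an added sketch of how they fit together; it is not code from the AFT module or from the issue author. The variable names (`enable_public_egress`, `web_proxy_endpoint_service_name`, `web_proxy_hostname`, `web_proxy_port`), the resource names, and the surrounding VPC, subnet, EIP, IAM role, security group and private hosted zone resources it references are all assumptions made for the illustration.

```hcl
# Added illustration (not AFT's own code). Assumes aws_vpc.aft, aws_subnet.public,
# aws_subnet.private, aws_eip.nat, aws_iam_role.lambda, aws_security_group.lambda and
# aws_route53_zone.private are declared elsewhere in the configuration.

variable "enable_public_egress" {
  description = "Create the NAT gateway egress path (true keeps today's AFT behaviour)."
  type        = bool
  default     = true
}

variable "web_proxy_endpoint_service_name" {
  description = "PrivateLink service name of the organisation's web proxy (assumed); null disables the proxy path."
  type        = string
  default     = null
}

variable "web_proxy_hostname" {
  description = "Name clients use for the proxy, published in the private hosted zone (assumed)."
  type        = string
  default     = "proxy.internal.example"
}

variable "web_proxy_port" {
  type    = number
  default = 3128
}

locals {
  use_web_proxy = var.web_proxy_endpoint_service_name != null
  proxy_url     = "http://${var.web_proxy_hostname}:${var.web_proxy_port}"
  proxy_env = {
    HTTPS_PROXY = local.proxy_url
    HTTP_PROXY  = local.proxy_url
    NO_PROXY    = "localhost,127.0.0.1" # keep the Lambda runtime's local calls off the proxy
  }
}

# 1. Public egress becomes optional: the NAT gateway exists only when enabled.
resource "aws_nat_gateway" "aft" {
  count         = var.enable_public_egress ? 1 : 0
  allocation_id = aws_eip.nat[0].id
  subnet_id     = aws_subnet.public[0].id
}

# 2. Web proxy reached over PrivateLink: security group, interface endpoint, Route53 record.
resource "aws_security_group" "proxy_vpce" {
  count  = local.use_web_proxy ? 1 : 0
  name   = "aft-web-proxy-vpce"
  vpc_id = aws_vpc.aft.id

  ingress {
    from_port   = var.web_proxy_port
    to_port     = var.web_proxy_port
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.aft.cidr_block] # only the AFT VPC may reach the proxy endpoint
  }
}

resource "aws_vpc_endpoint" "proxy" {
  count               = local.use_web_proxy ? 1 : 0
  vpc_id              = aws_vpc.aft.id
  service_name        = var.web_proxy_endpoint_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.proxy_vpce[0].id]
  private_dns_enabled = false # customer-owned service; the name is published below instead
}

resource "aws_route53_record" "proxy" {
  count   = local.use_web_proxy ? 1 : 0
  zone_id = aws_route53_zone.private.zone_id
  name    = var.web_proxy_hostname
  type    = "CNAME"
  ttl     = 60
  records = [aws_vpc_endpoint.proxy[0].dns_entry[0].dns_name]
}

# 3. Lambda functions: regional STS endpoint always, proxy variables only when enabled.
resource "aws_lambda_function" "aft_example" {
  function_name = "aft-example"
  role          = aws_iam_role.lambda.arn
  handler       = "app.lambda_handler"
  runtime       = "python3.11"
  filename      = "lambda.zip"

  vpc_config {
    subnet_ids         = aws_subnet.private[*].id
    security_group_ids = [aws_security_group.lambda.id]
  }

  environment {
    variables = merge(
      # boto3 honours this and calls sts.<region>.amazonaws.com instead of the global endpoint
      { AWS_STS_REGIONAL_ENDPOINTS = "regional" },
      # the for-expression avoids a conditional between objects of different shapes
      { for k, v in local.proxy_env : k => v if local.use_web_proxy }
    )
  }
}
```

With `enable_public_egress = false` and a proxy service name set, the plan contains no NAT gateway; the functions' HTTPS calls (including the `AuthClient` STS call, now directed at the regional endpoint) go to the proxy name resolved through the private hosted zone, and the proxy's allow-list becomes the single place to review which public endpoints the account factory may reach.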

Sanjan611 commented 5 months ago

Thanks @mafitconsulting , I've added an item in our backlog to explore this further.