Run in VPC behind proxy

[tenjaa]

Hi, we would love to use this library but we have some corporate restrictions.

• Internet access is only possible via an authenticated proxy. In https://github.com/awslabs/cdk-serverless-clamscan/blob/e74080d7ad1ce5fe127cfd60f4bd0101eaab913a/assets/lambda/code/download_defs/lambda.py#L81 you are already editing the freshclam.conf. Here needs to be the proxy information added.

Something like.

f.write("\nHTTPProxyServer $proxyServer")
f.write("\nHTTPProxyPort $proxyPort")
f.write("\nHTTPProxyUsername $proxyUsername")
f.write("\nHTTPProxyPassword $proxyPassword")

• Every Lambda must run in a VPC. We have this covert with via an Aspect but an option to configure it would be nice to have.

Would you be open for a PR?

[dontirun]

PRs are great! Let's talk about this first.

Every Lambda must run in a VPC.

Disregarding the authenticated proxy for a moment, this part could be accomplished by

1. Creating an Internet Gateway on the the VPC
2. Creating a NAT Gateway on the VPC
3. Moving the Lambda to a private subnet

Internet access is only possible via an authenticated proxy

This part is a little tricky. Having a fleet of proxies running just for this solution would detract from the serverless aspect of it, not to mention that the proxy setup would be custom.

[tenjaa]

It is a company wide proxy that is mandatory to use for everyone. So the proxy is already there and we would love to make this solution work with it.

My proposal would be something like:

const sc = new ServerlessClamscan(this, 'rClamscan', {
      buckets: bucketList,
      proxy: {
            user: string,
            password: string,
            url: string,
            port: number
      }
    });

[dontirun]

I think the interface should be something more like

const sc = new ServerlessClamscan(this, 'rClamscan', {
      buckets: bucketList,
      vpcOnlyMode: {
            enabled: true,
            proxy: {
               userSecret: secret,
               passwordSecret: secret,
               url: string,
               port: number
           }
      }
    });

This gives flexibility to those who need a VPC only mode with and without a proxy.

Let's discuss the proxy setup. The VPC currently does not currently have an Internet Gateway, NAT Gateway, Peering Connections, VGW Gateway, etc. Can you provide more information on the proposed setup to connect to the proxy?

[tenjaa]

I think we are talking about two different things.

This library should not create a proxy or vpc. We get a vpc that has a custom vpc endpoint allowing it connect to a proxy that already exists. It will never be possible to reach the internet directly.

[dontirun]

I think this is related to #138

Currently, this construct creates a VPC with specific configurations. Due to those configurations it's not a simple change to allow for an existing VPC.

I mentioned this in the linked issue, but I have concerns about mutating already existing resources as that may cause unintended consequences for other resources that rely on them.

[tenjaa]

Ahh ok, guess I was not understanding your point. Well then it is for us the same as in the issue you linked, we will have to adapt it to our specific needs. Thanks!