feat: Support placing the lambda into a VPC (#1078)

* feat: Support placing the lambda into a VPC

* docs: Add documentation for SopsSyncProviderProps

* docs: Add example for lambda networking configuration

README.md

@@ -127,6 +127,28 @@ const secret = new SopsSecret(this, 'SopsComplexSecretJSON', {
 });
 ```
 
+
+### Use a VPC for the Lambda Function
+
+Internally, SopsSync uses a lambda function. In some environments it may be necessary to place this lambda function into a VPC and configure subnets and/or security groups for it.
+This can be done by creating a custom `SopsSyncProvider`, setting the required networking configuration and passing it to the secret like this:
+
+```typescript
+// Create the provider
+const provider = new SopsSyncProvider(this, 'CustomSopsSyncProvider', {
+  vpc: myVpc,
+  vpcSubnets: subnetSelection,
+  securityGroups: [mySecurityGroup],
+});
+// create the secret and pass the the provider to it
+const secret = new SopsSecret(this, 'SopsSecret', {
+  sopsProvider: provider,
+  secretName: 'myCoolSecret',
+  sopsFilePath: 'secrets/sopsfile-encrypted.json',
+});
+```
+
+
 ### UploadType: INLINE / ASSET
 
 I decided, that the default behavior should be "INLINE" because of the following consideration:
@@ -247,4 +269,4 @@ The problem this Construct addresses is so good, already two other implementatio
 
 ## License
 
-The Apache-2.0 license. Please have a look at the [LICENSE](LICENSE) and [LICENSE-3RD-PARTY](LICENSE-3RD-PARTY).
+The Apache-2.0 license. Please have a look at the [LICENSE](LICENSE) and [LICENSE-3RD-PARTY](LICENSE-3RD-PARTY).

src/SopsSync.ts

@@ -9,6 +9,7 @@ import {
   CustomResource,
   FileSystem,
 } from 'aws-cdk-lib';
+import { ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2';
 import {
   IGrantable,
   IRole,
@@ -169,10 +170,34 @@ export interface SopsSyncProps extends SopsSyncOptions {
   readonly encryptionKey?: IKey;
 }
 
+/**
+ * Configuration options for a custom SopsSyncProvider.
+ */
+export interface SopsSyncProviderProps {
+  /**
+   * VPC network to place Lambda network interfaces.
+   *
+   * @default - Lambda function is not placed within a VPC.
+   */
+  readonly vpc?: IVpc;
+  /**
+   * Where to place the network interfaces within the VPC.
+   *
+   * @default - Subnets will be chosen automatically.
+   */
+  readonly vpcSubnets?: SubnetSelection;
+  /**
+   * Only if `vpc` is supplied: The list of security groups to associate with the Lambda's network interfaces.
+   *
+   * @default - A dedicated security group will be created for the lambda function.
+   */
+  readonly securityGroups?: ISecurityGroup[];
+}
+
 export class SopsSyncProvider extends SingletonFunction implements IGrantable {
   private sopsAgeKeys: SecretValue[];
 
-  constructor(scope: Construct, id?: string) {
+  constructor(scope: Construct, id?: string, props?: SopsSyncProviderProps) {
     super(scope, id ?? 'SopsSyncProvider', {
       code: Code.fromAsset(
         scope.node.tryGetContext('sops_sync_provider_asset_path') ||
@@ -190,6 +215,9 @@ export class SopsSyncProvider extends SingletonFunction implements IGrantable {
             ),
         }),
       },
+      vpc: props?.vpc,
+      vpcSubnets: props?.vpcSubnets,
+      securityGroups: props?.securityGroups,
     });
     this.sopsAgeKeys = [];
   }