infrastructure updates

infrastructure/cdk/lib/condition-check-lambda-stack.ts

@@ -3,6 +3,7 @@ import * as lambda from "aws-cdk-lib/aws-lambda";
 import * as iam from "aws-cdk-lib/aws-iam";
 import * as scheduler from "aws-cdk-lib/aws-scheduler";
 import * as sqs from "aws-cdk-lib/aws-sqs";
+import * as ec2 from "aws-cdk-lib/aws-ec2";
 import { Construct } from "constructs";
 import * as path from "path";
 
@@ -36,6 +37,16 @@ interface ConditionCheckLambdaStackProps extends cdk.StackProps {
    * Whether emails are enabled
    */
   emailEnabled?: boolean;
+
+  /**
+   * VPC for Lambda function (required for network isolation)
+   */
+  vpc: ec2.IVpc;
+
+  /**
+   * Security group for Lambda function
+   */
+  lambdaSecurityGroup: ec2.ISecurityGroup;
 }
 
 export class ConditionCheckLambdaStack extends cdk.Stack {
@@ -73,6 +84,8 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
       sesFromEmail,
       sesFromName = "Village Share",
       emailEnabled = true,
+      vpc,
+      lambdaSecurityGroup,
     } = props;
 
     // Dead Letter Queue for failed Lambda invocations
@@ -126,6 +139,13 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
       })
     );
 
+    // VPC permissions - use AWS managed policy for Lambda VPC access
+    lambdaRole.addManagedPolicy(
+      iam.ManagedPolicy.fromAwsManagedPolicyName(
+        "service-role/AWSLambdaVPCAccessExecutionRole"
+      )
+    );
+
     // Lambda function
     this.lambdaFunction = new lambda.Function(
       this,
@@ -171,6 +191,12 @@ export class ConditionCheckLambdaStack extends cdk.Stack {
         deadLetterQueue: this.deadLetterQueue,
         retryAttempts: 2,
         description: "Sends condition check reminder emails for rentals",
+        // VPC configuration for network isolation
+        vpc,
+        vpcSubnets: {
+          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
+        },
+        securityGroups: [lambdaSecurityGroup],
       }
     );