From 691531a1c34079f892b35ea497398af6fc2a49a4 Mon Sep 17 00:00:00 2001
From: philmcmahon
Date: Mon, 11 Mar 2024 10:50:20 +0000
Subject: [PATCH] Disable outbound access from worker security group
---
 .../transcription-service.test.ts.snap | 50 +++++++++++++++++--
 packages/cdk/lib/transcription-service.ts | 2 +-
 2 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/packages/cdk/lib/__snapshots__/transcription-service.test.ts.snap b/packages/cdk/lib/__snapshots__/transcription-service.test.ts.snap
index 6b120dc..c573b26 100644
--- a/packages/cdk/lib/__snapshots__/transcription-service.test.ts.snap
+++ b/packages/cdk/lib/__snapshots__/transcription-service.test.ts.snap
@@ -660,9 +660,24 @@ exports[`The TranscriptionService stack matches the snapshot 1`] = `
 "GroupDescription": "TranscriptionService/TranscriptionServiceWorkerSGTranscriptionserviceworker",
 "SecurityGroupEgress": [
 {
- "CidrIp": "0.0.0.0/0",
- "Description": "Allow all outbound traffic by default",
- "IpProtocol": "-1",
+ "Description": {
+ "Fn::Join": [
+ "",
+ [
+ "from ",
+ {
+ "Fn::ImportValue": "internet-enabled-vpc-AWSEndpointSecurityGroup",
+ },
+ ":443",
+ ],
+ ],
+ },
+ "DestinationSecurityGroupId": {
+ "Fn::ImportValue": "internet-enabled-vpc-AWSEndpointSecurityGroup",
+ },
+ "FromPort": 443,
+ "IpProtocol": "tcp",
+ "ToPort": 443,
 },
 ],
 "Tags": [
@@ -693,6 +708,35 @@ exports[`The TranscriptionService stack matches the snapshot 1`] = `
 },
 "Type": "AWS::EC2::SecurityGroup",
 },
+ "TranscriptionServiceWorkerSGTranscriptionserviceworkertoIndirectPeer44380412F57": {
+ "Properties": {
+ "Description": {
+ "Fn::Join": [
+ "",
+ [
+ "to ",
+ {
+ "Ref": "S3PrefixListIdParameter",
+ },
+ ":443",
+ ],
+ ],
+ },
+ "DestinationPrefixListId": {
+ "Ref": "S3PrefixListIdParameter",
+ },
+ "FromPort": 443,
+ "GroupId": {
+ "Fn::GetAtt": [
+ "TranscriptionServiceWorkerSGTranscriptionserviceworker6EE23C91",
+ "GroupId",
+ ],
+ },
+ "IpProtocol": "tcp",
+ "ToPort": 443,
+ },
+ "Type": "AWS::EC2::SecurityGroupEgress",
+ },
 "TranscriptionWorkerASGCAE69A98": {
 "Properties": {
 "AutoScalingGroupName": "transcription-service-workers-TEST",
diff --git a/packages/cdk/lib/transcription-service.ts b/packages/cdk/lib/transcription-service.ts
index 89fb380..9976a94 100644
--- a/packages/cdk/lib/transcription-service.ts
+++ b/packages/cdk/lib/transcription-service.ts
@@ -341,7 +341,7 @@ export class TranscriptionService extends GuStack {
 {
 app: workerApp,
 vpc,
- allowAllOutbound: true,
+ allowAllOutbound: false,
 },
 );
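Review bot: The switch to `allowAllOutbound: false` carries no comment explaining what egress the worker keeps, even though the snapshot in this same commit shows it is now limited to TCP/443 towards the imported `internet-enabled-vpc-AWSEndpointSecurityGroup` and the `S3PrefixListIdParameter` prefix list, so a reader of the stack cannot tell from this line that public HTTPS APIs, package mirrors and any AWS service without a VPC endpoint are now unreachable. I would put a comment above the changed line: `// Outbound is deliberately restricted: the worker may only reach the VPC interface endpoints and the S3 gateway prefix list on 443 (rules declared elsewhere in this stack). Any new outbound dependency needs an explicit rule or a new endpoint.` It is also worth confirming that every AWS service the worker calls (not visible from this hunk) is fronted by an interface endpoint behind that imported security group, since a call to a service without one will typically hang until the SDK times out rather than fail fast. The constructor call this props object belongs to starts before and ends after the hunk.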