fix(lambda): Function allows specifying vpcSubnets without vpc (#21369)
This is almost certainly never something that a user would intend.
As-is, `vpcSubnets` does nothing if `vpc` is unspecified, so the Lambda
Function would have no interfaces placed in a VPC. This is unlikely to be what
a user would have expected if they passed a set of private subnets. This
should be an error to prevent users from accidentally thinking they've
put a Lambda Function into a VPC.

If throwing an Error is a breaking change and not acceptable, then
perhaps at least a Warning Annotation should be added in this case.

This is motivated by the feedback received during review of #21357.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
laurelmay authored Aug 4, 2022
1 parent a2bb263 commit e9233fa
Showing 2 changed files with 21 additions and 1 deletion.
7 changes: 6 additions & 1 deletion packages/@aws-cdk/aws-lambda/lib/function.ts
Expand Up @@ -1094,7 +1094,12 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
throw new Error('Cannot configure \'securityGroup\' or \'allowAllOutbound\' without configuring a VPC');
}

if (!props.vpc) { return undefined; }
if (!props.vpc) {
if (props.vpcSubnets) {
throw new Error('Cannot configure \'vpcSubnets\' without configuring a VPC');
}
return undefined;
}

if (props.securityGroup && props.allowAllOutbound !== undefined) {
throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
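Review bot: the `vpcSubnets` property documentation is not updated alongside the new throw in the `if (!props.vpc)` branch; the 6 additions counted for function.ts are all this guard, so nothing in the API docs tells a caller that `vpcSubnets` now requires `vpc`. Suggest adding a sentence to the property's doc comment stating that it is only valid together with `vpc` and that supplying it alone is an error. Because apps that previously synthesized with a stray `vpcSubnets` will now fail at construction time, the behaviour change is also worth calling out explicitly where the fix is announced.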
15 changes: 15 additions & 0 deletions packages/@aws-cdk/aws-lambda/test/vpc-lambda.test.ts
Expand Up @@ -323,6 +323,21 @@ describe('lambda + vpc', () => {
});
}).toThrow(/Lambda Functions in a public subnet/);
});

test('specifying vpcSubnets without a vpc throws an Error', () => {
// GIVEN
const stack = new cdk.Stack();

// WHEN
expect(() => {
new lambda.Function(stack, 'Function', {
code: new lambda.InlineCode('foo'),
handler: 'index.handler',
runtime: lambda.Runtime.NODEJS_14_X,
vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE },
});
}).toThrow('Cannot configure \'vpcSubnets\' without configuring a VPC');
});
});

class SomethingConnectable implements ec2.IConnectable {
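Review bot: the new test covers only `vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }`, while the guard it exercises, `if (props.vpcSubnets)`, fires on any truthy value, including an empty selection `{}`. Suggest adding a second case with `vpcSubnets: {}` (or an explicit `subnets` list) so the intended behaviour for those inputs is pinned down by a test. As a style point, the block has `// GIVEN` and `// WHEN` markers but the `expect(...).toThrow(...)` assertion is unlabelled; a `// THEN` marker would keep it consistent.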