-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor(lambda): missing Lambda VPC and security validation #26528
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
Exemption Request. |
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
The following PR adds validation for the case when `allowAllOutbound` and `securityGroups` are specified at the same time in `FunctionOptions`. #26528 (#27157) According to related issues and discussions, this PR causes existing Lambda deployments to fail. However, since this change has already been merged and I think it is the correct change, I did not fix the validation process but added documentation to clarify the behavior. Relates to #28170, #27669 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When we are using the Security group without VPC for @aws-cdk/aws-lambda package it was working well but when we have migrate it to the aws-cdk-lib/aws-lambda package we are getting following error message, Kindly suggest the possible solution for it. |
Hi @mbhaalalhhaexchange ✋ |
Hi @lpizzinidev , It was working fine with aws cdk v1 library (@aws-cdk/aws-lambda). So, why it is changed it in aws cdk v2 library (aws-cdk-lib/aws-lambda) ? |
@mbhaalalhhaexchange |
Hi @lpizzinidev , ` super(scope, id, {
|
@mbhaalalhhaexchange You can either:
|
Hi @lpizzinidev , It is understandable this changes is introduced in AWS CDK V2 right ? |
Yep.
Both parameters are still optional, we just added validation as specifying If you don't need to change your implementation, you can remove the |
Hi @lpizzinidev , We can understand that but we want to make sure like same code should be work with AWS CDK V2 as well but due to this validation , also need to modify code and i am feeling worry about for future overheads. |
After doing some research , some articles are claiming that AWS Team has introduced this change due to security concerns but here I do not see any security concerns. If we do not pass to VPC and only want to pass security groups then it should allow. This condition is forcing us to do required changes in our code. What's your thoughts on this ? |
Hi @lpizzinidev , What's your thoughts on this ? |
@mbhaalalhhaexchange |
Hi @lpizzinidev , It is understood but it is strange that AWS has silently ignored in v1. It was not expected that they have forgot to add such type of validations. |
Specifying the
securityGroups
property requires avpc
.This fix adds validation for the case when a
vpc
is not specified, butsecurityGroups
is.It also adds validation for the case when both
securityGroups
andallowAllOutbound
are specified (allowAllOutbound
should be configured in the SGs).Question for the reviewers
How should we handle the case of an empty list in
securityGroups
? (egsecurityGroups: []
)Closes #26508.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license