aws · mergify · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
@@ -1236,14 +1236,15 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
       throw new Error('Only one of the function props, securityGroup or securityGroups, is allowed');
     }
 
+    const hasSecurityGroups = props.securityGroups && props.securityGroups.length > 0;
     if (!props.vpc) {
       if (props.allowAllOutbound !== undefined) {
         throw new Error('Cannot configure \'allowAllOutbound\' without configuring a VPC');
       }
       if (props.securityGroup) {
         throw new Error('Cannot configure \'securityGroup\' without configuring a VPC');
       }
-      if (props.securityGroups) {
+      if (hasSecurityGroups) {
         throw new Error('Cannot configure \'securityGroups\' without configuring a VPC');
       }
       if (props.vpcSubnets) {
@@ -1252,17 +1253,18 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
       return undefined;
     }
 
-    if (props.securityGroup && props.allowAllOutbound !== undefined) {
-      throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
-    }
-
-    if (props.securityGroups && props.allowAllOutbound !== undefined) {
-      throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
+    if (props.allowAllOutbound !== undefined) {
+      if (props.securityGroup) {
+        throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
+      }
+      if (hasSecurityGroups) {
+        throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
+      }
     }
 
     let securityGroups: ec2.ISecurityGroup[];
 
-    if (props.securityGroups) {
+    if (hasSecurityGroups) {
       securityGroups = props.securityGroups;
     } else {
       const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {

diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
@@ -3518,6 +3518,50 @@ describe('VPC configuration', () => {
       allowAllOutbound: false,
     })).toThrow(/Configure 'allowAllOutbound' directly on the supplied SecurityGroups./);
   });
+
+  test('with VPC and empty securityGroups creates a default security group', () => {
+    const stack = new cdk.Stack();
+
+    const vpc = new ec2.Vpc(stack, 'Vpc', {
+      maxAzs: 3,
+      natGateways: 1,
+    });
+    new lambda.Function(stack, 'MyLambda', {
+      vpc,
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.PYTHON_3_9,
+      securityGroups: [],
+    });
+
+    Template.fromStack(stack).resourceCountIs('AWS::EC2::SecurityGroup', 1);
+  });
+
+  test('with no VPC and empty securityGroups', () => {
+    const stack = new cdk.Stack();
+    expect(() => new lambda.Function(stack, 'MyLambda', {
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.PYTHON_3_9,
+      securityGroups: [],
+    })).not.toThrow();
+  });
+
+  test('with empty securityGroups and allowAllOutbound', () => {
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Vpc', {
+      maxAzs: 3,
+      natGateways: 1,
+    });
+    expect(() => new lambda.Function(stack, 'MyLambda', {
+      vpc,
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.PYTHON_3_9,
+      securityGroups: [],
+      allowAllOutbound: false,
+    })).not.toThrow();
+  });
 });
 
 function newTestLambda(scope: constructs.Construct) {