Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(lambda): ignore empty securityGroups property #27157

Merged
merged 2 commits into from
Sep 15, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 10 additions & 8 deletions packages/aws-cdk-lib/aws-lambda/lib/function.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1236,14 +1236,15 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
throw new Error('Only one of the function props, securityGroup or securityGroups, is allowed');
}

const hasSecurityGroups = props.securityGroups && props.securityGroups.length > 0;
if (!props.vpc) {
if (props.allowAllOutbound !== undefined) {
throw new Error('Cannot configure \'allowAllOutbound\' without configuring a VPC');
}
if (props.securityGroup) {
throw new Error('Cannot configure \'securityGroup\' without configuring a VPC');
}
if (props.securityGroups) {
if (hasSecurityGroups) {
throw new Error('Cannot configure \'securityGroups\' without configuring a VPC');
}
if (props.vpcSubnets) {
Expand All @@ -1252,17 +1253,18 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
return undefined;
}

if (props.securityGroup && props.allowAllOutbound !== undefined) {
throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
}

if (props.securityGroups && props.allowAllOutbound !== undefined) {
throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
if (props.allowAllOutbound !== undefined) {
if (props.securityGroup) {
throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
}
if (hasSecurityGroups) {
throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
}
}

let securityGroups: ec2.ISecurityGroup[];

if (props.securityGroups) {
if (hasSecurityGroups) {
securityGroups = props.securityGroups;
} else {
const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
Expand Down
44 changes: 44 additions & 0 deletions packages/aws-cdk-lib/aws-lambda/test/function.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3518,6 +3518,50 @@ describe('VPC configuration', () => {
allowAllOutbound: false,
})).toThrow(/Configure 'allowAllOutbound' directly on the supplied SecurityGroups./);
});

test('with VPC and empty securityGroups creates a default security group', () => {
const stack = new cdk.Stack();

const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 3,
natGateways: 1,
});
new lambda.Function(stack, 'MyLambda', {
vpc,
code: new lambda.InlineCode('foo'),
handler: 'index.handler',
runtime: lambda.Runtime.PYTHON_3_9,
securityGroups: [],
});

Template.fromStack(stack).resourceCountIs('AWS::EC2::SecurityGroup', 1);
});

test('with no VPC and empty securityGroups', () => {
const stack = new cdk.Stack();
expect(() => new lambda.Function(stack, 'MyLambda', {
code: new lambda.InlineCode('foo'),
handler: 'index.handler',
runtime: lambda.Runtime.PYTHON_3_9,
securityGroups: [],
})).not.toThrow();
});

test('with empty securityGroups and allowAllOutbound', () => {
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 3,
natGateways: 1,
});
expect(() => new lambda.Function(stack, 'MyLambda', {
vpc,
code: new lambda.InlineCode('foo'),
handler: 'index.handler',
runtime: lambda.Runtime.PYTHON_3_9,
securityGroups: [],
allowAllOutbound: false,
})).not.toThrow();
});
});

function newTestLambda(scope: constructs.Construct) {
Expand Down