refactor(lambda): ignore empty securityGroups property (#27157)

Changes the checks on `securityGroups` to avoid throwing errors, if `vpc` is not specified, or create a default security group when an empty array is passed. Closes #27147. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Sep 15, 2023 · f1948a9 · f1948a9
1 parent 3eda572
commit f1948a9
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 8 deletions.
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
@@ -1236,14 +1236,15 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
  throw new Error('Only one of the function props, securityGroup or securityGroups, is allowed');
  }
 
+ const hasSecurityGroups = props.securityGroups && props.securityGroups.length > 0;
  if (!props.vpc) {
  if (props.allowAllOutbound !== undefined) {
  throw new Error('Cannot configure \'allowAllOutbound\' without configuring a VPC');
  }
  if (props.securityGroup) {
  throw new Error('Cannot configure \'securityGroup\' without configuring a VPC');
  }
- if (props.securityGroups) {
+ if (hasSecurityGroups) {
  throw new Error('Cannot configure \'securityGroups\' without configuring a VPC');
  }
  if (props.vpcSubnets) {
@@ -1252,17 +1253,18 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
  return undefined;
  }
 
- if (props.securityGroup && props.allowAllOutbound !== undefined) {
- throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
- }
-
- if (props.securityGroups && props.allowAllOutbound !== undefined) {
- throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
+ if (props.allowAllOutbound !== undefined) {
+ if (props.securityGroup) {
+ throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
+ }
+ if (hasSecurityGroups) {
+ throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
+ }
  }
 
  let securityGroups: ec2.ISecurityGroup[];
 
- if (props.securityGroups) {
+ if (hasSecurityGroups) {
  securityGroups = props.securityGroups;
  } else {
  const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {

diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
@@ -3518,6 +3518,50 @@ describe('VPC configuration', () => {
  allowAllOutbound: false,
  })).toThrow(/Configure 'allowAllOutbound' directly on the supplied SecurityGroups./);
  });
+
+ test('with VPC and empty securityGroups creates a default security group', () => {
+ const stack = new cdk.Stack();
+
+ const vpc = new ec2.Vpc(stack, 'Vpc', {
+ maxAzs: 3,
+ natGateways: 1,
+ });
+ new lambda.Function(stack, 'MyLambda', {
+ vpc,
+ code: new lambda.InlineCode('foo'),
+ handler: 'index.handler',
+ runtime: lambda.Runtime.PYTHON_3_9,
+ securityGroups: [],
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::EC2::SecurityGroup', 1);
+ });
+
+ test('with no VPC and empty securityGroups', () => {
+ const stack = new cdk.Stack();
+ expect(() => new lambda.Function(stack, 'MyLambda', {
+ code: new lambda.InlineCode('foo'),
+ handler: 'index.handler',
+ runtime: lambda.Runtime.PYTHON_3_9,
+ securityGroups: [],
+ })).not.toThrow();
+ });
+
+ test('with empty securityGroups and allowAllOutbound', () => {
+ const stack = new cdk.Stack();
+ const vpc = new ec2.Vpc(stack, 'Vpc', {
+ maxAzs: 3,
+ natGateways: 1,
+ });
+ expect(() => new lambda.Function(stack, 'MyLambda', {
+ vpc,
+ code: new lambda.InlineCode('foo'),
+ handler: 'index.handler',
+ runtime: lambda.Runtime.PYTHON_3_9,
+ securityGroups: [],
+ allowAllOutbound: false,
+ })).not.toThrow();
+ });
 });
 
 function newTestLambda(scope: constructs.Construct) {