From f1948a91badd5ba6dd69878102eb89d90918301a Mon Sep 17 00:00:00 2001
From: Luca Pizzini
Date: Fri, 15 Sep 2023 17:28:37 +0200
Subject: [PATCH] refactor(lambda): ignore empty securityGroups property (#27157)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes the checks on `securityGroups` to avoid throwing errors, if `vpc` is not specified, or create a default security group when an empty array is passed.

Closes #27147.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../aws-cdk-lib/aws-lambda/lib/function.ts    | 18 ++++----
 .../aws-lambda/test/function.test.ts          | 44 +++++++++++++++++++
 2 files changed, 54 insertions(+), 8 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
index 7e54ed57ff324..49474a936b89c 100644
--- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts
+++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
@@ -1236,6 +1237,7 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
       throw new Error('Only one of the function props, securityGroup or securityGroups, is allowed');
     }
 
+    const hasSecurityGroups = props.securityGroups && props.securityGroups.length > 0;
     if (!props.vpc) {
       if (props.allowAllOutbound !== undefined) {
         throw new Error('Cannot configure \'allowAllOutbound\' without configuring a VPC');
@@ -1243,7 +1244,7 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
       if (props.securityGroup) {
         throw new Error('Cannot configure \'securityGroup\' without configuring a VPC');
       }
-      if (props.securityGroups) {
+      if (hasSecurityGroups) {
         throw new Error('Cannot configure \'securityGroups\' without configuring a VPC');
       }
       if (props.vpcSubnets) {
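Review bot: `hasSecurityGroups` is declared after the `Only one of the function props, securityGroup or securityGroups, is allowed` guard, whose condition sits above the hunk; if that guard tests `props.securityGroups` for truthiness, passing `securityGroup` together with `securityGroups: []` still throws even though this commit treats an empty array as "not provided" everywhere else. Hoist the declaration above that guard and use it there, e.g. `if (props.securityGroup && hasSecurityGroups) {`. The expression as written also types as `boolean | undefined`; `const hasSecurityGroups = (props.securityGroups?.length ?? 0) > 0;` yields a plain boolean and reads the same. The enclosing method starts and ends outside this hunk.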
@@ -1252,17 +1253,18 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett
       return undefined;
     }
 
-    if (props.securityGroup && props.allowAllOutbound !== undefined) {
-      throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
-    }
-
-    if (props.securityGroups && props.allowAllOutbound !== undefined) {
-      throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
+    if (props.allowAllOutbound !== undefined) {
+      if (props.securityGroup) {
+        throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.');
+      }
+      if (hasSecurityGroups) {
+        throw new Error('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.');
+      }
     }
 
     let securityGroups: ec2.ISecurityGroup[];
-    if (props.securityGroups) {
+    if (hasSecurityGroups) {
       securityGroups = props.securityGroups;
     } else {
       const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
index 135ef3e27606a..e465f07f78e9c 100644
--- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
+++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
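Review bot: An empty `securityGroups` array now falls silently into the `else` branch and receives a construct-created default security group whose properties, including its egress rules, are set in the object literal that continues outside this hunk, so a caller who passed `[]` to mean "no network access" gets whatever that default allows with no signal. That is a quiet widening of network exposure for code that previously hit an error path; consider warning on the empty-array case (if the file already imports `Annotations`, something like `Annotations.of(this).addWarning('securityGroups is empty; a default security group will be created')`) and at least document the branch: `// An empty securityGroups array is treated as "not provided" and falls through to the default security group below.` Since `allowAllOutbound` is now accepted alongside `securityGroups: []`, also confirm it is forwarded into that default `ec2.SecurityGroup`'s props, which are not visible here. The enclosing method starts outside this hunk.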
@@ -3518,6 +3518,50 @@ describe('VPC configuration', () => {
       allowAllOutbound: false,
     })).toThrow(/Configure 'allowAllOutbound' directly on the supplied SecurityGroups./);
   });
+
+  test('with VPC and empty securityGroups creates a default security group', () => {
+    const stack = new cdk.Stack();
+
+    const vpc = new ec2.Vpc(stack, 'Vpc', {
+      maxAzs: 3,
+      natGateways: 1,
+    });
+    new lambda.Function(stack, 'MyLambda', {
+      vpc,
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.PYTHON_3_9,
+      securityGroups: [],
+    });
+
+    Template.fromStack(stack).resourceCountIs('AWS::EC2::SecurityGroup', 1);
+  });
+
+  test('with no VPC and empty securityGroups', () => {
+    const stack = new cdk.Stack();
+    expect(() => new lambda.Function(stack, 'MyLambda', {
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.PYTHON_3_9,
+      securityGroups: [],
+    })).not.toThrow();
+  });
+
+  test('with empty securityGroups and allowAllOutbound', () => {
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Vpc', {
+      maxAzs: 3,
+      natGateways: 1,
+    });
+    expect(() => new lambda.Function(stack, 'MyLambda', {
+      vpc,
+      code: new lambda.InlineCode('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.PYTHON_3_9,
+      securityGroups: [],
+      allowAllOutbound: false,
+    })).not.toThrow();
+  });
 });
 
 function newTestLambda(scope: constructs.Construct) {
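Review bot: The `with empty securityGroups and allowAllOutbound` test only asserts `not.toThrow()`, so a regression that creates the default security group without honouring `allowAllOutbound: false` would still pass; assert the synthesized group has no wide-open egress, e.g. `Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', { SecurityGroupEgress: Match.not(Match.arrayWith([Match.objectLike({ CidrIp: '0.0.0.0/0' })])) });` (assuming `Match` is imported from the assertions module, which is outside the hunk). Likewise the first new test checks only `resourceCountIs(..., 1)` and never ties that group to the function; adding `Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', { VpcConfig: { SecurityGroupIds: [Match.anyValue()] } });` would pin that the function actually uses the created group. The `describe('VPC configuration')` block starts outside this hunk.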