feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions #31013

ashishdhingra · 2024-08-02T21:49:15Z

Issue # (if applicable)

Reason for this change

SecurityGroupProps supports allowAllIpv6Outbound property. The existing Lambda FunctionOptions only supports allowAllOutbound, which is used in configureVpc() while creating a new SecurityGroup here.

Description of changes

Added new property allowAllIpv6Outbound to FunctionOptions.

Description of how you validated changes

Added unit and integration tests.

Checklist

My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

aws-cdk-automation

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

packages/aws-cdk-lib/aws-lambda/lib/function.ts

packages/aws-cdk-lib/aws-lambda/test/function.test.ts

packages/aws-cdk-lib/aws-lambda/lib/function.ts

packages/aws-cdk-lib/aws-lambda/README.md

pahud

Just some minor nit

packages/aws-cdk-lib/aws-lambda/test/function.test.ts

pahud · 2024-08-05T23:57:34Z

Question - what happens if allowAllOutbound: false with allowAllIpv6Outbound: true? Is it allowed?

packages/aws-cdk-lib/aws-lambda/README.md

Pull request has been modified.

ashishdhingra · 2024-08-06T06:49:55Z

Question - what happens if allowAllOutbound: false with allowAllIpv6Outbound: true? Is it allowed?

@pahud I will test it tomorrow with ec2.SecurityGroup. As per my understanding, it would not add outbound rule for IPv4.

pahud

generally LGTM except for some nit

packages/aws-cdk-lib/aws-lambda/README.md

pahud

we are not really deploying vpc in unit tests so I prefer to keep the code as simple as possible

packages/aws-cdk-lib/aws-lambda/test/function.test.ts

Pull request has been modified.

ashishdhingra · 2024-08-06T17:23:51Z

Question - what happens if allowAllOutbound: false with allowAllIpv6Outbound: true? Is it allowed?

@pahud I will test it tomorrow with ec2.SecurityGroup. As per my understanding, it would not add outbound rule for IPv4.

@pahud Using the code new ec2.SecurityGroup(this, 'mySecurityGroup', { vpc, allowAllOutbound: false, allowAllIpv6Outbound: true}); results below in the CloudFormation template:

  mySecurityGroup6B1044D0:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: CdktestStack/mySecurityGroup
      SecurityGroupEgress:
        - CidrIp: 255.255.255.255/32
          Description: Disallow all traffic
          FromPort: 252
          IpProtocol: icmp
          ToPort: 86
        - CidrIpv6: ::/0
          Description: Allow all outbound ipv6 traffic by default
          IpProtocol: "-1"
      VpcId:
        Ref: myVpc3CC7CF9E
    Metadata:
      aws:cdk:path: CdktestStack/mySecurityGroup/Resource

Below is deployed Security Group:

Thanks,
Ashish

lpizzinidev

Thanks 👍

lpizzinidev · 2024-08-07T16:00:05Z

packages/aws-cdk-lib/aws-lambda/README.md

+## Outbound traffic
+By default, when creating a Lambda function, it would add a security group outbound rule to allow sending all network traffic (except IPv6). This is controlled by `allowAllOutbound` in function properties, which has a default value of `true`.
+
+To allow outbound IPv6 traffic by default, explicitly set `allowAllIpv6Outbound` to `true` in function properties as shown below (the default value for `allowAllIpv6Outbound` is `false`):
+```ts


Suggested change

## Outbound traffic

By default, when creating a Lambda function, it would add a security group outbound rule to allow sending all network traffic (except IPv6). This is controlled by `allowAllOutbound` in function properties, which has a default value of `true`.

To allow outbound IPv6 traffic by default, explicitly set `allowAllIpv6Outbound` to `true` in function properties as shown below (the default value for `allowAllIpv6Outbound` is `false`):

```ts

## Outbound traffic

By default, when creating a Lambda function, it would add a security group outbound rule to allow sending all network traffic (except IPv6).

You can override the default behavior by setting the `allowAllOutbound` property to `false`.

To allow outbound IPv6 traffic by default, explicitly set the `allowAllIpv6Outbound` property to `true`, as shown below.

The default value for `allowAllIpv6Outbound` is `false`.

```ts

mergify · 2024-09-06T19:38:28Z

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

aws-cdk-automation · 2024-09-06T20:22:50Z

AWS CodeBuild CI Report

CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
Commit ID: 1dae9bd
Result: SUCCEEDED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify · 2024-09-06T20:23:14Z

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

github-actions · 2024-09-06T20:23:33Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 labels Aug 2, 2024

aws-cdk-automation requested a review from a team August 2, 2024 21:49

aws-cdk-automation previously requested changes Aug 2, 2024

View reviewed changes

amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from e7ec65a to 660f7bb Compare August 2, 2024 22:57

ashishdhingra requested a review from aws-cdk-automation August 2, 2024 22:58

amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from af797b7 to b59fbc9 Compare August 3, 2024 10:24

aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Aug 3, 2024

lpizzinidev suggested changes Aug 3, 2024

View reviewed changes

aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Aug 3, 2024

github-actions bot mentioned this pull request Aug 5, 2024

Weekly PR metrics report #31022

Closed

ashishdhingra force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from fb094a6 to d02ed91 Compare August 5, 2024 21:10

amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch 2 times, most recently from dbd79a9 to 57b6abc Compare August 5, 2024 22:25

ashishdhingra requested a review from lpizzinidev August 5, 2024 22:31

amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from 57b6abc to 3fa4d8c Compare August 5, 2024 23:24

pahud previously requested changes Aug 5, 2024

View reviewed changes

packages/aws-cdk-lib/aws-lambda/test/function.test.ts Outdated Show resolved Hide resolved

packages/aws-cdk-lib/aws-lambda/test/function.test.ts Outdated Show resolved Hide resolved

packages/aws-cdk-lib/aws-lambda/test/function.test.ts Outdated Show resolved Hide resolved

pahud reviewed Aug 6, 2024

View reviewed changes

packages/aws-cdk-lib/aws-lambda/README.md Outdated Show resolved Hide resolved

packages/aws-cdk-lib/aws-lambda/README.md Outdated Show resolved Hide resolved

amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from 3fa4d8c to f834cb2 Compare August 6, 2024 06:47

ashishdhingra requested a review from pahud August 6, 2024 06:50

pahud requested changes Aug 6, 2024

View reviewed changes

packages/aws-cdk-lib/aws-lambda/README.md Outdated Show resolved Hide resolved

pahud previously requested changes Aug 6, 2024

View reviewed changes

amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from f834cb2 to 57d5f9c Compare August 6, 2024 17:10

ashishdhingra requested a review from pahud August 6, 2024 17:24

ashishdhingra added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 6, 2024

aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 6, 2024

ashishdhingra force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from 57d5f9c to e8b5620 Compare August 6, 2024 17:47

lpizzinidev approved these changes Aug 7, 2024

View reviewed changes

ashishdhingra added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 21, 2024

mergify bot added the contribution/core This is a PR that came from AWS. label Aug 21, 2024

aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 21, 2024

feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions

3410455

ashishdhingra force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from e8b5620 to 3410455 Compare August 27, 2024 21:31

github-actions bot mentioned this pull request Sep 1, 2024

Monthly PR metrics report #31279

Open

go-to-k mentioned this pull request Sep 3, 2024

prlint: a review label doesn't appear when a PR is approved if there are too many comments #31294

Closed

1 task

samson-keung approved these changes Sep 6, 2024

View reviewed changes

Merge branch 'main' into lambda-allowAllIpv6Outbound-issue30994

1dae9bd

mergify bot merged commit fa55194 into aws:main Sep 6, 2024
10 checks passed

github-actions bot locked as resolved and limited conversation to collaborators Sep 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions #31013

feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions #31013

ashishdhingra commented Aug 2, 2024

aws-cdk-automation left a comment

pahud left a comment

pahud commented Aug 5, 2024

ashishdhingra commented Aug 6, 2024

pahud left a comment

pahud left a comment

ashishdhingra commented Aug 6, 2024

lpizzinidev left a comment

lpizzinidev Aug 7, 2024

mergify bot commented Sep 6, 2024

aws-cdk-automation commented Sep 6, 2024

mergify bot commented Sep 6, 2024

github-actions bot commented Sep 6, 2024

feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions #31013

feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions #31013

Conversation

ashishdhingra commented Aug 2, 2024

Issue # (if applicable)

Reason for this change

Description of changes

Description of how you validated changes

Checklist

aws-cdk-automation left a comment

Choose a reason for hiding this comment

pahud left a comment

Choose a reason for hiding this comment

pahud commented Aug 5, 2024

ashishdhingra commented Aug 6, 2024

pahud left a comment

Choose a reason for hiding this comment

pahud left a comment

Choose a reason for hiding this comment

ashishdhingra commented Aug 6, 2024

lpizzinidev left a comment

Choose a reason for hiding this comment

lpizzinidev Aug 7, 2024

Choose a reason for hiding this comment

mergify bot commented Sep 6, 2024

aws-cdk-automation commented Sep 6, 2024

AWS CodeBuild CI Report

mergify bot commented Sep 6, 2024

github-actions bot commented Sep 6, 2024