in packages/aws-cdk-lib/aws-lambda/lib/function.ts [1517:1615]
private configureVpc(props: FunctionProps): CfnFunction.VpcConfigProperty | undefined {
if (props.securityGroup && props.securityGroups) {
throw new ValidationError('Only one of the function props, securityGroup or securityGroups, is allowed', this);
}
const hasSecurityGroups = props.securityGroups && props.securityGroups.length > 0;
if (!props.vpc) {
if (props.allowAllOutbound !== undefined) {
throw new ValidationError('Cannot configure \'allowAllOutbound\' without configuring a VPC', this);
}
if (props.securityGroup) {
throw new ValidationError('Cannot configure \'securityGroup\' without configuring a VPC', this);
}
if (hasSecurityGroups) {
throw new ValidationError('Cannot configure \'securityGroups\' without configuring a VPC', this);
}
if (props.vpcSubnets) {
throw new ValidationError('Cannot configure \'vpcSubnets\' without configuring a VPC', this);
}
if (props.ipv6AllowedForDualStack) {
throw new ValidationError('Cannot configure \'ipv6AllowedForDualStack\' without configuring a VPC', this);
}
if (props.allowAllIpv6Outbound !== undefined) {
throw new ValidationError('Cannot configure \'allowAllIpv6Outbound\' without configuring a VPC', this);
}
return undefined;
}
if (props.allowAllOutbound !== undefined) {
if (props.securityGroup) {
throw new ValidationError('Configure \'allowAllOutbound\' directly on the supplied SecurityGroup.', this);
}
if (hasSecurityGroups) {
throw new ValidationError('Configure \'allowAllOutbound\' directly on the supplied SecurityGroups.', this);
}
}
if (props.allowAllIpv6Outbound !== undefined) {
if (props.securityGroup) {
throw new ValidationError('Configure \'allowAllIpv6Outbound\' directly on the supplied SecurityGroup.', this);
}
if (hasSecurityGroups) {
throw new ValidationError('Configure \'allowAllIpv6Outbound\' directly on the supplied SecurityGroups.', this);
}
}
let securityGroups: ec2.ISecurityGroup[];
if (hasSecurityGroups) {
securityGroups = props.securityGroups;
} else {
const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
vpc: props.vpc,
description: 'Automatic security group for Lambda Function ' + Names.uniqueId(this),
allowAllOutbound: props.allowAllOutbound,
allowAllIpv6Outbound: props.allowAllIpv6Outbound,
});
securityGroups = [securityGroup];
}
this._connections = new ec2.Connections({ securityGroups });
if (props.filesystem) {
if (props.filesystem.config.connections) {
this.connections.allowTo(
props.filesystem.config.connections,
props.filesystem.config.connections.defaultPort ?? ec2.Port.tcp(efs.FileSystem.DEFAULT_PORT),
);
}
}
const ipv6AllowedForDualStack = props.ipv6AllowedForDualStack;
const allowPublicSubnet = props.allowPublicSubnet ?? false;
const selectedSubnets = props.vpc.selectSubnets(props.vpcSubnets);
const publicSubnetIds = new Set(props.vpc.publicSubnets.map(s => s.subnetId));
for (const subnetId of selectedSubnets.subnetIds) {
if (publicSubnetIds.has(subnetId) && !allowPublicSubnet) {
throw new ValidationError('Lambda Functions in a public subnet can NOT access the internet. ' +
'If you are aware of this limitation and would still like to place the function in a public subnet, set `allowPublicSubnet` to true', this);
}
}
this.node.addDependency(selectedSubnets.internetConnectivityEstablished);
// List can't be empty here, if we got this far you intended to put your Lambda
// in subnets. We're going to guarantee that we get the nice error message by
// making VpcNetwork do the selection again.
if (props.ipv6AllowedForDualStack !== undefined) {
return {
ipv6AllowedForDualStack: ipv6AllowedForDualStack,
subnetIds: selectedSubnets.subnetIds,
securityGroupIds: securityGroups.map(sg => sg.securityGroupId),
};
} else {
return {
subnetIds: selectedSubnets.subnetIds,
securityGroupIds: securityGroups.map(sg => sg.securityGroupId),
};
}
}