Skip to content

feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions #31013

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 6, 2024
Merged

feat(lambda): added new property allowAllIpv6Outbound to FunctionOptions #31013

merged 2 commits into from
Sep 6, 2024

Conversation

@ashishdhingra
Copy link
Contributor

@ashishdhingra ashishdhingra commented Aug 2, 2024

Issue # (if applicable)

Closes #30994.

Reason for this change

SecurityGroupProps supports allowAllIpv6Outbound property. The existing Lambda FunctionOptions only supports allowAllOutbound, which is used in configureVpc() while creating a new SecurityGroup here.

Description of changes

Added new property allowAllIpv6Outbound to FunctionOptions.

Description of how you validated changes

Added unit and integration tests.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 labels Aug 2, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team August 2, 2024 21:49
aws-cdk-automation
aws-cdk-automation previously requested changes Aug 2, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@amazon-codecatalyst amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from e7ec65a to 660f7bb Compare August 2, 2024 22:57
@aws-cdk-automation aws-cdk-automation dismissed their stale review August 2, 2024 22:59

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@amazon-codecatalyst amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from af797b7 to b59fbc9 Compare August 3, 2024 10:24
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Aug 3, 2024
lpizzinidev
lpizzinidev suggested changes Aug 3, 2024
View reviewed changes
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Aug 3, 2024
@github-actions github-actions bot mentioned this pull request Aug 5, 2024
Closed
@ashishdhingra ashishdhingra force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from fb094a6 to d02ed91 Compare August 5, 2024 21:10
@amazon-codecatalyst amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch 2 times, most recently from dbd79a9 to 57b6abc Compare August 5, 2024 22:25
@amazon-codecatalyst amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from 57b6abc to 3fa4d8c Compare August 5, 2024 23:24
pahud
pahud previously requested changes Aug 5, 2024
View reviewed changes
Copy link
Contributor

@pahud pahud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor nit

@pahud
Copy link
Contributor

pahud commented Aug 5, 2024

Question - what happens if allowAllOutbound: false with allowAllIpv6Outbound: true? Is it allowed?

pahud
pahud reviewed Aug 6, 2024
View reviewed changes
@amazon-codecatalyst amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from 3fa4d8c to f834cb2 Compare August 6, 2024 06:47
@mergify mergify bot dismissed pahud’s stale review August 6, 2024 06:48

Pull request has been modified.

@ashishdhingra
Copy link
Contributor Author

ashishdhingra commented Aug 6, 2024

Question - what happens if allowAllOutbound: false with allowAllIpv6Outbound: true? Is it allowed?

@pahud I will test it tomorrow with ec2.SecurityGroup. As per my understanding, it would not add outbound rule for IPv4.

@ashishdhingra ashishdhingra requested a review from pahud August 6, 2024 06:50
pahud
pahud requested changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@pahud pahud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally LGTM except for some nit

pahud
pahud previously requested changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@pahud pahud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we are not really deploying vpc in unit tests so I prefer to keep the code as simple as possible

@amazon-codecatalyst amazon-codecatalyst bot force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from f834cb2 to 57d5f9c Compare August 6, 2024 17:10
@mergify mergify bot dismissed pahud’s stale review August 6, 2024 17:10

Pull request has been modified.

@ashishdhingra
Copy link
Contributor Author

ashishdhingra commented Aug 6, 2024

Question - what happens if allowAllOutbound: false with allowAllIpv6Outbound: true? Is it allowed?

@pahud I will test it tomorrow with ec2.SecurityGroup. As per my understanding, it would not add outbound rule for IPv4.

@pahud Using the code new ec2.SecurityGroup(this, 'mySecurityGroup', { vpc, allowAllOutbound: false, allowAllIpv6Outbound: true}); results below in the CloudFormation template:

  mySecurityGroup6B1044D0:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: CdktestStack/mySecurityGroup
      SecurityGroupEgress:
        - CidrIp: 255.255.255.255/32
          Description: Disallow all traffic
          FromPort: 252
          IpProtocol: icmp
          ToPort: 86
        - CidrIpv6: ::/0
          Description: Allow all outbound ipv6 traffic by default
          IpProtocol: "-1"
      VpcId:
        Ref: myVpc3CC7CF9E
    Metadata:
      aws:cdk:path: CdktestStack/mySecurityGroup/Resource

Below is deployed Security Group:
Screenshot 2024-08-06 at 10 22 57 AM

Thanks,
Ashish

@ashishdhingra ashishdhingra requested a review from pahud August 6, 2024 17:24
@ashishdhingra ashishdhingra added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 6, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 6, 2024
@ashishdhingra ashishdhingra force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from 57d5f9c to e8b5620 Compare August 6, 2024 17:47
lpizzinidev
lpizzinidev approved these changes Aug 7, 2024
View reviewed changes
Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍

packages/aws-cdk-lib/aws-lambda/README.md
Comment on lines +1146 to +1216
## Outbound traffic
By default, when creating a Lambda function, it would add a security group outbound rule to allow sending all network traffic (except IPv6). This is controlled by `allowAllOutbound` in function properties, which has a default value of `true`.

To allow outbound IPv6 traffic by default, explicitly set `allowAllIpv6Outbound` to `true` in function properties as shown below (the default value for `allowAllIpv6Outbound` is `false`):
```ts
Copy link
Contributor

@lpizzinidev lpizzinidev Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Outbound traffic
By default, when creating a Lambda function, it would add a security group outbound rule to allow sending all network traffic (except IPv6). This is controlled by `allowAllOutbound` in function properties, which has a default value of `true`.
To allow outbound IPv6 traffic by default, explicitly set `allowAllIpv6Outbound` to `true` in function properties as shown below (the default value for `allowAllIpv6Outbound` is `false`):
```ts
## Outbound traffic
By default, when creating a Lambda function, it would add a security group outbound rule to allow sending all network traffic (except IPv6).
You can override the default behavior by setting the `allowAllOutbound` property to `false`.
To allow outbound IPv6 traffic by default, explicitly set the `allowAllIpv6Outbound` property to `true`, as shown below.
The default value for `allowAllIpv6Outbound` is `false`.
```ts

@ashishdhingra ashishdhingra added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 21, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 21, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 21, 2024
@ashishdhingra ashishdhingra force-pushed the lambda-allowAllIpv6Outbound-issue30994 branch from e8b5620 to 3410455 Compare August 27, 2024 21:31
@github-actions github-actions bot mentioned this pull request Sep 1, 2024
Closed
@go-to-k go-to-k mentioned this pull request Sep 3, 2024
Closed
1 task
@mergify
Copy link
Contributor

mergify bot commented Sep 6, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Sep 6, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 1dae9bd
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit fa55194 into aws:main Sep 6, 2024
@mergify
Copy link
Contributor

mergify bot commented Sep 6, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions
Copy link
Contributor

github-actions bot commented Sep 6, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@aws-cdk-automation aws-cdk-automation Awaiting requested review from aws-cdk-automation

@pahud pahud Awaiting requested review from pahud

2 more reviewers

@lpizzinidev lpizzinidev lpizzinidev approved these changes

@samson-keung samson-keung samson-keung approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

aws-cdk-lib/aws-lambda: Add allowAllIpv6Outbound option to lambda function props

5 participants

@ashishdhingra @pahud @aws-cdk-automation @lpizzinidev @samson-keung