Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-cdk: cdk ls throws RuntimeError: Configure 'allowAllOutbound' directly on the supplied SecurityGroups. #28170

Open
badaldavda8 opened this issue Nov 28, 2023 · 7 comments
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@badaldavda8
Copy link

Describe the bug

We have the gitlab cicd pipeline which runs a docker based out of python-3.8-alpine image.

We perform cdk ls operation and it fails with following error:

fn = alambda.DockerImageFunction(
  File "/usr/local/lib/python3.8/site-packages/jsii/_runtime.py", line 118, in __call__
    inst = super(JSIIMeta, cast(JSIIMeta, cls)).__call__(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/aws_cdk/aws_lambda/__init__.py", line 26367, in __init__
    jsii.create(self.__class__, self, [scope, id, props])
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/__init__.py", line 334, in create
    response = self.provider.create(
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 365, in create
    return self._process.send(request, CreateResponse)
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 342, in send
    raise RuntimeError(resp.error) from JavaScriptError(resp.stack)
RuntimeError: Configure 'allowAllOutbound' directly on the supplied SecurityGroups.
Subprocess exited with error 1

On removing allowAllOutbound from my SecurityGroups, it works as expected.

allowAllOutbound with a value of true is supposed to be the default anyway.

Similar Discussion here - #27669

Expected Behavior

Since its default value, it should not be failing anyway on explicitly specifying it.

Current Behavior

fn = alambda.DockerImageFunction(
  File "/usr/local/lib/python3.8/site-packages/jsii/_runtime.py", line 118, in __call__
    inst = super(JSIIMeta, cast(JSIIMeta, cls)).__call__(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/aws_cdk/aws_lambda/__init__.py", line 26367, in __init__
    jsii.create(self.__class__, self, [scope, id, props])
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/__init__.py", line 334, in create
    response = self.provider.create(
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 365, in create
    return self._process.send(request, CreateResponse)
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 342, in send
    raise RuntimeError(resp.error) from JavaScriptError(resp.stack)
RuntimeError: Configure 'allowAllOutbound' directly on the supplied SecurityGroups.
Subprocess exited with error 1

Reproduction Steps

Won't be able to share complete code -

Docker image from python 3.8-alpine

Add/Install npm, cdk cli, aws-cdk-lib

Create a Security Group for a lambda function and use allow_all_outboud= True. If will fail

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.110.1

Framework Version

No response

Node.js Version

v18.18.2

OS

Linux Alpine Image

Language

Python

Language Version

Python 3.8.18

Other information

python3 --version
Python 3.8.18
node --version
v18.18.2
aws --version
aws-cli/2.13.5 Python/3.11.6 Linux/5.15.0-1049-aws source/x86_64.alpine.3 prompt/off

cdk --version
2.110.1

npm --version
9.6.6

Note: The issue is seen only when cdk ls is run inside the docker container and not locally.

@badaldavda8 badaldavda8 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 28, 2023
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Nov 28, 2023
@gshpychka
Copy link
Contributor

Can you share a relevant code snippet?

@badaldavda8
Copy link
Author

Sure, I will share it with you by tomorrow evening IST. Thanks!

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 29, 2023
@badaldavda8
Copy link
Author

Dockerfile -

FROM python:3.8-alpine
RUN apk add --no-cache \
    alpine-sdk \
    curl \
    ruby \
    ruby-dev\
    nodejs \
    npm \
    aws-cli

# Install dependencies
RUN npm install -g aws-cdk@latest
RUN gem install cfn-nag
RUN pip install pip \
    && pip install pyyaml \
    && pip install setuptools \
    && pip install aws_cdk_lib==2.89.0 \
    && pip install aws-cdk.lambda-layer-kubectl-v23==2.0.3 \
    && pip install aws-cdk.lambda-layer-kubectl-v24==2.0.107 \
    && pip install aws-cdk.lambda-layer-kubectl-v27==2.0.0 \
    && pip install boto3==1.24.28 \
    && pip install requests \
    && pip install cdk-eks-karpenter

RUN python3 --version

RUN node --version
RUN npm --version
RUN aws --version
RUN cdk --version
ENTRYPOINT ["/bin/bash"]

Python CDK Code Snippet for Lambda Function -

def __init__(
        self,
        *,
        vpc: ec2.IVpc,
        fnSecurityGroups: List[ec2.ISecurityGroup],
        fnTimeout: cdk.Duration,
        fnCode: alambda.DockerImageCode,
        fnLogRetention: logs.RetentionDays,
        fnMemorySize: int,
        config: any,
    ):
        self.vpc = vpc
        self.fnSecurityGroups = fnSecurityGroups
        self.fnTimeout = fnTimeout
        self.fnCode = fnCode
        self.fnLogRetention = fnLogRetention
        self.fnMemorySize = fnMemorySize
        self.config = config

fn = alambda.DockerImageFunction(
            self,
            "ResourceInitializerFn",
            memory_size=props.fnMemorySize,
            function_name=f"{id}-ResInit{stack.stack_name}",
            code=props.fnCode,
            vpc=props.vpc,
            security_groups=sgList,
            timeout=props.fnTimeout,
            log_retention=props.fnLogRetention,
            allow_all_outbound=True,
        )

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 30, 2023
@gshpychka
Copy link
Contributor

You are not setting allowAllOutbound directly on the security groups in the code snippet - you're setting it on the function. Are you saying that it works fine when you remove that line?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort labels Nov 30, 2023
Copy link

github-actions bot commented Dec 2, 2023

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Dec 2, 2023
@badaldavda8
Copy link
Author

You are not setting allowAllOutbound directly on the security groups in the code snippet - you're setting it on the function. Are you saying that it works fine when you remove that line?

Correct. If I remove it, everything works fine. Even though the default is supposed to be True

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Dec 2, 2023
@sakurai-ryo
Copy link
Contributor

Hi @badaldavda8
I created PR to add documentation to clarify this behavior.
#28367

mergify bot pushed a commit that referenced this issue Dec 15, 2023
The following PR adds validation for the case when `allowAllOutbound` and `securityGroups` are specified at the same time in `FunctionOptions`.
#26528
(#27157)

According to related issues and discussions, this PR causes existing Lambda deployments to fail.
However, since this change has already been merged and I think it is the correct change, I did not fix the validation process but added documentation to clarify the behavior.

Relates to #28170, #27669 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Development

No branches or pull requests

5 participants