ec2: Cannot configure 'securityGroups' without configuring a VPC

[mbhaalalhhaexchange]

Status

Investigating (Default)

What is the issue?

I have migrated my CDK code from CDK V1 to CDK V2 and installed the aws-cdk-lib package and made the changes into the files for imports.

Now, I am synthesizing my stack with cdk synth command and my stack is failed with Cannot configure 'securityGroups' without configuring a VPC error message.

Earlier with AWS CDK V1, I was not getting this type of bug, but it is started after the CDK V2 migration.

Error message

Cannot configure 'securityGroups' without configuring a VPC

What is the impact?

Earlier with AWS CDK V1 @aws-cdk package this issue was not coming but when code is migrated to aws-cdk-lib this issue has been started.
Actually , we are creating the lambda Cloudwatch logs for which we are putting it in security group but we do not want to assign VPC to it.

Workaround

No response

Who is affected?

Our entire CDK stack is impacted due to this and we are not able to migrate our code from AWS CDK V1 to AWS CDK V2 version.

How do I resolve this?

TBD

Related issues

No response

[pahud]

Can you share code snippets for that?

[mbhaalalhhaexchange]

Yes kindly refer below code that was using with aws cdk v1 with @aws-cdk/aws-lambda package and aws cdk v2 with aws-cdk-lib/aws-lambda package,

   super(scope, id, {
  ...props,
  **vpc: undefined,**  // here we are not passing
  code: resolve(__dirname, '..', 'dist', 'src'),
  lambdas: lambdas.map((lambda) => ({
    ...lambda,
    environment: {
      ...(lambda.environment || {}),
      DB_SECRET_ARN: props.dbSecretArn,
      LOGGING_LEVEL: 'debug',
      SQS_CALL_INFO_QUEUE: props.sqsCallInfoQueue.queueUrl
    },
    **securityGroups: [props.securityGroup],**  // here we are passing security group
    policyStatements: [
      ...(lambda.policyStatements || []),
      new PolicyStatement({
        actions: ['secretsmanager:GetSecretValue'],
        resources: [props.dbSecretArn]
      }),
      new PolicyStatement({
        actions: ['kms:Decrypt'],
        resources: [props.dbSecretKmsKeyArn]
      }),
      new PolicyStatement({
        actions: ['cloudwatch:PutMetricData'],
        resources: ['*']
      }),
      new PolicyStatement({
        actions: ['sqs:SendMessage'],
        resources: [props.sqsCallInfoQueue.queueArn]
      }),
      new PolicyStatement({
        actions: ['connect:StartOutboundVoiceContact'],
        resources: ['*']
      })
    ],
    memorySize: lambda.memorySize || 512,
    retryAttempts: 0,
    lambdaTimeout: lambda?.lambdaTimeout || 8,
    runtime: Runtime.NODEJS_18_X
  })),
  layer: {
    folderPath: resolve(__dirname, '..', 'dist', 'lambdaLayer'),
    compatibleRuntimes: [Runtime.NODEJS_18_X]
  }

});

[pahud]

Cannot configure 'securityGroups' without configuring a VPC

This error generate indicates you can't just specify security groups with vpc undefined.

Please check this doc string:

aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts

Lines 199 to 205 in 79c7796

	/**
	* The security group of this Lambda, if in a VPC.
	*
	* This needs to be given in order to support allowing connections
	* to this Lambda.
	*/
	readonly securityGroup?: ec2.ISecurityGroup;

securityGroup is used when lambda function is in a VPC and you need to specify the vpc prop.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.