aws-cdk: cdk ls throws RuntimeError: Configure 'allowAllOutbound' directly on the supplied SecurityGroups.

[badaldavda8]

Describe the bug

We have the gitlab cicd pipeline which runs a docker based out of python-3.8-alpine image.

We perform cdk ls operation and it fails with following error:

fn = alambda.DockerImageFunction(
  File "/usr/local/lib/python3.8/site-packages/jsii/_runtime.py", line 118, in __call__
    inst = super(JSIIMeta, cast(JSIIMeta, cls)).__call__(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/aws_cdk/aws_lambda/__init__.py", line 26367, in __init__
    jsii.create(self.__class__, self, [scope, id, props])
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/__init__.py", line 334, in create
    response = self.provider.create(
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 365, in create
    return self._process.send(request, CreateResponse)
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 342, in send
    raise RuntimeError(resp.error) from JavaScriptError(resp.stack)
RuntimeError: Configure 'allowAllOutbound' directly on the supplied SecurityGroups.
Subprocess exited with error 1

On removing allowAllOutbound from my SecurityGroups, it works as expected.

allowAllOutbound with a value of true is supposed to be the default anyway.

Similar Discussion here - #27669

Expected Behavior

Since its default value, it should not be failing anyway on explicitly specifying it.

Current Behavior

fn = alambda.DockerImageFunction(
  File "/usr/local/lib/python3.8/site-packages/jsii/_runtime.py", line 118, in __call__
    inst = super(JSIIMeta, cast(JSIIMeta, cls)).__call__(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/aws_cdk/aws_lambda/__init__.py", line 26367, in __init__
    jsii.create(self.__class__, self, [scope, id, props])
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/__init__.py", line 334, in create
    response = self.provider.create(
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 365, in create
    return self._process.send(request, CreateResponse)
  File "/usr/local/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 342, in send
    raise RuntimeError(resp.error) from JavaScriptError(resp.stack)
RuntimeError: Configure 'allowAllOutbound' directly on the supplied SecurityGroups.
Subprocess exited with error 1

Reproduction Steps

Won't be able to share complete code -

Docker image from python 3.8-alpine

Add/Install npm, cdk cli, aws-cdk-lib

Create a Security Group for a lambda function and use allow_all_outboud= True. If will fail

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.110.1

Framework Version

No response

Node.js Version

v18.18.2

OS

Linux Alpine Image

Language

Python

Language Version

Python 3.8.18

Other information

python3 --version
Python 3.8.18
node --version
v18.18.2
aws --version
aws-cli/2.13.5 Python/3.11.6 Linux/5.15.0-1049-aws source/x86_64.alpine.3 prompt/off

cdk --version
2.110.1

npm --version
9.6.6

Note: The issue is seen only when cdk ls is run inside the docker container and not locally.

[gshpychka]

Can you share a relevant code snippet?

[badaldavda8]

Sure, I will share it with you by tomorrow evening IST. Thanks!

[badaldavda8]

Dockerfile -

FROM python:3.8-alpine
RUN apk add --no-cache \
    alpine-sdk \
    curl \
    ruby \
    ruby-dev\
    nodejs \
    npm \
    aws-cli

# Install dependencies
RUN npm install -g aws-cdk@latest
RUN gem install cfn-nag
RUN pip install pip \
    && pip install pyyaml \
    && pip install setuptools \
    && pip install aws_cdk_lib==2.89.0 \
    && pip install aws-cdk.lambda-layer-kubectl-v23==2.0.3 \
    && pip install aws-cdk.lambda-layer-kubectl-v24==2.0.107 \
    && pip install aws-cdk.lambda-layer-kubectl-v27==2.0.0 \
    && pip install boto3==1.24.28 \
    && pip install requests \
    && pip install cdk-eks-karpenter

RUN python3 --version

RUN node --version
RUN npm --version
RUN aws --version
RUN cdk --version
ENTRYPOINT ["/bin/bash"]

Python CDK Code Snippet for Lambda Function -

def __init__(
        self,
        *,
        vpc: ec2.IVpc,
        fnSecurityGroups: List[ec2.ISecurityGroup],
        fnTimeout: cdk.Duration,
        fnCode: alambda.DockerImageCode,
        fnLogRetention: logs.RetentionDays,
        fnMemorySize: int,
        config: any,
    ):
        self.vpc = vpc
        self.fnSecurityGroups = fnSecurityGroups
        self.fnTimeout = fnTimeout
        self.fnCode = fnCode
        self.fnLogRetention = fnLogRetention
        self.fnMemorySize = fnMemorySize
        self.config = config

fn = alambda.DockerImageFunction(
            self,
            "ResourceInitializerFn",
            memory_size=props.fnMemorySize,
            function_name=f"{id}-ResInit{stack.stack_name}",
            code=props.fnCode,
            vpc=props.vpc,
            security_groups=sgList,
            timeout=props.fnTimeout,
            log_retention=props.fnLogRetention,
            allow_all_outbound=True,
        )

[gshpychka]

You are not setting allowAllOutbound directly on the security groups in the code snippet - you're setting it on the function. Are you saying that it works fine when you remove that line?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.