aws-lambda: from_security_group_id returns object of invalid type

[jcmonteiro]

Describe the bug

The returned object from SecurityGroup.from_security_group_id when used in DockerImageFunction fails to pass the typeguard check in the check_type function.

This error wasn't present when using typeguard version 4.0.0. It used to throw warnings but not errors. The warning is pasted below.

<redacted-path>/lib/python3.12/site-packages/aws_cdk/aws_lambda/__init__.py:1526: UserWarning: Typeguard cannot check the ISecurityGroup protocol because it is a non-runtime protocol. If you would like to type check this protocol, please use @typing.runtime_checkable
  typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore

The error appears with typeguard version 4.3.0. The error message is pasted below.

Sequence[aws_cdk.aws_ec2.ISecurityGroup]: item 0 is not compatible with the ISecurityGroup protocol because it has no method named '__jsii_proxy_class__'
NoneType: is not an instance of NoneType

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The type check should succeed.

Current Behavior

The type check fails and so does cdk deploy or cdk synth.

Reproduction Steps

1. Install typeguard version 4.3.0 in your environment.
2. Try to cdk synth the Stack defined below.

import os

from aws_cdk import App, Environment, Stack
from aws_cdk.aws_ec2 import SecurityGroup, Vpc
from aws_cdk.aws_lambda import DockerImageCode, DockerImageFunction
from constructs import Construct


class AppStack(Stack):
    def __init__(self, scope: Construct, id: str, env: Environment) -> None:
        super().__init__(scope=scope, id=id, env=env)

        sec_group = SecurityGroup.from_security_group_id(
            scope=self,
            id="LambdaSecurityGroup",
            security_group_id="sg-123456",
        )

        vpc = Vpc.from_lookup(
            scope=self,
            id="LambdaVPC",
            vpc_name="MyVPC",
        )

        self.lambda_function = DockerImageFunction(
            scope=self,
            id="AppLambda",
            function_name="AppLambda",
            description="Handles requests for the Design Brief API",
            memory_size=1024,
            code=DockerImageCode.from_image_asset(
                directory=".",
                file="./lambda.Dockerfile",
                build_secrets={"GITHUB_TOKEN": "type=env"},
            ),
            security_groups=[sec_group],
            vpc=vpc,
        )


app = App()
AppStack(
    scope=app,
    id="DummyStack",
    env=Environment(account=os.getenv("CDK_DEFAULT_ACCOUNT"), region="eu-west-1"),
)

app.synth()

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.162.1

Framework Version

No response

Node.js Version

v22.9.0

OS

Mac

Language

Python

Language Version

Python 3.12.4

Other information

No response

[pahud]

related to #4658

moving to JSII repo.

[mrgrain]

typeguard-4.3.0 is not currently supported due to an issue with how protocols are now checked in the latest version. We will are investigating this, but cannot currently provide an ETA.

Our main priority is that users are not unintentionally blocked by this. @jcmonteiro From your description ot sounds like you were explicitly declaring a dependency on typeguard 4.3.0 (as opposed to automatically receiving this version as a transitive dependency). Can you confirm this if this was the case?

[jcmonteiro]

I actually got the dependency via transitivity. I mentioned explicitly stating the version to make it easier to reproduce.

In fact, upon checking the changes to my Poetry lock file, I noticed that a particular commit caused "typeguard" to bump from 2.13 to 4.3. That was due to a cascade of upgrades allowed by the fact that aws-cdk-asset-kubectl-v20 declared support for typeguard = ">=2.13.3,<5.0.0"

[mrgrain]

Thanks @jcmonteiro Looks like there are a few more packages that need their version constraint updated.

[mrgrain]

But will close this here as a duplicate of #4658 and track it over there.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.