fix(lambda): circular dependencies when EFS and Lambda are deployed i… · aws/aws-cdk@6e9045f

Commit

fix(lambda): circular dependencies when EFS and Lambda are deployed i…

…n separate stacks (#28560)

This PR fixed an error when deploying EFS and Lambda in separate stacks.

## Cause of the bug
Currently, when using EFS from Lambda, deploying EFS and Lambda in separate stacks creates incorrect resource dependencies and cannot be deployed correctly.
This error is caused by adding a security group setting in the Function construct to allow EFS and Lambda to communicate correctly.
By calling the `Connections.allowDefaultPortFrom` method of the Filesystem in the LambdaStack, IngressRule is created in the scope of the EfsStack.
Note that the `remoteRule` flag is false when calling `SecurityGroupBase.addIngressRule` at this time.
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-lambda/lib/function.ts#L1416
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/connections.ts#L157
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/security-group.ts#L84

Here is the minimal code to reproduce this error without EFS and Lambda.
```ts
#!/usr/bin/env node
import 'source-map-support/register';
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

export class EfsStack extends Stack {
    public vpc: ec2.Vpc;
    public efsSg: ec2.SecurityGroup;

    constructor(scope: Construct, id: string, props?: StackProps) {
      super(scope, id, props);

      this.vpc = new ec2.Vpc(this, 'Vpc');

      this.efsSg = new ec2.SecurityGroup(this, 'SecurityGroup', {
        vpc: this.vpc,
        allowAllOutbound: true,
      });
    }
}

interface LambdaStackProps extends StackProps {
    vpc: ec2.Vpc;
    efsSg: ec2.SecurityGroup;
}

export class LambdaStack extends Stack {
    constructor(scope: Construct, id: string, props: LambdaStackProps) {
      super(scope, id, props);

      const lambdaSg = new ec2.SecurityGroup(this, 'SecurityGroup', {
        vpc: props.vpc,
        allowAllOutbound: true,
      });

      // Since `remoteRule` flag is set to false here, IngressRule is deployed in EfsStack scope.
      props.efsSg.addIngressRule(lambdaSg, ec2.Port.tcp(2049), '', false);
    }
}

const app = new App();
const efsStack = new EfsStack(app, 'EfsStack');
const lambdaStack = new LambdaStack(app, 'LambdaStack', {
    vpc: efsStack.vpc,
    efsSg: efsStack.efsSg,
});
```

By calling the `SecurityGroupBase.addIngressRule` method with the `remoteRule` flag true, the IngressRule will be deployed in the scope of the Lambda stack and the deployment will complete successfully.

## Changes
Fixed the SecurityGroup Rule configuration part in the Function construct to fix this error.
By changing the Function construct to call the `Connections.allowTo` method, the `remoteRule` flag is set to true when `allowTo` method calls `allowFrom` method and the EFS Security Group Ingress Rule will be correctly created in the scope of the Lambda stack.
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/connections.ts#L139
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/connections.ts#L141

Closes #18759

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*