From 7c62d6809cbdeee251c8ff31e22db7d0ff85aba2 Mon Sep 17 00:00:00 2001 From: sakurai-ryo <58683719+sakurai-ryo@users.noreply.github.com> Date: Fri, 15 Dec 2023 10:47:00 +0900 Subject: [PATCH] docs(lambda): clarify FunctionOptions.allowAllOutbound property (#28367) The following PR adds validation for the case when `allowAllOutbound` and `securityGroups` are specified at the same time in `FunctionOptions`. https://github.com/aws/aws-cdk/pull/26528 (https://github.com/aws/aws-cdk/pull/27157) According to related issues and discussions, this PR causes existing Lambda deployments to fail. However, since this change has already been merged and I think it is the correct change, I did not fix the validation process but added documentation to clarify the behavior. Relates to #28170, #27669 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-lambda/lib/function.ts | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
index 356be758b9a7c..2a7d151a23c8e 100644
--- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts
+++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
@@ -260,6 +260,9 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
 * If set to false, you must individually add traffic rules to allow the
 * Lambda to connect to network targets.
 *
+ * Do not specify this property if the `securityGroups` or `securityGroup` property is set.
+ * Instead, configure `allowAllOutbound` directly on the security group.
+ *
+ * @default true
 */
 readonly allowAllOutbound?: boolean;
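Review bot: The new sentences in the `allowAllOutbound` doc comment tell callers not to combine the property with `securityGroups`/`securityGroup`, but they do not say what happens when a caller does; the commit description indicates that validation rejects the combination, and the comment should say so, so that a failure is not a surprise. The `@default true` line is also easy to misread once a security group is supplied: presumably the function's outbound access is then whatever that group's own egress rules permit, so anyone relying on this default to reason about egress exposure would be looking in the wrong place. I would add `* Setting both is rejected by validation; with a supplied security group, outbound access is governed by that group's egress rules and this default does not apply.` after confirming the wording against the validation code, which is not visible in this hunk. The `FunctionOptions` interface starts and ends outside the hunk.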