aws-cdk-lib 2.155.0__py3-none-any.whl → 2.157.0__py3-none-any.whl

aws_cdk/aws_lambda/__init__.py

@@ -1304,6 +1304,29 @@ fn = lambda_.Function(self, "Lambda_with_IPv6_VPC",
 )
 ```
 
+## Outbound traffic
+
+By default, when creating a Lambda function, it would add a security group outbound rule to allow sending all network traffic (except IPv6). This is controlled by `allowAllOutbound` in function properties, which has a default value of `true`.
+
+To allow outbound IPv6 traffic by default, explicitly set `allowAllIpv6Outbound` to `true` in function properties as shown below (the default value for `allowAllIpv6Outbound` is `false`):
+
+```python
+import aws_cdk.aws_ec2 as ec2
+
+
+vpc = ec2.Vpc(self, "Vpc")
+
+fn = lambda_.Function(self, "LambdaWithIpv6Outbound",
+    code=lambda_.InlineCode("def main(event, context): pass"),
+    handler="index.main",
+    runtime=lambda_.Runtime.PYTHON_3_9,
+    vpc=vpc,
+    allow_all_ipv6_outbound=True
+)
+```
+
+Do not specify `allowAllOutbound` or `allowAllIpv6Outbound` property if the `securityGroups` or `securityGroup` property is set. Instead, configure these properties directly on the security group.
+
 ## Ephemeral Storage
 
 You can configure ephemeral storage on a function to control the amount of storage it gets for reading
@@ -6126,12 +6149,14 @@ class CfnFunction(
 
     To create a function, you need a `deployment package <https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html>`_ and an `execution role <https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html>`_ . The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs for log streaming and AWS X-Ray for request tracing.
 
-    You set the package type to ``Image`` if the deployment package is a `container image <https://docs.aws.amazon.com/lambda/latest/dg/lambda-images.html>`_ . For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties.
+    You set the package type to ``Image`` if the deployment package is a `container image <https://docs.aws.amazon.com/lambda/latest/dg/lambda-images.html>`_ . For these functions, include the URI of the container image in the Amazon ECR registry in the ```ImageUri`` property of the ``Code`` property <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-code.html#cfn-lambda-function-code-imageuri>`_ . You do not need to specify the handler and runtime properties.
 
-    You set the package type to ``Zip`` if the deployment package is a `.zip file archive <https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip>`_ . For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. For a Python example, see `Deploy Python Lambda functions with .zip file archives <https://docs.aws.amazon.com/lambda/latest/dg/python-package.html>`_ .
+    You set the package type to ``Zip`` if the deployment package is a `.zip file archive <https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip>`_ . For these functions, specify the Amazon S3 location of your .zip file in the ``Code`` property. Alternatively, for Node.js and Python functions, you can define your function inline in the ```ZipFile`` property of the ``Code`` property <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-code.html#cfn-lambda-function-code-zipfile>`_ . In both cases, you must also specify the handler and runtime properties.
 
     You can use `code signing <https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html>`_ if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with ``UpdateFunctionCode`` , Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.
 
+    When you update a ``AWS::Lambda::Function`` resource, CloudFormation calls the `UpdateFunctionConfiguration <https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html>`_ and `UpdateFunctionCode <https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html>`_ Lambda APIs under the hood. Because these calls happen sequentially, and invocations can happen between these calls, your function may encounter errors in the time between the calls. For example, if you remove an environment variable, and the code that references that environment variable in the same CloudFormation update, you may see invocation errors related to a missing environment variable. To work around this, you can invoke your function against a version or alias by default, rather than the ``$LATEST`` version.
+
     Note that you configure `provisioned concurrency <https://docs.aws.amazon.com/lambda/latest/dg/provisioned-concurrency.html>`_ on a ``AWS::Lambda::Version`` or a ``AWS::Lambda::Alias`` .
 
     For a complete introduction to Lambda functions, see `What is Lambda? <https://docs.aws.amazon.com/lambda/latest/dg/lambda-welcome.html>`_ in the *Lambda developer guide.*
@@ -9573,7 +9598,7 @@ class CfnUrl(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param auth_type: The type of authentication that your function URL uses. Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Security and auth model for Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
-        :param target_function_arn: The name of the Lambda function. **Name formats** - *Function name* - ``my-function`` . - *Function ARN* - ``arn:aws:lambda:us-west-2:123456789012:function:my-function`` . - *Partial ARN* - ``123456789012:function:my-function`` . The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
+        :param target_function_arn: The name of the Lambda function. **Name formats** - *Function name* - ``my-function`` . - *Function ARN* - ``lambda: : :function:my-function`` . - *Partial ARN* - ``:function:my-function`` . The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
         :param cors: The `Cross-Origin Resource Sharing (CORS) <https://docs.aws.amazon.com/https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`_ settings for your function URL.
         :param invoke_mode: Use one of the following options:. - ``BUFFERED`` – This is the default option. Lambda invokes your function using the ``Invoke`` API operation. Invocation results are available when the payload is complete. The maximum payload size is 6 MB. - ``RESPONSE_STREAM`` – Your function streams payload results as they become available. Lambda invokes your function using the ``InvokeWithResponseStream`` API operation. The maximum response payload size is 20 MB, however, you can `request a quota increase <https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html>`_ .
         :param qualifier: The alias name.
@@ -9893,7 +9918,7 @@ class CfnUrlProps:
         '''Properties for defining a ``CfnUrl``.
 
         :param auth_type: The type of authentication that your function URL uses. Set to ``AWS_IAM`` if you want to restrict access to authenticated users only. Set to ``NONE`` if you want to bypass IAM authentication to create a public endpoint. For more information, see `Security and auth model for Lambda function URLs <https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html>`_ .
-        :param target_function_arn: The name of the Lambda function. **Name formats** - *Function name* - ``my-function`` . - *Function ARN* - ``arn:aws:lambda:us-west-2:123456789012:function:my-function`` . - *Partial ARN* - ``123456789012:function:my-function`` . The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
+        :param target_function_arn: The name of the Lambda function. **Name formats** - *Function name* - ``my-function`` . - *Function ARN* - ``lambda: : :function:my-function`` . - *Partial ARN* - ``:function:my-function`` . The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
         :param cors: The `Cross-Origin Resource Sharing (CORS) <https://docs.aws.amazon.com/https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`_ settings for your function URL.
         :param invoke_mode: Use one of the following options:. - ``BUFFERED`` – This is the default option. Lambda invokes your function using the ``Invoke`` API operation. Invocation results are available when the payload is complete. The maximum payload size is 6 MB. - ``RESPONSE_STREAM`` – Your function streams payload results as they become available. Lambda invokes your function using the ``InvokeWithResponseStream`` API operation. The maximum response payload size is 20 MB, however, you can `request a quota increase <https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html>`_ .
         :param qualifier: The alias name.
@@ -9960,8 +9985,8 @@ class CfnUrlProps:
 
         **Name formats** - *Function name* - ``my-function`` .
 
-        - *Function ARN* - ``arn:aws:lambda:us-west-2:123456789012:function:my-function`` .
-        - *Partial ARN* - ``123456789012:function:my-function`` .
+        - *Function ARN* - ``lambda:  :  :function:my-function`` .
+        - *Partial ARN* - ``:function:my-function`` .
 
         The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
 
@@ -14120,6 +14145,7 @@ class FunctionAttributes:
         "on_success": "onSuccess",
         "retry_attempts": "retryAttempts",
         "adot_instrumentation": "adotInstrumentation",
+        "allow_all_ipv6_outbound": "allowAllIpv6Outbound",
         "allow_all_outbound": "allowAllOutbound",
         "allow_public_subnet": "allowPublicSubnet",
         "application_log_level": "applicationLogLevel",
@@ -14174,6 +14200,7 @@ class FunctionOptions(EventInvokeConfigOptions):
         on_success: typing.Optional["IDestination"] = None,
         retry_attempts: typing.Optional[jsii.Number] = None,
         adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -14225,7 +14252,8 @@ class FunctionOptions(EventInvokeConfigOptions):
         :param on_success: The destination for successful invocations. Default: - no destination
         :param retry_attempts: The maximum number of times to retry when the function returns an error. Minimum: 0 Maximum: 2 Default: 2
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -14314,6 +14342,7 @@ class FunctionOptions(EventInvokeConfigOptions):
                     exec_wrapper=lambda_.AdotLambdaExecWrapper.REGULAR_HANDLER,
                     layer_version=adot_layer_version
                 ),
+                allow_all_ipv6_outbound=False,
                 allow_all_outbound=False,
                 allow_public_subnet=False,
                 application_log_level="applicationLogLevel",
@@ -14399,6 +14428,7 @@ class FunctionOptions(EventInvokeConfigOptions):
             check_type(argname="argument on_success", value=on_success, expected_type=type_hints["on_success"])
             check_type(argname="argument retry_attempts", value=retry_attempts, expected_type=type_hints["retry_attempts"])
             check_type(argname="argument adot_instrumentation", value=adot_instrumentation, expected_type=type_hints["adot_instrumentation"])
+            check_type(argname="argument allow_all_ipv6_outbound", value=allow_all_ipv6_outbound, expected_type=type_hints["allow_all_ipv6_outbound"])
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
             check_type(argname="argument allow_public_subnet", value=allow_public_subnet, expected_type=type_hints["allow_public_subnet"])
             check_type(argname="argument application_log_level", value=application_log_level, expected_type=type_hints["application_log_level"])
@@ -14453,6 +14483,8 @@ class FunctionOptions(EventInvokeConfigOptions):
             self._values["retry_attempts"] = retry_attempts
         if adot_instrumentation is not None:
             self._values["adot_instrumentation"] = adot_instrumentation
+        if allow_all_ipv6_outbound is not None:
+            self._values["allow_all_ipv6_outbound"] = allow_all_ipv6_outbound
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
         if allow_public_subnet is not None:
@@ -14593,9 +14625,25 @@ class FunctionOptions(EventInvokeConfigOptions):
         result = self._values.get("adot_instrumentation")
         return typing.cast(typing.Optional[AdotInstrumentationConfig], result)
 
+    @builtins.property
+    def allow_all_ipv6_outbound(self) -> typing.Optional[builtins.bool]:
+        '''Whether to allow the Lambda to send all ipv6 network traffic.
+
+        If set to true, there will only be a single egress rule which allows all
+        outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the
+        Lambda to connect to network targets using ipv6.
+
+        Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set.
+        Instead, configure ``allowAllIpv6Outbound`` directly on the security group.
+
+        :default: false
+        '''
+        result = self._values.get("allow_all_ipv6_outbound")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def allow_all_outbound(self) -> typing.Optional[builtins.bool]:
-        '''Whether to allow the Lambda to send all network traffic.
+        '''Whether to allow the Lambda to send all network traffic (except ipv6).
 
         If set to false, you must individually add traffic rules to allow the
         Lambda to connect to network targets.
@@ -15135,6 +15183,7 @@ class FunctionOptions(EventInvokeConfigOptions):
         "on_success": "onSuccess",
         "retry_attempts": "retryAttempts",
         "adot_instrumentation": "adotInstrumentation",
+        "allow_all_ipv6_outbound": "allowAllIpv6Outbound",
         "allow_all_outbound": "allowAllOutbound",
         "allow_public_subnet": "allowPublicSubnet",
         "application_log_level": "applicationLogLevel",
@@ -15192,6 +15241,7 @@ class FunctionProps(FunctionOptions):
         on_success: typing.Optional["IDestination"] = None,
         retry_attempts: typing.Optional[jsii.Number] = None,
         adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -15245,7 +15295,8 @@ class FunctionProps(FunctionOptions):
         :param on_success: The destination for successful invocations. Default: - no destination
         :param retry_attempts: The maximum number of times to retry when the function returns an error. Minimum: 0 Maximum: 2 Default: 2
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -15334,6 +15385,7 @@ class FunctionProps(FunctionOptions):
             check_type(argname="argument on_success", value=on_success, expected_type=type_hints["on_success"])
             check_type(argname="argument retry_attempts", value=retry_attempts, expected_type=type_hints["retry_attempts"])
             check_type(argname="argument adot_instrumentation", value=adot_instrumentation, expected_type=type_hints["adot_instrumentation"])
+            check_type(argname="argument allow_all_ipv6_outbound", value=allow_all_ipv6_outbound, expected_type=type_hints["allow_all_ipv6_outbound"])
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
             check_type(argname="argument allow_public_subnet", value=allow_public_subnet, expected_type=type_hints["allow_public_subnet"])
             check_type(argname="argument application_log_level", value=application_log_level, expected_type=type_hints["application_log_level"])
@@ -15395,6 +15447,8 @@ class FunctionProps(FunctionOptions):
             self._values["retry_attempts"] = retry_attempts
         if adot_instrumentation is not None:
             self._values["adot_instrumentation"] = adot_instrumentation
+        if allow_all_ipv6_outbound is not None:
+            self._values["allow_all_ipv6_outbound"] = allow_all_ipv6_outbound
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
         if allow_public_subnet is not None:
@@ -15535,9 +15589,25 @@ class FunctionProps(FunctionOptions):
         result = self._values.get("adot_instrumentation")
         return typing.cast(typing.Optional[AdotInstrumentationConfig], result)
 
+    @builtins.property
+    def allow_all_ipv6_outbound(self) -> typing.Optional[builtins.bool]:
+        '''Whether to allow the Lambda to send all ipv6 network traffic.
+
+        If set to true, there will only be a single egress rule which allows all
+        outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the
+        Lambda to connect to network targets using ipv6.
+
+        Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set.
+        Instead, configure ``allowAllIpv6Outbound`` directly on the security group.
+
+        :default: false
+        '''
+        result = self._values.get("allow_all_ipv6_outbound")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def allow_all_outbound(self) -> typing.Optional[builtins.bool]:
-        '''Whether to allow the Lambda to send all network traffic.
+        '''Whether to allow the Lambda to send all network traffic (except ipv6).
 
         If set to false, you must individually add traffic rules to allow the
         Lambda to connect to network targets.
@@ -20587,6 +20657,7 @@ class S3Code(Code, metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_lambda.S3
         "on_success": "onSuccess",
         "retry_attempts": "retryAttempts",
         "adot_instrumentation": "adotInstrumentation",
+        "allow_all_ipv6_outbound": "allowAllIpv6Outbound",
         "allow_all_outbound": "allowAllOutbound",
         "allow_public_subnet": "allowPublicSubnet",
         "application_log_level": "applicationLogLevel",
@@ -20646,6 +20717,7 @@ class SingletonFunctionProps(FunctionProps):
         on_success: typing.Optional[IDestination] = None,
         retry_attempts: typing.Optional[jsii.Number] = None,
         adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -20702,7 +20774,8 @@ class SingletonFunctionProps(FunctionProps):
         :param on_success: The destination for successful invocations. Default: - no destination
         :param retry_attempts: The maximum number of times to retry when the function returns an error. Minimum: 0 Maximum: 2 Default: 2
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -20776,6 +20849,7 @@ class SingletonFunctionProps(FunctionProps):
             check_type(argname="argument on_success", value=on_success, expected_type=type_hints["on_success"])
             check_type(argname="argument retry_attempts", value=retry_attempts, expected_type=type_hints["retry_attempts"])
             check_type(argname="argument adot_instrumentation", value=adot_instrumentation, expected_type=type_hints["adot_instrumentation"])
+            check_type(argname="argument allow_all_ipv6_outbound", value=allow_all_ipv6_outbound, expected_type=type_hints["allow_all_ipv6_outbound"])
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
             check_type(argname="argument allow_public_subnet", value=allow_public_subnet, expected_type=type_hints["allow_public_subnet"])
             check_type(argname="argument application_log_level", value=application_log_level, expected_type=type_hints["application_log_level"])
@@ -20840,6 +20914,8 @@ class SingletonFunctionProps(FunctionProps):
             self._values["retry_attempts"] = retry_attempts
         if adot_instrumentation is not None:
             self._values["adot_instrumentation"] = adot_instrumentation
+        if allow_all_ipv6_outbound is not None:
+            self._values["allow_all_ipv6_outbound"] = allow_all_ipv6_outbound
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
         if allow_public_subnet is not None:
@@ -20982,9 +21058,25 @@ class SingletonFunctionProps(FunctionProps):
         result = self._values.get("adot_instrumentation")
         return typing.cast(typing.Optional[AdotInstrumentationConfig], result)
 
+    @builtins.property
+    def allow_all_ipv6_outbound(self) -> typing.Optional[builtins.bool]:
+        '''Whether to allow the Lambda to send all ipv6 network traffic.
+
+        If set to true, there will only be a single egress rule which allows all
+        outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the
+        Lambda to connect to network targets using ipv6.
+
+        Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set.
+        Instead, configure ``allowAllIpv6Outbound`` directly on the security group.
+
+        :default: false
+        '''
+        result = self._values.get("allow_all_ipv6_outbound")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def allow_all_outbound(self) -> typing.Optional[builtins.bool]:
-        '''Whether to allow the Lambda to send all network traffic.
+        '''Whether to allow the Lambda to send all network traffic (except ipv6).
 
         If set to false, you must individually add traffic rules to allow the
         Lambda to connect to network targets.
@@ -23527,6 +23619,7 @@ class CodeSigningConfig(
         "on_success": "onSuccess",
         "retry_attempts": "retryAttempts",
         "adot_instrumentation": "adotInstrumentation",
+        "allow_all_ipv6_outbound": "allowAllIpv6Outbound",
         "allow_all_outbound": "allowAllOutbound",
         "allow_public_subnet": "allowPublicSubnet",
         "application_log_level": "applicationLogLevel",
@@ -23582,6 +23675,7 @@ class DockerImageFunctionProps(FunctionOptions):
         on_success: typing.Optional[IDestination] = None,
         retry_attempts: typing.Optional[jsii.Number] = None,
         adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -23634,7 +23728,8 @@ class DockerImageFunctionProps(FunctionOptions):
         :param on_success: The destination for successful invocations. Default: - no destination
         :param retry_attempts: The maximum number of times to retry when the function returns an error. Minimum: 0 Maximum: 2 Default: 2
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -23702,6 +23797,7 @@ class DockerImageFunctionProps(FunctionOptions):
             check_type(argname="argument on_success", value=on_success, expected_type=type_hints["on_success"])
             check_type(argname="argument retry_attempts", value=retry_attempts, expected_type=type_hints["retry_attempts"])
             check_type(argname="argument adot_instrumentation", value=adot_instrumentation, expected_type=type_hints["adot_instrumentation"])
+            check_type(argname="argument allow_all_ipv6_outbound", value=allow_all_ipv6_outbound, expected_type=type_hints["allow_all_ipv6_outbound"])
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
             check_type(argname="argument allow_public_subnet", value=allow_public_subnet, expected_type=type_hints["allow_public_subnet"])
             check_type(argname="argument application_log_level", value=application_log_level, expected_type=type_hints["application_log_level"])
@@ -23759,6 +23855,8 @@ class DockerImageFunctionProps(FunctionOptions):
             self._values["retry_attempts"] = retry_attempts
         if adot_instrumentation is not None:
             self._values["adot_instrumentation"] = adot_instrumentation
+        if allow_all_ipv6_outbound is not None:
+            self._values["allow_all_ipv6_outbound"] = allow_all_ipv6_outbound
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
         if allow_public_subnet is not None:
@@ -23899,9 +23997,25 @@ class DockerImageFunctionProps(FunctionOptions):
         result = self._values.get("adot_instrumentation")
         return typing.cast(typing.Optional[AdotInstrumentationConfig], result)
 
+    @builtins.property
+    def allow_all_ipv6_outbound(self) -> typing.Optional[builtins.bool]:
+        '''Whether to allow the Lambda to send all ipv6 network traffic.
+
+        If set to true, there will only be a single egress rule which allows all
+        outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the
+        Lambda to connect to network targets using ipv6.
+
+        Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set.
+        Instead, configure ``allowAllIpv6Outbound`` directly on the security group.
+
+        :default: false
+        '''
+        result = self._values.get("allow_all_ipv6_outbound")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def allow_all_outbound(self) -> typing.Optional[builtins.bool]:
-        '''Whether to allow the Lambda to send all network traffic.
+        '''Whether to allow the Lambda to send all network traffic (except ipv6).
 
         If set to false, you must individually add traffic rules to allow the
         Lambda to connect to network targets.
@@ -25637,6 +25751,7 @@ class SingletonFunction(
         handler: builtins.str,
         runtime: Runtime,
         adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -25694,7 +25809,8 @@ class SingletonFunction(
         :param handler: The name of the method within your code that Lambda calls to execute your function. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/foundation-progmodel.html. Use ``Handler.FROM_IMAGE`` when defining a function from a Docker image. NOTE: If you specify your source code as inline text by specifying the ZipFile property within the Code property, specify index.function_name as the handler.
         :param runtime: The runtime environment for the Lambda function that you are uploading. For valid values, see the Runtime property in the AWS Lambda Developer Guide. Use ``Runtime.FROM_IMAGE`` when defining a function from a Docker image.
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -25753,6 +25869,7 @@ class SingletonFunction(
             handler=handler,
             runtime=runtime,
             adot_instrumentation=adot_instrumentation,
+            allow_all_ipv6_outbound=allow_all_ipv6_outbound,
             allow_all_outbound=allow_all_outbound,
             allow_public_subnet=allow_public_subnet,
             application_log_level=application_log_level,
@@ -26626,6 +26743,7 @@ class Function(
         handler: builtins.str,
         runtime: Runtime,
         adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -26681,7 +26799,8 @@ class Function(
         :param handler: The name of the method within your code that Lambda calls to execute your function. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/foundation-progmodel.html. Use ``Handler.FROM_IMAGE`` when defining a function from a Docker image. NOTE: If you specify your source code as inline text by specifying the ZipFile property within the Code property, specify index.function_name as the handler.
         :param runtime: The runtime environment for the Lambda function that you are uploading. For valid values, see the Runtime property in the AWS Lambda Developer Guide. Use ``Runtime.FROM_IMAGE`` when defining a function from a Docker image.
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -26738,6 +26857,7 @@ class Function(
             handler=handler,
             runtime=runtime,
             adot_instrumentation=adot_instrumentation,
+            allow_all_ipv6_outbound=allow_all_ipv6_outbound,
             allow_all_outbound=allow_all_outbound,
             allow_public_subnet=allow_public_subnet,
             application_log_level=application_log_level,
@@ -27421,6 +27541,7 @@ class DockerImageFunction(
         *,
         code: DockerImageCode,
         adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -27474,7 +27595,8 @@ class DockerImageFunction(
         :param id: -
         :param code: The source code of your Lambda function. You can point to a file in an Amazon Simple Storage Service (Amazon S3) bucket or specify your source code as inline text.
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -27529,6 +27651,7 @@ class DockerImageFunction(
         props = DockerImageFunctionProps(
             code=code,
             adot_instrumentation=adot_instrumentation,
+            allow_all_ipv6_outbound=allow_all_ipv6_outbound,
             allow_all_outbound=allow_all_outbound,
             allow_public_subnet=allow_public_subnet,
             application_log_level=application_log_level,
@@ -29557,6 +29680,7 @@ def _typecheckingstub__59918bb957d892739733c7a5849db990615fe5329709ad7ba703e0ee4
     on_success: typing.Optional[IDestination] = None,
     retry_attempts: typing.Optional[jsii.Number] = None,
     adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,
@@ -29611,6 +29735,7 @@ def _typecheckingstub__94e70d11aa3c53737d418dbb9983973dfc06dbdef5c8cc30613cc3c6d
     on_success: typing.Optional[IDestination] = None,
     retry_attempts: typing.Optional[jsii.Number] = None,
     adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,
@@ -30109,6 +30234,7 @@ def _typecheckingstub__68a03ec9f866a29c77aabcf8328c63a49511790fa9714874f255b3292
     on_success: typing.Optional[IDestination] = None,
     retry_attempts: typing.Optional[jsii.Number] = None,
     adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,
@@ -30361,6 +30487,7 @@ def _typecheckingstub__04dd97f4b18c00e7ee0981f2428664401ae0b75dbda6102ea3ef53d08
     on_success: typing.Optional[IDestination] = None,
     retry_attempts: typing.Optional[jsii.Number] = None,
     adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,
@@ -30620,6 +30747,7 @@ def _typecheckingstub__e7b766bff13bb7266787cec9bebb600187e19c1672e530bb9cfa31649
     handler: builtins.str,
     runtime: Runtime,
     adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,
@@ -30837,6 +30965,7 @@ def _typecheckingstub__724895b6b59aaf2b678ef25f2beca19fb114fc04ff6b37edef28e12b3
     handler: builtins.str,
     runtime: Runtime,
     adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,
@@ -30981,6 +31110,7 @@ def _typecheckingstub__368a49fe1f866c7ea7986c57b6f8488d0fddea8f62bf05ec1ed7eb09b
     *,
     code: DockerImageCode,
     adot_instrumentation: typing.Optional[typing.Union[AdotInstrumentationConfig, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,

aws_cdk/aws_lambda_nodejs/__init__.py

@@ -1556,6 +1556,7 @@ class NodejsFunction(
         project_root: typing.Optional[builtins.str] = None,
         runtime: typing.Optional[_Runtime_b4eaa844] = None,
         adot_instrumentation: typing.Optional[typing.Union[_AdotInstrumentationConfig_7c38d65d, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -1616,7 +1617,8 @@ class NodejsFunction(
         :param project_root: The path to the directory containing project config files (``package.json`` or ``tsconfig.json``). Default: - the directory containing the ``depsLockFilePath``
         :param runtime: The runtime environment. Only runtimes of the Node.js family are supported. Default: ``Runtime.NODEJS_LATEST`` if the ``@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion`` feature flag is enabled, otherwise ``Runtime.NODEJS_16_X``
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -1678,6 +1680,7 @@ class NodejsFunction(
             project_root=project_root,
             runtime=runtime,
             adot_instrumentation=adot_instrumentation,
+            allow_all_ipv6_outbound=allow_all_ipv6_outbound,
             allow_all_outbound=allow_all_outbound,
             allow_public_subnet=allow_public_subnet,
             application_log_level=application_log_level,
@@ -1739,6 +1742,7 @@ class NodejsFunction(
         "on_success": "onSuccess",
         "retry_attempts": "retryAttempts",
         "adot_instrumentation": "adotInstrumentation",
+        "allow_all_ipv6_outbound": "allowAllIpv6Outbound",
         "allow_all_outbound": "allowAllOutbound",
         "allow_public_subnet": "allowPublicSubnet",
         "application_log_level": "applicationLogLevel",
@@ -1801,6 +1805,7 @@ class NodejsFunctionProps(_FunctionOptions_328f4d39):
         on_success: typing.Optional[_IDestination_40f19de4] = None,
         retry_attempts: typing.Optional[jsii.Number] = None,
         adot_instrumentation: typing.Optional[typing.Union[_AdotInstrumentationConfig_7c38d65d, typing.Dict[builtins.str, typing.Any]]] = None,
+        allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
         allow_all_outbound: typing.Optional[builtins.bool] = None,
         allow_public_subnet: typing.Optional[builtins.bool] = None,
         application_log_level: typing.Optional[builtins.str] = None,
@@ -1860,7 +1865,8 @@ class NodejsFunctionProps(_FunctionOptions_328f4d39):
         :param on_success: The destination for successful invocations. Default: - no destination
         :param retry_attempts: The maximum number of times to retry when the function returns an error. Minimum: 0 Maximum: 2 Default: 2
         :param adot_instrumentation: Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation. Default: - No ADOT instrumentation
-        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
+        :param allow_all_ipv6_outbound: Whether to allow the Lambda to send all ipv6 network traffic. If set to true, there will only be a single egress rule which allows all outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets using ipv6. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllIpv6Outbound`` directly on the security group. Default: false
+        :param allow_all_outbound: Whether to allow the Lambda to send all network traffic (except ipv6). If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets. Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set. Instead, configure ``allowAllOutbound`` directly on the security group. Default: true
         :param allow_public_subnet: Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet. Default: false
         :param application_log_level: (deprecated) Sets the application log level for the function. Default: "INFO"
         :param application_log_level_v2: Sets the application log level for the function. Default: ApplicationLogLevel.INFO
@@ -1943,6 +1949,7 @@ class NodejsFunctionProps(_FunctionOptions_328f4d39):
             check_type(argname="argument on_success", value=on_success, expected_type=type_hints["on_success"])
             check_type(argname="argument retry_attempts", value=retry_attempts, expected_type=type_hints["retry_attempts"])
             check_type(argname="argument adot_instrumentation", value=adot_instrumentation, expected_type=type_hints["adot_instrumentation"])
+            check_type(argname="argument allow_all_ipv6_outbound", value=allow_all_ipv6_outbound, expected_type=type_hints["allow_all_ipv6_outbound"])
             check_type(argname="argument allow_all_outbound", value=allow_all_outbound, expected_type=type_hints["allow_all_outbound"])
             check_type(argname="argument allow_public_subnet", value=allow_public_subnet, expected_type=type_hints["allow_public_subnet"])
             check_type(argname="argument application_log_level", value=application_log_level, expected_type=type_hints["application_log_level"])
@@ -2005,6 +2012,8 @@ class NodejsFunctionProps(_FunctionOptions_328f4d39):
             self._values["retry_attempts"] = retry_attempts
         if adot_instrumentation is not None:
             self._values["adot_instrumentation"] = adot_instrumentation
+        if allow_all_ipv6_outbound is not None:
+            self._values["allow_all_ipv6_outbound"] = allow_all_ipv6_outbound
         if allow_all_outbound is not None:
             self._values["allow_all_outbound"] = allow_all_outbound
         if allow_public_subnet is not None:
@@ -2163,9 +2172,25 @@ class NodejsFunctionProps(_FunctionOptions_328f4d39):
         result = self._values.get("adot_instrumentation")
         return typing.cast(typing.Optional[_AdotInstrumentationConfig_7c38d65d], result)
 
+    @builtins.property
+    def allow_all_ipv6_outbound(self) -> typing.Optional[builtins.bool]:
+        '''Whether to allow the Lambda to send all ipv6 network traffic.
+
+        If set to true, there will only be a single egress rule which allows all
+        outbound ipv6 traffic. If set to false, you must individually add traffic rules to allow the
+        Lambda to connect to network targets using ipv6.
+
+        Do not specify this property if the ``securityGroups`` or ``securityGroup`` property is set.
+        Instead, configure ``allowAllIpv6Outbound`` directly on the security group.
+
+        :default: false
+        '''
+        result = self._values.get("allow_all_ipv6_outbound")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def allow_all_outbound(self) -> typing.Optional[builtins.bool]:
-        '''Whether to allow the Lambda to send all network traffic.
+        '''Whether to allow the Lambda to send all network traffic (except ipv6).
 
         If set to false, you must individually add traffic rules to allow the
         Lambda to connect to network targets.
@@ -3006,6 +3031,7 @@ def _typecheckingstub__ece177829b26ef102d4080d730f168e29d7d310d1518738839cd3fc82
     project_root: typing.Optional[builtins.str] = None,
     runtime: typing.Optional[_Runtime_b4eaa844] = None,
     adot_instrumentation: typing.Optional[typing.Union[_AdotInstrumentationConfig_7c38d65d, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,
@@ -3064,6 +3090,7 @@ def _typecheckingstub__2da45b394f0332be0f6d6b7468d9fb54961953d56265da69955d36ffa
     on_success: typing.Optional[_IDestination_40f19de4] = None,
     retry_attempts: typing.Optional[jsii.Number] = None,
     adot_instrumentation: typing.Optional[typing.Union[_AdotInstrumentationConfig_7c38d65d, typing.Dict[builtins.str, typing.Any]]] = None,
+    allow_all_ipv6_outbound: typing.Optional[builtins.bool] = None,
     allow_all_outbound: typing.Optional[builtins.bool] = None,
     allow_public_subnet: typing.Optional[builtins.bool] = None,
     application_log_level: typing.Optional[builtins.str] = None,