npm - @intentius/chant-lexicon-aws - Versions diffs - 0.0.5 → 0.0.8 - Mend

@intentius/chant-lexicon-aws 0.0.5 → 0.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/README.md +9 -425
package/dist/integrity.json +7 -7
package/dist/manifest.json +1 -1
package/dist/meta.json +3767 -3706
package/dist/rules/ext001.ts +2 -4
package/dist/rules/s3-encryption.ts +2 -3
package/dist/skills/chant-aws.md +72 -0
package/dist/types/index.d.ts +57174 -57070
package/package.json +2 -2
package/src/codegen/__snapshots__/snapshot.test.ts.snap +18 -18
package/src/codegen/docs.ts +104 -349
package/src/codegen/generate.ts +2 -14
package/src/codegen/package.ts +2 -0
package/src/codegen/sam.ts +11 -11
package/src/codegen/typecheck.test.ts +1 -1
package/src/generated/index.d.ts +57174 -57070
package/src/generated/index.ts +1356 -1351
package/src/generated/lexicon-aws.json +3767 -3706
package/src/import/generator.test.ts +5 -5
package/src/import/generator.ts +4 -4
package/src/import/roundtrip-fixtures.test.ts +8 -28
package/src/import/roundtrip.test.ts +5 -5
package/src/integration.test.ts +21 -21
package/src/lint/post-synth/ext001.ts +2 -4
package/src/lint/rules/rules.test.ts +8 -8
package/src/lint/rules/s3-encryption.ts +2 -3
package/src/lsp/completions.ts +2 -0
package/src/lsp/hover.ts +2 -0
package/src/nested-stack.ts +1 -1
package/src/plugin.test.ts +13 -15
package/src/plugin.ts +126 -149
package/src/serializer.test.ts +42 -43
package/src/serializer.ts +7 -16
package/src/spec/parse.ts +2 -2
package/dist/skills/aws-cloudformation.md +0 -41
package/src/codegen/rollback.test.ts +0 -80
package/src/codegen/rollback.ts +0 -20

package/src/plugin.ts CHANGED Viewed

@@ -1,4 +1,6 @@
+import { createRequire } from "module";
 import type { LexiconPlugin, IntrinsicDef, SkillDefinition } from "@intentius/chant/lexicon";
+const require = createRequire(import.meta.url);
 import type { LintRule } from "@intentius/chant/lint/rule";
 import type { PostSynthCheck } from "@intentius/chant/lint/post-synth";
 import type { TemplateParser } from "@intentius/chant/import/parser";
@@ -54,68 +56,67 @@ export const awsPlugin: LexiconPlugin = {
   initTemplates(): Record<string, string> {
     return {
-      "_.ts": `export * from "./config";\n`,
       "config.ts": `/**
  * Shared bucket configuration — encryption, versioning, public access
  */
-import * as aws from "@intentius/chant-lexicon-aws";
+import { ServerSideEncryptionByDefault, ServerSideEncryptionRule, BucketEncryption, PublicAccessBlockConfiguration, VersioningConfiguration } from "@intentius/chant-lexicon-aws";
 // Encryption default — AES256 server-side encryption
-export const encryptionDefault = new aws.ServerSideEncryptionByDefault({
-  sseAlgorithm: "AES256",
+export const encryptionDefault = new ServerSideEncryptionByDefault({
+  SSEAlgorithm: "AES256",
 });
 // Encryption rule wrapping the default
-export const encryptionRule = new aws.ServerSideEncryptionRule({
-  serverSideEncryptionByDefault: encryptionDefault,
+export const encryptionRule = new ServerSideEncryptionRule({
+  ServerSideEncryptionByDefault: encryptionDefault,
 });
 // Bucket encryption configuration
-export const bucketEncryption = new aws.BucketEncryption({
-  serverSideEncryptionConfiguration: [encryptionRule],
+export const bucketEncryption = new BucketEncryption({
+  ServerSideEncryptionConfiguration: [encryptionRule],
 });
 // Public access block — deny all public access
-export const publicAccessBlock = new aws.PublicAccessBlockConfiguration({
-  blockPublicAcls: true,
-  blockPublicPolicy: true,
-  ignorePublicAcls: true,
-  restrictPublicBuckets: true,
+export const publicAccessBlock = new PublicAccessBlockConfiguration({
+  BlockPublicAcls: true,
+  BlockPublicPolicy: true,
+  IgnorePublicAcls: true,
+  RestrictPublicBuckets: true,
 });
 // Versioning — enabled
-export const versioningEnabled = new aws.VersioningConfiguration({
-  status: "Enabled",
+export const versioningEnabled = new VersioningConfiguration({
+  Status: "Enabled",
 });
 `,
       "data-bucket.ts": `/**
  * Data bucket — primary storage with encryption and versioning
  */
-import * as aws from "@intentius/chant-lexicon-aws";
-import * as _ from "./_";
+import { Bucket, Sub, AWS } from "@intentius/chant-lexicon-aws";
+import { versioningEnabled, bucketEncryption, publicAccessBlock } from "./config";
-export const dataBucket = new aws.Bucket({
-  bucketName: aws.Sub\`\${aws.AWS.StackName}-data\`,
-  versioningConfiguration: _.versioningEnabled,
-  bucketEncryption: _.bucketEncryption,
-  publicAccessBlockConfiguration: _.publicAccessBlock,
+export const dataBucket = new Bucket({
+  BucketName: Sub\`\${AWS.StackName}-\${AWS.AccountId}-data\`,
+  VersioningConfiguration: versioningEnabled,
+  BucketEncryption: bucketEncryption,
+  PublicAccessBlockConfiguration: publicAccessBlock,
 });
 `,
       "logs-bucket.ts": `/**
  * Logs bucket — log delivery with encryption and versioning
  */
-import * as aws from "@intentius/chant-lexicon-aws";
-import * as _ from "./_";
+import { Bucket, Sub, AWS } from "@intentius/chant-lexicon-aws";
+import { versioningEnabled, bucketEncryption, publicAccessBlock } from "./config";
-export const logsBucket = new aws.Bucket({
-  bucketName: aws.Sub\`\${aws.AWS.StackName}-logs\`,
-  accessControl: "LogDeliveryWrite",
-  versioningConfiguration: _.versioningEnabled,
-  bucketEncryption: _.bucketEncryption,
-  publicAccessBlockConfiguration: _.publicAccessBlock,
+export const logsBucket = new Bucket({
+  BucketName: Sub\`\${AWS.StackName}-\${AWS.AccountId}-logs\`,
+  AccessControl: "LogDeliveryWrite",
+  VersioningConfiguration: versioningEnabled,
+  BucketEncryption: bucketEncryption,
+  PublicAccessBlockConfiguration: publicAccessBlock,
 });
 `,
     };
@@ -185,18 +186,9 @@ export const logsBucket = new aws.Bucket({
   async validate(options?: { verbose?: boolean }): Promise<void> {
     const { validate } = await import("./validate");
+    const { printValidationResult } = await import("@intentius/chant/codegen/validate");
     const result = await validate();
-    for (const check of result.checks) {
-      const status = check.ok ? "OK" : "FAIL";
-      const msg = check.error ? ` — ${check.error}` : "";
-      console.error(`  [${status}] ${check.name}${msg}`);
-    }
-    if (!result.success) {
-      throw new Error("Validation failed");
-    }
-    console.error("All validation checks passed.");
+    printValidationResult(result);
   },
   async coverage(options?: { verbose?: boolean; minOverall?: number }): Promise<void> {
@@ -227,75 +219,29 @@ export const logsBucket = new aws.Bucket({
   async package(options?: { verbose?: boolean; force?: boolean }): Promise<void> {
     const { packageLexicon } = await import("./codegen/package");
-    const { writeFileSync, mkdirSync } = await import("fs");
+    const { writeBundleSpec } = await import("@intentius/chant/codegen/package");
     const { join, dirname } = await import("path");
     const { fileURLToPath } = await import("url");
     const { spec, stats } = await packageLexicon({ verbose: options?.verbose, force: options?.force });
-    // Write manifest and artifacts to dist/
     const pkgDir = dirname(dirname(fileURLToPath(import.meta.url)));
     const distDir = join(pkgDir, "dist");
-    mkdirSync(join(distDir, "types"), { recursive: true });
-    mkdirSync(join(distDir, "rules"), { recursive: true });
-    mkdirSync(join(distDir, "skills"), { recursive: true });
-    writeFileSync(join(distDir, "manifest.json"), JSON.stringify(spec.manifest, null, 2));
-    writeFileSync(join(distDir, "meta.json"), spec.registry);
-    writeFileSync(join(distDir, "types", "index.d.ts"), spec.typesDTS);
-    for (const [name, content] of spec.rules) {
-      writeFileSync(join(distDir, "rules", name), content);
-    }
-    for (const [name, content] of spec.skills) {
-      writeFileSync(join(distDir, "skills", name), content);
-    }
-    // Write integrity.json if available
-    if (spec.integrity) {
-      writeFileSync(join(distDir, "integrity.json"), JSON.stringify(spec.integrity, null, 2));
-    }
+    writeBundleSpec(spec, distDir);
     console.error(`Packaged ${stats.resources} resources, ${stats.ruleCount} rules, ${stats.skillCount} skills`);
-    // Produce .tgz via bun pm pack
-    const packProc = Bun.spawn(["bun", "pm", "pack"], {
-      cwd: pkgDir,
-      stdout: "pipe",
-      stderr: "pipe",
-    });
-    const packOut = await new Response(packProc.stdout).text();
-    const packErr = await new Response(packProc.stderr).text();
-    const packExit = await packProc.exited;
+    // Produce .tgz via pack command
+    const { getRuntime } = await import("@intentius/chant/runtime-adapter");
+    const rt = getRuntime();
+    const { stdout: packOut, stderr: packErr, exitCode: packExit } = await rt.spawn(
+      rt.commands.packCmd,
+      { cwd: pkgDir },
+    );
     if (packExit === 0) {
       console.error(`Tarball: ${packOut.trim()}`);
     } else {
-      console.error(`bun pm pack failed: ${packErr}`);
-    }
-  },
-  async rollback(options?: { restore?: string; verbose?: boolean }): Promise<void> {
-    const { listSnapshots, restoreSnapshot } = await import("./codegen/rollback");
-    const { join, dirname } = await import("path");
-    const { fileURLToPath } = await import("url");
-    const pkgDir = dirname(dirname(fileURLToPath(import.meta.url)));
-    const snapshotsDir = join(pkgDir, ".snapshots");
-    if (options?.restore) {
-      const generatedDir = join(pkgDir, "src", "generated");
-      restoreSnapshot(String(options.restore), generatedDir);
-      console.error(`Restored snapshot: ${options.restore}`);
-    } else {
-      const snapshots = listSnapshots(snapshotsDir);
-      if (snapshots.length === 0) {
-        console.error("No snapshots available.");
-      } else {
-        console.error(`Available snapshots (${snapshots.length}):`);
-        for (const s of snapshots) {
-          console.error(`  ${s.timestamp}  ${s.resourceCount} resources  ${s.path}`);
-        }
-      }
+      console.error(`${rt.commands.packCmd.join(" ")} failed: ${packErr}`);
     }
   },
@@ -307,49 +253,80 @@ export const logsBucket = new aws.Bucket({
   skills(): SkillDefinition[] {
     return [
       {
-        name: "aws-cloudformation",
-        description: "AWS CloudFormation best practices and common patterns",
+        name: "chant-aws",
+        description: "AWS CloudFormation template management — workflows, patterns, and troubleshooting",
         content: `---
-name: aws-cloudformation
-description: AWS CloudFormation best practices and common patterns
+skill: chant-aws
+description: Build, validate, and deploy CloudFormation templates from a chant project
+user-invocable: true
 ---
-# AWS CloudFormation with Chant
+# Deploying CloudFormation from Chant
+This project defines CloudFormation resources as TypeScript in \`src/\`. Use these steps to build, validate, and deploy.
+## Build the template
+\`\`\`bash
+chant build src/ --output stack.json
+\`\`\`
+## Validate before deploying
+\`\`\`bash
+chant lint src/
+aws cloudformation validate-template --template-body file://stack.json
+\`\`\`
+## Deploy a new stack
+\`\`\`bash
+aws cloudformation deploy \\
+  --template-file stack.json \\
+  --stack-name <stack-name> \\
+  --capabilities CAPABILITY_NAMED_IAM
+\`\`\`
+Add \`--parameter-overrides Key=Value\` if the template has parameters.
+## Update an existing stack
-## Common Resource Types
+1. Edit the TypeScript source
+2. Rebuild: \`chant build src/ --output stack.json\`
+3. Preview changes:
+   \`\`\`bash
+   aws cloudformation create-change-set \\
+     --stack-name <stack-name> \\
+     --template-body file://stack.json \\
+     --change-set-name update-$(date +%s) \\
+     --capabilities CAPABILITY_NAMED_IAM
+   aws cloudformation describe-change-set \\
+     --stack-name <stack-name> \\
+     --change-set-name update-<id>
+   \`\`\`
+4. Execute: \`aws cloudformation execute-change-set --stack-name <stack-name> --change-set-name update-<id>\`
-- \`AWS::S3::Bucket\` — Object storage
-- \`AWS::Lambda::Function\` — Serverless compute
-- \`AWS::DynamoDB::Table\` — NoSQL database
-- \`AWS::IAM::Role\` — Identity and access management
-- \`AWS::SNS::Topic\` — Pub/sub messaging
-- \`AWS::SQS::Queue\` — Message queue
-- \`AWS::EC2::SecurityGroup\` — Network firewall rules
+Or deploy directly: \`aws cloudformation deploy --template-file stack.json --stack-name <stack-name> --capabilities CAPABILITY_NAMED_IAM\`
-## Intrinsic Functions
+## Delete a stack
-- \`Sub\` — String interpolation with \`\${}\` syntax
-- \`Ref\` — Reference a resource or parameter
-- \`GetAtt\` — Get a resource attribute (e.g. ARN)
-- \`If\` — Conditional value based on a condition
-- \`Join\` — Join strings with a delimiter
-- \`Select\` — Pick an item from a list by index
+\`\`\`bash
+aws cloudformation delete-stack --stack-name <stack-name>
+aws cloudformation wait stack-delete-complete --stack-name <stack-name>
+\`\`\`
-## Pseudo Parameters
+## Check stack status
-- \`AWS::StackName\` — Name of the current stack
-- \`AWS::Region\` — Current deployment region
-- \`AWS::AccountId\` — Current AWS account ID
-- \`AWS::Partition\` — Partition (aws, aws-cn, aws-us-gov)
+\`\`\`bash
+aws cloudformation describe-stacks --stack-name <stack-name>
+aws cloudformation describe-stack-events --stack-name <stack-name> --max-items 10
+\`\`\`
-## Best Practices
+## Troubleshooting deploy failures
-1. **Always enable encryption** — Use \`BucketEncryption\` for S3, \`SSESpecification\` for DynamoDB
-2. **Block public access** — Set \`PublicAccessBlockConfiguration\` on all S3 buckets
-3. **Use least-privilege IAM** — Avoid \`*\` in IAM policy actions and resources
-4. **Enable versioning** — Turn on \`VersioningConfiguration\` for data buckets
-5. **Use Sub for dynamic names** — \`Sub\\\`\\\${AWS::StackName}-suffix\\\`\` for unique naming
-6. **Share config via barrel files** — Put common settings in \`_.ts\` and import as \`* as _\`
+- Check events: \`aws cloudformation describe-stack-events --stack-name <stack-name>\`
+- Rollback stuck: \`aws cloudformation continue-update-rollback --stack-name <stack-name>\`
+- Drift: \`aws cloudformation detect-stack-drift --stack-name <stack-name>\`
 `,
         triggers: [
           { type: "file-pattern", value: "**/*.aws.ts" },
@@ -453,31 +430,31 @@ description: AWS CloudFormation best practices and common patterns
         description: "AWS S3 bucket with versioning and encryption",
         mimeType: "text/typescript",
         async handler(): Promise<string> {
-          return `import * as aws from "@intentius/chant-lexicon-aws";
+          return `import { ServerSideEncryptionByDefault, ServerSideEncryptionRule, BucketEncryption, VersioningConfiguration, Bucket, Sub, AWS } from "@intentius/chant-lexicon-aws";
 // Encryption configuration
-export const encryptionDefault = new aws.ServerSideEncryptionByDefault({
-  sseAlgorithm: "AES256",
+export const encryptionDefault = new ServerSideEncryptionByDefault({
+  SSEAlgorithm: "AES256",
 });
-export const encryptionRule = new aws.ServerSideEncryptionRule({
-  serverSideEncryptionByDefault: encryptionDefault,
+export const encryptionRule = new ServerSideEncryptionRule({
+  ServerSideEncryptionByDefault: encryptionDefault,
 });
-export const bucketEncryption = new aws.BucketEncryption({
-  serverSideEncryptionConfiguration: [encryptionRule],
+export const bucketEncryption = new BucketEncryption({
+  ServerSideEncryptionConfiguration: [encryptionRule],
 });
 // Versioning
-export const versioningEnabled = new aws.VersioningConfiguration({
-  status: "Enabled",
+export const versioningEnabled = new VersioningConfiguration({
+  Status: "Enabled",
 });
-// Create a versioned bucket with encryption
-export const dataBucket = new aws.Bucket({
-  bucketName: aws.Sub\`\${aws.AWS.StackName}-data\`,
-  versioningConfiguration: versioningEnabled,
-  bucketEncryption: bucketEncryption,
+// Create a versioned bucket with encryption (AccountId ensures global uniqueness)
+export const dataBucket = new Bucket({
+  BucketName: Sub\`\${AWS.StackName}-\${AWS.AccountId}-data\`,
+  VersioningConfiguration: versioningEnabled,
+  BucketEncryption: bucketEncryption,
 });
 `;
         },
@@ -488,17 +465,17 @@ export const dataBucket = new aws.Bucket({
         description: "Using AttrRefs for cross-resource references",
         mimeType: "text/typescript",
         async handler(): Promise<string> {
-          return `import * as aws from "@intentius/chant-lexicon-aws";
+          return `import { Bucket, VersioningConfiguration, Role } from "@intentius/chant-lexicon-aws";
 // Create a bucket
-export const dataBucket = new aws.Bucket({
-  bucketName: "my-data-bucket",
-  versioningConfiguration: new aws.VersioningConfiguration({ status: "Enabled" }),
+export const dataBucket = new Bucket({
+  BucketName: "my-data-bucket",
+  VersioningConfiguration: new VersioningConfiguration({ Status: "Enabled" }),
 });
 // Create a role that references the bucket's ARN
-export const role = new aws.Role({
-  assumeRolePolicyDocument: {
+export const role = new Role({
+  AssumeRolePolicyDocument: {
     Version: "2012-10-17",
     Statement: [{
       Effect: "Allow",

package/src/serializer.test.ts CHANGED Viewed

@@ -18,9 +18,9 @@ class MockBucket implements Declarable {
   readonly lexicon = "aws";
   readonly entityType = "AWS::S3::Bucket";
   readonly arn: AttrRef;
-  readonly props: { bucketName?: string; versioningConfiguration?: { status: string } };
+  readonly props: { BucketName?: string; VersioningConfiguration?: { Status: string } };
-  constructor(props: { bucketName?: string; versioningConfiguration?: { status: string } } = {}) {
+  constructor(props: { BucketName?: string; VersioningConfiguration?: { Status: string } } = {}) {
     this.props = props;
     this.arn = new AttrRef(this, "Arn");
   }
@@ -57,7 +57,7 @@ describe("awsSerializer.serialize", () => {
   test("serializes resources", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "my-bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "my-bucket" }));
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -86,8 +86,8 @@ describe("awsSerializer.serialize", () => {
   test("serializes nested properties", () => {
     const entities = new Map<string, Declarable>();
     entities.set("MyBucket", new MockBucket({
-      bucketName: "my-bucket",
-      versioningConfiguration: { status: "Enabled" },
+      BucketName: "my-bucket",
+      VersioningConfiguration: { Status: "Enabled" },
     }));
     const output = awsSerializer.serialize(entities);
@@ -98,21 +98,20 @@ describe("awsSerializer.serialize", () => {
     });
   });
-  test("converts property names to PascalCase", () => {
+  test("passes through property names verbatim", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "test" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "test" }));
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
     expect(template.Resources.MyBucket.Properties.BucketName).toBeDefined();
-    expect(template.Resources.MyBucket.Properties.bucketName).toBeUndefined();
   });
   test("handles multiple resources", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("DataBucket", new MockBucket({ bucketName: "data-bucket" }));
-    entities.set("LogsBucket", new MockBucket({ bucketName: "logs-bucket" }));
+    entities.set("DataBucket", new MockBucket({ BucketName: "data-bucket" }));
+    entities.set("LogsBucket", new MockBucket({ BucketName: "logs-bucket" }));
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -125,7 +124,7 @@ describe("awsSerializer.serialize", () => {
   test("handles resources and parameters together", () => {
     const entities = new Map<string, Declarable>();
     entities.set("Env", new Parameter("String"));
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -154,9 +153,9 @@ class MockEncryption implements Declarable {
   readonly lexicon = "aws";
   readonly entityType = "AWS::S3::Bucket.BucketEncryption";
   readonly kind = "property" as const;
-  readonly props: { serverSideEncryptionConfiguration: unknown[] };
+  readonly props: { ServerSideEncryptionConfiguration: unknown[] };
-  constructor(props: { serverSideEncryptionConfiguration: unknown[] }) {
+  constructor(props: { ServerSideEncryptionConfiguration: unknown[] }) {
     this.props = props;
   }
 }
@@ -164,14 +163,14 @@ class MockEncryption implements Declarable {
 describe("property-kind Declarables", () => {
   test("property-kind Declarables are inlined into parent properties", () => {
     const encryption = new MockEncryption({
-      serverSideEncryptionConfiguration: [
-        { serverSideEncryptionByDefault: { sseAlgorithm: "AES256" } },
+      ServerSideEncryptionConfiguration: [
+        { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
       ],
     });
-    const bucket = new MockBucket({ bucketName: "my-bucket" });
+    const bucket = new MockBucket({ BucketName: "my-bucket" });
     // Manually set encryption as a prop
-    (bucket.props as Record<string, unknown>).encryption = encryption;
+    (bucket.props as Record<string, unknown>).BucketEncryption = encryption;
     const entities = new Map<string, Declarable>();
     entities.set("DataEncryption", encryption);
@@ -181,23 +180,23 @@ describe("property-kind Declarables", () => {
     const template = JSON.parse(output);
     // Encryption should be inlined, not a Ref
-    expect(template.Resources.MyBucket.Properties.Encryption).toEqual({
+    expect(template.Resources.MyBucket.Properties.BucketEncryption).toEqual({
       ServerSideEncryptionConfiguration: [
-        { ServerSideEncryptionByDefault: { SseAlgorithm: "AES256" } },
+        { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
       ],
     });
   });
   test("property-kind Declarables do NOT appear as standalone Resources", () => {
     const encryption = new MockEncryption({
-      serverSideEncryptionConfiguration: [
-        { serverSideEncryptionByDefault: { sseAlgorithm: "AES256" } },
+      ServerSideEncryptionConfiguration: [
+        { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
       ],
     });
     const entities = new Map<string, Declarable>();
     entities.set("DataEncryption", encryption);
-    entities.set("MyBucket", new MockBucket({ bucketName: "my-bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "my-bucket" }));
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -207,16 +206,16 @@ describe("property-kind Declarables", () => {
   });
   test("resource-kind Declarables still emit Ref when referenced", () => {
-    const sourceBucket = new MockBucket({ bucketName: "source" });
+    const sourceBucket = new MockBucket({ BucketName: "source" });
     class MockConfig implements Declarable {
       readonly [DECLARABLE_MARKER] = true as const;
       readonly lexicon = "aws";
       readonly entityType = "AWS::S3::ReplicationDestination";
-      readonly props: { bucket: Declarable };
+      readonly props: { Bucket: Declarable };
-      constructor(bucket: Declarable) {
-        this.props = { bucket };
+      constructor(Bucket: Declarable) {
+        this.props = { Bucket };
       }
     }
@@ -233,7 +232,7 @@ describe("property-kind Declarables", () => {
 describe("intrinsic serialization", () => {
   test("handles AttrRef in properties", () => {
-    const source = new MockBucket({ bucketName: "source" });
+    const source = new MockBucket({ BucketName: "source" });
     // Set the logical name on the AttrRef before using it
     (source.arn as Record<string, unknown>)._setLogicalName("SourceBucket");
@@ -241,10 +240,10 @@ describe("intrinsic serialization", () => {
       readonly [DECLARABLE_MARKER] = true as const;
       readonly lexicon = "aws";
       readonly entityType = "AWS::S3::ReplicationConfiguration";
-      readonly props: { sourceArn: AttrRef };
+      readonly props: { SourceArn: AttrRef };
-      constructor(sourceArn: AttrRef) {
-        this.props = { sourceArn };
+      constructor(SourceArn: AttrRef) {
+        this.props = { SourceArn };
       }
     }
@@ -256,14 +255,14 @@ describe("intrinsic serialization", () => {
     const template = JSON.parse(output);
     expect(template.Resources.Replication.Properties.SourceArn).toEqual({
-      "Fn::GetAttr": ["SourceBucket", "Arn"],
+      "Fn::GetAtt": ["SourceBucket", "Arn"],
     });
   });
 });
 describe("LexiconOutput serialization", () => {
   test("generates CF Outputs section for LexiconOutputs", () => {
-    const bucket = new MockBucket({ bucketName: "data-bucket" });
+    const bucket = new MockBucket({ BucketName: "data-bucket" });
     const lexiconOutput = new LexiconOutput(bucket.arn, "DataBucketArn");
     lexiconOutput._setSourceEntity("dataBucket");
@@ -275,13 +274,13 @@ describe("LexiconOutput serialization", () => {
     expect(template.Outputs).toBeDefined();
     expect(template.Outputs.DataBucketArn).toEqual({
-      Value: { "Fn::GetAttr": ["dataBucket", "Arn"] },
+      Value: { "Fn::GetAtt": ["dataBucket", "Arn"] },
     });
   });
   test("generates multiple CF Outputs", () => {
-    const dataBucket = new MockBucket({ bucketName: "data-bucket" });
-    const logsBucket = new MockBucket({ bucketName: "logs-bucket" });
+    const dataBucket = new MockBucket({ BucketName: "data-bucket" });
+    const logsBucket = new MockBucket({ BucketName: "logs-bucket" });
     const dataOutput = new LexiconOutput(dataBucket.arn, "DataBucketArn");
     dataOutput._setSourceEntity("dataBucket");
@@ -298,16 +297,16 @@ describe("LexiconOutput serialization", () => {
     expect(template.Outputs).toBeDefined();
     expect(Object.keys(template.Outputs)).toHaveLength(2);
     expect(template.Outputs.DataBucketArn.Value).toEqual({
-      "Fn::GetAttr": ["dataBucket", "Arn"],
+      "Fn::GetAtt": ["dataBucket", "Arn"],
     });
     expect(template.Outputs.LogsBucketArn.Value).toEqual({
-      "Fn::GetAttr": ["logsBucket", "Arn"],
+      "Fn::GetAtt": ["logsBucket", "Arn"],
     });
   });
   test("omits Outputs section when no LexiconOutputs provided", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
     const result = awsSerializer.serialize(entities);
     const template = JSON.parse(result);
@@ -317,7 +316,7 @@ describe("LexiconOutput serialization", () => {
   test("omits Outputs section when empty LexiconOutputs array", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
     const result = awsSerializer.serialize(entities, []);
     const template = JSON.parse(result as string);
@@ -430,7 +429,7 @@ describe("nested stack serialization", () => {
       Resources: {},
     });
-    const bucket = new MockBucket({ bucketName: "data" });
+    const bucket = new MockBucket({ BucketName: "data" });
     const entities = new Map<string, Declarable>();
     entities.set("network", stack as unknown as Declarable);
@@ -446,7 +445,7 @@ describe("nested stack serialization", () => {
   test("without nested stacks returns plain string", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
     const result = awsSerializer.serialize(entities);
     expect(typeof result).toBe("string");
@@ -460,7 +459,7 @@ describe("nested stack serialization", () => {
         subnet: { Type: "AWS::EC2::Subnet" },
       },
       Outputs: {
-        subnetId: { Value: { "Fn::GetAttr": ["subnet", "SubnetId"] } },
+        subnetId: { Value: { "Fn::GetAtt": ["subnet", "SubnetId"] } },
       },
     });
@@ -472,7 +471,7 @@ describe("nested stack serialization", () => {
       entityType: "AWS::Lambda::Function",
       kind: "resource" as const,
       props: {
-        vpcConfig: { subnetIds: [subnetRef] },
+        VpcConfig: { SubnetIds: [subnetRef] },
       },
     } as unknown as Declarable;