PyPI - konokenj.cdk-api-mcp-server - Versions diffs - 0.28.0__py3-none-any.whl → 0.30.0__py3-none-any.whl - Mend

konokenj.cdk-api-mcp-server 0.28.0py3-none-any.whl → 0.30.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of konokenj.cdk-api-mcp-server might be problematic. Click here for more details.

Files changed (45) hide show

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-lambda/integ.log-retention.ts CHANGED Viewed

@@ -4,7 +4,11 @@ import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { STANDARD_NODEJS_RUNTIME } from '../../config';
-const app = new cdk.App();
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
 const stack = new cdk.Stack(app, 'aws-cdk-lambda-log-retention');
@@ -13,6 +17,7 @@ new lambda.Function(stack, 'OneWeek', {
   handler: 'index.handler',
   runtime: STANDARD_NODEJS_RUNTIME,
   logRetention: logs.RetentionDays.ONE_WEEK,
+  logRemovalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 new lambda.Function(stack, 'OneMonth', {
@@ -20,6 +25,7 @@ new lambda.Function(stack, 'OneMonth', {
   handler: 'index.handler',
   runtime: STANDARD_NODEJS_RUNTIME,
   logRetention: logs.RetentionDays.ONE_MONTH,
+  logRemovalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 new lambda.Function(stack, 'OneYear', {
@@ -27,10 +33,10 @@ new lambda.Function(stack, 'OneYear', {
   handler: 'index.handler',
   runtime: STANDARD_NODEJS_RUNTIME,
   logRetention: logs.RetentionDays.ONE_YEAR,
+  logRemovalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 new IntegTest(app, 'LambdaLogRetentionInteg', {
   testCases: [stack],
   diffAssets: true,
 });
-app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-lambda-event-sources/README.md CHANGED Viewed

@@ -445,6 +445,74 @@ myFunction.addEventSource(new ManagedKafkaEventSource({
 }));
 ```
+Set a confluent or self-managed schema registry to de-serialize events from the event source. Note, this will similarly work for `SelfManagedKafkaEventSource` but the example only shows setup for `ManagedKafkaEventSource`.
+```ts
+import { ManagedKafkaEventSource, ConfluentSchemaRegistry } from 'aws-cdk-lib/aws-lambda-event-sources';
+import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
+// Your MSK cluster arn
+declare const clusterArn: string;
+// The Kafka topic you want to subscribe to
+const topic = 'some-cool-topic';
+const secret = new Secret(this, 'Secret', { secretName: 'AmazonMSK_KafkaSecret' });
+declare const myFunction: lambda.Function;
+myFunction.addEventSource(new ManagedKafkaEventSource({
+  clusterArn,
+  topic,
+  startingPosition: lambda.StartingPosition.TRIM_HORIZON,
+  provisionedPollerConfig: {
+    minimumPollers: 1,
+    maximumPollers: 3,
+  },
+  schemaRegistryConfig: new ConfluentSchemaRegistry({
+    schemaRegistryUri: 'https://example.com',
+    eventRecordFormat: lambda.EventRecordFormat.JSON,
+    authenticationType: lambda.KafkaSchemaRegistryAccessConfigType.BASIC_AUTH,
+    secret: secret,
+    schemaValidationConfigs: [{ attribute: lambda.KafkaSchemaValidationAttribute.KEY }],
+  }),
+}));
+```
+Set Glue schema registry to de-serialize events from the event source. Note, this will similarly work for `SelfManagedKafkaEventSource` but the example only shows setup for `ManagedKafkaEventSource`.
+```ts
+import { CfnRegistry } from 'aws-cdk-lib/aws-glue';
+import { ManagedKafkaEventSource, GlueSchemaRegistry } from 'aws-cdk-lib/aws-lambda-event-sources';
+// Your MSK cluster arn
+declare const clusterArn: string;
+// The Kafka topic you want to subscribe to
+const topic = 'some-cool-topic';
+// Your Glue Schema Registry
+const glueRegistry = new CfnRegistry(this, 'Registry', {
+  name: 'schema-registry',
+  description: 'Schema registry for event source',
+});
+declare const myFunction: lambda.Function;
+myFunction.addEventSource(new ManagedKafkaEventSource({
+  clusterArn,
+  topic,
+  startingPosition: lambda.StartingPosition.TRIM_HORIZON,
+  provisionedPollerConfig: {
+    minimumPollers: 1,
+    maximumPollers: 3,
+  },
+  schemaRegistryConfig: new GlueSchemaRegistry({
+    schemaRegistry: glueRegistry,
+    eventRecordFormat: lambda.EventRecordFormat.JSON,
+    schemaValidationConfigs: [{ attribute: lambda.KafkaSchemaValidationAttribute.KEY }],
+  }),
+}));
+```
 ## Roadmap
 Eventually, this module will support all the event sources described under

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-lambda-event-sources/integ.kafka-schema-registry.ts ADDED Viewed

@@ -0,0 +1,186 @@
+import { TestFunction } from './test-function';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import {
+  SelfManagedKafkaEventSource,
+  AuthenticationMethod,
+  GlueSchemaRegistry,
+  ConfluentSchemaRegistry,
+} from 'aws-cdk-lib/aws-lambda-event-sources';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { App, StackProps, Stack, SecretValue } from 'aws-cdk-lib';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { CfnRegistry } from 'aws-cdk-lib/aws-glue';
+// Self-Managed Kafka Stack with Schema Registry
+export class SmkGlueSchemaRegistryStack extends Stack {
+  constructor(scope: App, id: string, props?: StackProps) {
+    super(scope, id, props);
+    // Create a Lambda function
+    const testLambdaFunction = new TestFunction(this, 'GlueFunction');
+    // Create dummy certificates for authentication
+    const dummyCertString = `-----BEGIN CERTIFICATE-----
+    MIIE5DCCAsygAwIBAgIRAPJdwaFaNRrytHBto0j5BA0wDQYJKoZIhvcNAQELBQAw
+    cmUuiAii9R0=
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIFgjCCA2qgAwIBAgIQdjNZd6uFf9hbNC5RdfmHrzANBgkqhkiG9w0BAQsFADBb
+    c8PH3PSoAaRwMMgOSA2ALJvbRz8mpg==
+    -----END CERTIFICATE-----"
+    `;
+    const dummyPrivateKey = `-----BEGIN ENCRYPTED PRIVATE KEY-----
+    zp2mwJn2NYB7AZ7+imp0azDZb+8YG2aUCiyqb6PnnA==
+    -----END ENCRYPTED PRIVATE KEY-----`;
+    // Create secrets for Kafka authentication
+    const rootCASecret = new secretsmanager.Secret(this, 'GlueRootCASecret', {
+      secretObjectValue: {
+        certificate: SecretValue.unsafePlainText(dummyCertString),
+      },
+    });
+    const clientCertificatesSecret = new secretsmanager.Secret(this, 'GlueClientCertSecret', {
+      secretObjectValue: {
+        certificate: SecretValue.unsafePlainText(dummyCertString),
+        privateKey: SecretValue.unsafePlainText(dummyPrivateKey),
+      },
+    });
+    // Grant read permissions to the Lambda function
+    rootCASecret.grantRead(testLambdaFunction);
+    clientCertificatesSecret.grantRead(testLambdaFunction);
+    // Create a Glue Schema Registry
+    const glueRegistry = new CfnRegistry(this, 'SchemaRegistry', {
+      name: 'smk-glue-test-schema-registry',
+      description: 'Schema registry for SMK integration tests',
+    });
+    // Define Kafka bootstrap servers
+    const bootstrapServers = [
+      'kafka-broker-1:9092',
+      'kafka-broker-2:9092',
+      'kafka-broker-3:9092',
+    ];
+    // Common configuration for SMK event sources
+    const commonConfig = {
+      bootstrapServers,
+      secret: clientCertificatesSecret,
+      authenticationMethod: AuthenticationMethod.CLIENT_CERTIFICATE_TLS_AUTH,
+      rootCACertificate: rootCASecret,
+      startingPosition: lambda.StartingPosition.TRIM_HORIZON,
+    };
+    // SMK with Glue Schema Registry
+    testLambdaFunction.addEventSource(new SelfManagedKafkaEventSource({
+      ...commonConfig,
+      topic: 'test-topic-smk-glue',
+      consumerGroupId: 'test-consumer-group-smk-glue',
+      provisionedPollerConfig: {
+        minimumPollers: 1,
+        maximumPollers: 3,
+      },
+      schemaRegistryConfig: new GlueSchemaRegistry({
+        schemaRegistry: glueRegistry,
+        eventRecordFormat: lambda.EventRecordFormat.JSON,
+        schemaValidationConfigs: [{ attribute: lambda.KafkaSchemaValidationAttribute.KEY }],
+      }),
+    }));
+  }
+}
+// Self-Managed Kafka Stack with Schema Registry
+export class SmkConfluentSchemaRegistryStack extends Stack {
+  constructor(scope: App, id: string, props?: StackProps) {
+    super(scope, id, props);
+    // Create a Lambda function
+    const testLambdaFunction = new TestFunction(this, 'ConfluentFunction');
+    // Create dummy certificates for authentication
+    const dummyCertString = `-----BEGIN CERTIFICATE-----
+    MIIE5DCCAsygAwIBAgIRAPJdwaFaNRrytHBto0j5BA0wDQYJKoZIhvcNAQELBQAw
+    cmUuiAii9R0=
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIFgjCCA2qgAwIBAgIQdjNZd6uFf9hbNC5RdfmHrzANBgkqhkiG9w0BAQsFADBb
+    c8PH3PSoAaRwMMgOSA2ALJvbRz8mpg==
+    -----END CERTIFICATE-----"
+    `;
+    const dummyPrivateKey = `-----BEGIN ENCRYPTED PRIVATE KEY-----
+    zp2mwJn2NYB7AZ7+imp0azDZb+8YG2aUCiyqb6PnnA==
+    -----END ENCRYPTED PRIVATE KEY-----`;
+    // Create secrets for Kafka authentication
+    const rootCASecret = new secretsmanager.Secret(this, 'ConfluentRootCASecret', {
+      secretObjectValue: {
+        certificate: SecretValue.unsafePlainText(dummyCertString),
+      },
+    });
+    const clientCertificatesSecret = new secretsmanager.Secret(this, 'ConfluentClientCertSecret', {
+      secretObjectValue: {
+        certificate: SecretValue.unsafePlainText(dummyCertString),
+        privateKey: SecretValue.unsafePlainText(dummyPrivateKey),
+      },
+    });
+    // Grant read permissions to the Lambda function
+    rootCASecret.grantRead(testLambdaFunction);
+    clientCertificatesSecret.grantRead(testLambdaFunction);
+    // Define Kafka bootstrap servers
+    const bootstrapServers = [
+      'kafka-broker-1:9092',
+      'kafka-broker-2:9092',
+      'kafka-broker-3:9092',
+    ];
+    // Common configuration for SMK event sources
+    const commonConfig = {
+      bootstrapServers,
+      secret: clientCertificatesSecret,
+      authenticationMethod: AuthenticationMethod.CLIENT_CERTIFICATE_TLS_AUTH,
+      rootCACertificate: rootCASecret,
+      startingPosition: lambda.StartingPosition.TRIM_HORIZON,
+    };
+    // SMK with Confluent Schema Registry
+    testLambdaFunction.addEventSource(new SelfManagedKafkaEventSource({
+      ...commonConfig,
+      topic: 'test-topic-smk-confluent',
+      consumerGroupId: 'test-consumer-group-smk-confluent',
+      provisionedPollerConfig: {
+        minimumPollers: 1,
+        maximumPollers: 3,
+      },
+      schemaRegistryConfig: new ConfluentSchemaRegistry({
+        schemaRegistryUri: 'https://schema-registry.example.com',
+        eventRecordFormat: lambda.EventRecordFormat.JSON,
+        authenticationType: lambda.KafkaSchemaRegistryAccessConfigType.BASIC_AUTH,
+        secret: clientCertificatesSecret,
+        schemaValidationConfigs: [{ attribute: lambda.KafkaSchemaValidationAttribute.KEY }],
+      }),
+    }));
+  }
+}
+// Create the app and stacks
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
+  },
+});
+const glueStack = new SmkGlueSchemaRegistryStack(app, 'lambda-event-source-glue-schema-registry');
+const confluentStack = new SmkConfluentSchemaRegistryStack(app, 'lambda-event-source-confluent-schema-registry');
+// Create the integration tests
+new IntegTest(app, 'SchemaRegistryInteg', {
+  testCases: [glueStack, confluentStack],
+});
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/README.md CHANGED Viewed

@@ -147,19 +147,6 @@ new rds.DatabaseCluster(this, 'DatabaseCluster', {
 });
 ```
-To configure [the life cycle type of the cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/extended-support.html), use the `engineLifecycleSupport` property:
-```ts
-declare const vpc: ec2.IVpc;
-new rds.DatabaseCluster(this, 'DatabaseCluster', {
-  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_07_0 }),
-  writer: rds.ClusterInstance.serverlessV2('writerInstance'),
-  vpc,
-  engineLifecycleSupport: rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT,
-});
-```
 ### Updating the database instances in a cluster
 Database cluster instances may be updated in bulk or on a rolling basis.
@@ -1576,6 +1563,29 @@ new rds.DatabaseCluster(this, 'Cluster', {
 });
 ```
+## Extended Support
+With Amazon RDS Extended Support, you can continue running your database on a major engine version past the RDS end of
+standard support date for an additional cost. To configure the life cycle type, use the `engineLifecycleSupport` property:
+```ts
+declare const vpc: ec2.IVpc;
+new rds.DatabaseCluster(this, 'DatabaseCluster', {
+  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_07_0 }),
+  writer: rds.ClusterInstance.serverlessV2('writerInstance'),
+  vpc,
+  engineLifecycleSupport: rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT,
+});
+new rds.DatabaseInstance(this, 'DatabaseInstance', {
+  engine: rds.DatabaseInstanceEngine.mysql({ version: rds.MysqlEngineVersion.VER_8_0_39 }),
+  instanceType: ec2.InstanceType.of(ec2.InstanceClass.R7G, ec2.InstanceSize.LARGE),
+  vpc,
+  engineLifecycleSupport: rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT_DISABLED,
+});
+```
 ## Importing existing DatabaseInstance
 ### Lookup DatabaseInstance by instanceIdentifier

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/integ.cluster-snapshot.ts CHANGED Viewed

@@ -1,14 +1,10 @@
-import * as path from 'path';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
-import * as iam from 'aws-cdk-lib/aws-iam';
-import * as lambda from 'aws-cdk-lib/aws-lambda';
-import { App, ArnFormat, CustomResource, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
-import * as cr from 'aws-cdk-lib/custom-resources';
+import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import * as rds from 'aws-cdk-lib/aws-rds';
 import { ClusterInstance } from 'aws-cdk-lib/aws-rds';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
-import { STANDARD_NODEJS_RUNTIME } from '../../config';
+import { ClusterSnapshoter } from './snapshoter';
 class TestStack extends Stack {
   constructor(scope: Construct, id: string, props?: StackProps) {
@@ -34,7 +30,7 @@ class TestStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
-    const snapshoter = new Snapshoter(this, 'Snapshoter', {
+    const snapshoter = new ClusterSnapshoter(this, 'Snapshoter', {
       cluster,
       snapshotIdentifier: 'cdk-integ-cluster-snapshot',
     });
@@ -58,69 +54,6 @@ class TestStack extends Stack {
   }
 }
-interface SnapshoterProps {
-  readonly cluster: rds.IDatabaseCluster;
-  readonly snapshotIdentifier: string;
-}
-class Snapshoter extends Construct {
-  public readonly snapshotArn: string;
-  constructor(scope: Construct, id: string, props: SnapshoterProps) {
-    super(scope, id);
-    const clusterArn = Stack.of(this).formatArn({
-      service: 'rds',
-      resource: 'cluster',
-      resourceName: props.cluster.clusterIdentifier,
-      arnFormat: ArnFormat.COLON_RESOURCE_NAME,
-    });
-    const snapshotArn = Stack.of(this).formatArn({
-      service: 'rds',
-      resource: 'cluster-snapshot',
-      resourceName: props.snapshotIdentifier,
-      arnFormat: ArnFormat.COLON_RESOURCE_NAME,
-    });
-    const code = lambda.Code.fromAsset(path.join(__dirname, 'snapshot-handler'), { exclude: ['*.ts'] });
-    const onEventHandler = new lambda.Function(this, 'OnEventHandler', {
-      code,
-      runtime: STANDARD_NODEJS_RUNTIME,
-      handler: 'index.onEventHandler',
-    });
-    onEventHandler.addToRolePolicy(new iam.PolicyStatement({
-      actions: ['rds:CreateDBClusterSnapshot', 'rds:DeleteDBClusterSnapshot'],
-      resources: [clusterArn, snapshotArn],
-    }));
-    const isCompleteHandler = new lambda.Function(this, 'IsCompleteHandler', {
-      code,
-      runtime: STANDARD_NODEJS_RUNTIME,
-      handler: 'index.isCompleteHandler',
-    });
-    isCompleteHandler.addToRolePolicy(new iam.PolicyStatement({
-      actions: ['rds:DescribeDBClusterSnapshots'],
-      resources: [clusterArn, snapshotArn],
-    }));
-    const provider = new cr.Provider(this, 'SnapshotProvider', {
-      onEventHandler,
-      isCompleteHandler,
-    });
-    const customResource = new CustomResource(this, 'Snapshot', {
-      resourceType: 'Custom::Snapshoter',
-      serviceToken: provider.serviceToken,
-      properties: {
-        DBClusterIdentifier: props.cluster.clusterIdentifier,
-        DBClusterSnapshotIdentifier: props.snapshotIdentifier,
-      },
-    });
-    this.snapshotArn = customResource.getAttString('DBClusterSnapshotArn');
-  }
-}
 const app = new App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
@@ -133,4 +66,3 @@ new IntegTest(app, 'ClusterSnapshotInteg', {
   testCases: [stack],
   diffAssets: true,
 });
-app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/integ.instance-engine-lifecycle-support.ts ADDED Viewed

@@ -0,0 +1,53 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { App, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import * as rds from 'aws-cdk-lib/aws-rds';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { InstanceSnapshoter } from './snapshoter';
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true,
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+const stack = new Stack(app, 'cdk-instance-engine-lifecycle-support');
+const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 2, natGateways: 1, restrictDefaultSecurityGroup: false });
+const engine = rds.DatabaseInstanceEngine.mysql({ version: rds.MysqlEngineVersion.VER_8_4_5 });
+const instanceType = ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL);
+const sourceInstance = new rds.DatabaseInstance(stack, 'Instance', {
+  engine,
+  instanceType,
+  vpc,
+  removalPolicy: RemovalPolicy.DESTROY,
+  engineLifecycleSupport: rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT,
+});
+const snapshoter = new InstanceSnapshoter(stack, 'Snapshoter', {
+  instance: sourceInstance,
+  snapshotIdentifier: 'cdk-instance-engine-lifecycle-support-snapshot',
+});
+const restoredInstance = new rds.DatabaseInstanceFromSnapshot(stack, 'FromSnapshot', {
+  snapshotIdentifier: snapshoter.snapshotArn,
+  engine,
+  instanceType,
+  vpc,
+  removalPolicy: RemovalPolicy.DESTROY,
+  engineLifecycleSupport: rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT_DISABLED,
+});
+new rds.DatabaseInstanceReadReplica(stack, 'ReadReplica', {
+  sourceDatabaseInstance: restoredInstance,
+  instanceType,
+  vpc,
+  removalPolicy: RemovalPolicy.DESTROY,
+  engineLifecycleSupport: rds.EngineLifecycleSupport.OPEN_SOURCE_RDS_EXTENDED_SUPPORT_DISABLED,
+});
+new IntegTest(app, 'cdk-instance-engine-lifecycle-support-test', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3/README.md CHANGED Viewed

@@ -156,6 +156,22 @@ bucket.grantReadWrite(myLambda);
 Will give the Lambda's execution role permissions to read and write
 from the bucket.
+### Understanding "grant" Methods
+The S3 construct library provides several grant methods for the `Bucket` resource, but two of them have a special behavior. This two accept an `objectsKeyPattern` parameter to restrict granted permissions to specific resources:
+- `grantRead`
+- `grantReadWrite`
+When examining the synthesized policy, you'll notice it includes both your specified object key patterns and the bucket itself.
+This is by design. Some permissions (like `s3:ListBucket`) apply at the bucket level, while others (like `s3:GetObject`) apply to specific objects.
+Specifically, the [`s3:ListBucket` action operates on bucket resources](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-bucket)
+and requires the bucket ARN to work properly. This might be seen as a bug, giving the impression that more permissions were granted than the ones you intended, but the reality is that the policy does not ignore your `objectsKeyPattern` - object-specific actions like `s3:GetObject`
+will still be limited to the resources defined in your pattern.
+If you need to restrict the `s3:ListBucket` action to specific paths, you can add a `Condition` to your policy that limits the `objectsKeyPattern` to specific folders. For more details and examples, see the [AWS documentation on bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-folders).
 ## AWS Foundational Security Best Practices
 ### Enforcing SSL

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-notifications/integ.bucket-notifications.ts CHANGED Viewed

@@ -1,106 +1,68 @@
-import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as cdk from 'aws-cdk-lib';
-import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
-import { STANDARD_NODEJS_RUNTIME } from '../../../config';
-import * as constructs from 'constructs';
 import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
 const app = new cdk.App({
   postCliContext: {
-    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
     '@aws-cdk/aws-s3:keepNotificationInImportedBucket': false,
   },
 });
-const stack = new cdk.Stack(app, 'cdk-integ-lambda-bucket-s3-notifications');
+const stack = new cdk.Stack(app, 'sqs-bucket-notifications');
-const bucketA = new s3.Bucket(stack, 'MyBucket', {
+const bucket1 = new s3.Bucket(stack, 'Bucket1', {
   removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
+const queue = new sqs.Queue(stack, 'MyQueue');
-const fn = new lambda.Function(stack, 'MyFunction', {
-  runtime: STANDARD_NODEJS_RUNTIME,
-  handler: 'index.handler',
-  code: lambda.Code.fromInline(`exports.handler = ${handler.toString()}`),
-});
+bucket1.addObjectCreatedNotification(new s3n.SqsDestination(queue));
-const bucketB = new s3.Bucket(stack, 'YourBucket', {
+const bucket2 = new s3.Bucket(stack, 'Bucket2', {
   removalPolicy: cdk.RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
 });
+bucket2.addObjectCreatedNotification(new s3n.SqsDestination(queue), { suffix: '.png' });
-bucketB.addEventNotification(s3.EventType.OBJECT_REMOVED, new s3n.LambdaDestination(fn));
-const c1 = new constructs.Construct(stack, 'Construct1');
-const unmanagedBucket = s3.Bucket.fromBucketName(c1, 'IntegUnmanagedBucket1', bucketA.bucketName);
-unmanagedBucket.addObjectCreatedNotification(new s3n.LambdaDestination(fn), { prefix: 'TEST1/', suffix: '.png' });
-unmanagedBucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(fn), { prefix: 'TEST2/' });
+const encryptedQueue = new sqs.Queue(stack, 'EncryptedQueue', { encryption: sqs.QueueEncryption.KMS });
+bucket1.addObjectRemovedNotification(new s3n.SqsDestination(encryptedQueue));
-/* eslint-disable no-console */
-function handler(event: any, _context: any, callback: any) {
-  console.log(JSON.stringify(event, undefined, 2));
-  return callback(null, event);
-}
+const bucket3 = new s3.Bucket(stack, 'Bucket3WithSkipDestinationValidation', {
+  notificationsSkipDestinationValidation: true,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+const queueWithIncorrectS3Permissions = new sqs.Queue(stack, 'MyQueueWithIncorrectS3Permissions');
+queueWithIncorrectS3Permissions.addToResourcePolicy(
+  new cdk.aws_iam.PolicyStatement({
+    effect: cdk.aws_iam.Effect.DENY,
+    actions: ['sqs:SendMessage'],
+    principals: [new cdk.aws_iam.ServicePrincipal('s3.amazonaws.com')],
+    resources: [queueWithIncorrectS3Permissions.queueArn],
+  }));
+bucket3.addEventNotification(s3.EventType.OBJECT_TAGGING_PUT, new s3n.SqsDestination(queueWithIncorrectS3Permissions));
-const integTest = new integ.IntegTest(app, 'LambdaBucketNotificationsTest', {
-  cdkCommandOptions: {
-    deploy: {
-      args: {
-        rollback: false,
-      },
-    },
-  },
+const integTest = new integ.IntegTest(app, 'SQSBucketNotificationsTest', {
   testCases: [stack],
   diffAssets: true,
 });
-const getNotifications = integTest.assertions
-  .awsApiCall('S3', 'getBucketNotificationConfiguration', {
-    Bucket: unmanagedBucket.bucketName,
-  });
-getNotifications.provider.addToRolePolicy({
-  Effect: 'Allow',
-  Action: ['s3:GetBucketNotification'],
-  Resource: ['*'],
-});
+integTest.assertions
+  // First remove the test notifications
+  .awsApiCall('SQS', 'purgeQueue', {
+    QueueUrl: queue.queueUrl,
+  })
+  .next(integTest.assertions
+    .awsApiCall('S3', 'putObject', {
+      Bucket: bucket2.bucketName,
+      Key: 'image.png',
+      Body: 'Some content',
+    }))
+  .next(integTest.assertions
+    .awsApiCall('SQS', 'receiveMessage', {
+      QueueUrl: queue.queueUrl,
+      WaitTimeSeconds: 20,
+    })
+    .assertAtPath('Messages.0.Body.Records.0.s3.object.key', integ.ExpectedResult.stringLikeRegexp('image\\.png')));
-getNotifications.expect(integ.ExpectedResult.objectLike({
-  LambdaFunctionConfigurations: [
-    {
-      Events: [
-        's3:ObjectCreated:*',
-      ],
-      Filter: {
-        Key: {
-          FilterRules: [
-            {
-              Name: 'Prefix',
-              Value: 'TEST1/',
-            },
-            {
-              Name: 'Suffix',
-              Value: '.png',
-            },
-          ],
-        },
-      },
-    },
-    {
-      Events: [
-        's3:ObjectCreated:*',
-      ],
-      Filter: {
-        Key: {
-          FilterRules: [
-            {
-              Name: 'Prefix',
-              Value: 'TEST2/',
-            },
-          ],
-        },
-      },
-    },
-  ],
-}));
 app.synth();

konokenj.cdk-api-mcp-server 0.28.0__py3-none-any.whl → 0.30.0__py3-none-any.whl

Potentially problematic release.

konokenj.cdk-api-mcp-server 0.28.0py3-none-any.whl → 0.30.0py3-none-any.whl