konokenj.cdk-api-mcp-server 0.41.0__py3-none-any.whl → 0.42.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2-integrations/integ.sqs.ts

@@ -1,85 +1,72 @@
-import * as apigwv2 from 'aws-cdk-lib/aws-apigatewayv2';
+import { HttpMethod, PassthroughBehavior, WebSocketApi, WebSocketStage } from 'aws-cdk-lib/aws-apigatewayv2';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
-import { App, Stack } from 'aws-cdk-lib';
-import { HttpSqsIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
-import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { App, Stack, Aws } from 'aws-cdk-lib';
+import { WebSocketAwsIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
-const app = new App();
-const stack = new Stack(app, 'sqs-integration');
+/*
+ * Stack verification steps:
+ * 1. Verify manually that the integration has type "AWS"
+ */
 
-const queue = new sqs.Queue(stack, 'Queue');
+const app = new App();
+const stack = new Stack(app, 'integ-aws-websocket-sqs-integration');
 
-const httpApi = new apigwv2.HttpApi(stack, 'Api');
-httpApi.addRoutes({
-  path: '/default',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('defaultIntegration', {
-    queue,
-  }),
-});
-httpApi.addRoutes({
-  path: '/send-message',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('sendMessageIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_SEND_MESSAGE,
-  }),
-});
-httpApi.addRoutes({
-  path: '/receive-message',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('receiveMessageIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_RECEIVE_MESSAGE,
-  }),
-});
-httpApi.addRoutes({
-  path: '/delete-message',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('deleteMessageIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_DELETE_MESSAGE,
-  }),
+const sqsMessageQueue = new sqs.Queue(stack, 'MessageSQSQueue', {
+  fifo: true,
+  queueName: 'MessageSQSQueue.fifo',
 });
-httpApi.addRoutes({
-  path: '/purge-queue',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('purgeQueueIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_PURGE_QUEUE,
-  }),
+
+// API Gateway WebSocket API
+const webSocketApi = new WebSocketApi(stack, 'webSocketApi', {
+  description: 'Send websocket data to SQS which is then processed by a Lambda 2',
+  routeSelectionExpression: '$request.body.action',
 });
 
-const integTest = new integ.IntegTest(app, 'SqsIntegrationIntegTest', {
-  testCases: [stack],
+// Optionally, create a WebSocket stage
+new WebSocketStage(stack, 'DevStage', {
+  webSocketApi: webSocketApi,
+  stageName: 'dev',
+  autoDeploy: true,
 });
 
-const defaultAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/default`, {
-    body: JSON.stringify({ MessageBody: 'Hello World!' }),
-    method: 'POST',
-  },
-);
-defaultAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
+// IAM Role for API Gateway
+const webSocketApiRole = new iam.Role(stack, 'webSocketApiRole', {
+  assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
+});
 
-const sendMessageAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/send-message`, {
-    body: JSON.stringify({ MessageBody: 'Hello World!' }),
-    method: 'POST',
-  },
+webSocketApiRole.addToPolicy(
+  new iam.PolicyStatement({
+    actions: ['sqs:SendMessage'],
+    effect: iam.Effect.ALLOW,
+    resources: [sqsMessageQueue.queueArn],
+  }),
 );
-sendMessageAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
 
-const receiveMessageAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/receive-message`, {
-    method: 'POST',
-  },
-);
-receiveMessageAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
+webSocketApi.addRoute('$default', {
+  integration: new WebSocketAwsIntegration('SQSSendMessage', {
+    integrationUri: `arn:aws:apigateway:${Aws.REGION}:sqs:path/${Aws.ACCOUNT_ID}/${sqsMessageQueue.queueName}`,
+    integrationMethod: HttpMethod.POST,
+    credentialsRole: webSocketApiRole,
+    passthroughBehavior: PassthroughBehavior.NEVER,
+    templateSelectionExpression: '\\$default',
+    requestTemplates: {
+      $default: 'Action=SendMessage&MessageGroupId=$input.path(\'$.MessageGroupId\')&MessageDeduplicationId=$context.requestId&MessageAttribute.1.Name=connectionId&MessageAttribute.1.Value.StringValue=$context.connectionId&MessageAttribute.1.Value.DataType=String&MessageAttribute.2.Name=requestId&MessageAttribute.2.Value.StringValue=$context.requestId&MessageAttribute.2.Value.DataType=String&MessageBody=$input.json(\'$\')',
+    },
+    requestParameters: {
+      'integration.request.header.Content-Type': '\'application/x-www-form-urlencoded\'',
+    },
+  }),
+});
 
-const purgeQueueAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/purge-queue`, {
-    method: 'POST',
+new IntegTest(app, 'apigatewayv2-aws-integration-sqs-integ-test', {
+  testCases: [stack],
+  cdkCommandOptions: {
+    deploy: {
+      args: {
+        rollback: true,
+      },
+    },
   },
-);
-purgeQueueAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-codepipeline-actions/integ.pipeline-elastic-beanstalk-deploy.ts

@@ -85,7 +85,7 @@ const beanstalkEnv = new elasticbeanstalk.CfnEnvironment(stack, 'beanstlk-env',
   applicationName: beanstalkApp.applicationName!,
   environmentName: 'codepipeline-test-env',
   // see https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.nodejs
-  solutionStackName: '64bit Amazon Linux 2023 v6.5.2 running Node.js 20',
+  solutionStackName: '64bit Amazon Linux 2023 v6.6.2 running Node.js 20',
   optionSettings: [
     {
       namespace: 'aws:autoscaling:launchconfiguration',

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cognito/README.md

@@ -1004,6 +1004,17 @@ const userPoolClient = new cognito.UserPoolClient(this, 'UserPoolClient', {
 });
 ```
 
+[Refresh token rotation](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#using-the-refresh-token-rotation)
+can be configured to enable automatic rotation of refresh tokens. By default, refresh token rotation is disabled. When the refreshTokenRotationGracePeriod is 0, the grace period is disabled and a successful request immediately invalidates the submitted refresh token. 
+
+```ts
+const pool = new cognito.UserPool(this, 'Pool');
+pool.addClient('app-client', {
+  // ...
+  refreshTokenRotationGracePeriod: Duration.seconds(40)
+});
+```
+
 See [Adding user device and session data to API requests](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint) for more information.
 
 ### Resource Servers

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cognito/integ.user-pool-client-explicit-props.ts

@@ -43,6 +43,7 @@ const client = userpool.addClient('myuserpoolclient', {
   },
   preventUserExistenceErrors: true,
   authSessionValidity: Duration.minutes(3),
+  refreshTokenRotationGracePeriod: Duration.seconds(45),
   writeAttributes: (new ClientAttributes()).withStandardAttributes(
     {
       address: true,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/README.md

@@ -17,7 +17,9 @@ By default, `TableV2` will create a single table in the main deployment region r
 ```ts
 const table = new dynamodb.TableV2(this, 'Table', {
   partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
-  contributorInsights: true,
+  contributorInsightsSpecification: {
+    enabled: true,
+  },
   tableClass: dynamodb.TableClass.STANDARD_INFREQUENT_ACCESS,
   pointInTimeRecoverySpecification: {
     pointInTimeRecoveryEnabled: true,
@@ -66,12 +68,12 @@ globalTable.addReplica({ region: 'us-east-2', deletionProtection: true });
 ```
 
 The following properties are configurable on a per-replica basis, but will be inherited from the `TableV2` properties if not specified:
-* contributorInsights
+* contributorInsightsSpecification
 * deletionProtection
 * pointInTimeRecoverySpecification
 * tableClass
 * readCapacity (only configurable if the `TableV2` billing mode is `PROVISIONED`)
-* globalSecondaryIndexes (only `contributorInsights` and `readCapacity`)
+* globalSecondaryIndexes (only `contributorInsightsSpecification` and `readCapacity`)
 
 The following example shows how to define properties on a per-replica basis:
 
@@ -83,7 +85,9 @@ const stack = new cdk.Stack(app, 'Stack', { env: { region: 'us-west-2' } });
 
 const globalTable = new dynamodb.TableV2(stack, 'GlobalTable', {
   partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
-  contributorInsights: true,
+  contributorInsightsSpecification: {
+    enabled: true,
+  },
   pointInTimeRecoverySpecification: {
       pointInTimeRecoveryEnabled: true,
   },
@@ -97,7 +101,9 @@ const globalTable = new dynamodb.TableV2(stack, 'GlobalTable', {
     },
     {
       region: 'us-east-2',
-      contributorInsights: false,
+      contributorInsightsSpecification: {
+        enabled: false,
+      },
     },
   ],
 });
@@ -443,7 +449,7 @@ const table = new dynamodb.TableV2(this, 'Table', {
 });
 ```
 
-All `globalSecondaryIndexes` for replica tables are inherited from the primary table. You can configure `contributorInsights` and `readCapacity` for each `globalSecondaryIndex` on a per-replica basis:
+All `globalSecondaryIndexes` for replica tables are inherited from the primary table. You can configure `contributorInsightsSpecification` and `readCapacity` for each `globalSecondaryIndex` on a per-replica basis:
 
 ```ts
 import * as cdk from 'aws-cdk-lib';
@@ -453,7 +459,9 @@ const stack = new cdk.Stack(app, 'Stack', { env: { region: 'us-west-2' } });
 
 const globalTable = new dynamodb.TableV2(stack, 'GlobalTable', {
   partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
-  contributorInsights: true,
+  contributorInsightsSpecification: {
+    enabled: true,
+  },
   billing: dynamodb.Billing.provisioned({
     readCapacity: dynamodb.Capacity.fixed(10),
     writeCapacity: dynamodb.Capacity.autoscaled({ maxCapacity: 10 }),
@@ -484,7 +492,9 @@ const globalTable = new dynamodb.TableV2(stack, 'GlobalTable', {
       region: 'us-east-2',
       globalSecondaryIndexOptions: {
         gsi2: {
-          contributorInsights: false,
+          contributorInsightsSpecification: {
+            enabled: false,
+          },
         },
       },
     },
@@ -605,25 +615,40 @@ const table = new dynamodb.TableV2(this, 'Table', {
 
 ## Contributor Insights
 
-Enabling `contributorInsights` for `TableV2` will provide information about the most accessed and throttled items in a table or `globalSecondaryIndex`. DynamoDB delivers this information to you via CloudWatch Contributor Insights rules, reports, and graphs of report data.
+Enabling `contributorInsightSpecification` for `TableV2` will provide information about the most accessed and throttled or throttled only items in a table or `globalSecondaryIndex`. DynamoDB delivers this information to you via CloudWatch Contributor Insights rules, reports, and graphs of report data.
+
+By default, Contributor Insights for DynamoDB monitors all requests, including both the most accessed and most throttled items.  
+To limit the scope to only the most accessed or only the most throttled items, use the optional `mode` parameter.
+
+- To monitor all traffic on a table or index, set `mode` to `ContributorInsightsMode.ACCESSED_AND_THROTTLED_KEYS`.
+- To monitor only throttled traffic on a table or index, set `mode` to `ContributorInsightsMode.THROTTLED_KEYS`. 
+
 
 ```ts
 const table = new dynamodb.TableV2(this, 'Table', {
   partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
-  contributorInsights: true,
+  contributorInsightsSpecification: {
+    enabled: true,
+    mode: dynamodb.ContributorInsightsMode.ACCESSED_AND_THROTTLED_KEYS,
+  },
 });
 ```
 
-When you use `Table`, you can enable contributor insights for a table or specific global secondary index by setting `contributorInsightsEnabled` to `true`.
+When you use `Table`, you can enable contributor insights for a table or specific global secondary index by setting `contributorInsightsSpecification` parameter `enabled` to `true`.
 
 ```ts
 const table = new dynamodb.Table(this, 'Table', {
   partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
-  contributorInsightsEnabled: true, // for a table
+  contributorInsightsSpecification: { // for a table
+    enabled: true,
+    mode: dynamodb.ContributorInsightsMode.THROTTLED_KEYS, // only emit throttling events
+  },
 });
 
 table.addGlobalSecondaryIndex({
-  contributorInsightsEnabled: true, // for a specific global secondary index
+  contributorInsightsSpecification: { // for a specific global secondary index
+    enabled: true,
+  },
   indexName: 'gsi',
   partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb-v2.cci.ts

@@ -0,0 +1,49 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new App();
+
+class TestStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new dynamodb.TableV2(this, 'TableV2', {
+      partitionKey: { name: 'hashKey', type: dynamodb.AttributeType.STRING },
+      sortKey: { name: 'sortKey', type: dynamodb.AttributeType.NUMBER },
+      globalSecondaryIndexes: [
+        {
+          indexName: 'gsi',
+          partitionKey: { name: 'gsiHashKey', type: dynamodb.AttributeType.STRING },
+        },
+      ],
+      contributorInsightsSpecification: {
+        enabled: true,
+        mode: dynamodb.ContributorInsightsMode.ACCESSED_AND_THROTTLED_KEYS,
+      },
+      replicas: [
+        {
+          region: 'eu-west-2',
+          contributorInsightsSpecification: {
+            enabled: false,
+          },
+          globalSecondaryIndexOptions: {
+            gsi: {
+              contributorInsightsSpecification: {
+                enabled: true,
+                mode: dynamodb.ContributorInsightsMode.THROTTLED_KEYS,
+              },
+            },
+          },
+        },
+      ],
+    });
+  }
+}
+
+const stack = new TestStack(app, 'CCI-Integ-Test', { env: { region: 'eu-west-1' } });
+
+new IntegTest(app, 'table-v2-CCI-test', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.cci.ts

@@ -0,0 +1,27 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new App();
+
+class TestStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new dynamodb.Table(this, 'TableV2', {
+      partitionKey: { name: 'hashKey', type: dynamodb.AttributeType.STRING },
+      sortKey: { name: 'sortKey', type: dynamodb.AttributeType.NUMBER },
+      contributorInsightsSpecification: {
+        enabled: true,
+        mode: dynamodb.ContributorInsightsMode.ACCESSED_AND_THROTTLED_KEYS,
+      },
+    });
+  }
+}
+
+const stack = new TestStack(app, 'CCI-Integ-Test-TableV1', { env: { region: 'eu-west-1' } });
+
+new IntegTest(app, 'table-v1-CCI-test', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.contirubtor-insights-for-gsi.ts

@@ -24,12 +24,16 @@ const table = new Table(stack, TABLE, {
 });
 
 table.addGlobalSecondaryIndex({
-  contributorInsightsEnabled: true,
+  contributorInsightsSpecification: {
+    enabled: true,
+  },
   indexName: GSI_TEST_CASE_1,
   partitionKey: GSI_PARTITION_KEY,
 });
 table.addGlobalSecondaryIndex({
-  contributorInsightsEnabled: false,
+  contributorInsightsSpecification: {
+    enabled: false,
+  },
   indexName: GSI_TEST_CASE_2,
   partitionKey: GSI_PARTITION_KEY,
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.table-v2-global.ts

@@ -19,7 +19,9 @@ class TestStack extends Stack {
         writeCapacity: Capacity.autoscaled({ maxCapacity: 20, targetUtilizationPercent: 60, seedCapacity: 10 }),
       }),
       encryption: TableEncryptionV2.awsManagedKey(),
-      contributorInsights: true,
+      contributorInsightsSpecification: {
+        enabled: true,
+      },
       pointInTimeRecovery: true,
       tableClass: TableClass.STANDARD_INFREQUENT_ACCESS,
       timeToLiveAttribute: 'attr',
@@ -49,7 +51,9 @@ class TestStack extends Stack {
           readCapacity: Capacity.autoscaled({ minCapacity: 5, maxCapacity: 25 }),
           globalSecondaryIndexOptions: {
             gsi2: {
-              contributorInsights: false,
+              contributorInsightsSpecification: {
+                enabled: false,
+              },
             },
           },
           tags: [{ key: 'USE2ReplicaTagKey', value: 'USE2ReplicaTagValue' }],
@@ -57,7 +61,9 @@ class TestStack extends Stack {
         {
           region: 'us-west-2',
           tableClass: TableClass.STANDARD,
-          contributorInsights: false,
+          contributorInsightsSpecification: {
+            enabled: false,
+          },
           globalSecondaryIndexOptions: {
             gsi1: {
               readCapacity: Capacity.fixed(15),

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/README.md

@@ -1970,6 +1970,9 @@ const volumeFromSnapshot = new ecs.ServiceManagedVolume(this, 'EBSVolume', {
     snapShotId: 'snap-066877671789bd71b',
     volumeType: ec2.EbsDeviceVolumeType.GP3,
     fileSystemType: ecs.FileSystemType.XFS,
+    // Specifies the Amazon EBS Provisioned Rate for Volume Initialization.
+    // Valid range is between 100 and 300 MiB/s.
+    volumeInitializationRate: Size.mebibytes(200),
   },
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.ebs-volume-initialization-rate.ts

@@ -0,0 +1,80 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as cdk from 'aws-cdk-lib';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+
+/*
+ * This integration test demonstrates how to use EBS volume initialization rate
+ * with Service Managed Volumes.
+ *
+ * To run this test with a real EBS snapshot:
+ * 1. Create an EBS volume:
+ *    aws ec2 create-volume --size 1 --volume-type gp3 --availability-zone us-east-1a
+ * 2. Create a snapshot from the volume:
+ *    aws ec2 create-snapshot --volume-id vol-xxxxxxxxx --description "Test snapshot"
+ * 3. Wait for snapshot completion:
+ *    aws ec2 wait snapshot-completed --snapshot-ids snap-xxxxxxxxx
+ * 4. Set the environment variable SNAPSHOT_ID to the snapshot ID:
+ *    export SNAPSHOT_ID=snap-xxxxxxxxx
+ */
+
+const snapShotId = process.env.SNAPSHOT_ID ?? 'snap-123456789abcdef0';
+
+class TestStack extends cdk.Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const vpc = new ec2.Vpc(this, 'Vpc', {
+      maxAzs: 1,
+      restrictDefaultSecurityGroup: false,
+    });
+
+    const cluster = new ecs.Cluster(this, 'FargateCluster', {
+      vpc,
+    });
+
+    const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef');
+
+    const container = taskDefinition.addContainer('web', {
+      image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+      portMappings: [{
+        containerPort: 80,
+        protocol: ecs.Protocol.TCP,
+      }],
+    });
+
+    const volume = new ecs.ServiceManagedVolume(this, 'EBSVolume', {
+      name: 'ebs1',
+      managedEBSVolume: {
+        volumeType: ec2.EbsDeviceVolumeType.GP3,
+        size: cdk.Size.gibibytes(1),
+        fileSystemType: ecs.FileSystemType.EXT4,
+        volumeInitializationRate: cdk.Size.mebibytes(200),
+        snapShotId: snapShotId,
+      },
+    });
+
+    volume.mountIn(container, {
+      containerPath: '/var/lib',
+      readOnly: false,
+    });
+
+    taskDefinition.addVolume(volume);
+
+    const service = new ecs.FargateService(this, 'FargateService', {
+      cluster,
+      taskDefinition,
+      desiredCount: 1,
+    });
+
+    service.addVolume(volume);
+  }
+}
+
+const app = new cdk.App();
+const stack = new TestStack(app, 'integ-aws-ecs-ebs-volume-initialization-rate');
+
+new integ.IntegTest(app, 'EBSVolumeInitializationRate', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs-patterns/README.md

@@ -70,6 +70,8 @@ Fargate services will use the `LATEST` platform version by default, but you can
 
 Fargate services use the default VPC Security Group unless one or more are provided using the `securityGroups` property in the constructor.
 
+**Security Considerations**: When using custom security groups on your load balancer, the `openListener` property controls whether the load balancer listener allows traffic from anywhere on the internet (0.0.0.0/0). By default, `openListener` is `true`, but it will automatically default to `false` when custom security groups are detected, preventing unintended internet exposure. You can always explicitly set `openListener: true` to override this behavior if needed.
+
 By setting `redirectHTTP` to true, CDK will automatically create a listener on port 80 that redirects HTTP traffic to the HTTPS port.
 
 If you specify the option `recordType` you can decide if you want the construct to use CNAME or Route53-Aliases as record sets.