konokenj.cdk-api-mcp-server 0.41.0__py3-none-any.whl → 0.43.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs-patterns/integ.alb-fargate-service-smart-defaults.ts

@@ -0,0 +1,143 @@
+/**
+ * Integration test for the conditional openListener behavior in ApplicationLoadBalancedFargateService.
+ *
+ * This test validates the security feature that automatically sets openListener to false when custom
+ * security groups are detected on the load balancer, preventing unintended internet exposure.
+ *
+ * Test scenarios:
+ * 1. DefaultService: No custom security groups provided
+ *    - Expected: openListener defaults to true, creates 0.0.0.0/0 ingress rules
+ *    - Validates: Default behavior when CDK manages all security groups
+ *
+ * 2. ExplicitOpenService: Explicit openListener: true
+ *    - Expected: Creates 0.0.0.0/0 ingress rules regardless of other settings
+ *    - Validates: Explicit override functionality works correctly
+ *
+ * 3. ExplicitClosedService: Explicit openListener: false
+ *    - Expected: Does NOT create 0.0.0.0/0 ingress rules
+ *    - Validates: Explicit closed listener prevents internet access
+ *
+ * 4. ConditionalWithCustomSG: Custom security groups + no explicit openListener
+ *    - Expected: Conditional behavior kicks in, openListener defaults to false
+ *    - Validates: Core feature - prevents 0.0.0.0/0 rules when custom SGs detected
+ *
+ * The test uses AWS SDK calls to verify actual security group configurations in deployed resources,
+ * ensuring the feature works correctly in real AWS environments.
+ */
+
+import { Vpc, SecurityGroup, Port } from 'aws-cdk-lib/aws-ec2';
+import { Cluster, ContainerImage } from 'aws-cdk-lib/aws-ecs';
+import { ApplicationLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import { App, Stack, Duration } from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { ApplicationLoadBalancedFargateService } from 'aws-cdk-lib/aws-ecs-patterns';
+
+const app = new App({
+  postCliContext: {
+    // Enable the feature flag for this test
+    '@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener': true,
+  },
+});
+
+const stack = new Stack(app, 'aws-ecs-integ-alb-fg-smart-defaults');
+const vpc = new Vpc(stack, 'Vpc', { maxAzs: 3, natGateways: 1, restrictDefaultSecurityGroup: false });
+const cluster = new Cluster(stack, 'Cluster', { vpc });
+
+// Test case 1: Service with conditional default (no openListener specified)
+// CDK creates load balancer, should default to openListener: true (no custom security groups)
+new ApplicationLoadBalancedFargateService(stack, 'SmartDefaultService', {
+  cluster,
+  memoryLimitMiB: 512,
+  taskImageOptions: {
+    image: ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  },
+  // No openListener specified - should default to true since no custom security groups
+});
+
+// Test case 2: Service with explicit openListener: true
+new ApplicationLoadBalancedFargateService(stack, 'ExplicitOpenService', {
+  cluster,
+  memoryLimitMiB: 512,
+  taskImageOptions: {
+    image: ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  },
+  openListener: true, // Should create 0.0.0.0/0 rules
+  listenerPort: 8080,
+});
+
+// Test case 3: Service with explicit openListener: false
+new ApplicationLoadBalancedFargateService(stack, 'ExplicitClosedService', {
+  cluster,
+  memoryLimitMiB: 512,
+  taskImageOptions: {
+    image: ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  },
+  openListener: false, // Should NOT create 0.0.0.0/0 rules
+  listenerPort: 9090,
+});
+
+// Test case 4: Service with custom security groups (conditional default should apply)
+const customSecurityGroup = new SecurityGroup(stack, 'CustomSecurityGroup', {
+  vpc,
+  description: 'Custom security group for load balancer',
+});
+
+// Add a custom rule to the security group
+customSecurityGroup.addIngressRule(
+  customSecurityGroup,
+  Port.tcp(80),
+  'Allow HTTP from custom security group',
+);
+
+const customLoadBalancer = new ApplicationLoadBalancer(stack, 'CustomLoadBalancer', {
+  vpc,
+  internetFacing: true,
+  securityGroup: customSecurityGroup,
+});
+
+// This should use conditional default (openListener: false) because custom security groups are detected
+new ApplicationLoadBalancedFargateService(stack, 'SmartDefaultWithCustomSG', {
+  cluster,
+  memoryLimitMiB: 512,
+  taskImageOptions: {
+    image: ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  },
+  loadBalancer: customLoadBalancer,
+  // No openListener specified - should default to false due to custom security groups
+});
+
+const integTest = new integ.IntegTest(app, 'albFargateServiceSmartDefaultsTest', {
+  testCases: [stack],
+});
+
+// Validate the core conditional behavior by checking the custom security group
+// This confirms that when custom security groups are provided, the conditional default prevents
+// creating overly permissive 0.0.0.0/0 ingress rules
+// Assert that the custom security group only contains self-referencing rules (no 0.0.0.0/0)
+// This validates the feature prevents unintended internet exposure
+integTest.assertions.awsApiCall('EC2', 'describeSecurityGroups', {
+  GroupIds: [customSecurityGroup.securityGroupId],
+}).expect(integ.ExpectedResult.objectLike({
+  SecurityGroups: [
+    {
+      IpPermissions: integ.Match.arrayWith([
+        integ.Match.objectLike({
+          FromPort: 80,
+          ToPort: 80,
+          // Verify only security group references exist, no public internet access (0.0.0.0/0)
+          UserIdGroupPairs: integ.Match.arrayWith([
+            integ.Match.objectLike({
+              GroupId: customSecurityGroup.securityGroupId,
+            }),
+          ]),
+          // Ensure no IpRanges with 0.0.0.0/0 are present
+          IpRanges: [],
+        }),
+      ]),
+    },
+  ],
+})).waitForAssertions({
+  totalTimeout: Duration.minutes(5),
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-events/README.md

@@ -332,6 +332,28 @@ new events.EventBus(this, 'Bus', {
 });
 ```
 
-**Note**: Archives and schema discovery are not supported for event buses encrypted using a customer managed key.
-To enable archives or schema discovery on an event bus, choose to use an AWS owned key.
-For more information, see [KMS key options for event bus encryption](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-at-rest-key-options.html).
+To use a customer managed key for an archive, use the `kmsKey` attribute. 
+
+Note: When you attach a customer managed key to either an EventBus or an Archive, a policy that allows EventBridge to interact with your resource will be added. 
+
+```ts
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Archive, EventBus } from 'aws-cdk-lib/aws-events';
+
+const stack = new Stack();
+
+declare const kmsKey: kms.IKey;
+
+const eventBus = new EventBus(stack, 'Bus');
+
+const archive = new Archive(stack, 'Archive', {
+  kmsKey: kmsKey,
+  sourceEventBus: eventBus,
+  eventPattern: {
+    source: ['aws.ec2']
+  },
+});
+```
+
+To enable archives or schema discovery on an event bus, customers has the choice of using either an AWS owned key or a customer managed key.
+For more information, see [KMS key options for event bus encryption](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption-at-rest-key-options.html).

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-events/integ.archive-customer-managed-key.ts

@@ -0,0 +1,23 @@
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { App, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Archive, EventBus } from 'aws-cdk-lib/aws-events';
+
+const app = new App();
+const stack = new Stack(app, 'archive-customer-managed-key');
+
+const kmsKey = new kms.Key(stack, 'KmsKey', {
+  removalPolicy: RemovalPolicy.DESTROY,
+});
+
+new Archive(stack, 'Archive', {
+  kmsKey: kmsKey,
+  sourceEventBus: EventBus.fromEventBusName(stack, 'DefaultEventBus', 'default'),
+  eventPattern: {
+    source: ['test'],
+  },
+});
+
+new IntegTest(app, 'archive-customer-managed-key-test', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-events-targets/README.md

@@ -15,6 +15,7 @@ Currently supported are:
   - [Start a StepFunctions state machine](#start-a-stepfunctions-state-machine)
   - [Queue a Batch job](#queue-a-batch-job)
   - [Invoke an API Gateway REST API](#invoke-an-api-gateway-rest-api)
+  - [Invoke an AWS API](#invoke-an-aws-api)
   - [Invoke an API Destination](#invoke-an-api-destination)
   - [Invoke an AppSync GraphQL API](#invoke-an-appsync-graphql-api)
   - [Put an event on an EventBridge bus](#put-an-event-on-an-eventbridge-bus)
@@ -333,6 +334,67 @@ declare const rule: events.Rule;
 rule.addTarget(new targets.ApiGatewayV2(httpApi));
 ```
 
+## Invoke an AWS API
+
+Use the `AwsApi` target to make direct AWS API calls from EventBridge rules. This is useful for invoking AWS services that don't have a dedicated EventBridge target.
+
+### Basic Usage
+
+The following example shows how to update an ECS service when a rule is triggered:
+
+```ts
+const rule = new events.Rule(this, 'Rule', {
+  schedule: events.Schedule.rate(Duration.hours(1)),
+});
+
+rule.addTarget(new targets.AwsApi({
+  service: 'ECS',
+  action: 'updateService',
+  parameters: {
+    service: 'my-service',
+    forceNewDeployment: true,
+  },
+}));
+```
+
+### IAM Permissions
+
+By default, the AwsApi target automatically creates the necessary IAM permissions based on the service and action you specify. The permission format follows the pattern: `service:Action`.
+
+For example:
+
+- `ECS` service with `updateService` action → `ecs:UpdateService` permission
+- `RDS` service with `createDBSnapshot` action → `rds:CreateDBSnapshot` permission
+
+### Custom IAM Policy
+
+In some cases, you may need to provide a custom IAM policy statement, especially when:
+
+- You need to restrict permissions to specific resources (instead of `*`)
+- The service requires additional permissions beyond the main action
+- You want more granular control over the permissions
+
+```ts
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+declare const rule: events.Rule;
+declare const bucket: s3.Bucket;
+
+rule.addTarget(new targets.AwsApi({
+  service: 's3',
+  action: 'GetBucketEncryption',
+  parameters: {
+    Bucket: bucket.bucketName,
+  },
+  policyStatement: new iam.PolicyStatement({
+    effect: iam.Effect.ALLOW,
+    actions: ['s3:GetEncryptionConfiguration'],
+    resources: [bucket.bucketArn],
+  }),
+}));
+```
+
 ## Invoke an API Destination
 
 Use the `targets.ApiDestination` target to trigger an external API. You need to
@@ -636,7 +698,7 @@ rule.addTarget(new targets.RedshiftQuery(workgroup.attrWorkgroupWorkgroupArn, {
 
 ## Publish to an SNS Topic
 
-Use the `SnsTopic` target to publish to an SNS Topic. 
+Use the `SnsTopic` target to publish to an SNS Topic.
 
 The code snippet below creates the scheduled event rule that publishes to an SNS Topic using a resource policy.
 
@@ -664,4 +726,4 @@ const rule = new events.Rule(this, 'Rule', {
 });
 
 rule.addTarget(new targets.SnsTopic(topic, { authorizeUsingRole: true }));
-```
+```

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/README.md

@@ -418,6 +418,24 @@ To apply changes of the cluster, such as engine version, in the next scheduled m
 
 For details, see [Modifying an Amazon Aurora DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Modifying.html).
 
+### Retaining Automated Backups
+
+By default, when a database cluster is deleted, automated backups are removed immediately unless an AWS Backup policy specifies a point-in-time restore rule. You can control this behavior using the `deleteAutomatedBackups` property:
+
+```ts
+declare const vpc: ec2.IVpc;
+// Retain automated backups after cluster deletion
+new rds.DatabaseCluster(this, 'Database', {
+  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_01_0 }),
+  writer: rds.ClusterInstance.provisioned('writer'),
+  vpc,
+  deleteAutomatedBackups: false,
+});
+```
+
+When set to `false`, automated backups are retained according to the configured retention period after the cluster is deleted. When set to `true` or not specified (default), automated backups are deleted immediately when the cluster is deleted.
+Detail about this feature can be found in the [AWS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.Retaining.html).
+
 ### Migrating from instanceProps
 
 Creating instances in a `DatabaseCluster` using `instanceProps` & `instances` is

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/integ.cluster.ts

@@ -63,6 +63,7 @@ class TestStack extends cdk.Stack {
       parameterGroup: params,
       storageEncryptionKey: kmsKey,
       autoMinorVersionUpgrade: false,
+      deleteAutomatedBackups: false,
     });
 
     cluster.connections.allowDefaultPortFromAnyIpv4('Open to the world');
@@ -100,4 +101,3 @@ const stackWithFeatureFlag = new TestStack(appWithFeatureFlag, 'aws-cdk-rds-inte
 new IntegTest(appWithFeatureFlag, 'test-rds-cluster-with-feature-flag', {
   testCases: [stackWithFeatureFlag],
 });
-appWithFeatureFlag.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-assets/integ.assets.bundling.docker-opts.ts

@@ -9,7 +9,10 @@ const stack = new Stack(app, 'cdk-integ-assets-bundling-docker-opts');
 new assets.Asset(stack, 'BundledAsset', {
   path: path.join(__dirname, 'markdown-asset'), // /asset-input and working directory in the container
   bundling: {
-    image: DockerImage.fromBuild(path.join(__dirname, 'alpine-markdown')), // Build an image
+    // Build an image
+    image: DockerImage.fromBuild(path.join(__dirname, 'alpine-markdown'), {
+      platform: 'linux/amd64',
+    }),
     command: [
       'sh', '-c', `
         markdown index.md > /asset-output/index.html

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/README.md

@@ -325,6 +325,24 @@ new s3deploy.BucketDeployment(this, 'DeployWithInvalidation', {
 });
 ```
 
+By default, the deployment will wait for invalidation to succeed to complete. This will poll Cloudfront for a maximum of 13 minutes to check for a successful invalidation. The drawback to this is that the deployment will fail if invalidation fails or if it takes longer than 13 minutes. As a workaround, there is the option `waitForDistributionInvalidation`, which can be set to false to skip waiting for the invalidation, but this can be risky as invalidation errors will not be reported.
+
+```ts
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+
+declare const bucket: s3.IBucket;
+declare const distribution: cloudfront.IDistribution;
+
+new s3deploy.BucketDeployment(this, 'DeployWithInvalidation', {
+  sources: [s3deploy.Source.asset('./website-dist')],
+  destinationBucket: bucket,
+  distribution,
+  distributionPaths: ['/images/*.png'],
+  // Invalidate cache but don't wait or verify that invalidation has completed successfully.
+  waitForDistributionInvalidation: false
+});
+```
+
 ## Signed Content Payloads
 
 By default, deployment uses streaming uploads which set the `x-amz-content-sha256`

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-sns/README.md

@@ -121,6 +121,7 @@ declare const fn: lambda.Function;
 
 // Lambda should receive only message matching the following conditions on message body:
 // color: 'red' or 'orange'
+// store: property must not be present
 myTopic.addSubscription(new subscriptions.LambdaSubscription(fn, {
   filterPolicyWithMessageBody: {
     background: sns.FilterOrPolicy.policy({
@@ -128,6 +129,7 @@ myTopic.addSubscription(new subscriptions.LambdaSubscription(fn, {
         allowlist: ['red', 'orange'],
       })),
     }),
+    store: sns.FilterOrPolicy.filter(sns.SubscriptionFilter.notExistsFilter()),
   },
 }));
 ```

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-sns-subscriptions/integ.sns-sqs-subscription-filter.ts

@@ -0,0 +1,75 @@
+import * as sns from 'aws-cdk-lib/aws-sns';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import * as cdk from 'aws-cdk-lib';
+import { IntegTest, ExpectedResult } from '@aws-cdk/integ-tests-alpha';
+import * as subs from 'aws-cdk-lib/aws-sns-subscriptions';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'sns-sqs-subscription-filter');
+
+const topic = new sns.Topic(stack, 'MyTopic');
+
+const queue1 = new sqs.Queue(stack, 'MyQueue1');
+const queue2 = new sqs.Queue(stack, 'MyQueue2');
+
+topic.addSubscription(new subs.SqsSubscription(queue1, {
+  filterPolicyWithMessageBody: {
+    background: sns.Policy.policy({
+      color: sns.Filter.filter(sns.SubscriptionFilter.stringFilter({
+        allowlist: ['red', 'green'],
+      })),
+    }),
+    price: sns.Filter.filter(sns.SubscriptionFilter.numericFilter({
+      allowlist: [100, 200],
+    })),
+    store: sns.Filter.filter(sns.SubscriptionFilter.existsFilter()),
+  },
+  rawMessageDelivery: true,
+}));
+
+topic.addSubscription(new subs.SqsSubscription(queue2, {
+  filterPolicyWithMessageBody: {
+    background: sns.Policy.policy({
+      color: sns.Filter.filter(sns.SubscriptionFilter.stringFilter({
+        denylist: ['red', 'green'],
+      })),
+    }),
+    price: sns.Filter.filter(sns.SubscriptionFilter.numericFilter({
+      betweenStrict: { start: 100, stop: 200 },
+    })),
+    store: sns.Filter.filter(sns.SubscriptionFilter.notExistsFilter()),
+  },
+  rawMessageDelivery: true,
+}));
+
+const integTest = new IntegTest(app, 'SNS Subscription filters', {
+  testCases: [stack],
+});
+
+const message1 = JSON.stringify({ background: { color: 'green' }, price: 200, store: 'fans' }); // matches queue1 subscription filter
+const message2 = JSON.stringify({ background: { color: 'blue' }, price: 150 }); // matches queue2 subscription filter
+
+// publish messages to SNS topic
+integTest.assertions.awsApiCall('SNS', 'publish', {
+  Message: message1,
+  TopicArn: topic.topicArn,
+});
+integTest.assertions.awsApiCall('SNS', 'publish', {
+  Message: message2,
+  TopicArn: topic.topicArn,
+});
+
+// check messages arrived at expected destination queue
+integTest.assertions.awsApiCall('SQS', 'receiveMessage', {
+  QueueUrl: queue1.queueUrl,
+  WaitTimeSeconds: 20,
+}).expect(ExpectedResult.objectLike({
+  Messages: [{ Body: message1 }],
+}));
+integTest.assertions.awsApiCall('SQS', 'receiveMessage', {
+  QueueUrl: queue2.queueUrl,
+  WaitTimeSeconds: 20,
+}).expect(ExpectedResult.objectLike({
+  Messages: [{ Body: message2 }],
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-sns-subscriptions/integ.sns-sqs.ts

@@ -3,50 +3,31 @@ import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as cdk from 'aws-cdk-lib';
 import { IntegTest, ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 import * as subs from 'aws-cdk-lib/aws-sns-subscriptions';
-class SnsToSqsStack extends cdk.Stack {
-  topic: sns.Topic;
-  queue: sqs.Queue;
-  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
-    super(scope, id, props);
-    this.topic = new sns.Topic(this, 'MyTopic');
-    const queueStack = new cdk.Stack(app, 'QueueStack');
-    this.queue = new sqs.Queue(queueStack, 'MyQueue');
-    this.topic.addSubscription(new subs.SqsSubscription(this.queue, {
-      filterPolicyWithMessageBody: {
-        background: sns.Policy.policy({
-          color: sns.Filter.filter(sns.SubscriptionFilter.stringFilter({
-            allowlist: ['red', 'green'],
-            denylist: ['white', 'orange'],
-          })),
-        }),
-        price: sns.Filter.filter(sns.SubscriptionFilter.numericFilter({
-          allowlist: [100, 200],
-          between: { start: 300, stop: 350 },
-          greaterThan: 500,
-          lessThan: 1000,
-          betweenStrict: { start: 2000, stop: 3000 },
-        })),
-      },
-    }));
-  }
-}
-// Beginning of the test suite
+
 const app = new cdk.App();
-const stack = new SnsToSqsStack(app, 'SnsToSqsStack');
+
+const stack = new cdk.Stack(app, 'SnsToSqsStack');
+
+const topic = new sns.Topic(stack, 'MyTopic');
+
+const queue = new sqs.Queue(stack, 'MyQueue');
+
+topic.addSubscription(new subs.SqsSubscription(queue, { rawMessageDelivery: true }));
+
 const integTest = new IntegTest(app, 'SNS Subscriptions', {
-  testCases: [
-    stack,
-  ],
+  testCases: [stack],
 });
+
+const message = JSON.stringify({ color: 'green', price: 200 });
+
 integTest.assertions.awsApiCall('SNS', 'publish', {
-  Message: '{ background: { color: \'green\' }, price: 200 }',
-  TopicArn: stack.topic.topicArn,
+  Message: message,
+  TopicArn: topic.topicArn,
 });
-const message = integTest.assertions.awsApiCall('SQS', 'receiveMessage', {
-  QueueUrl: stack.queue.queueUrl,
+
+integTest.assertions.awsApiCall('SQS', 'receiveMessage', {
+  QueueUrl: queue.queueUrl,
   WaitTimeSeconds: 20,
-});
-message.expect(ExpectedResult.objectLike({
-  Messages: [{ Body: '{color: "green", price: 200}' }],
+}).expect(ExpectedResult.objectLike({
+  Messages: [{ Body: message }],
 }));
-app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-stepfunctions-tasks/integ.evaluate-expression-nodejs22.ts

@@ -0,0 +1,27 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
+
+class TestStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const task = new tasks.EvaluateExpression(this, 'Task', {
+      expression: '$.a + $.b',
+      runtime: lambda.Runtime.NODEJS_22_X,
+    });
+
+    new sfn.StateMachine(this, 'StateMachine', {
+      definition: task,
+    });
+  }
+}
+
+const app = new App();
+
+new integ.IntegTest(app, 'EvaluateExpressionNodejs22', {
+  testCases: [new TestStack(app, 'evaluate-expression-nodejs22')],
+});