konokenj.cdk-api-mcp-server 0.48.0__py3-none-any.whl → 0.57.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-opensearchservice/integ.opensearch.ebs.ts

@@ -7,7 +7,7 @@ class TestStack extends Stack {
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
 
-    const instanceTypes = ['i4g.large.search', 'i4i.xlarge.search', 'r7gd.xlarge.search'];
+    const instanceTypes = ['i4g.large.search', 'i4i.xlarge.search', 'r7gd.xlarge.search', 'r8gd.medium.search'];
 
     instanceTypes.forEach((instanceType, index) => {
       new opensearch.Domain(this, `Domain${index + 1}`, {

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-opensearchservice/integ.opensearch.min.ts

@@ -11,6 +11,7 @@ class TestStack extends Stack {
       opensearch.EngineVersion.OPENSEARCH_2_13,
       opensearch.EngineVersion.OPENSEARCH_2_15,
       opensearch.EngineVersion.OPENSEARCH_2_17,
+      opensearch.EngineVersion.OPENSEARCH_3_1,
     ];
 
     // deploy opensearch domain with minimal configuration

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/README.md

@@ -1204,7 +1204,7 @@ const cluster = new rds.DatabaseCluster(this, 'Database', {
   }),
   writer: rds.ClusterInstance.provisioned('writer'),
   vpc,
-  cloudwatchLogsExports: ['error', 'general', 'slowquery', 'audit'], // Export all available MySQL-based logs
+  cloudwatchLogsExports: ['error', 'general', 'slowquery', 'audit', 'instance', 'iam-db-auth-error'], // Export all available MySQL-based logs
   cloudwatchLogsRetention: logs.RetentionDays.THREE_MONTHS, // Optional - default is to never expire logs
   cloudwatchLogsRetentionRole: myLogsPublishingRole, // Optional - a role will be created if not provided
   // ...

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/integ.cluster-cloudwatch-logs-exports.ts

@@ -0,0 +1,56 @@
+import * as cdk from 'aws-cdk-lib/core';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as rds from 'aws-cdk-lib/aws-rds';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'CloudWatchLogsExportsStack');
+const vpc = new ec2.Vpc(stack, 'VPC');
+
+const mysql = new rds.DatabaseCluster(stack, 'DatabaseClusterMysql', {
+  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_09_0 }),
+  writer: rds.ClusterInstance.serverlessV2('writerInstance'),
+  vpc,
+  cloudwatchLogsExports: ['error', 'general', 'slowquery', 'audit', 'instance', 'iam-db-auth-error'],
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+
+const postgresql = new rds.DatabaseCluster(stack, 'DatabaseClusterPostgresql', {
+  engine: rds.DatabaseClusterEngine.auroraPostgres({ version: rds.AuroraPostgresEngineVersion.VER_16_4 }),
+  writer: rds.ClusterInstance.serverlessV2('writerInstance'),
+  vpc,
+  cloudwatchLogsExports: ['postgresql', 'iam-db-auth-error', 'instance'],
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+
+const integ = new IntegTest(app, 'CloudWatchLogsExportsStackInteg', {
+  testCases: [stack],
+});
+
+integ.assertions.awsApiCall('RDS', 'describeDBClusters', {
+  DBClusterIdentifier: mysql.clusterIdentifier,
+}).expect(ExpectedResult.objectLike({
+  DBClusters: [{
+    EnabledCloudwatchLogsExports: [
+      'audit',
+      'error',
+      'general',
+      'iam-db-auth-error',
+      'instance',
+      'slowquery',
+    ],
+  }],
+}));
+
+integ.assertions.awsApiCall('RDS', 'describeDBClusters', {
+  DBClusterIdentifier: postgresql.clusterIdentifier,
+}).expect(ExpectedResult.objectLike({
+  DBClusters: [{
+    EnabledCloudwatchLogsExports: [
+      'iam-db-auth-error',
+      'instance',
+      'postgresql',
+    ],
+  }],
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/integ.cluster-data-api-to-imported-cluster.ts

@@ -14,7 +14,7 @@ const stack = new cdk.Stack(app, 'cluster-data-api-to-imported-cluster');
 const vpc = new ec2.Vpc(stack, 'VPC');
 
 const func = new lambda.Function(stack, 'Function', {
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
   handler: 'index.handler',
   code: lambda.Code.fromInline('exports.handler = async (event) => { return "hello"; }'),
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-rds/integ.cluster-data-api.ts

@@ -14,7 +14,7 @@ const stack = new cdk.Stack(app, 'cluster-data-api');
 const vpc = new ec2.Vpc(stack, 'VPC');
 
 const fucntion = new lambda.Function(stack, 'Function', {
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
   handler: 'index.handler',
   code: lambda.Code.fromInline('exports.handler = async (event) => { return "hello"; }'),
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-route53/README.md

@@ -367,40 +367,40 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
   roleName: 'MyDelegationRole',
   // The other account
   assumedBy: new iam.AccountPrincipal('12345678901'),
-  // You can scope down this role policy to be least privileged.
-  // If you want the other account to be able to manage specific records,
-  // you can scope down by resource and/or normalized record names
-  inlinePolicies: {
-    crossAccountPolicy: new iam.PolicyDocument({
-      statements: [
-        new iam.PolicyStatement({
-          sid: 'ListHostedZonesByName',
-          effect: iam.Effect.ALLOW,
-          actions: ['route53:ListHostedZonesByName'],
-          resources: ['*'],
-        }),
-        new iam.PolicyStatement({
-          sid: 'GetHostedZoneAndChangeResourceRecordSets',
-          effect: iam.Effect.ALLOW,
-          actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSets'],
-          // This example assumes the RecordSet subdomain.somexample.com
-          // is contained in the HostedZone
-          resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
-          conditions: {
-            'ForAllValues:StringLike': {
-              'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
-                'subdomain.someexample.com',
-              ],
-            },
-          },
-        }),
-      ],
-    }),
-  },
 });
 parentZone.grantDelegation(crossAccountRole);
 ```
 
+To restrict the records that can be created with the delegation IAM role, use the optional `delegatedZoneNames` property in the delegation options,
+which enforces the `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition key for record names that match those hosted zone names.
+The `delegatedZoneNames` list may only consist of hosted zones names that are subzones of the parent hosted zone.
+
+If the delegated zone name contains an unresolved token,
+it must resolve to a zone name that satisfies the requirements according to the documentation:
+https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/specifying-conditions-route53.html#route53_rrset_conditionkeys_normalization
+
+> All letters must be lowercase.
+> The DNS name must be without the trailing dot.
+> Characters other than a–z, 0–9, - (hyphen), _ (underscore), and . (period, as a delimiter between labels) must use escape codes in the format \three-digit octal code. For example, \052 is the octal code for character *.
+
+This feature allows you to better follow the minimum permissions privilege principle:
+
+```ts
+const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
+  zoneName: 'someexample.com',
+});
+
+declare const betaCrossAccountRole: iam.Role;
+parentZone.grantDelegation(betaCrossAccountRole, {
+    delegatedZoneNames: ['beta.someexample.com'],
+});
+
+declare const prodCrossAccountRole: iam.Role;
+parentZone.grantDelegation(prodCrossAccountRole, {
+    delegatedZoneNames: ['prod.someexample.com'],
+});
+```
+
 In the account containing the child zone to be delegated:
 
 ```ts
@@ -540,7 +540,8 @@ const zone = route53.HostedZone.fromHostedZoneAttributes(this, 'MyZone', {
 ```
 
 Alternatively, use the `HostedZone.fromHostedZoneId` to import hosted zones if
-you know the ID and the retrieval for the `zoneName` is undesirable.
+you know the ID and the retrieval for the `zoneName` is undesirable. 
+Note that any records created with a hosted zone obtained this way must have their name be fully qualified
 
 ```ts
 const zone = route53.HostedZone.fromHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ');
@@ -558,6 +559,18 @@ const zoneFromAttributes = route53.PublicHostedZone.fromPublicHostedZoneAttribut
 const zoneFromId = route53.PublicHostedZone.fromPublicHostedZoneId(this, 'MyZone', 'ZOJJZC49E0EPZ');
 ```
 
+You can import a Private Hosted Zone with `PrivateHostedZone.fromPrivateHostedZoneId` and `PrivateHostedZone.fromPrivateHostedZoneAttributes` methods:
+
+```ts
+const privateZoneFromAttributes = route53.PrivateHostedZone.fromPrivateHostedZoneAttributes(this, 'MyPrivateZone', {
+  zoneName: 'example.local',
+  hostedZoneId: 'ZOJJZC49E0EPZ',
+});
+
+// Does not know zoneName  
+const privateZoneFromId = route53.PrivateHostedZone.fromPrivateHostedZoneId(this, 'MyPrivateZone', 'ZOJJZC49E0EPZ');
+```
+
 You can use `CrossAccountZoneDelegationRecord` on imported Hosted Zones with the `grantDelegation` method:
 
 ```ts

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-route53/integ.private-hosted-zone-from-attributes.ts

@@ -0,0 +1,41 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as cdk from 'aws-cdk-lib';
+import * as route53 from 'aws-cdk-lib/aws-route53';
+import { PrivateHostedZone } from 'aws-cdk-lib/aws-route53';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'aws-cdk-route53-integ');
+
+const vpc = new ec2.Vpc(stack, 'VPC', { maxAzs: 1, restrictDefaultSecurityGroup: false });
+
+const privateZone = new PrivateHostedZone(stack, 'PrivateZone', {
+  zoneName: 'aws-cdk.dev', vpc,
+});
+
+const expectPrivateHostedZone = route53.PrivateHostedZone.fromHostedZoneAttributes(stack, 'ExpectPrivateHostedZone', {
+  hostedZoneId: privateZone.hostedZoneId,
+  zoneName: privateZone.zoneName,
+});
+
+const integTest = new IntegTest(app, 'AwsCdkRoute53IntegTest', {
+  testCases: [stack],
+  diffAssets: false,
+});
+
+const hostedZoneApiCall = integTest.assertions.awsApiCall('Route53', 'getHostedZone', {
+  Id: expectPrivateHostedZone.hostedZoneId,
+});
+
+hostedZoneApiCall.expect(
+  ExpectedResult.objectLike({
+    HostedZone: {
+      Id: expectPrivateHostedZone.hostedZoneId,
+      Name: expectPrivateHostedZone.zoneName,
+    },
+  }),
+);
+
+app.synth();
+

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-route53/integ.zone-delegation-iam-stack.ts

@@ -0,0 +1,66 @@
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdk from 'aws-cdk-lib';
+import * as route53 from 'aws-cdk-lib/aws-route53';
+import { Construct } from 'constructs';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+class ZoneDelegationIamStack extends cdk.Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const parentZone = new route53.PublicHostedZone(this, 'ParentZone', {
+      zoneName: 'uniqueexample.com',
+    });
+
+    const trusteeRoleArns = this.formatArn({
+      service: 'iam',
+      region: '',
+      resource: 'role',
+      resourceName: 'ZoneDelegationStack-*',
+    });
+
+    const delegationRole = new iam.Role(this, 'ZoneDelegationRole', {
+      roleName: 'ExampleDelegationRole',
+      assumedBy: new iam.AccountRootPrincipal().withConditions({
+        ArnLike: {
+          'aws:PrincipalArn': trusteeRoleArns,
+        },
+      }),
+    });
+
+    const delegationGrant = parentZone.grantDelegation(delegationRole, {
+      delegatedZoneNames: [
+        'sub1.uniqueexample.com',
+        'sub2_*$.uniqueexample.com', // should result in octal codes in iam condition
+      ],
+    });
+
+    const subZone = new route53.PublicHostedZone(this, 'SubZone', {
+      zoneName: 'sub1.uniqueexample.com',
+    });
+
+    new route53.CrossAccountZoneDelegationRecord(subZone, 'ZoneDelegation', {
+      delegatedZone: subZone,
+      parentHostedZoneName: parentZone.zoneName,
+      delegationRole: delegationRole,
+    }).node.addDependency(delegationGrant);
+
+    const subZoneWithSpecialChars = new route53.PublicHostedZone(this, 'SubZoneSpecialChars', {
+      zoneName: 'sub2_*$.uniqueexample.com',
+    });
+
+    new route53.CrossAccountZoneDelegationRecord(subZoneWithSpecialChars, 'ZoneDelegation', {
+      delegatedZone: subZoneWithSpecialChars,
+      parentHostedZoneName: parentZone.zoneName,
+      delegationRole: delegationRole,
+    }).node.addDependency(delegationGrant);
+  }
+}
+
+const app = new cdk.App();
+
+const stack = new ZoneDelegationIamStack(app, 'ZoneDelegationStack');
+
+new IntegTest(app, 'ZoneDelegationIam', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/README.md

@@ -1,6 +1,5 @@
 # AWS S3 Deployment Construct Library
 
-
 This library allows populating an S3 bucket with the contents of .zip files
 from other S3 buckets or from local disk.
 
@@ -83,7 +82,7 @@ User: *** is not authorized to perform: kms:Decrypt on the resource associated w
 because no identity-based policy allows the kms:Decrypt action
 ```
 
-When this happens, users can use the public `handlerRole` property of `BucketDeployment` to manually 
+When this happens, users can use the public `handlerRole` property of `BucketDeployment` to manually
 add the KMS permissions:
 
 ```ts
@@ -375,6 +374,7 @@ resource handler.
 > of memory and storage size.
 
 ## JSON-Aware Source Processing
+
 When using `Source.jsonData` with CDK Tokens (references to construct properties), you may need to enable the escaping option. This is particularly important when the referenced properties might contain special characters that require proper JSON escaping (like double quotes, line breaks, etc.).
 
 ```ts
@@ -462,7 +462,7 @@ to make from placeholders in a local file which will be resolved during deployme
 is especially useful in situations like creating an API from a spec file, where users might
 want to reference other CDK resources they have created.
 
-The syntax for template variables is `{{ variableName }}` in your local file. Then, you would 
+The syntax for template variables is `{{ variableName }}` in your local file. Then, you would
 specify the substitutions in CDK like this:
 
 ```ts
@@ -486,7 +486,7 @@ new s3deploy.DeployTimeSubstitutedFile(this, 'MyFile', {
 ```
 
 Nested variables, like `{{ {{ foo }} }}` or `{{ foo {{ bar }} }}`, are not supported by this
-construct. In the first case of a single variable being is double nested `{{ {{ foo }} }}`, only 
+construct. In the first case of a single variable being is double nested `{{ {{ foo }} }}`, only
 the `{{ foo }}` would be replaced by the substitution, and the extra brackets would remain in the file.
 In the second case of two nexted variables `{{ foo {{ bar }} }}`, only the `{{ bar }}` would be replaced
 in the file.
@@ -533,6 +533,67 @@ new cdk.CfnOutput(this, 'ObjectKey', {
 });
 ```
 
+## Specifying a Custom VPC, Subnets, and Security Groups in BucketDeployment
+
+By default, the AWS CDK BucketDeployment construct runs in a publicly accessible environment. However, for enhanced security and compliance, you may need to deploy your assets from within a VPC while restricting network access through custom subnets and security groups.
+
+### Using a Custom VPC
+
+To deploy assets within a private network, specify the vpc property in BucketDeploymentProps. This ensures that the deployment Lambda function executes within your specified VPC.
+
+```ts
+const vpc = ec2.Vpc.fromLookup(this, 'ExistingVPC', { vpcId: 'vpc-12345678' });
+const bucket = new s3.Bucket(this, 'MyBucket');
+
+new s3deploy.BucketDeployment(this, 'DeployToS3', {
+    destinationBucket: bucket,
+    vpc: vpc, 
+    sources: [s3deploy.Source.asset('./website')],
+});
+```
+
+### Specifying Subnets for Deployment
+
+By default, when you specify a VPC, the BucketDeployment function is deployed in the private subnets of that VPC.
+However, you can customize the subnet selection using the vpcSubnets property.
+
+```ts
+const vpc = ec2.Vpc.fromLookup(this, 'ExistingVPC', { vpcId: 'vpc-12345678' });
+const bucket = new s3.Bucket(this, 'MyBucket');
+
+new s3deploy.BucketDeployment(this, 'DeployToS3', {
+    destinationBucket: bucket,
+    vpc: vpc,
+    vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
+    sources: [s3deploy.Source.asset('./website')],
+});
+```
+
+### Defining Custom Security Groups
+
+For enhanced network security, you can now specify custom security groups in BucketDeploymentProps.
+This allows fine-grained control over ingress and egress rules for the deployment Lambda function.
+
+```ts
+const vpc = ec2.Vpc.fromLookup(this, 'ExistingVPC', { vpcId: 'vpc-12345678' });
+const bucket = new s3.Bucket(this, 'MyBucket');
+
+const securityGroup = new ec2.SecurityGroup(this, 'CustomSG', {
+    vpc: vpc,
+    description: 'Allow HTTPS outbound access',
+    allowAllOutbound: false,
+});
+
+securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443), 'Allow HTTPS traffic');
+
+new s3deploy.BucketDeployment(this, 'DeployWithSecurityGroup', {
+    destinationBucket: bucket,
+    vpc: vpc,
+    securityGroups: [securityGroup],
+    sources: [s3deploy.Source.asset('./website')],
+});
+```
+
 ## Notes
 
 - This library uses an AWS CloudFormation custom resource which is about 10MiB in

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-big-response.ts

@@ -11,6 +11,12 @@ import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 
 const numFiles = 50;
 
+/**
+ * Integration test for bucket deployment with many sources (big response):
+ * - Tests deployment with 50 source files to validate response size handling
+ * - Uses increased memory limit (2048MB) for large deployments
+ * - Validates that objectKeys output is disabled when outputObjectKeys is false
+ */
 class TestBucketDeployment extends cdk.Stack {
   public readonly destinationBucket: s3.IBucket;
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
@@ -21,9 +27,14 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
+    // Create multiple source files to test big response handling
     const sources = [];
     for (let i = 0; i < numFiles; i++) {
       const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'tmpcdk'));
+      process.on('exit', () => {
+        fs.rmSync(tempDir, { force: true, recursive: true });
+      });
+
       fs.mkdirSync(tempDir, { recursive: true });
       const fileName = `${i+1}.txt`;
       const filePath = path.join(tempDir, fileName);
@@ -31,17 +42,17 @@ class TestBucketDeployment extends cdk.Stack {
       sources.push(s3deploy.Source.asset(tempDir));
     }
 
-    const deploymentBucket = new s3deploy.BucketDeployment(this, 'DeployMe', {
+    const deployment = new s3deploy.BucketDeployment(this, 'DeployWithManySources', {
       sources: sources,
       destinationBucket: this.destinationBucket,
       memoryLimit: 2048,
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
       outputObjectKeys: false,
     });
 
     new CfnOutput(this, 'customResourceData', {
       value: Fn.sub('Object Keys are${keys}', {
-        keys: Fn.join(',', deploymentBucket.objectKeys),
+        keys: Fn.join(',', deployment.objectKeys),
       }),
     });
   }
@@ -54,12 +65,12 @@ const app = new cdk.App({
 });
 const testCase = new TestBucketDeployment(app, 'test-bucket-deployments-too-many-sources');
 
-const integTest = new integ.IntegTest(app, 'integ-test-bucket-deployments', {
+const integTest = new integ.IntegTest(app, 'integ-test-bucket-deployment-big-response', {
   testCases: [testCase],
   diffAssets: true,
 });
 
-// Assert that DeployMeWithoutExtractingFilesOnDestination deploys a zip file to bucket4
+// Assert that all files were successfully deployed
 for (let i = 0; i < numFiles; i++) {
   const apiCall = integTest.assertions.awsApiCall('S3', 'getObject', {
     Bucket: testCase.destinationBucket.bucketName,
@@ -73,7 +84,7 @@ for (let i = 0; i < numFiles; i++) {
   apiCall.assertAtPath('Body', ExpectedResult.stringLikeRegexp(`This is file number ${i + 1}`));
 }
 
-// Assert that there is no object keys returned from the custom resource
+// Assert that objectKeys output is empty when outputObjectKeys is false
 const describe = integTest.assertions.awsApiCall('CloudFormation', 'describeStacks', {
   StackName: 'test-bucket-deployments-too-many-sources',
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cloudfront.ts

@@ -1,27 +1,29 @@
 import * as path from 'path';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as cdk from 'aws-cdk-lib';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
 
-class TestBucketDeployment extends cdk.Stack {
-  constructor(scope: cdk.App, id: string) {
-    super(scope, id);
+/**
+ * Integration test for bucket deployment with CloudFront distribution invalidation:
+ * - Deploys files to S3 bucket behind CloudFront distribution
+ * - Tests that CloudFront cache invalidation works with bucket deployments
+ */
+class TestBucketDeploymentCloudFront extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
-    const bucket = new s3.Bucket(this, 'Destination3', {
+    const bucket = new s3.Bucket(this, 'Destination', {
       removalPolicy: cdk.RemovalPolicy.DESTROY,
       autoDeleteObjects: true, // needed for integration test cleanup
     });
-    const distribution = new cloudfront.CloudFrontWebDistribution(this, 'Distribution', {
-      originConfigs: [
-        {
-          s3OriginSource: {
-            s3BucketSource: bucket,
-          },
-          behaviors: [{ isDefaultBehavior: true }],
-        },
-      ],
+    const distribution = new cloudfront.Distribution(this, 'Distribution', {
+      defaultBehavior: {
+        origin: origins.S3BucketOrigin.withOriginAccessControl(bucket),
+      },
     });
 
     new s3deploy.BucketDeployment(this, 'DeployWithInvalidation', {
@@ -29,7 +31,7 @@ class TestBucketDeployment extends cdk.Stack {
       destinationBucket: bucket,
       distribution,
       distributionPaths: ['/images/*.png'],
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
   }
 }
@@ -41,10 +43,10 @@ const app = new cdk.App({
   },
 });
 
-const stack = new TestBucketDeployment(app, 'test-bucket-deployments-1');
+const testCase = new TestBucketDeploymentCloudFront(app, 'test-bucket-deployment-cloudfront');
 
-new IntegTest(app, 'TestBucketDeploymentInteg', {
-  testCases: [stack],
+new integ.IntegTest(app, 'integ-test-bucket-deployment-cloudfront', {
+  testCases: [testCase],
   diffAssets: true,
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-nested-stack-source.ts

@@ -6,6 +6,12 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 
+/**
+ * Integration test for bucket deployment with cross-nested-stack references:
+ * - Tests that Source.jsonData() can use values from resources in nested stacks
+ * - Validates that cross-nested-stack token resolution works correctly
+ * - Tests token substitution across nested stack boundaries
+ */
 class ResourceNestedStack extends NestedStack {
   userPool: UserPool;
   constructor (scope: Construct, id: string, props: NestedStackProps = {}) {
@@ -23,7 +29,7 @@ class DeploymentNestedStack extends NestedStack {
   constructor (scope: Construct, id: string, props: DeploymentNestedStackProps) {
     super(scope, id, props);
     this.bucket = new Bucket(this, 'Bucket');
-    new BucketDeployment(this, 'Deployment', {
+    new BucketDeployment(this, 'DeployWithCrossNestedStackSource', {
       destinationBucket: this.bucket,
       sources: [
         Source.jsonData('appconfig.json', { userPoolId: props.userPool.userPoolId }),

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-stack-source.ts

@@ -6,6 +6,11 @@ import { Construct } from 'constructs';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 
+/**
+ * Integration test for bucket deployment with cross-stack references:
+ * - Tests that Source.data() can use values from resources in other stacks
+ * - Validates that cross-stack token resolution works correctly
+ */
 class Stack2 extends Stack {
   userPool: UserPool;
 
@@ -21,7 +26,7 @@ class Stack1 extends Stack {
   constructor (scope: Construct, id: string, props: { userPool: UserPool }) {
     super(scope, id);
     this.bucket = new Bucket(this, 'bucket');
-    new BucketDeployment(this, 'XXXXXXXXXX', {
+    new BucketDeployment(this, 'DeployWithCrossStackSource', {
       destinationBucket: this.bucket,
       sources: [
         Source.data('test.txt', props.userPool.userPoolId),

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-stack-ssm-source.ts

@@ -5,6 +5,12 @@ import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 
+/**
+ * Integration test for bucket deployment with cross-stack SSM parameter references:
+ * - Tests that SSM StringListParameter tokens are resolved in Source.jsonData()
+ * - Validates cross-nested-stack parameter references work correctly
+ * - Tests that parameter values are properly serialized in JSON output
+ */
 class SsmStack extends cdk.NestedStack {
   public readonly ssmParam: ssm.StringListParameter;
 
@@ -38,7 +44,7 @@ class S3Stack extends cdk.NestedStack {
       autoDeleteObjects: true,
     });
 
-    new s3deploy.BucketDeployment(this, 'ReproDeployment', {
+    new s3deploy.BucketDeployment(this, 'DeployWithSsmParameter', {
       sources: [
         s3deploy.Source.jsonData('config.json', {
           subnets: readParam.stringListValue,