konokenj.cdk-api-mcp-server 0.48.0__py3-none-any.whl → 0.57.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-data.ts

@@ -1,76 +1,105 @@
 import { Bucket } from 'aws-cdk-lib/aws-s3';
-import { App, CfnOutput, RemovalPolicy, Stack, Token } from 'aws-cdk-lib';
+import { App, CfnOutput, RemovalPolicy, Stack, StackProps, Token } from 'aws-cdk-lib';
 import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as path from 'path';
+import { Construct } from 'constructs';
 
-const app = new App({
-  postCliContext: {
-    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-  },
-});
-const stack = new Stack(app, 'TestBucketDeploymentContent');
-const bucket = new Bucket(stack, 'Bucket', {
-  removalPolicy: RemovalPolicy.DESTROY, // Allow bucket deletion
-  autoDeleteObjects: true, // Delete objects when bucket is deleted
-});
+/**
+ * Integration test for bucket deployment with various data source types:
+ * - Tests Source.data(), Source.jsonData(), and Source.yamlData() methods
+ * - Validates token substitution in JSON and YAML files
+ * - Tests proper escaping of special characters (quotes) in JSON files
+ * - Tests addSource() method for dynamically adding sources
+ * - Validates empty string handling
+ */
+class TestBucketDeploymentData extends Stack {
+  public readonly bucket: Bucket;
 
-const file1 = Source.data('file1.txt', 'boom');
-const file2 = Source.data('path/to/file2.txt', `bam! ${bucket.bucketName}`);
-const file3 = Source.jsonData('my-json/config.json', { website_url: bucket.bucketWebsiteUrl });
-const file4 = Source.yamlData('my-yaml/config.yaml', { website_url: bucket.bucketWebsiteUrl });
-const file5 = Source.jsonData('my-json/config2.json', { bucket_domain_name: bucket.bucketWebsiteDomainName });
-
-// Add new test case for secret value with quotes
-const secret = new secretsmanager.Secret(stack, 'TestSecret', {
-  generateSecretString: {
-    secretStringTemplate: JSON.stringify({
-      value: 'test"with"quotes',
-    }),
-    generateStringKey: 'password',
-  },
-});
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
 
-// Store secret in SSM (workaround for #21503)
-const param = new ssm.StringParameter(stack, 'SecretParam', {
-  stringValue: secret.secretValueFromJson('value').unsafeUnwrap(),
-});
+    this.bucket = new Bucket(this, 'Bucket', {
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
 
-const tokenizedValue = param.stringValue; // This should be a Token
-new CfnOutput(stack, 'IsToken', { value: Token.isUnresolved(tokenizedValue).toString() });
-new CfnOutput(stack, 'SecretValue', { value: tokenizedValue });
+    // Test various data source types with different content
+    const file1 = Source.data('file1.txt', 'boom');
+    const file2 = Source.data('path/to/file2.txt', `bam! ${this.bucket.bucketName}`);
+    const file3 = Source.jsonData('my-json/config.json', { website_url: this.bucket.bucketWebsiteUrl });
+    const file4 = Source.yamlData('my-yaml/config.yaml', { website_url: this.bucket.bucketWebsiteUrl });
+    const file5 = Source.jsonData('my-json/config2.json', { bucket_domain_name: this.bucket.bucketWebsiteDomainName });
 
-// Add new file with secret value that needs proper escaping
-const file6 = Source.jsonData('my-json/secret-config.json', {
-  secret_value: tokenizedValue, // Using the tokenized value explicitly
-}, { escape: true });
-const file7 = Source.yamlData('my-yaml/secret-config.yaml', {
-  secret_value: tokenizedValue,
-});
+    // Test secret value with quotes that need escaping
+    const secret = new secretsmanager.Secret(this, 'TestSecret', {
+      generateSecretString: {
+        secretStringTemplate: JSON.stringify({
+          value: 'test"with"quotes',
+        }),
+        generateStringKey: 'password',
+      },
+    });
 
-const deployment = new BucketDeployment(stack, 'DeployMeHere', {
-  destinationBucket: bucket,
-  sources: [file1, file2],
-  destinationKeyPrefix: 'deploy/here/',
-  retainOnDelete: false, // default is true, which will block the integration test cleanup
-});
-deployment.addSource(file3);
-deployment.addSource(file4);
-deployment.addSource(file5);
-deployment.addSource(file6);
-deployment.addSource(file7);
+    // Store secret in SSM (workaround for #21503)
+    const param = new ssm.StringParameter(this, 'SecretParam', {
+      stringValue: secret.secretValueFromJson('value').unsafeUnwrap(),
+    });
+
+    const tokenizedValue = param.stringValue; // This should be a Token
+    new CfnOutput(this, 'IsToken', { value: Token.isUnresolved(tokenizedValue).toString() });
+    new CfnOutput(this, 'SecretValue', { value: tokenizedValue });
+
+    // Test proper escaping of quotes in JSON
+    const file6 = Source.jsonData('my-json/secret-config.json', {
+      secret_value: tokenizedValue,
+    }, { escape: true });
+    // Test YAML file (which doesn't require escaping)
+    const file7 = Source.yamlData('my-yaml/secret-config.yaml', {
+      secret_value: tokenizedValue,
+    });
 
-new CfnOutput(stack, 'BucketName', { value: bucket.bucketName });
+    // Test empty string handling
+    const file8 = Source.data('file8.txt', '');
 
-const integ = new IntegTest(app, 'integ-test-bucket-deployment-data', {
-  testCases: [stack],
+    // Test null JSON data value
+    const file9 = Source.jsonData('my-json/config-with-null.json', { hello: 'there', goodbye: null });
+
+    const deployment = new BucketDeployment(this, 'DeployWithDataSources', {
+      destinationBucket: this.bucket,
+      sources: [file1, file2],
+      destinationKeyPrefix: 'deploy/here/',
+      retainOnDelete: false,
+    });
+    // Test addSource() method
+    deployment.addSource(file3);
+    deployment.addSource(file4);
+    deployment.addSource(file5);
+    deployment.addSource(file6);
+    deployment.addSource(file7);
+    deployment.addSource(file8);
+    deployment.addSource(file9);
+
+    new CfnOutput(this, 'BucketName', { value: this.bucket.bucketName });
+  }
+}
+
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
 });
+const testCase = new TestBucketDeploymentData(app, 'test-bucket-deployment-data');
 
-// Add assertions to verify the JSON file
-const assertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
-  Bucket: bucket.bucketName,
+const integTest = new IntegTest(app, 'integ-test-bucket-deployment-data', {
+  testCases: [testCase],
+});
+
+// Assert that addSource() successfully adds the data source alongside the asset source
+const assertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: testCase.bucket.bucketName,
   Key: path.join('deploy/here', 'my-json/secret-config.json'),
 });
 
@@ -80,9 +109,20 @@ assertionProvider.expect(ExpectedResult.objectLike({
   Body: '{"secret_value":"test\\"with\\"quotes"}',
 }));
 
+// Assert that JSON data with a null value is represented properly
+const jsonNullAssertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: testCase.bucket.bucketName,
+  Key: path.join('deploy/here', 'my-json/config-with-null.json'),
+});
+
+// Verify the content is valid JSON and both null and non-null fields are present
+jsonNullAssertionProvider.expect(ExpectedResult.objectLike({
+  Body: '{"hello":"there","goodbye":null}',
+}));
+
 // Add assertions to verify the YAML file
-const yamlAssertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
-  Bucket: bucket.bucketName,
+const yamlAssertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: testCase.bucket.bucketName,
   Key: path.join('deploy/here', 'my-yaml/secret-config.yaml'),
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-deployed-bucket.ts

@@ -5,6 +5,11 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 
+/**
+ * Integration test for deployedBucket property:
+ * - Tests that deployedBucket provides access to bucket after deployment completes
+ * - Validates that bucket properties like bucketWebsiteUrl can be accessed via deployedBucket
+ */
 class TestBucketDeployment extends cdk.Stack {
   public readonly bucket: s3.IBucket;
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
@@ -16,13 +21,14 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    const deploy = new s3deploy.BucketDeployment(this, 'DeployMe5', {
+    const deployment = new s3deploy.BucketDeployment(this, 'DeployWithDeployedBucket', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website-second'))],
       destinationBucket: this.bucket,
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
 
-    this.exportValue(deploy.deployedBucket.bucketWebsiteUrl, {
+    // Export the website URL accessed via deployedBucket property
+    this.exportValue(deployment.deployedBucket.bucketWebsiteUrl, {
       name: 'WebsiteUrl',
     });
   }
@@ -35,7 +41,7 @@ const app = new cdk.App({
 });
 const testCase = new TestBucketDeployment(app, 'test-bucket-deployment-deployed-bucket');
 
-new integ.IntegTest(app, 'integ-test-bucket-deployments', {
+new integ.IntegTest(app, 'integ-test-bucket-deployment-deployed-bucket', {
   testCases: [testCase],
   diffAssets: true,
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-large-file.ts

@@ -10,19 +10,29 @@ import * as fs from 'fs';
 import * as crypto from 'crypto';
 import * as os from 'os';
 
+/**
+ * Integration test for bucket deployment with large files:
+ * - Tests deployment of large files (10MB JSON and text files)
+ * - Validates that large file uploads work correctly
+ * - Tests token substitution and escaping in large deployments
+ * - Validates both escaped and unescaped JSON handling
+ */
 const app = new App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
   },
 });
-const stack = new Stack(app, 'TestBucketDeploymentLargeFile');
+const stack = new Stack(app, 'test-bucket-deployment-large-file');
 const bucket = new Bucket(stack, 'Bucket', {
-  removalPolicy: RemovalPolicy.DESTROY, // Allow bucket deletion
-  autoDeleteObjects: true, // Delete objects when bucket is deleted
+  removalPolicy: RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
 });
 
 // Create a temporary directory for our large files
 const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cdk-large-files-'));
+process.on('exit', () => {
+  fs.rmSync(tempDir, { force: true, recursive: true });
+});
 
 // Generate a large JSON file (10MB) programmatically
 const largeJsonFilePath = path.join(tempDir, 'large-file.json');
@@ -153,7 +163,7 @@ const noEscapeFileWithMarker = Source.jsonData('my-json/secret-config-no-escape.
 });
 
 // Deploy the large files
-new BucketDeployment(stack, 'DeployLargeFiles', {
+new BucketDeployment(stack, 'DeployWithLargeFiles', {
   destinationBucket: bucket,
   sources: [largeJsonSource, largeTextSource, fileWithMarker, noEscapeFileWithMarker],
   retainOnDelete: false,
@@ -161,12 +171,12 @@ new BucketDeployment(stack, 'DeployLargeFiles', {
 
 new CfnOutput(stack, 'BucketName', { value: bucket.bucketName });
 
-const integ = new IntegTest(app, 'integ-test-bucket-deployment-large-file', {
+const integTest = new IntegTest(app, 'integ-test-bucket-deployment-large-file', {
   testCases: [stack],
 });
 
-// Add assertions to verify the JSON file
-const assertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
+// Assert that escaped JSON is properly escaped
+const assertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: bucket.bucketName,
   Key: 'my-json/secret-config.json',
 });
@@ -177,7 +187,8 @@ assertionProvider.expect(ExpectedResult.objectLike({
   Body: '{"secret_value":"test\\"with\\"quotes"}',
 }));
 
-integ.assertions.awsApiCall('S3', 'getObject', {
+// Assert that unescaped JSON works without escape option
+integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: bucket.bucketName,
   Key: 'my-json/secret-config-no-escape.json',
 }).expect(ExpectedResult.objectLike({
@@ -185,8 +196,8 @@ integ.assertions.awsApiCall('S3', 'getObject', {
   Body: '{"secret_value":"test"with"quotes"}',
 }));
 
-// Verify the large JSON file was deployed successfully
-const jsonAssertionProvider = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
+// Assert that large JSON file was deployed successfully
+const jsonAssertionProvider = integTest.assertions.awsApiCall('S3', 'listObjectsV2', {
   Bucket: bucket.bucketName,
   Prefix: 'large-file.json',
   MaxKeys: 1,
@@ -211,8 +222,8 @@ if (jsonAssertionProvider instanceof AwsApiCall && jsonAssertionProvider.waiterP
   });
 }
 
-// Verify the large text file was deployed successfully
-const textAssertionProvider = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
+// Assert that large text file was deployed successfully
+const textAssertionProvider = integTest.assertions.awsApiCall('S3', 'listObjectsV2', {
   Bucket: bucket.bucketName,
   Prefix: 'large-file.txt',
   MaxKeys: 1,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-loggroup.ts

@@ -6,6 +6,11 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 
+/**
+ * Integration test for bucket deployment with custom log group:
+ * - Lambda function writes logs to a custom CloudWatch Log Group
+ * - Tests that custom log groups work correctly with bucket deployments
+ */
 class TestBucketDeployment extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
@@ -17,14 +22,14 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    new s3deploy.BucketDeployment(this, 'DeployMe', {
+    new s3deploy.BucketDeployment(this, 'DeployWithCustomLogGroup', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
       destinationBucket,
       logGroup: new logs.LogGroup(this, 'LogGroup', {
         retention: logs.RetentionDays.ONE_DAY,
         removalPolicy: cdk.RemovalPolicy.DESTROY, // cleanup integ test
       }),
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
   }
 }

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-efs.ts

@@ -0,0 +1,77 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with security groups and EFS:
+ * - Lambda function runs in VPC with EFS filesystem and custom security group
+ * - Tests that security groups work correctly with EFS-enabled deployments
+ */
+class TestBucketDeploymentSecurityGroupsEfs extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security group with allow all outbound
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+      vpc,
+      description: 'Security group - allow all outbound',
+      allowAllOutbound: true,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with EFS storage and security groups
+    new s3deploy.BucketDeployment(this, 'DeployWithEfsAndSecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'efs-sg/',
+      useEfs: true,
+      vpc,
+      securityGroups: [securityGroup],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupsEfs(app, 'test-bucket-deployment-security-groups-efs');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-efs', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-empty.ts

@@ -0,0 +1,69 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with empty security groups array:
+ * - Lambda function runs in VPC with explicitly empty security groups array
+ * - Tests that empty security groups array is handled correctly
+ */
+class TestBucketDeploymentEmptySecurityGroups extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with empty security groups array
+    new s3deploy.BucketDeployment(this, 'DeployWithEmptySecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'empty-sg/',
+      vpc,
+      securityGroups: [],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentEmptySecurityGroups(app, 'test-bucket-deployment-security-groups-empty');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-empty', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-multiple.ts

@@ -0,0 +1,89 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with multiple security groups:
+ * - Lambda function runs in VPC with multiple security groups attached
+ * - Tests that deployments work with multiple security groups having different configurations
+ */
+class TestBucketDeploymentSecurityGroupsMultiple extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security groups with different configurations
+    const sg1 = new ec2.SecurityGroup(this, 'SecurityGroup1', {
+      vpc,
+      description: 'Security group 1 - allow all outbound',
+      allowAllOutbound: true,
+    });
+
+    const sg2 = new ec2.SecurityGroup(this, 'SecurityGroup2', {
+      vpc,
+      description: 'Security group 2 - restrictive outbound',
+      allowAllOutbound: false,
+    });
+
+    // Allow HTTPS outbound for S3 access
+    sg2.addEgressRule(
+      ec2.Peer.anyIpv4(),
+      ec2.Port.tcp(443),
+      'Allow HTTPS outbound for S3 access',
+    );
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with multiple security groups
+    new s3deploy.BucketDeployment(this, 'DeployWithMultipleSecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'multiple-sg/',
+      vpc,
+      securityGroups: [sg1, sg2],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupsMultiple(app, 'test-bucket-deployment-security-groups-multiple');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-multiple', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-single.ts

@@ -0,0 +1,77 @@
+/// !cdk-integ * pragma:enable-lookups
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with single security group:
+ * - Lambda function runs in VPC with a single custom security group
+ * - Tests that explicit security group assignment works correctly
+ */
+class TestBucketDeploymentSecurityGroupSingle extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, {
+      ...props,
+    });
+
+    // Create a VPC inline
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security group with explicit outbound rules for S3 access
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup1', {
+      vpc,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    // Test deployment with single security group
+    new s3deploy.BucketDeployment(this, 'DeployWithSingleSecurityGroup', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'single-sg/',
+      vpc: vpc,
+      securityGroups: [securityGroup],
+      retainOnDelete: false,
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupSingle(app, 'test-bucket-deployment-security-groups-single');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-single', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();