PyPI - konokenj.cdk-api-mcp-server - Versions diffs - 0.49.0__py3-none-any.whl → 0.51.0__py3-none-any.whl - Mend

konokenj.cdk-api-mcp-server 0.49.0py3-none-any.whl → 0.51.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of konokenj.cdk-api-mcp-server might be problematic. Click here for more details.

Files changed (68) hide show

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.add-to-resource-policy.ts ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * Integration test for DynamoDB Table.addToResourcePolicy() method
+ *
+ * This test validates the fix for issue #35062: "(aws-dynamodb): `addToResourcePolicy` has no effect"
+ *
+ * WHAT WE'RE TESTING:
+ * - The addToResourcePolicy() method was broken - it had "no effect" when called
+ * - Resource policies weren't being added to the CloudFormation template
+ * - This created a security gap where developers thought they were securing tables but policies weren't applied
+ *
+ * TEST VALIDATION:
+ * 1. Creates DynamoDB tables with different resource policy configurations
+ * 2. Tests both wildcard resources (for auto-generated names) and scoped resources (for explicit names)
+ * 3. Verifies policies get added to CloudFormation templates with correct structure
+ * 4. Ensures both patterns work without circular dependencies
+ *
+ * @see https://github.com/aws/aws-cdk/issues/35062
+ */
+import { App, Fn, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+export class TestStack extends Stack {
+  public readonly wildcardTable: dynamodb.Table;
+  public readonly scopedTable: dynamodb.Table;
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+    // TEST 1: Table with wildcard resource policy (auto-generated name)
+    // This is the standard pattern to avoid circular dependencies
+    this.wildcardTable = new dynamodb.Table(this, 'WildcardTable', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+    // Add resource policy with wildcard resources
+    this.wildcardTable.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
+      principals: [new iam.AccountRootPrincipal()],
+      resources: ['*'], // Use wildcard to avoid circular dependency - standard pattern for resource policies
+    }));
+    // TEST 2: Table with scoped resource policy (explicit table name)
+    // This demonstrates how to use scoped resources when table name is known at synthesis time
+    this.scopedTable = new dynamodb.Table(this, 'ScopedTable', {
+      tableName: 'my-explicit-scoped-table', // Explicit name enables scoped ARN construction
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+    // Add resource policy with properly scoped resource using explicit table name
+    // This works because table name is known at synthesis time (no circular dependency)
+    this.scopedTable.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:GetItem', 'dynamodb:Query'],
+      principals: [new iam.AccountRootPrincipal()],
+      // Use CloudFormation intrinsic function to construct table ARN with known table name
+      resources: [Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-scoped-table')],
+    }));
+  }
+}
+// Test Setup
+const app = new App();
+const stack = new TestStack(app, 'add-to-resource-policy-test-stack');
+// Integration Test Configuration
+new IntegTest(app, 'add-to-resource-policy-integ-test', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.policy.ts CHANGED Viewed

@@ -38,7 +38,27 @@ export class TestStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
-    this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012'));
+    // IMPORTANT: Cross-account grants with auto-generated table names create circular dependencies
+    //
+    // WHY NOT this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012'))?
+    // - Cross-account principals cannot have policies attached to them
+    // - Grant falls back to adding a resource policy to the table
+    // - Resource policy tries to reference this.tableArn (the table's own ARN)
+    // - This creates a circular dependency: Table → ResourcePolicy → Table ARN → Table
+    // - CloudFormation fails with "Circular dependency between resources"
+    //
+    // SOLUTIONS:
+    // 1. Use addToResourcePolicy with wildcard resources (this approach)
+    // 2. Use explicit table names: tableName: 'my-table-name' (enables scoped resources)
+    // 3. Use same-account principals (grants go to principal policy, not resource policy)
+    //
+    this.tableTwo.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:*'],
+      // we need a valid account for cross-account principal otherwise it won't deploy
+      // this account is from fact-table.ts
+      principals: [new iam.AccountPrincipal('127311923021')],
+      resources: ['*'], // Wildcard avoids circular dependency - same pattern as KMS
+    }));
   }
 }

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ec2/integ.vpc-flow-logs.ts CHANGED Viewed

@@ -72,6 +72,10 @@ class TestStack extends Stack {
       destination: FlowLogDestination.toS3(),
     });
+    vpc.addFlowLog('FlowLogsCloudwatch', {
+      destination: FlowLogDestination.toCloudWatchLogs(),
+    });
     const bucket = new s3.Bucket(this, 'Bucket', {
       removalPolicy: RemovalPolicy.DESTROY,
       autoDeleteObjects: true,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecr/README.md CHANGED Viewed

@@ -121,12 +121,51 @@ By using these methods, you can grant specific operational permissions on the EC
 ### Image tag immutability
-You can set tag immutability on images in our repository using the `imageTagMutability` construct prop.
+You can set tag immutability on images in your repository using the `imageTagMutability` construct prop.
 ```ts
 new ecr.Repository(this, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
 ```
+#### Image tag mutability with exclusion filters
+ECR supports more granular control over image tag mutability by allowing you to specify exclusion filters. This enables you to make your repository immutable while allowing specific tag patterns to remain mutable (or vice versa).
+There are two new mutability options that work with exclusion filters:
+- `MUTABLE_WITH_EXCLUSION`: Tags are mutable by default, except those matching the exclusion filters
+- `IMMUTABLE_WITH_EXCLUSION`: Tags are immutable by default, except those matching the exclusion filters
+Use `ImageTagMutabilityExclusionFilter.wildcard()` to create filters with wildcard patterns:
+```ts
+// Make all tags immutable except for those starting with 'dev-' or 'test-'
+new ecr.Repository(this, 'Repo', {
+  imageTagMutability: ecr.TagMutability.IMMUTABLE_WITH_EXCLUSION,
+  imageTagMutabilityExclusionFilters: [
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('dev-*'),
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('test-*'),
+  ],
+});
+```
+```ts
+// Make all tags mutable except for production releases
+new ecr.Repository(this, 'Repo', {
+  imageTagMutability: ecr.TagMutability.MUTABLE_WITH_EXCLUSION,
+  imageTagMutabilityExclusionFilters: [
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('prod-*'),
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('release-v*'),
+  ],
+});
+```
+##### Exclusion filter pattern rules
+- Patterns can contain alphanumeric characters, dots (.), underscores (_), hyphens (-), and asterisks (*) as wildcards
+- Maximum pattern length is 128 characters
+- You can specify up to 5 exclusion filters per repository
 ### Encryption
 By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. For more control over the encryption for your Amazon ECR repositories, you can use server-side encryption with KMS keys stored in AWS Key Management Service (AWS KMS). Read more about this feature in the [ECR Developer Guide](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html).

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecr/integ.tag-mutability-exclusion.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import * as cdk from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'aws-ecr-tag-mutability-exclusion-stack');
+new ecr.Repository(stack, 'ImmutableRepoWithExclusions', {
+  imageTagMutability: ecr.TagMutability.IMMUTABLE_WITH_EXCLUSION,
+  imageTagMutabilityExclusionFilters: [
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('dev-*'),
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('test-*'),
+  ],
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  emptyOnDelete: true,
+});
+new ecr.Repository(stack, 'MutableRepoWithExclusions', {
+  imageTagMutability: ecr.TagMutability.MUTABLE_WITH_EXCLUSION,
+  imageTagMutabilityExclusionFilters: [
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('prod-*'),
+    ecr.ImageTagMutabilityExclusionFilter.wildcard('release-v*'),
+  ],
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  emptyOnDelete: true,
+});
+new IntegTest(app, 'cdk-ecr-tag-mutability-exclusion-test', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/README.md CHANGED Viewed

@@ -1687,6 +1687,9 @@ const miCapacityProvider = new ecs.ManagedInstancesCapacityProvider(this, 'MICap
   propagateTags: ecs.PropagateManagedInstancesTags.CAPACITY_PROVIDER,
 });
+// Optionally configure security group rules using IConnectable interface
+miCapacityProvider.connections.allowFrom(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(80));
 // Add the capacity provider to the cluster
 cluster.addManagedInstancesCapacityProvider(miCapacityProvider);

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.managedinstances-capacity-provider.ts CHANGED Viewed

@@ -24,7 +24,7 @@ const infrastructureRole = new iam.Role(stack, 'InfrastructureRole', {
   roleName: 'AmazonECSInfrastructureRoleForOmakase',
   assumedBy: new iam.ServicePrincipal('ecs.amazonaws.com'),
   managedPolicies: [
-    iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'),
+    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInfrastructureRolePolicyForManagedInstances'),
   ],
 });
@@ -32,7 +32,7 @@ const instanceRole = new iam.Role(stack, 'InstanceRole', {
   roleName: 'AmazonECSInstanceRoleForOmakase',
   assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
   managedPolicies: [
-    iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'),
+    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInstanceRolePolicyForManagedInstances'),
   ],
 });
@@ -63,6 +63,9 @@ const miCapacityProvider = new ecs.ManagedInstancesCapacityProvider(stack, 'Mana
   },
 });
+// Configure security group rules using IConnectable interface
+miCapacityProvider.connections.allowFrom(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(80));
 // Add FMI capacity provider to cluster
 cluster.addManagedInstancesCapacityProvider(miCapacityProvider);
 cluster.addDefaultCapacityProviderStrategy([
@@ -106,7 +109,6 @@ new ecs.FargateService(stack, 'ManagedInstancesService', {
 new integ.IntegTest(app, 'ManagedInstancesCapacityProviders', {
   testCases: [stack],
-  regions: ['us-west-2'],
 });
 app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.managedinstances-no-default-capacity-provider.ts ADDED Viewed

@@ -0,0 +1,107 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdk from 'aws-cdk-lib';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm': true,
+    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
+    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
+  },
+});
+const stack = new cdk.Stack(app, 'integ-managedinstances-no-default-capacity-provider');
+const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 2, restrictDefaultSecurityGroup: false });
+const cluster = new ecs.Cluster(stack, 'ManagedInstancesCluster', {
+  vpc,
+});
+// Create IAM roles required for FMI following Omakase specifications
+const infrastructureRole = new iam.Role(stack, 'InfrastructureRole', {
+  roleName: 'InfrastructureRole',
+  assumedBy: new iam.ServicePrincipal('ecs.amazonaws.com'),
+  managedPolicies: [
+    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInfrastructureRolePolicyForManagedInstances'),
+  ],
+});
+const instanceRole = new iam.Role(stack, 'InstanceRole', {
+  roleName: 'InstanceRole',
+  assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
+  managedPolicies: [
+    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInstanceRolePolicyForManagedInstances'),
+  ],
+});
+infrastructureRole.grantPassRole(instanceRole);
+const instanceProfile = new iam.InstanceProfile(stack, 'InstanceProfile', {
+  instanceProfileName: 'InstanceProfile',
+  role: instanceRole,
+});
+// Create a security group for FMI instances
+const fmiSecurityGroup = new ec2.SecurityGroup(stack, 'ManagedInstancesSecurityGroup', {
+  vpc,
+  description: 'Security group for ManagedInstances capacity provider instances',
+  allowAllOutbound: true,
+});
+// Create MI Capacity Provider
+const miCapacityProvider = new ecs.ManagedInstancesCapacityProvider(stack, 'ManagedInstancesCapacityProvider', {
+  infrastructureRole: infrastructureRole,
+  ec2InstanceProfile: instanceProfile,
+  subnets: vpc.privateSubnets,
+  securityGroups: [fmiSecurityGroup],
+  propagateTags: ecs.PropagateManagedInstancesTags.CAPACITY_PROVIDER,
+  instanceRequirements: {
+    vCpuCountMin: 1,
+    memoryMin: cdk.Size.gibibytes(2),
+    cpuManufacturers: [ec2.CpuManufacturer.INTEL],
+    acceleratorManufacturers: [ec2.AcceleratorManufacturer.NVIDIA],
+  },
+});
+// Add FMI capacity provider to cluster
+cluster.addManagedInstancesCapacityProvider(miCapacityProvider);
+// Create a task definition compatible with Managed Instances and Fargate
+const taskDefinition = new ecs.TaskDefinition(stack, 'TaskDef', {
+  compatibility: ecs.Compatibility.FARGATE_AND_MANAGED_INSTANCES,
+  cpu: '256',
+  memoryMiB: '512',
+  networkMode: ecs.NetworkMode.AWS_VPC,
+});
+taskDefinition.addContainer('web', {
+  image: ecs.ContainerImage.fromRegistry('public.ecr.aws/docker/library/httpd:2.4'),
+  memoryLimitMiB: 512,
+  portMappings: [
+    {
+      containerPort: 80,
+      protocol: ecs.Protocol.TCP,
+    },
+  ],
+});
+// Create a service using the MI capacity provider
+new ecs.FargateService(stack, 'ManagedInstancesService', {
+  cluster,
+  taskDefinition,
+  capacityProviderStrategies: [
+    {
+      capacityProvider: miCapacityProvider.capacityProviderName,
+      weight: 1,
+    },
+  ],
+  desiredCount: 1,
+});
+new integ.IntegTest(app, 'ManagedInstancesCapacityProviders', {
+  testCases: [stack],
+  regions: ['us-west-2'],
+});
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs-patterns/integ.alb-fargate-service-public-private-switch.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as ecsPatterns from 'aws-cdk-lib/aws-ecs-patterns';
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'aws-ecs-integ-alb-fargate-public-private-switch');
+const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 2, restrictDefaultSecurityGroup: false });
+const cluster = new ecs.Cluster(stack, 'FargateCluster', { vpc });
+// Test private load balancer (the problematic case from the issue)
+new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'PrivateALBFargateService', {
+  cluster,
+  memoryLimitMiB: 1024,
+  cpu: 512,
+  publicLoadBalancer: false, // This should create ECSPrivate target group
+  taskImageOptions: {
+    image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  },
+});
+// Test public load balancer for comparison
+new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'PublicALBFargateService', {
+  cluster,
+  memoryLimitMiB: 1024,
+  cpu: 512,
+  publicLoadBalancer: true, // This should create ECS target group
+  taskImageOptions: {
+    image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  },
+});
+new integ.IntegTest(app, 'ALBFargatePublicPrivateSwitchTest', {
+  testCases: [stack],
+  allowDestroy: [
+    'PrivateALBFargateServiceLB3F43693F',
+    'PrivateALBFargateServiceLBPublicListenerECSPrivateGroup81AA5B8B',
+    'PublicALBFargateServiceLBBDD839E7',
+    'PublicALBFargateServiceLBPublicListenerECSGroupD991EA00',
+  ],
+});
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-elasticloadbalancingv2/README.md CHANGED Viewed

@@ -338,17 +338,13 @@ Balancers:
 ```ts
 declare const vpc: ec2.Vpc;
 declare const asg: autoscaling.AutoScalingGroup;
-declare const sg1: ec2.ISecurityGroup;
-declare const sg2: ec2.ISecurityGroup;
 // Create the load balancer in a VPC. 'internetFacing' is 'false'
 // by default, which creates an internal load balancer.
 const lb = new elbv2.NetworkLoadBalancer(this, 'LB', {
   vpc,
   internetFacing: true,
-  securityGroups: [sg1],
 });
-lb.addSecurityGroup(sg2);
 // Add a listener on a particular port.
 const listener = lb.addListener('Listener', {
@@ -362,6 +358,40 @@ listener.addTargets('AppFleet', {
 });
 ```
+### Security Groups for Network Load Balancer
+By default, Network Load Balancers (NLB) have a security group associated with them.
+This is controlled by the feature flag `@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault`.
+When this flag is enabled (the default for new projects), a security group will be automatically created and attached to the NLB unless you explicitly provide your own security groups via the `securityGroups` property.
+If you wish to create an NLB without any security groups, you can set the `disableSecurityGroups` property to `true`. When this property is set, no security group will be associated with the NLB, regardless of the feature flag.
+```ts
+declare const vpc: ec2.IVpc;
+const nlb = new elbv2.NetworkLoadBalancer(this, 'LB', {
+  vpc,
+  // To disable security groups for this NLB
+  disableSecurityGroups: true,
+});
+```
+If you want to use your own security groups, provide them via the `securityGroups` property:
+```ts
+declare const vpc: ec2.IVpc;
+declare const sg1: ec2.ISecurityGroup;
+declare const sg2: ec2.ISecurityGroup;
+const nlb = new elbv2.NetworkLoadBalancer(this, 'LB', {
+  vpc,
+  // Provide your own security groups
+  securityGroups: [sg1],
+});
+// Add another security group to the NLB
+nlb.addSecurityGroup(sg2);
+```
 ### Enforce security group inbound rules on PrivateLink traffic for a Network Load Balancer
 You can indicate whether to evaluate inbound security group rules for traffic

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-elasticloadbalancingv2/integ.alb-lambda-multi-value-headers.ts CHANGED Viewed

@@ -19,7 +19,7 @@ const vpc = new ec2.Vpc(stack, 'VPC', {
 });
 const fn = new lambda.Function(stack, 'Function', {
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
   handler: 'index.handler',
   code: lambda.Code.fromInline(`
     exports.handler = async (event) => {

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-elasticloadbalancingv2/integ.alb.oidc.ts CHANGED Viewed

@@ -186,7 +186,7 @@ const signinFunction = new lambda.Function(testCase, 'Signin', {
   functionName: 'cdk-integ-alb-oidc-signin-handler',
   code: lambda.Code.fromAsset('alb-oidc-signin-handler', { exclude: ['*.ts'] }),
   handler: 'index.handler',
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
   environment: {
     TEST_USERNAME: testUser.username,
     TEST_PASSWORD: testUser.password,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-elasticloadbalancingv2/integ.nlb.security-group.ts ADDED Viewed

@@ -0,0 +1,70 @@
+import { ExpectedResult, IntegTest, Match } from '@aws-cdk/integ-tests-alpha';
+import { Stack, aws_ec2 as ec2, aws_elasticloadbalancingv2 as elbv2, App } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+class TestStack extends Stack {
+  public readonly lbWithSg: elbv2.NetworkLoadBalancer;
+  public readonly lbWithSg2: elbv2.NetworkLoadBalancer;
+  public readonly lbWithoutSg: elbv2.NetworkLoadBalancer;
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+    const vpc = new ec2.Vpc(this, 'Stack', {
+      maxAzs: 1,
+      natGateways: 0,
+    });
+    this.lbWithSg = new elbv2.NetworkLoadBalancer(this, 'NlbWithSecurityGroup', {
+      vpc,
+    });
+    this.lbWithSg2 = new elbv2.NetworkLoadBalancer(this, 'NlbWithSecurityGroup2', {
+      vpc,
+      securityGroups: [new ec2.SecurityGroup(this, 'SecurityGroup', {
+        vpc,
+        allowAllOutbound: true,
+      })],
+    });
+    this.lbWithSg.connections.allowTo(this.lbWithSg2, ec2.Port.tcp(1229));
+    this.lbWithoutSg = new elbv2.NetworkLoadBalancer(this, 'NlbWithoutSecurityGroup', {
+      vpc,
+      disableSecurityGroups: true,
+    });
+  }
+}
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault': true,
+  },
+});
+const stack = new TestStack(app, 'NlbSecurityGroupStack');
+const integ = new IntegTest(app, 'NlbSecurityGroupInteg', {
+  testCases: [stack],
+});
+integ.assertions.awsApiCall('elastic-load-balancing-v2', 'describeLoadBalancers', {
+  LoadBalancerArns: [
+    stack.lbWithSg.loadBalancerArn,
+    stack.lbWithSg2.loadBalancerArn,
+    stack.lbWithoutSg.loadBalancerArn,
+  ],
+}).expect(ExpectedResult.objectLike({
+  LoadBalancers: [
+    Match.objectLike({
+      LoadBalancerArn: stack.lbWithSg.loadBalancerArn,
+      SecurityGroups: Match.arrayWith([
+        Match.stringLikeRegexp('sg-[0-9a-f]{8,17}'),
+      ]),
+    }),
+    Match.objectLike({
+      LoadBalancerArn: stack.lbWithSg2.loadBalancerArn,
+      SecurityGroups: Match.arrayWith([
+        Match.stringLikeRegexp('sg-[0-9a-f]{8,17}'),
+      ]),
+    }),
+    Match.objectLike({
+      LoadBalancerArn: stack.lbWithoutSg.loadBalancerArn,
+      SecurityGroups: undefined,
+    }),
+  ],
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-elasticloadbalancingv2-actions/integ.cognito.ts CHANGED Viewed

@@ -206,7 +206,7 @@ const signinFunction = new lambda.Function(testCase, 'Signin', {
   functionName: 'cdk-integ-alb-cognito-signin-handler',
   code: lambda.Code.fromAsset('alb-cognito-signin-handler', { exclude: ['*.ts'] }),
   handler: 'index.handler',
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
   environment: {
     TEST_USERNAME: testUser.username,
     TEST_PASSWORD: testUser.password,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-events-targets/README.md CHANGED Viewed

@@ -19,6 +19,7 @@ Currently supported are:
   - [Invoke an API Destination](#invoke-an-api-destination)
   - [Invoke an AppSync GraphQL API](#invoke-an-appsync-graphql-api)
   - [Put an event on an EventBridge bus](#put-an-event-on-an-eventbridge-bus)
+  - [Put an event on a Firehose delivery stream](#put-an-event-on-a-firehose-delivery-stream)
   - [Run an ECS Task](#run-an-ecs-task)
     - [Tagging Tasks](#tagging-tasks)
     - [Launch type for ECS Task](#launch-type-for-ecs-task)
@@ -528,6 +529,27 @@ rule.addTarget(new targets.EventBus(
 ));
 ```
+## Put an event on a Firehose delivery stream
+Use the `FirehoseDeliveryStream` target to put event to an Amazon Data Firehose delivery stream.
+The code snippet below creates the scheduled event rule that put events to an Amazon Data Firehose delivery stream.
+```ts
+import * as firehose from 'aws-cdk-lib/aws-kinesisfirehose';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+declare const bucket: s3.Bucket;
+const stream = new firehose.DeliveryStream(this, 'DeliveryStream', {
+  destination: new firehose.S3Bucket(bucket),
+});
+const rule = new events.Rule(this, 'Rule', {
+  schedule: events.Schedule.expression('rate(1 minute)'),
+});
+rule.addTarget(new targets.FirehoseDeliveryStream(stream));
+```
 ## Run an ECS Task
 Use the `EcsTask` target to run an ECS Task.

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-events-targets/integ.firehose-delivery-stream.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import * as events from 'aws-cdk-lib/aws-events';
+import * as firehose from 'aws-cdk-lib/aws-kinesisfirehose';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as targets from 'aws-cdk-lib/aws-events-targets';
+import { IntegTest, ExpectedResult, AwsApiCall } from '@aws-cdk/integ-tests-alpha';
+// ---------------------------------
+// Define a rule that triggers a put to a Firehose delivery stream every 1min.
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'aws-cdk-firehose-event-target');
+const bucket = new s3.Bucket(stack, 'firehose-bucket', {
+  autoDeleteObjects: true,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+const deliveryStream = new firehose.DeliveryStream(stack, 'MyDeliveryStream', {
+  destination: new firehose.S3Bucket(bucket, {
+    bufferingInterval: cdk.Duration.seconds(30),
+  }),
+});
+const event = new events.Rule(stack, 'EveryMinute', {
+  schedule: events.Schedule.rate(cdk.Duration.minutes(1)),
+});
+event.addTarget(new targets.FirehoseDeliveryStream(deliveryStream));
+const testCase = new IntegTest(app, 'firehose-event-target-integ', {
+  testCases: [stack],
+});
+const s3ApiCall = testCase.assertions.awsApiCall('S3', 'listObjectsV2', {
+  Bucket: bucket.bucketName,
+  MaxKeys: 1,
+}).expect(ExpectedResult.objectLike({
+  KeyCount: 1,
+})).waitForAssertions({
+  interval: cdk.Duration.seconds(30),
+  totalTimeout: cdk.Duration.minutes(10),
+});
+if (s3ApiCall instanceof AwsApiCall) {
+  s3ApiCall.waiterProvider?.addToRolePolicy({
+    Effect: 'Allow',
+    Action: ['s3:GetObject', 's3:ListBucket'],
+    Resource: ['*'],
+  });
+}

konokenj.cdk-api-mcp-server 0.49.0__py3-none-any.whl → 0.51.0__py3-none-any.whl

Potentially problematic release.

konokenj.cdk-api-mcp-server 0.49.0py3-none-any.whl → 0.51.0py3-none-any.whl