konokenj.cdk-api-mcp-server 0.50.0__py3-none-any.whl → 0.52.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-codepipeline-actions/integ.pipeline-elastic-beanstalk-deploy.ts

@@ -5,7 +5,7 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 import { IManagedPolicy, ManagedPolicyReference } from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as deploy from 'aws-cdk-lib/aws-s3-deployment';
-import { App, Fn, RemovalPolicy, Stack, UnscopedValidationError } from 'aws-cdk-lib';
+import { App, Fn, RemovalPolicy, ResourceEnvironment, Stack, UnscopedValidationError } from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 import * as cpactions from 'aws-cdk-lib/aws-codepipeline-actions';
 import { Node } from 'constructs';
@@ -56,6 +56,9 @@ function makePolicy(arn: string): IManagedPolicy {
     get node(): Node {
       throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
     },
+    get env(): ResourceEnvironment {
+      throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
+    },
   };
 }
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/README.md

@@ -816,6 +816,59 @@ Using `resourcePolicy` you can add a [resource policy](https://docs.aws.amazon.c
     });
 ```
 
+### Adding Resource Policy Statements Dynamically
+
+You can also add resource policy statements to a table after it's created using the `addToResourcePolicy` method. Following the same pattern as KMS, resource policies use wildcard resources to avoid circular dependencies:
+
+```ts
+const table = new dynamodb.TableV2(this, 'Table', {
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+});
+
+// Standard resource policy (recommended approach)
+table.addToResourcePolicy(new iam.PolicyStatement({
+  actions: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
+  principals: [new iam.AccountRootPrincipal()],
+  resources: ['*'], // Wildcard avoids circular dependency - same pattern as KMS
+}));
+
+// Allow specific service access
+table.addToResourcePolicy(new iam.PolicyStatement({
+  actions: ['dynamodb:Query'],
+  principals: [new iam.ServicePrincipal('lambda.amazonaws.com')],
+  resources: ['*'],
+}));
+```
+
+#### Scoped Resource Policies (Advanced)
+
+For scoped resource policies that reference specific table ARNs, you must specify an explicit table name:
+
+```ts
+import { Fn } from 'aws-cdk-lib';
+
+// Table with explicit name enables scoped resource policies
+const table = new dynamodb.TableV2(this, 'Table', {
+  tableName: 'my-explicit-table-name', // Required for scoped resources
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+});
+
+// Now you can use scoped resources
+table.addToResourcePolicy(new iam.PolicyStatement({
+  actions: ['dynamodb:GetItem'],
+  principals: [new iam.AccountRootPrincipal()],
+  resources: [
+    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name'),
+    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name/index/*'),
+  ],
+}));
+```
+
+**Important Limitations:**
+- **Auto-generated table names**: Must use `resources: ['*']` to avoid circular dependencies
+- **Explicit table names**: Enable scoped resources but lose CDK's automatic naming benefits
+- **CloudFormation constraint**: Resource policies cannot reference the resource they're attached to during creation
+
 TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update.
 To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy.
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.add-to-resource-policy.ts

@@ -0,0 +1,80 @@
+/**
+ * Integration test for DynamoDB Table.addToResourcePolicy() method
+ *
+ * This test validates the fix for issue #35062: "(aws-dynamodb): `addToResourcePolicy` has no effect"
+ *
+ * WHAT WE'RE TESTING:
+ * - The addToResourcePolicy() method was broken - it had "no effect" when called
+ * - Resource policies weren't being added to the CloudFormation template
+ * - This created a security gap where developers thought they were securing tables but policies weren't applied
+ *
+ * TEST VALIDATION:
+ * 1. Creates DynamoDB tables with different resource policy configurations
+ * 2. Tests both wildcard resources (for auto-generated names) and scoped resources (for explicit names)
+ * 3. Verifies policies get added to CloudFormation templates with correct structure
+ * 4. Ensures both patterns work without circular dependencies
+ *
+ * @see https://github.com/aws/aws-cdk/issues/35062
+ */
+
+import { App, Fn, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+export class TestStack extends Stack {
+  public readonly wildcardTable: dynamodb.Table;
+  public readonly scopedTable: dynamodb.Table;
+
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    // TEST 1: Table with wildcard resource policy (auto-generated name)
+    // This is the standard pattern to avoid circular dependencies
+    this.wildcardTable = new dynamodb.Table(this, 'WildcardTable', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // Add resource policy with wildcard resources
+    this.wildcardTable.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
+      principals: [new iam.AccountRootPrincipal()],
+      resources: ['*'], // Use wildcard to avoid circular dependency - standard pattern for resource policies
+    }));
+
+    // TEST 2: Table with scoped resource policy (explicit table name)
+    // This demonstrates how to use scoped resources when table name is known at synthesis time
+    this.scopedTable = new dynamodb.Table(this, 'ScopedTable', {
+      tableName: 'my-explicit-scoped-table', // Explicit name enables scoped ARN construction
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // Add resource policy with properly scoped resource using explicit table name
+    // This works because table name is known at synthesis time (no circular dependency)
+    this.scopedTable.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:GetItem', 'dynamodb:Query'],
+      principals: [new iam.AccountRootPrincipal()],
+      // Use CloudFormation intrinsic function to construct table ARN with known table name
+      resources: [Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-scoped-table')],
+    }));
+  }
+}
+
+// Test Setup
+const app = new App();
+const stack = new TestStack(app, 'add-to-resource-policy-test-stack');
+
+// Integration Test Configuration
+new IntegTest(app, 'add-to-resource-policy-integ-test', {
+  testCases: [stack],
+});
+

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.policy.ts

@@ -38,7 +38,27 @@ export class TestStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
 
-    this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012'));
+    // IMPORTANT: Cross-account grants with auto-generated table names create circular dependencies
+    //
+    // WHY NOT this.tableTwo.grantReadData(new iam.AccountPrincipal('123456789012'))?
+    // - Cross-account principals cannot have policies attached to them
+    // - Grant falls back to adding a resource policy to the table
+    // - Resource policy tries to reference this.tableArn (the table's own ARN)
+    // - This creates a circular dependency: Table → ResourcePolicy → Table ARN → Table
+    // - CloudFormation fails with "Circular dependency between resources"
+    //
+    // SOLUTIONS:
+    // 1. Use addToResourcePolicy with wildcard resources (this approach)
+    // 2. Use explicit table names: tableName: 'my-table-name' (enables scoped resources)
+    // 3. Use same-account principals (grants go to principal policy, not resource policy)
+    //
+    this.tableTwo.addToResourcePolicy(new iam.PolicyStatement({
+      actions: ['dynamodb:*'],
+      // we need a valid account for cross-account principal otherwise it won't deploy
+      // this account is from fact-table.ts
+      principals: [new iam.AccountPrincipal('127311923021')],
+      resources: ['*'], // Wildcard avoids circular dependency - same pattern as KMS
+    }));
   }
 }
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ec2/integ.vpc-flow-logs.ts

@@ -72,6 +72,10 @@ class TestStack extends Stack {
       destination: FlowLogDestination.toS3(),
     });
 
+    vpc.addFlowLog('FlowLogsCloudwatch', {
+      destination: FlowLogDestination.toCloudWatchLogs(),
+    });
+
     const bucket = new s3.Bucket(this, 'Bucket', {
       removalPolicy: RemovalPolicy.DESTROY,
       autoDeleteObjects: true,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-elasticloadbalancingv2/README.md

@@ -338,17 +338,13 @@ Balancers:
 ```ts
 declare const vpc: ec2.Vpc;
 declare const asg: autoscaling.AutoScalingGroup;
-declare const sg1: ec2.ISecurityGroup;
-declare const sg2: ec2.ISecurityGroup;
 
 // Create the load balancer in a VPC. 'internetFacing' is 'false'
 // by default, which creates an internal load balancer.
 const lb = new elbv2.NetworkLoadBalancer(this, 'LB', {
   vpc,
   internetFacing: true,
-  securityGroups: [sg1],
 });
-lb.addSecurityGroup(sg2);
 
 // Add a listener on a particular port.
 const listener = lb.addListener('Listener', {
@@ -362,6 +358,40 @@ listener.addTargets('AppFleet', {
 });
 ```
 
+### Security Groups for Network Load Balancer
+
+By default, Network Load Balancers (NLB) have a security group associated with them.
+This is controlled by the feature flag `@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault`.
+When this flag is enabled (the default for new projects), a security group will be automatically created and attached to the NLB unless you explicitly provide your own security groups via the `securityGroups` property.
+
+If you wish to create an NLB without any security groups, you can set the `disableSecurityGroups` property to `true`. When this property is set, no security group will be associated with the NLB, regardless of the feature flag.
+
+```ts
+declare const vpc: ec2.IVpc;
+
+const nlb = new elbv2.NetworkLoadBalancer(this, 'LB', {
+  vpc,
+  // To disable security groups for this NLB
+  disableSecurityGroups: true,
+});
+```
+
+If you want to use your own security groups, provide them via the `securityGroups` property:
+
+```ts
+declare const vpc: ec2.IVpc;
+declare const sg1: ec2.ISecurityGroup;
+declare const sg2: ec2.ISecurityGroup;
+
+const nlb = new elbv2.NetworkLoadBalancer(this, 'LB', {
+  vpc,
+  // Provide your own security groups
+  securityGroups: [sg1],
+});
+// Add another security group to the NLB
+nlb.addSecurityGroup(sg2);
+```
+
 ### Enforce security group inbound rules on PrivateLink traffic for a Network Load Balancer
 
 You can indicate whether to evaluate inbound security group rules for traffic

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-elasticloadbalancingv2/integ.nlb.security-group.ts

@@ -0,0 +1,70 @@
+import { ExpectedResult, IntegTest, Match } from '@aws-cdk/integ-tests-alpha';
+import { Stack, aws_ec2 as ec2, aws_elasticloadbalancingv2 as elbv2, App } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+
+class TestStack extends Stack {
+  public readonly lbWithSg: elbv2.NetworkLoadBalancer;
+  public readonly lbWithSg2: elbv2.NetworkLoadBalancer;
+  public readonly lbWithoutSg: elbv2.NetworkLoadBalancer;
+
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const vpc = new ec2.Vpc(this, 'Stack', {
+      maxAzs: 1,
+      natGateways: 0,
+    });
+
+    this.lbWithSg = new elbv2.NetworkLoadBalancer(this, 'NlbWithSecurityGroup', {
+      vpc,
+    });
+    this.lbWithSg2 = new elbv2.NetworkLoadBalancer(this, 'NlbWithSecurityGroup2', {
+      vpc,
+      securityGroups: [new ec2.SecurityGroup(this, 'SecurityGroup', {
+        vpc,
+        allowAllOutbound: true,
+      })],
+    });
+    this.lbWithSg.connections.allowTo(this.lbWithSg2, ec2.Port.tcp(1229));
+    this.lbWithoutSg = new elbv2.NetworkLoadBalancer(this, 'NlbWithoutSecurityGroup', {
+      vpc,
+      disableSecurityGroups: true,
+    });
+  }
+}
+
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault': true,
+  },
+});
+const stack = new TestStack(app, 'NlbSecurityGroupStack');
+const integ = new IntegTest(app, 'NlbSecurityGroupInteg', {
+  testCases: [stack],
+});
+integ.assertions.awsApiCall('elastic-load-balancing-v2', 'describeLoadBalancers', {
+  LoadBalancerArns: [
+    stack.lbWithSg.loadBalancerArn,
+    stack.lbWithSg2.loadBalancerArn,
+    stack.lbWithoutSg.loadBalancerArn,
+  ],
+}).expect(ExpectedResult.objectLike({
+  LoadBalancers: [
+    Match.objectLike({
+      LoadBalancerArn: stack.lbWithSg.loadBalancerArn,
+      SecurityGroups: Match.arrayWith([
+        Match.stringLikeRegexp('sg-[0-9a-f]{8,17}'),
+      ]),
+    }),
+    Match.objectLike({
+      LoadBalancerArn: stack.lbWithSg2.loadBalancerArn,
+      SecurityGroups: Match.arrayWith([
+        Match.stringLikeRegexp('sg-[0-9a-f]{8,17}'),
+      ]),
+    }),
+    Match.objectLike({
+      LoadBalancerArn: stack.lbWithoutSg.loadBalancerArn,
+      SecurityGroups: undefined,
+    }),
+  ],
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-events-targets/README.md

@@ -19,6 +19,7 @@ Currently supported are:
   - [Invoke an API Destination](#invoke-an-api-destination)
   - [Invoke an AppSync GraphQL API](#invoke-an-appsync-graphql-api)
   - [Put an event on an EventBridge bus](#put-an-event-on-an-eventbridge-bus)
+  - [Put an event on a Firehose delivery stream](#put-an-event-on-a-firehose-delivery-stream)
   - [Run an ECS Task](#run-an-ecs-task)
     - [Tagging Tasks](#tagging-tasks)
     - [Launch type for ECS Task](#launch-type-for-ecs-task)
@@ -528,6 +529,27 @@ rule.addTarget(new targets.EventBus(
 ));
 ```
 
+## Put an event on a Firehose delivery stream
+
+Use the `FirehoseDeliveryStream` target to put event to an Amazon Data Firehose delivery stream.
+
+The code snippet below creates the scheduled event rule that put events to an Amazon Data Firehose delivery stream.
+
+```ts
+import * as firehose from 'aws-cdk-lib/aws-kinesisfirehose';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+declare const bucket: s3.Bucket;
+const stream = new firehose.DeliveryStream(this, 'DeliveryStream', {
+  destination: new firehose.S3Bucket(bucket),
+});
+
+const rule = new events.Rule(this, 'Rule', {
+  schedule: events.Schedule.expression('rate(1 minute)'),
+});
+rule.addTarget(new targets.FirehoseDeliveryStream(stream));
+```
+
 ## Run an ECS Task
 
 Use the `EcsTask` target to run an ECS Task.

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-events-targets/integ.firehose-delivery-stream.ts

@@ -0,0 +1,51 @@
+import * as events from 'aws-cdk-lib/aws-events';
+import * as firehose from 'aws-cdk-lib/aws-kinesisfirehose';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as targets from 'aws-cdk-lib/aws-events-targets';
+import { IntegTest, ExpectedResult, AwsApiCall } from '@aws-cdk/integ-tests-alpha';
+
+// ---------------------------------
+// Define a rule that triggers a put to a Firehose delivery stream every 1min.
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'aws-cdk-firehose-event-target');
+
+const bucket = new s3.Bucket(stack, 'firehose-bucket', {
+  autoDeleteObjects: true,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+const deliveryStream = new firehose.DeliveryStream(stack, 'MyDeliveryStream', {
+  destination: new firehose.S3Bucket(bucket, {
+    bufferingInterval: cdk.Duration.seconds(30),
+  }),
+});
+
+const event = new events.Rule(stack, 'EveryMinute', {
+  schedule: events.Schedule.rate(cdk.Duration.minutes(1)),
+});
+
+event.addTarget(new targets.FirehoseDeliveryStream(deliveryStream));
+
+const testCase = new IntegTest(app, 'firehose-event-target-integ', {
+  testCases: [stack],
+});
+
+const s3ApiCall = testCase.assertions.awsApiCall('S3', 'listObjectsV2', {
+  Bucket: bucket.bucketName,
+  MaxKeys: 1,
+}).expect(ExpectedResult.objectLike({
+  KeyCount: 1,
+})).waitForAssertions({
+  interval: cdk.Duration.seconds(30),
+  totalTimeout: cdk.Duration.minutes(10),
+});
+
+if (s3ApiCall instanceof AwsApiCall) {
+  s3ApiCall.waiterProvider?.addToRolePolicy({
+    Effect: 'Allow',
+    Action: ['s3:GetObject', 's3:ListBucket'],
+    Resource: ['*'],
+  });
+}

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-iam/integ.managed-policy.ts

@@ -1,6 +1,7 @@
 import { App, Stack } from 'aws-cdk-lib';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { AccountRootPrincipal, Grant, ManagedPolicy, PolicyStatement, Role, User } from 'aws-cdk-lib/aws-iam';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
 
 const app = new App();
 
@@ -34,6 +35,14 @@ policy.attachToRole(role);
 const importedRole = Role.fromRoleArn(stack, 'ImportedRole', role.roleArn);
 policy.attachToRole(importedRole);
 
+// Can be passed to grantInvoke, see https://github.com/aws/aws-cdk/issues/32980
+const func = new lambda.Function(stack, 'Function', {
+  runtime: lambda.Runtime.NODEJS_LATEST,
+  handler: 'index.handler',
+  code: lambda.Code.fromInline('export const handler = async () => null'),
+});
+func.grantInvoke(policy);
+
 new IntegTest(app, 'ManagedPolicyInteg', {
   testCases: [stack],
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-iam/integ.policy.ts

@@ -1,6 +1,7 @@
 import { App, Stack } from 'aws-cdk-lib';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { AccountRootPrincipal, Grant, Policy, PolicyStatement, Role, User } from 'aws-cdk-lib/aws-iam';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
 
 const app = new App();
 
@@ -21,6 +22,14 @@ role.grantAssumeRole(user);
 
 Grant.addToPrincipal({ actions: ['iam:*'], resourceArns: [role.roleArn], grantee: policy2 });
 
+// Can be passed to grantInvoke, see https://github.com/aws/aws-cdk/issues/32980
+const func = new lambda.Function(stack, 'Function', {
+  runtime: lambda.Runtime.NODEJS_LATEST,
+  handler: 'index.handler',
+  code: lambda.Code.fromInline('export const handler = async () => null'),
+});
+func.grantInvoke(policy);
+
 new IntegTest(app, 'PolicyInteg', {
   testCases: [stack],
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-kinesisfirehose/README.md

@@ -483,8 +483,11 @@ Data can be transformed before being delivered to destinations. There are two ty
 data processing for delivery streams: record transformation with AWS Lambda, and record
 format conversion using a schema stored in an AWS Glue table. If both types of data
 processing are configured, then the Lambda transformation is performed first. By default,
-no data processing occurs. This construct library currently only supports data
-transformation with AWS Lambda. See [#15501](https://github.com/aws/aws-cdk/issues/15501)
+no data processing occurs.
+
+This construct library currently only supports data
+transformation with AWS Lambda and some built-in data processors.
+See [#15501](https://github.com/aws/aws-cdk/issues/15501)
 to track the status of adding support for record format conversion.
 
 ### Data transformation with AWS Lambda
@@ -520,7 +523,7 @@ const lambdaProcessor = new firehose.LambdaFunctionProcessor(lambdaFunction, {
 });
 declare const bucket: s3.Bucket;
 const s3Destination = new firehose.S3Bucket(bucket, {
-  processor: lambdaProcessor,
+  processors: [lambdaProcessor],
 });
 new firehose.DeliveryStream(this, 'Delivery Stream', {
   destination: s3Destination,
@@ -532,6 +535,60 @@ new firehose.DeliveryStream(this, 'Delivery Stream', {
 See: [Data Transformation](https://docs.aws.amazon.com/firehose/latest/dev/data-transformation.html)
 in the *Amazon Data Firehose Developer Guide*.
 
+### Add a new line delimiter when delivering data to Amazon S3
+
+You can specify the `AppendDelimiterToRecordProcessor` built-in processor to add a new line delimiter between records in objects that are delivered to Amazon S3. This can be helpful for parsing objects in Amazon S3.
+For details, see [Use Amazon S3 bucket prefix to deliver data](https://docs.aws.amazon.com/firehose/latest/dev/dynamic-partitioning-s3bucketprefix.html).
+
+```ts
+declare const bucket: s3.Bucket;
+const s3Destination = new firehose.S3Bucket(bucket, {
+  processors: [
+    new firehose.AppendDelimiterToRecordProcessor(),
+  ],
+});
+new firehose.DeliveryStream(this, 'Delivery Stream', {
+  destination: s3Destination,
+});
+```
+
+### Decompress and extract message of CloudWatch Logs
+
+CloudWatch Logs events are sent to Firehose in compressed gzip format. If you want to deliver decompressed log events to Firehose destinations, you can use the `DecompressionProcessor` to automatically decompress CloudWatch Logs.
+For details, see [Send CloudWatch Logs to Firehose](https://docs.aws.amazon.com/firehose/latest/dev/writing-with-cloudwatch-logs.html).
+
+You may also needed to specify `AppendDelimiterToRecordProcessor`
+because decompressed log events record has no trailing newline.
+
+```ts
+declare const bucket: s3.Bucket;
+const s3Destination = new firehose.S3Bucket(bucket, {
+  processors: [
+    new firehose.DecompressionProcessor(),
+    new firehose.AppendDelimiterToRecordProcessor(),
+  ],
+});
+new firehose.DeliveryStream(this, 'Delivery Stream', {
+  destination: s3Destination,
+});
+```
+
+When you enable decompression, you have the option to also enable message extraction. When using message extraction, Firehose filters out all metadata, such as owner, loggroup, logstream, and others from the decompressed CloudWatch Logs records and delivers only the content inside the message fields.
+
+```ts
+declare const bucket: s3.Bucket;
+const s3Destination = new firehose.S3Bucket(bucket, {
+  processors: [
+    new firehose.DecompressionProcessor(),
+    new firehose.CloudWatchLogProcessor({ dataMessageExtraction: true }),
+  ],
+});
+new firehose.DeliveryStream(this, 'Delivery Stream', {
+  destination: s3Destination,
+});
+```
+
+
 ## Specifying an IAM role
 
 The DeliveryStream class automatically creates IAM service roles with all the minimum

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-kinesisfirehose/integ.cloudwatch-logs-processors.ts

@@ -0,0 +1,45 @@
+#!/usr/bin/env node
+import * as path from 'path';
+import * as firehose from 'aws-cdk-lib/aws-kinesisfirehose';
+import * as lambdanodejs from 'aws-cdk-lib/aws-lambda-nodejs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'firehose-delivery-stream-cloudwatch-logs-processors');
+
+const bucket = new s3.Bucket(stack, 'DestinationBucket', {
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
+});
+
+const dataProcessorFunction = new lambdanodejs.NodejsFunction(stack, 'DataProcessorFunction', {
+  entry: path.join(__dirname, 'lambda-data-processor.js'),
+  timeout: cdk.Duration.minutes(1),
+});
+
+new firehose.DeliveryStream(stack, 'DecompressCloudWatchLogsEntry', {
+  destination: new firehose.S3Bucket(bucket, {
+    processors: [
+      new firehose.DecompressionProcessor(),
+      new firehose.AppendDelimiterToRecordProcessor(),
+      new firehose.LambdaFunctionProcessor(dataProcessorFunction),
+    ],
+  }),
+});
+
+new firehose.DeliveryStream(stack, 'ExtractCloudWatchLogsEntry', {
+  destination: new firehose.S3Bucket(bucket, {
+    processors: [
+      new firehose.DecompressionProcessor(),
+      new firehose.CloudWatchLogProcessor({ dataMessageExtraction: true }),
+      new firehose.LambdaFunctionProcessor(dataProcessorFunction),
+    ],
+  }),
+});
+
+new IntegTest(app, 'integ-tests', {
+  testCases: [stack],
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-lambda/integ.runtime.fromasset.ts

@@ -10,20 +10,35 @@ const app = new App({
 });
 const stack = new Stack(app, 'aws-cdk-lambda-runtime-fromasset');
 
-const lambdaFunction = new Function(stack, 'MyFunction', {
+const lambdaFunctionJava21 = new Function(stack, 'MyFunctionJava21', {
   runtime: Runtime.JAVA_21,
   handler: 'com.mycompany.app.LambdaMethodHandler::handleRequest',
   code: Code.fromAsset(path.join(__dirname, 'my-app-1.0-SNAPSHOT.zip')),
 });
 
+const lambdaFunctionJava25 = new Function(stack, 'MyFunctionJava25', {
+  runtime: Runtime.JAVA_25,
+  handler: 'com.mycompany.app.LambdaMethodHandler::handleRequest',
+  code: Code.fromAsset(path.join(__dirname, 'my-app-1.0-SNAPSHOT.zip')),
+});
+
 const integTest = new integ.IntegTest(app, 'Integ', { testCases: [stack] });
 
-const invoke = integTest.assertions.invokeFunction({
-  functionName: lambdaFunction.functionName,
+const invokeJava21 = integTest.assertions.invokeFunction({
+  functionName: lambdaFunctionJava21.functionName,
+  payload: '123',
+});
+
+invokeJava21.expect(integ.ExpectedResult.objectLike({
+  Payload: '"123"',
+}));
+
+const invokeJava25 = integTest.assertions.invokeFunction({
+  functionName: lambdaFunctionJava25.functionName,
   payload: '123',
 });
 
-invoke.expect(integ.ExpectedResult.objectLike({
+invokeJava25.expect(integ.ExpectedResult.objectLike({
   Payload: '"123"',
 }));
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-lambda/integ.runtime.inlinecode.ts

@@ -55,6 +55,13 @@ const python313 = new Function(stack, 'PYTHON_3_13', {
 });
 new CfnOutput(stack, 'PYTHON_3_13-functionName', { value: python313.functionName });
 
+const python314 = new Function(stack, 'PYTHON_3_14', {
+  code: new InlineCode('def handler(event, context):\n  return "success"'),
+  handler: 'index.handler',
+  runtime: Runtime.PYTHON_3_14,
+});
+new CfnOutput(stack, 'PYTHON_3_14-functionName', { value: python314.functionName });
+
 const node20xfn = new Function(stack, 'NODEJS_20_X', {
   code: new InlineCode('exports.handler = async function(event) { return "success" }'),
   handler: 'index.handler',