konokenj.cdk-api-mcp-server 0.51.0__py3-none-any.whl → 0.53.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cloudfront.ts

@@ -1,27 +1,29 @@
 import * as path from 'path';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as cdk from 'aws-cdk-lib';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
 
-class TestBucketDeployment extends cdk.Stack {
-  constructor(scope: cdk.App, id: string) {
-    super(scope, id);
+/**
+ * Integration test for bucket deployment with CloudFront distribution invalidation:
+ * - Deploys files to S3 bucket behind CloudFront distribution
+ * - Tests that CloudFront cache invalidation works with bucket deployments
+ */
+class TestBucketDeploymentCloudFront extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
-    const bucket = new s3.Bucket(this, 'Destination3', {
+    const bucket = new s3.Bucket(this, 'Destination', {
       removalPolicy: cdk.RemovalPolicy.DESTROY,
       autoDeleteObjects: true, // needed for integration test cleanup
     });
-    const distribution = new cloudfront.CloudFrontWebDistribution(this, 'Distribution', {
-      originConfigs: [
-        {
-          s3OriginSource: {
-            s3BucketSource: bucket,
-          },
-          behaviors: [{ isDefaultBehavior: true }],
-        },
-      ],
+    const distribution = new cloudfront.Distribution(this, 'Distribution', {
+      defaultBehavior: {
+        origin: origins.S3BucketOrigin.withOriginAccessControl(bucket),
+      },
     });
 
     new s3deploy.BucketDeployment(this, 'DeployWithInvalidation', {
@@ -29,7 +31,7 @@ class TestBucketDeployment extends cdk.Stack {
       destinationBucket: bucket,
       distribution,
       distributionPaths: ['/images/*.png'],
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
   }
 }
@@ -41,10 +43,10 @@ const app = new cdk.App({
   },
 });
 
-const stack = new TestBucketDeployment(app, 'test-bucket-deployments-1');
+const testCase = new TestBucketDeploymentCloudFront(app, 'test-bucket-deployment-cloudfront');
 
-new IntegTest(app, 'TestBucketDeploymentInteg', {
-  testCases: [stack],
+new integ.IntegTest(app, 'integ-test-bucket-deployment-cloudfront', {
+  testCases: [testCase],
   diffAssets: true,
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-nested-stack-source.ts

@@ -6,6 +6,12 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 
+/**
+ * Integration test for bucket deployment with cross-nested-stack references:
+ * - Tests that Source.jsonData() can use values from resources in nested stacks
+ * - Validates that cross-nested-stack token resolution works correctly
+ * - Tests token substitution across nested stack boundaries
+ */
 class ResourceNestedStack extends NestedStack {
   userPool: UserPool;
   constructor (scope: Construct, id: string, props: NestedStackProps = {}) {
@@ -23,7 +29,7 @@ class DeploymentNestedStack extends NestedStack {
   constructor (scope: Construct, id: string, props: DeploymentNestedStackProps) {
     super(scope, id, props);
     this.bucket = new Bucket(this, 'Bucket');
-    new BucketDeployment(this, 'Deployment', {
+    new BucketDeployment(this, 'DeployWithCrossNestedStackSource', {
       destinationBucket: this.bucket,
       sources: [
         Source.jsonData('appconfig.json', { userPoolId: props.userPool.userPoolId }),

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-stack-source.ts

@@ -6,6 +6,11 @@ import { Construct } from 'constructs';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 
+/**
+ * Integration test for bucket deployment with cross-stack references:
+ * - Tests that Source.data() can use values from resources in other stacks
+ * - Validates that cross-stack token resolution works correctly
+ */
 class Stack2 extends Stack {
   userPool: UserPool;
 
@@ -21,7 +26,7 @@ class Stack1 extends Stack {
   constructor (scope: Construct, id: string, props: { userPool: UserPool }) {
     super(scope, id);
     this.bucket = new Bucket(this, 'bucket');
-    new BucketDeployment(this, 'XXXXXXXXXX', {
+    new BucketDeployment(this, 'DeployWithCrossStackSource', {
       destinationBucket: this.bucket,
       sources: [
         Source.data('test.txt', props.userPool.userPoolId),

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-stack-ssm-source.ts

@@ -5,6 +5,12 @@ import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 
+/**
+ * Integration test for bucket deployment with cross-stack SSM parameter references:
+ * - Tests that SSM StringListParameter tokens are resolved in Source.jsonData()
+ * - Validates cross-nested-stack parameter references work correctly
+ * - Tests that parameter values are properly serialized in JSON output
+ */
 class SsmStack extends cdk.NestedStack {
   public readonly ssmParam: ssm.StringListParameter;
 
@@ -38,7 +44,7 @@ class S3Stack extends cdk.NestedStack {
       autoDeleteObjects: true,
     });
 
-    new s3deploy.BucketDeployment(this, 'ReproDeployment', {
+    new s3deploy.BucketDeployment(this, 'DeployWithSsmParameter', {
       sources: [
         s3deploy.Source.jsonData('config.json', {
           subnets: readParam.stringListValue,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-data.ts

@@ -1,80 +1,101 @@
 import { Bucket } from 'aws-cdk-lib/aws-s3';
-import { App, CfnOutput, RemovalPolicy, Stack, Token } from 'aws-cdk-lib';
+import { App, CfnOutput, RemovalPolicy, Stack, StackProps, Token } from 'aws-cdk-lib';
 import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as path from 'path';
+import { Construct } from 'constructs';
 
-const app = new App({
-  postCliContext: {
-    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-  },
-});
-const stack = new Stack(app, 'TestBucketDeploymentContent');
-const bucket = new Bucket(stack, 'Bucket', {
-  removalPolicy: RemovalPolicy.DESTROY, // Allow bucket deletion
-  autoDeleteObjects: true, // Delete objects when bucket is deleted
-});
+/**
+ * Integration test for bucket deployment with various data source types:
+ * - Tests Source.data(), Source.jsonData(), and Source.yamlData() methods
+ * - Validates token substitution in JSON and YAML files
+ * - Tests proper escaping of special characters (quotes) in JSON files
+ * - Tests addSource() method for dynamically adding sources
+ * - Validates empty string handling
+ */
+class TestBucketDeploymentData extends Stack {
+  public readonly bucket: Bucket;
 
-const file1 = Source.data('file1.txt', 'boom');
-const file2 = Source.data('path/to/file2.txt', `bam! ${bucket.bucketName}`);
-const file3 = Source.jsonData('my-json/config.json', { website_url: bucket.bucketWebsiteUrl });
-const file4 = Source.yamlData('my-yaml/config.yaml', { website_url: bucket.bucketWebsiteUrl });
-const file5 = Source.jsonData('my-json/config2.json', { bucket_domain_name: bucket.bucketWebsiteDomainName });
-
-// Add new test case for secret value with quotes
-const secret = new secretsmanager.Secret(stack, 'TestSecret', {
-  generateSecretString: {
-    secretStringTemplate: JSON.stringify({
-      value: 'test"with"quotes',
-    }),
-    generateStringKey: 'password',
-  },
-});
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
 
-// Store secret in SSM (workaround for #21503)
-const param = new ssm.StringParameter(stack, 'SecretParam', {
-  stringValue: secret.secretValueFromJson('value').unsafeUnwrap(),
-});
+    this.bucket = new Bucket(this, 'Bucket', {
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
 
-const tokenizedValue = param.stringValue; // This should be a Token
-new CfnOutput(stack, 'IsToken', { value: Token.isUnresolved(tokenizedValue).toString() });
-new CfnOutput(stack, 'SecretValue', { value: tokenizedValue });
+    // Test various data source types with different content
+    const file1 = Source.data('file1.txt', 'boom');
+    const file2 = Source.data('path/to/file2.txt', `bam! ${this.bucket.bucketName}`);
+    const file3 = Source.jsonData('my-json/config.json', { website_url: this.bucket.bucketWebsiteUrl });
+    const file4 = Source.yamlData('my-yaml/config.yaml', { website_url: this.bucket.bucketWebsiteUrl });
+    const file5 = Source.jsonData('my-json/config2.json', { bucket_domain_name: this.bucket.bucketWebsiteDomainName });
 
-// Add new file with secret value that needs proper escaping
-const file6 = Source.jsonData('my-json/secret-config.json', {
-  secret_value: tokenizedValue, // Using the tokenized value explicitly
-}, { escape: true });
-const file7 = Source.yamlData('my-yaml/secret-config.yaml', {
-  secret_value: tokenizedValue,
-});
+    // Test secret value with quotes that need escaping
+    const secret = new secretsmanager.Secret(this, 'TestSecret', {
+      generateSecretString: {
+        secretStringTemplate: JSON.stringify({
+          value: 'test"with"quotes',
+        }),
+        generateStringKey: 'password',
+      },
+    });
 
-// case for empty string
-const file8 = Source.data('file8.txt', '');
+    // Store secret in SSM (workaround for #21503)
+    const param = new ssm.StringParameter(this, 'SecretParam', {
+      stringValue: secret.secretValueFromJson('value').unsafeUnwrap(),
+    });
 
-const deployment = new BucketDeployment(stack, 'DeployMeHere', {
-  destinationBucket: bucket,
-  sources: [file1, file2],
-  destinationKeyPrefix: 'deploy/here/',
-  retainOnDelete: false, // default is true, which will block the integration test cleanup
-});
-deployment.addSource(file3);
-deployment.addSource(file4);
-deployment.addSource(file5);
-deployment.addSource(file6);
-deployment.addSource(file7);
-deployment.addSource(file8);
+    const tokenizedValue = param.stringValue; // This should be a Token
+    new CfnOutput(this, 'IsToken', { value: Token.isUnresolved(tokenizedValue).toString() });
+    new CfnOutput(this, 'SecretValue', { value: tokenizedValue });
+
+    // Test proper escaping of quotes in JSON
+    const file6 = Source.jsonData('my-json/secret-config.json', {
+      secret_value: tokenizedValue,
+    }, { escape: true });
+    // Test YAML file (which doesn't require escaping)
+    const file7 = Source.yamlData('my-yaml/secret-config.yaml', {
+      secret_value: tokenizedValue,
+    });
+
+    // Test empty string handling
+    const file8 = Source.data('file8.txt', '');
+
+    const deployment = new BucketDeployment(this, 'DeployWithDataSources', {
+      destinationBucket: this.bucket,
+      sources: [file1, file2],
+      destinationKeyPrefix: 'deploy/here/',
+      retainOnDelete: false,
+    });
+    // Test addSource() method
+    deployment.addSource(file3);
+    deployment.addSource(file4);
+    deployment.addSource(file5);
+    deployment.addSource(file6);
+    deployment.addSource(file7);
+    deployment.addSource(file8);
+
+    new CfnOutput(this, 'BucketName', { value: this.bucket.bucketName });
+  }
+}
 
-new CfnOutput(stack, 'BucketName', { value: bucket.bucketName });
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+const testCase = new TestBucketDeploymentData(app, 'test-bucket-deployment-data');
 
-const integ = new IntegTest(app, 'integ-test-bucket-deployment-data', {
-  testCases: [stack],
+const integTest = new IntegTest(app, 'integ-test-bucket-deployment-data', {
+  testCases: [testCase],
 });
 
-// Add assertions to verify the JSON file
-const assertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
-  Bucket: bucket.bucketName,
+// Assert that addSource() successfully adds the data source alongside the asset source
+const assertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: testCase.bucket.bucketName,
   Key: path.join('deploy/here', 'my-json/secret-config.json'),
 });
 
@@ -85,8 +106,8 @@ assertionProvider.expect(ExpectedResult.objectLike({
 }));
 
 // Add assertions to verify the YAML file
-const yamlAssertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
-  Bucket: bucket.bucketName,
+const yamlAssertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: testCase.bucket.bucketName,
   Key: path.join('deploy/here', 'my-yaml/secret-config.yaml'),
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-deployed-bucket.ts

@@ -5,6 +5,11 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 
+/**
+ * Integration test for deployedBucket property:
+ * - Tests that deployedBucket provides access to bucket after deployment completes
+ * - Validates that bucket properties like bucketWebsiteUrl can be accessed via deployedBucket
+ */
 class TestBucketDeployment extends cdk.Stack {
   public readonly bucket: s3.IBucket;
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
@@ -16,13 +21,14 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    const deploy = new s3deploy.BucketDeployment(this, 'DeployMe5', {
+    const deployment = new s3deploy.BucketDeployment(this, 'DeployWithDeployedBucket', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website-second'))],
       destinationBucket: this.bucket,
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
 
-    this.exportValue(deploy.deployedBucket.bucketWebsiteUrl, {
+    // Export the website URL accessed via deployedBucket property
+    this.exportValue(deployment.deployedBucket.bucketWebsiteUrl, {
       name: 'WebsiteUrl',
     });
   }
@@ -35,7 +41,7 @@ const app = new cdk.App({
 });
 const testCase = new TestBucketDeployment(app, 'test-bucket-deployment-deployed-bucket');
 
-new integ.IntegTest(app, 'integ-test-bucket-deployments', {
+new integ.IntegTest(app, 'integ-test-bucket-deployment-deployed-bucket', {
   testCases: [testCase],
   diffAssets: true,
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-large-file.ts

@@ -10,15 +10,22 @@ import * as fs from 'fs';
 import * as crypto from 'crypto';
 import * as os from 'os';
 
+/**
+ * Integration test for bucket deployment with large files:
+ * - Tests deployment of large files (10MB JSON and text files)
+ * - Validates that large file uploads work correctly
+ * - Tests token substitution and escaping in large deployments
+ * - Validates both escaped and unescaped JSON handling
+ */
 const app = new App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
   },
 });
-const stack = new Stack(app, 'TestBucketDeploymentLargeFile');
+const stack = new Stack(app, 'test-bucket-deployment-large-file');
 const bucket = new Bucket(stack, 'Bucket', {
-  removalPolicy: RemovalPolicy.DESTROY, // Allow bucket deletion
-  autoDeleteObjects: true, // Delete objects when bucket is deleted
+  removalPolicy: RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
 });
 
 // Create a temporary directory for our large files
@@ -153,7 +160,7 @@ const noEscapeFileWithMarker = Source.jsonData('my-json/secret-config-no-escape.
 });
 
 // Deploy the large files
-new BucketDeployment(stack, 'DeployLargeFiles', {
+new BucketDeployment(stack, 'DeployWithLargeFiles', {
   destinationBucket: bucket,
   sources: [largeJsonSource, largeTextSource, fileWithMarker, noEscapeFileWithMarker],
   retainOnDelete: false,
@@ -161,12 +168,12 @@ new BucketDeployment(stack, 'DeployLargeFiles', {
 
 new CfnOutput(stack, 'BucketName', { value: bucket.bucketName });
 
-const integ = new IntegTest(app, 'integ-test-bucket-deployment-large-file', {
+const integTest = new IntegTest(app, 'integ-test-bucket-deployment-large-file', {
   testCases: [stack],
 });
 
-// Add assertions to verify the JSON file
-const assertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
+// Assert that escaped JSON is properly escaped
+const assertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: bucket.bucketName,
   Key: 'my-json/secret-config.json',
 });
@@ -177,7 +184,8 @@ assertionProvider.expect(ExpectedResult.objectLike({
   Body: '{"secret_value":"test\\"with\\"quotes"}',
 }));
 
-integ.assertions.awsApiCall('S3', 'getObject', {
+// Assert that unescaped JSON works without escape option
+integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: bucket.bucketName,
   Key: 'my-json/secret-config-no-escape.json',
 }).expect(ExpectedResult.objectLike({
@@ -185,8 +193,8 @@ integ.assertions.awsApiCall('S3', 'getObject', {
   Body: '{"secret_value":"test"with"quotes"}',
 }));
 
-// Verify the large JSON file was deployed successfully
-const jsonAssertionProvider = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
+// Assert that large JSON file was deployed successfully
+const jsonAssertionProvider = integTest.assertions.awsApiCall('S3', 'listObjectsV2', {
   Bucket: bucket.bucketName,
   Prefix: 'large-file.json',
   MaxKeys: 1,
@@ -211,8 +219,8 @@ if (jsonAssertionProvider instanceof AwsApiCall && jsonAssertionProvider.waiterP
   });
 }
 
-// Verify the large text file was deployed successfully
-const textAssertionProvider = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
+// Assert that large text file was deployed successfully
+const textAssertionProvider = integTest.assertions.awsApiCall('S3', 'listObjectsV2', {
   Bucket: bucket.bucketName,
   Prefix: 'large-file.txt',
   MaxKeys: 1,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-loggroup.ts

@@ -6,6 +6,11 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 
+/**
+ * Integration test for bucket deployment with custom log group:
+ * - Lambda function writes logs to a custom CloudWatch Log Group
+ * - Tests that custom log groups work correctly with bucket deployments
+ */
 class TestBucketDeployment extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
@@ -17,14 +22,14 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    new s3deploy.BucketDeployment(this, 'DeployMe', {
+    new s3deploy.BucketDeployment(this, 'DeployWithCustomLogGroup', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
       destinationBucket,
       logGroup: new logs.LogGroup(this, 'LogGroup', {
         retention: logs.RetentionDays.ONE_DAY,
         removalPolicy: cdk.RemovalPolicy.DESTROY, // cleanup integ test
       }),
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
   }
 }

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-efs.ts

@@ -0,0 +1,77 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with security groups and EFS:
+ * - Lambda function runs in VPC with EFS filesystem and custom security group
+ * - Tests that security groups work correctly with EFS-enabled deployments
+ */
+class TestBucketDeploymentSecurityGroupsEfs extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security group with allow all outbound
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+      vpc,
+      description: 'Security group - allow all outbound',
+      allowAllOutbound: true,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with EFS storage and security groups
+    new s3deploy.BucketDeployment(this, 'DeployWithEfsAndSecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'efs-sg/',
+      useEfs: true,
+      vpc,
+      securityGroups: [securityGroup],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupsEfs(app, 'test-bucket-deployment-security-groups-efs');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-efs', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-empty.ts

@@ -0,0 +1,69 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with empty security groups array:
+ * - Lambda function runs in VPC with explicitly empty security groups array
+ * - Tests that empty security groups array is handled correctly
+ */
+class TestBucketDeploymentEmptySecurityGroups extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with empty security groups array
+    new s3deploy.BucketDeployment(this, 'DeployWithEmptySecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'empty-sg/',
+      vpc,
+      securityGroups: [],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentEmptySecurityGroups(app, 'test-bucket-deployment-security-groups-empty');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-empty', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();