konokenj.cdk-api-mcp-server 0.52.0__py3-none-any.whl → 0.53.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-deployed-bucket.ts

@@ -5,6 +5,11 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 
+/**
+ * Integration test for deployedBucket property:
+ * - Tests that deployedBucket provides access to bucket after deployment completes
+ * - Validates that bucket properties like bucketWebsiteUrl can be accessed via deployedBucket
+ */
 class TestBucketDeployment extends cdk.Stack {
   public readonly bucket: s3.IBucket;
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
@@ -16,13 +21,14 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    const deploy = new s3deploy.BucketDeployment(this, 'DeployMe5', {
+    const deployment = new s3deploy.BucketDeployment(this, 'DeployWithDeployedBucket', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website-second'))],
       destinationBucket: this.bucket,
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
 
-    this.exportValue(deploy.deployedBucket.bucketWebsiteUrl, {
+    // Export the website URL accessed via deployedBucket property
+    this.exportValue(deployment.deployedBucket.bucketWebsiteUrl, {
       name: 'WebsiteUrl',
     });
   }
@@ -35,7 +41,7 @@ const app = new cdk.App({
 });
 const testCase = new TestBucketDeployment(app, 'test-bucket-deployment-deployed-bucket');
 
-new integ.IntegTest(app, 'integ-test-bucket-deployments', {
+new integ.IntegTest(app, 'integ-test-bucket-deployment-deployed-bucket', {
   testCases: [testCase],
   diffAssets: true,
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-large-file.ts

@@ -10,15 +10,22 @@ import * as fs from 'fs';
 import * as crypto from 'crypto';
 import * as os from 'os';
 
+/**
+ * Integration test for bucket deployment with large files:
+ * - Tests deployment of large files (10MB JSON and text files)
+ * - Validates that large file uploads work correctly
+ * - Tests token substitution and escaping in large deployments
+ * - Validates both escaped and unescaped JSON handling
+ */
 const app = new App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
   },
 });
-const stack = new Stack(app, 'TestBucketDeploymentLargeFile');
+const stack = new Stack(app, 'test-bucket-deployment-large-file');
 const bucket = new Bucket(stack, 'Bucket', {
-  removalPolicy: RemovalPolicy.DESTROY, // Allow bucket deletion
-  autoDeleteObjects: true, // Delete objects when bucket is deleted
+  removalPolicy: RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
 });
 
 // Create a temporary directory for our large files
@@ -153,7 +160,7 @@ const noEscapeFileWithMarker = Source.jsonData('my-json/secret-config-no-escape.
 });
 
 // Deploy the large files
-new BucketDeployment(stack, 'DeployLargeFiles', {
+new BucketDeployment(stack, 'DeployWithLargeFiles', {
   destinationBucket: bucket,
   sources: [largeJsonSource, largeTextSource, fileWithMarker, noEscapeFileWithMarker],
   retainOnDelete: false,
@@ -161,12 +168,12 @@ new BucketDeployment(stack, 'DeployLargeFiles', {
 
 new CfnOutput(stack, 'BucketName', { value: bucket.bucketName });
 
-const integ = new IntegTest(app, 'integ-test-bucket-deployment-large-file', {
+const integTest = new IntegTest(app, 'integ-test-bucket-deployment-large-file', {
   testCases: [stack],
 });
 
-// Add assertions to verify the JSON file
-const assertionProvider = integ.assertions.awsApiCall('S3', 'getObject', {
+// Assert that escaped JSON is properly escaped
+const assertionProvider = integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: bucket.bucketName,
   Key: 'my-json/secret-config.json',
 });
@@ -177,7 +184,8 @@ assertionProvider.expect(ExpectedResult.objectLike({
   Body: '{"secret_value":"test\\"with\\"quotes"}',
 }));
 
-integ.assertions.awsApiCall('S3', 'getObject', {
+// Assert that unescaped JSON works without escape option
+integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: bucket.bucketName,
   Key: 'my-json/secret-config-no-escape.json',
 }).expect(ExpectedResult.objectLike({
@@ -185,8 +193,8 @@ integ.assertions.awsApiCall('S3', 'getObject', {
   Body: '{"secret_value":"test"with"quotes"}',
 }));
 
-// Verify the large JSON file was deployed successfully
-const jsonAssertionProvider = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
+// Assert that large JSON file was deployed successfully
+const jsonAssertionProvider = integTest.assertions.awsApiCall('S3', 'listObjectsV2', {
   Bucket: bucket.bucketName,
   Prefix: 'large-file.json',
   MaxKeys: 1,
@@ -211,8 +219,8 @@ if (jsonAssertionProvider instanceof AwsApiCall && jsonAssertionProvider.waiterP
   });
 }
 
-// Verify the large text file was deployed successfully
-const textAssertionProvider = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
+// Assert that large text file was deployed successfully
+const textAssertionProvider = integTest.assertions.awsApiCall('S3', 'listObjectsV2', {
   Bucket: bucket.bucketName,
   Prefix: 'large-file.txt',
   MaxKeys: 1,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-loggroup.ts

@@ -6,6 +6,11 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 
+/**
+ * Integration test for bucket deployment with custom log group:
+ * - Lambda function writes logs to a custom CloudWatch Log Group
+ * - Tests that custom log groups work correctly with bucket deployments
+ */
 class TestBucketDeployment extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
@@ -17,14 +22,14 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    new s3deploy.BucketDeployment(this, 'DeployMe', {
+    new s3deploy.BucketDeployment(this, 'DeployWithCustomLogGroup', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
       destinationBucket,
       logGroup: new logs.LogGroup(this, 'LogGroup', {
         retention: logs.RetentionDays.ONE_DAY,
         removalPolicy: cdk.RemovalPolicy.DESTROY, // cleanup integ test
       }),
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
   }
 }

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-efs.ts

@@ -0,0 +1,77 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with security groups and EFS:
+ * - Lambda function runs in VPC with EFS filesystem and custom security group
+ * - Tests that security groups work correctly with EFS-enabled deployments
+ */
+class TestBucketDeploymentSecurityGroupsEfs extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security group with allow all outbound
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+      vpc,
+      description: 'Security group - allow all outbound',
+      allowAllOutbound: true,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with EFS storage and security groups
+    new s3deploy.BucketDeployment(this, 'DeployWithEfsAndSecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'efs-sg/',
+      useEfs: true,
+      vpc,
+      securityGroups: [securityGroup],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupsEfs(app, 'test-bucket-deployment-security-groups-efs');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-efs', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-empty.ts

@@ -0,0 +1,69 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with empty security groups array:
+ * - Lambda function runs in VPC with explicitly empty security groups array
+ * - Tests that empty security groups array is handled correctly
+ */
+class TestBucketDeploymentEmptySecurityGroups extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with empty security groups array
+    new s3deploy.BucketDeployment(this, 'DeployWithEmptySecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'empty-sg/',
+      vpc,
+      securityGroups: [],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentEmptySecurityGroups(app, 'test-bucket-deployment-security-groups-empty');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-empty', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-multiple.ts

@@ -0,0 +1,89 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with multiple security groups:
+ * - Lambda function runs in VPC with multiple security groups attached
+ * - Tests that deployments work with multiple security groups having different configurations
+ */
+class TestBucketDeploymentSecurityGroupsMultiple extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security groups with different configurations
+    const sg1 = new ec2.SecurityGroup(this, 'SecurityGroup1', {
+      vpc,
+      description: 'Security group 1 - allow all outbound',
+      allowAllOutbound: true,
+    });
+
+    const sg2 = new ec2.SecurityGroup(this, 'SecurityGroup2', {
+      vpc,
+      description: 'Security group 2 - restrictive outbound',
+      allowAllOutbound: false,
+    });
+
+    // Allow HTTPS outbound for S3 access
+    sg2.addEgressRule(
+      ec2.Peer.anyIpv4(),
+      ec2.Port.tcp(443),
+      'Allow HTTPS outbound for S3 access',
+    );
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with multiple security groups
+    new s3deploy.BucketDeployment(this, 'DeployWithMultipleSecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'multiple-sg/',
+      vpc,
+      securityGroups: [sg1, sg2],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupsMultiple(app, 'test-bucket-deployment-security-groups-multiple');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-multiple', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-single.ts

@@ -0,0 +1,77 @@
+/// !cdk-integ * pragma:enable-lookups
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with single security group:
+ * - Lambda function runs in VPC with a single custom security group
+ * - Tests that explicit security group assignment works correctly
+ */
+class TestBucketDeploymentSecurityGroupSingle extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, {
+      ...props,
+    });
+
+    // Create a VPC inline
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security group with explicit outbound rules for S3 access
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup1', {
+      vpc,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    // Test deployment with single security group
+    new s3deploy.BucketDeployment(this, 'DeployWithSingleSecurityGroup', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'single-sg/',
+      vpc: vpc,
+      securityGroups: [securityGroup],
+      retainOnDelete: false,
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupSingle(app, 'test-bucket-deployment-security-groups-single');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-single', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-signcontent.ts

@@ -6,6 +6,12 @@ import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { Construct } from 'constructs';
 
+/**
+ * Integration test for bucket deployment with content signing:
+ * - Lambda function signs PutObject payloads before uploading to S3
+ * - Tests signContent flag by enforcing signed payloads via bucket policy
+ * - Successful deployment proves that payloads were properly signed
+ */
 class TestBucketDeployment extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
@@ -15,17 +21,15 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    const deployment = new s3deploy.BucketDeployment(this, 'Deployment', {
+    const deployment = new s3deploy.BucketDeployment(this, 'DeployWithSignedContent', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
       destinationBucket: bucket,
       signContent: true,
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
 
-    // The above code would be sufficient for an integration test to detect template changes,
-    // and the stack would deploy successfully, but it would not test functionality because
-    // PutObject payload signing is not mandatory unless enforced via custom resource policy.
-    // With this as a dependency, successful deployment proves that the payloads were signed.
+    // PutObject payload signing is not mandatory unless enforced via bucket policy.
+    // With this policy dependency, successful deployment proves that the payloads were signed.
     const policyResult = bucket.addToResourcePolicy(
       new iam.PolicyStatement({
         effect: iam.Effect.DENY,
@@ -53,7 +57,7 @@ const app = new cdk.App({
 });
 const testCase = new TestBucketDeployment(app, 'test-bucket-deployment-signobject');
 
-new integ.IntegTest(app, 'integ-test-bucket-deployments', {
+new integ.IntegTest(app, 'integ-test-bucket-deployment-signcontent', {
   testCases: [testCase],
   diffAssets: true,
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-substitution-with-destination-key.ts

@@ -1,18 +1,25 @@
 import * as path from 'path';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
-import { IntegTest, ExpectedResult } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { DeployTimeSubstitutedFile } from 'aws-cdk-lib/aws-s3-deployment';
+import { Construct } from 'constructs';
 import { STANDARD_NODEJS_RUNTIME } from '../../config';
 
-class Test extends cdk.Stack {
+/**
+ * Integration test for DeployTimeSubstitutedFile with custom destination key:
+ * - Tests that custom destinationKey can be specified for the deployed file
+ * - Validates that substitution works correctly with custom destination keys
+ */
+class TestBucketDeploymentSubstitutionWithDestinationKey extends cdk.Stack {
   public readonly bucketName: String;
   public readonly objectKey: String;
   public readonly lambdaArn: String;
 
-  constructor(scope: cdk.App, id: string) {
-    super(scope, id);
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
     const hello = new lambda.Function(this, 'Hello', {
       runtime: STANDARD_NODEJS_RUNTIME,
@@ -21,7 +28,7 @@ class Test extends cdk.Stack {
     });
 
     const bucket = new Bucket(this, 'substitution-bucket');
-    const file = new DeployTimeSubstitutedFile(this, 'Deployment', {
+    const file = new DeployTimeSubstitutedFile(this, 'DeployWithDestinationKey', {
       source: path.join(__dirname, 'sample-file.yaml'),
       destinationBucket: bucket,
       substitutions: {
@@ -43,12 +50,12 @@ const app = new cdk.App({
   },
 });
 
-const testCase = new Test(app, 'test-s3-deploy-substitution-with-destination-key');
-const integ = new IntegTest(app, 'deploy-time-substitution-with-destination-key-integ-test', {
+const testCase = new TestBucketDeploymentSubstitutionWithDestinationKey(app, 'test-bucket-deployment-substitution-with-destination-key');
+const integTest = new integ.IntegTest(app, 'integ-test-bucket-deployment-substitution-with-destination-key', {
   testCases: [testCase],
 });
 
-const apiCall = integ.assertions.awsApiCall('S3', 'getObject', {
+const apiCall = integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: testCase.bucketName,
   Key: 'processed-sample-file.yaml',
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-substitution-with-role.ts

@@ -1,32 +1,47 @@
 import * as path from 'path';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as cdk from 'aws-cdk-lib';
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { DeployTimeSubstitutedFile } from 'aws-cdk-lib/aws-s3-deployment';
+import { Construct } from 'constructs';
 
+/**
+ * Integration test for DeployTimeSubstitutedFile with custom execution role:
+ * - Tests that custom IAM roles can be used for the Lambda execution function
+ * - Validates that role configuration works correctly with file substitution
+ */
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
   },
 });
 
-const stack = new cdk.Stack(app, 'cdk-s3-deploy-substitution-with-role');
+class TestBucketDeploymentSubstitutionWithRole extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
-const bucket = new Bucket(stack, 'substitution-bucket');
-const executionRole = new iam.Role(stack, 'execution-role', {
-  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
-});
+    const bucket = new Bucket(this, 'Bucket', {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+    const executionRole = new iam.Role(this, 'ExecutionRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
 
-new DeployTimeSubstitutedFile(stack, 'Deployment', {
-  source: path.join(__dirname, 'sample-file.yaml'),
-  destinationBucket: bucket,
-  substitutions: { },
-  role: executionRole,
-});
+    new DeployTimeSubstitutedFile(this, 'DeployWithCustomRole', {
+      source: path.join(__dirname, 'sample-file.yaml'),
+      destinationBucket: bucket,
+      substitutions: { },
+      role: executionRole,
+    });
+  }
+}
+
+const testCase = new TestBucketDeploymentSubstitutionWithRole(app, 'test-bucket-deployment-substitution-with-role');
 
-new IntegTest(app, 'test-s3-deploy-substitution-with-role', {
-  testCases: [stack],
+new integ.IntegTest(app, 'integ-test-bucket-deployment-substitution-with-role', {
+  testCases: [testCase],
 });
 
 app.synth();