konokenj.cdk-api-mcp-server 0.52.0__py3-none-any.whl → 0.54.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-empty.ts

@@ -0,0 +1,69 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with empty security groups array:
+ * - Lambda function runs in VPC with explicitly empty security groups array
+ * - Tests that empty security groups array is handled correctly
+ */
+class TestBucketDeploymentEmptySecurityGroups extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with empty security groups array
+    new s3deploy.BucketDeployment(this, 'DeployWithEmptySecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'empty-sg/',
+      vpc,
+      securityGroups: [],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentEmptySecurityGroups(app, 'test-bucket-deployment-security-groups-empty');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-empty', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-multiple.ts

@@ -0,0 +1,89 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with multiple security groups:
+ * - Lambda function runs in VPC with multiple security groups attached
+ * - Tests that deployments work with multiple security groups having different configurations
+ */
+class TestBucketDeploymentSecurityGroupsMultiple extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a VPC inline instead of looking it up
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security groups with different configurations
+    const sg1 = new ec2.SecurityGroup(this, 'SecurityGroup1', {
+      vpc,
+      description: 'Security group 1 - allow all outbound',
+      allowAllOutbound: true,
+    });
+
+    const sg2 = new ec2.SecurityGroup(this, 'SecurityGroup2', {
+      vpc,
+      description: 'Security group 2 - restrictive outbound',
+      allowAllOutbound: false,
+    });
+
+    // Allow HTTPS outbound for S3 access
+    sg2.addEgressRule(
+      ec2.Peer.anyIpv4(),
+      ec2.Port.tcp(443),
+      'Allow HTTPS outbound for S3 access',
+    );
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true, // needed for integration test cleanup
+    });
+
+    // Test deployment with multiple security groups
+    new s3deploy.BucketDeployment(this, 'DeployWithMultipleSecurityGroups', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'multiple-sg/',
+      vpc,
+      securityGroups: [sg1, sg2],
+      retainOnDelete: false, // default is true, which will block the integration test cleanup
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupsMultiple(app, 'test-bucket-deployment-security-groups-multiple');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-multiple', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-security-groups-single.ts

@@ -0,0 +1,77 @@
+/// !cdk-integ * pragma:enable-lookups
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with single security group:
+ * - Lambda function runs in VPC with a single custom security group
+ * - Tests that explicit security group assignment works correctly
+ */
+class TestBucketDeploymentSecurityGroupSingle extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, {
+      ...props,
+    });
+
+    // Create a VPC inline
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'TestVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    // Create security group with explicit outbound rules for S3 access
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup1', {
+      vpc,
+    });
+
+    const destinationBucket = new s3.Bucket(this, 'Destination', {
+      websiteIndexDocument: 'index.html',
+      publicReadAccess: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    // Test deployment with single security group
+    new s3deploy.BucketDeployment(this, 'DeployWithSingleSecurityGroup', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket,
+      destinationKeyPrefix: 'single-sg/',
+      vpc: vpc,
+      securityGroups: [securityGroup],
+      retainOnDelete: false,
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentSecurityGroupSingle(app, 'test-bucket-deployment-security-groups-single');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-security-groups-single', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-signcontent.ts

@@ -6,6 +6,12 @@ import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { Construct } from 'constructs';
 
+/**
+ * Integration test for bucket deployment with content signing:
+ * - Lambda function signs PutObject payloads before uploading to S3
+ * - Tests signContent flag by enforcing signed payloads via bucket policy
+ * - Successful deployment proves that payloads were properly signed
+ */
 class TestBucketDeployment extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
@@ -15,17 +21,15 @@ class TestBucketDeployment extends cdk.Stack {
       autoDeleteObjects: true, // needed for integration test cleanup
     });
 
-    const deployment = new s3deploy.BucketDeployment(this, 'Deployment', {
+    const deployment = new s3deploy.BucketDeployment(this, 'DeployWithSignedContent', {
       sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
       destinationBucket: bucket,
       signContent: true,
-      retainOnDelete: false, // default is true, which will block the integration test cleanup
+      retainOnDelete: false,
     });
 
-    // The above code would be sufficient for an integration test to detect template changes,
-    // and the stack would deploy successfully, but it would not test functionality because
-    // PutObject payload signing is not mandatory unless enforced via custom resource policy.
-    // With this as a dependency, successful deployment proves that the payloads were signed.
+    // PutObject payload signing is not mandatory unless enforced via bucket policy.
+    // With this policy dependency, successful deployment proves that the payloads were signed.
     const policyResult = bucket.addToResourcePolicy(
       new iam.PolicyStatement({
         effect: iam.Effect.DENY,
@@ -53,7 +57,7 @@ const app = new cdk.App({
 });
 const testCase = new TestBucketDeployment(app, 'test-bucket-deployment-signobject');
 
-new integ.IntegTest(app, 'integ-test-bucket-deployments', {
+new integ.IntegTest(app, 'integ-test-bucket-deployment-signcontent', {
   testCases: [testCase],
   diffAssets: true,
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-substitution-with-destination-key.ts

@@ -1,18 +1,25 @@
 import * as path from 'path';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
-import { IntegTest, ExpectedResult } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { DeployTimeSubstitutedFile } from 'aws-cdk-lib/aws-s3-deployment';
+import { Construct } from 'constructs';
 import { STANDARD_NODEJS_RUNTIME } from '../../config';
 
-class Test extends cdk.Stack {
+/**
+ * Integration test for DeployTimeSubstitutedFile with custom destination key:
+ * - Tests that custom destinationKey can be specified for the deployed file
+ * - Validates that substitution works correctly with custom destination keys
+ */
+class TestBucketDeploymentSubstitutionWithDestinationKey extends cdk.Stack {
   public readonly bucketName: String;
   public readonly objectKey: String;
   public readonly lambdaArn: String;
 
-  constructor(scope: cdk.App, id: string) {
-    super(scope, id);
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
     const hello = new lambda.Function(this, 'Hello', {
       runtime: STANDARD_NODEJS_RUNTIME,
@@ -21,7 +28,7 @@ class Test extends cdk.Stack {
     });
 
     const bucket = new Bucket(this, 'substitution-bucket');
-    const file = new DeployTimeSubstitutedFile(this, 'Deployment', {
+    const file = new DeployTimeSubstitutedFile(this, 'DeployWithDestinationKey', {
       source: path.join(__dirname, 'sample-file.yaml'),
       destinationBucket: bucket,
       substitutions: {
@@ -43,12 +50,12 @@ const app = new cdk.App({
   },
 });
 
-const testCase = new Test(app, 'test-s3-deploy-substitution-with-destination-key');
-const integ = new IntegTest(app, 'deploy-time-substitution-with-destination-key-integ-test', {
+const testCase = new TestBucketDeploymentSubstitutionWithDestinationKey(app, 'test-bucket-deployment-substitution-with-destination-key');
+const integTest = new integ.IntegTest(app, 'integ-test-bucket-deployment-substitution-with-destination-key', {
   testCases: [testCase],
 });
 
-const apiCall = integ.assertions.awsApiCall('S3', 'getObject', {
+const apiCall = integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: testCase.bucketName,
   Key: 'processed-sample-file.yaml',
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-substitution-with-role.ts

@@ -1,32 +1,47 @@
 import * as path from 'path';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as cdk from 'aws-cdk-lib';
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { DeployTimeSubstitutedFile } from 'aws-cdk-lib/aws-s3-deployment';
+import { Construct } from 'constructs';
 
+/**
+ * Integration test for DeployTimeSubstitutedFile with custom execution role:
+ * - Tests that custom IAM roles can be used for the Lambda execution function
+ * - Validates that role configuration works correctly with file substitution
+ */
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
   },
 });
 
-const stack = new cdk.Stack(app, 'cdk-s3-deploy-substitution-with-role');
+class TestBucketDeploymentSubstitutionWithRole extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
-const bucket = new Bucket(stack, 'substitution-bucket');
-const executionRole = new iam.Role(stack, 'execution-role', {
-  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
-});
+    const bucket = new Bucket(this, 'Bucket', {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+    const executionRole = new iam.Role(this, 'ExecutionRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
 
-new DeployTimeSubstitutedFile(stack, 'Deployment', {
-  source: path.join(__dirname, 'sample-file.yaml'),
-  destinationBucket: bucket,
-  substitutions: { },
-  role: executionRole,
-});
+    new DeployTimeSubstitutedFile(this, 'DeployWithCustomRole', {
+      source: path.join(__dirname, 'sample-file.yaml'),
+      destinationBucket: bucket,
+      substitutions: { },
+      role: executionRole,
+    });
+  }
+}
+
+const testCase = new TestBucketDeploymentSubstitutionWithRole(app, 'test-bucket-deployment-substitution-with-role');
 
-new IntegTest(app, 'test-s3-deploy-substitution-with-role', {
-  testCases: [stack],
+new integ.IntegTest(app, 'integ-test-bucket-deployment-substitution-with-role', {
+  testCases: [testCase],
 });
 
 app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-substitution.ts

@@ -1,18 +1,26 @@
 import * as path from 'path';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
-import { IntegTest, ExpectedResult } from '@aws-cdk/integ-tests-alpha';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { ExpectedResult } from '@aws-cdk/integ-tests-alpha';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { DeployTimeSubstitutedFile } from 'aws-cdk-lib/aws-s3-deployment';
+import { Construct } from 'constructs';
 import { STANDARD_NODEJS_RUNTIME } from '../../config';
 
-class Test extends cdk.Stack {
+/**
+ * Integration test for DeployTimeSubstitutedFile:
+ * - Tests deploy-time string substitution in template files
+ * - Validates that token values (like Lambda ARN) are properly substituted
+ * - Tests both token and static string substitutions
+ */
+class TestBucketDeploymentSubstitution extends cdk.Stack {
   public readonly bucketName: String;
   public readonly objectKey: String;
   public readonly lambdaArn: String;
 
-  constructor(scope: cdk.App, id: string) {
-    super(scope, id);
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
 
     const hello = new lambda.Function(this, 'Hello', {
       runtime: STANDARD_NODEJS_RUNTIME,
@@ -21,7 +29,7 @@ class Test extends cdk.Stack {
     });
 
     const bucket = new Bucket(this, 'substitution-bucket');
-    const file = new DeployTimeSubstitutedFile(this, 'Deployment', {
+    const file = new DeployTimeSubstitutedFile(this, 'DeployWithSubstitution', {
       source: path.join(__dirname, 'sample-file.yaml'),
       destinationBucket: bucket,
       substitutions: {
@@ -42,12 +50,12 @@ const app = new cdk.App({
   },
 });
 
-const testCase = new Test(app, 'test-s3-deploy-substitution');
-const integ = new IntegTest(app, 'deploy-time-substitution-integ-test', {
+const testCase = new TestBucketDeploymentSubstitution(app, 'test-bucket-deployment-substitution');
+const integTest = new integ.IntegTest(app, 'integ-test-bucket-deployment-substitution', {
   testCases: [testCase],
 });
 
-const apiCall = integ.assertions.awsApiCall('S3', 'getObject', {
+const apiCall = integTest.assertions.awsApiCall('S3', 'getObject', {
   Bucket: testCase.bucketName,
   Key: testCase.objectKey,
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-vpc-basic.ts

@@ -0,0 +1,65 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with basic VPC configuration:
+ * - Lambda function runs in VPC with isolated subnets
+ * - Uses S3 Gateway endpoint to access S3 without NAT Gateway
+ */
+class TestBucketDeploymentVpcBasic extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Basic VPC with isolated subnets - no NAT Gateway or Elastic IP needed
+    // Add S3 VPC Gateway endpoint for Lambda to access S3 without internet
+    const vpc = new ec2.Vpc(this, 'BasicVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    const bucket = new s3.Bucket(this, 'Destination', {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    new s3deploy.BucketDeployment(this, 'DeployWithBasicVpc', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket: bucket,
+      destinationKeyPrefix: 'basic-vpc/',
+      vpc: vpc,
+      retainOnDelete: false,
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentVpcBasic(app, 'test-bucket-deployment-vpc-basic');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-vpc-basic', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-vpc-config.ts

@@ -0,0 +1,66 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with VPC and Lambda configuration:
+ * - Lambda function runs in VPC with custom memory limit
+ * - Tests that Lambda configuration options work with VPC deployments
+ */
+class TestBucketDeploymentVpcConfig extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // VPC with memory and timeout configuration
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'ConfigVpc', {
+      restrictDefaultSecurityGroup: false,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    const bucket = new s3.Bucket(this, 'Destination', {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    new s3deploy.BucketDeployment(this, 'DeployWithVpcAndConfig', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket: bucket,
+      destinationKeyPrefix: 'config-vpc/',
+      vpc: vpc,
+      memoryLimit: 1024,
+      retainOnDelete: false,
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentVpcConfig(app, 'test-bucket-deployment-vpc-config');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-vpc-config', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-s3-deployment/integ.bucket-deployment-vpc-custom-subnets.ts

@@ -0,0 +1,66 @@
+import * as path from 'path';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
+
+/**
+ * Integration test for bucket deployment with VPC and custom subnet configuration:
+ * - Lambda function runs in VPC with custom maxAzs and subnet configuration
+ * - Tests that custom VPC configurations work with bucket deployments
+ */
+class TestBucketDeploymentVpcCustomSubnets extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // VPC with custom subnet configuration
+    // Use isolated subnets with S3 VPC endpoint - no NAT Gateway or Elastic IP needed
+    const vpc = new ec2.Vpc(this, 'CustomVpc', {
+      restrictDefaultSecurityGroup: false,
+      maxAzs: 2,
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          cidrMask: 24,
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+        },
+      ],
+    });
+
+    // Add S3 Gateway endpoint so Lambda can access S3 without NAT Gateway
+    vpc.addGatewayEndpoint('S3Endpoint', {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+    });
+
+    const bucket = new s3.Bucket(this, 'Destination', {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    new s3deploy.BucketDeployment(this, 'DeployWithCustomVpc', {
+      sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+      destinationBucket: bucket,
+      destinationKeyPrefix: 'custom-vpc/',
+      vpc: vpc,
+      retainOnDelete: false,
+    });
+  }
+}
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+
+const testCase = new TestBucketDeploymentVpcCustomSubnets(app, 'test-bucket-deployment-vpc-custom-subnets');
+
+new integ.IntegTest(app, 'integ-test-bucket-deployment-vpc-custom-subnets', {
+  testCases: [testCase],
+  diffAssets: false,
+});
+
+app.synth();