konokenj.cdk-api-mcp-server 0.53.0__py3-none-any.whl → 0.54.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigateway/integ.lambda-permission-consolidation.ts

@@ -0,0 +1,55 @@
+import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
+import { App, Stack } from 'aws-cdk-lib';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import { LambdaIntegration, RestApi } from 'aws-cdk-lib/aws-apigateway';
+
+class LambdaPermissionConsolidationStack extends Stack {
+  public readonly api: RestApi;
+  constructor(scope: Construct) {
+    super(scope, 'LambdaPermissionConsolidationStack');
+
+    const fn = new Function(this, 'Handler', {
+      code: Code.fromInline(`exports.handler = async function(event) {
+        return {
+          body: JSON.stringify({
+            message: 'Hello from ' + event.httpMethod,
+          }),
+          statusCode: 200,
+          headers: { 'Content-Type': 'application/json' }
+        };
+      }`),
+      runtime: Runtime.NODEJS_18_X,
+      handler: 'index.handler',
+    });
+
+    this.api = new RestApi(this, 'Api', {
+      cloudWatchRole: true,
+    });
+
+    const methods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD'];
+    methods.forEach(method => {
+      this.api.root.addMethod(method, new LambdaIntegration(fn, {
+        scopePermissionToMethod: false,
+      }));
+    });
+  }
+}
+
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+const testCase = new LambdaPermissionConsolidationStack(app);
+const integ = new IntegTest(app, 'lambda-permission-consolidation', {
+  testCases: [testCase],
+});
+
+// Test that all methods work after consolidation
+const call = integ.assertions.httpApiCall(testCase.api.deploymentStage.urlForPath('/'), {
+  method: 'GET',
+});
+call.expect(ExpectedResult.objectLike({
+  body: { message: 'Hello from GET' },
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2-integrations/README.md

@@ -47,6 +47,41 @@ httpApi.addRoutes({
 });
 ```
 
+#### Lambda Integration Permissions
+
+By default, creating a `HttpLambdaIntegration` will add a permission for API Gateway to invoke your AWS Lambda function, scoped to the specific route which uses the integration.
+
+If you reuse the same AWS Lambda function for many integrations, the AWS Lambda permission policy size can be exceeded by adding a separate policy statement for each route which invokes the AWS Lambda function. To avoid this, you can opt to scope permissions to any route on the API by setting `scopePermissionToRoute` to `false`, and this will ensure only a single policy statement is added to the AWS Lambda permission policy.
+
+```ts
+import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
+
+declare const booksDefaultFn: lambda.Function;
+
+const httpApi = new apigwv2.HttpApi(this, 'HttpApi');
+
+const getBooksIntegration = new HttpLambdaIntegration('GetBooksIntegration', booksDefaultFn, {
+  scopePermissionToRoute: false,
+});
+const createBookIntegration = new HttpLambdaIntegration('CreateBookIntegration', booksDefaultFn, {
+  scopePermissionToRoute: false,
+});
+
+httpApi.addRoutes({
+  path: '/books',
+  methods: [ apigwv2.HttpMethod.GET ],
+  integration: getBooksIntegration,
+});
+
+httpApi.addRoutes({
+  path: '/books',
+  methods: [ apigwv2.HttpMethod.POST ],
+  integration: createBookIntegration,
+});
+```
+
+In the above example, a single permission is added, shared by both `getBookIntegration` and `createBookIntegration`.
+
 ### HTTP Proxy
 
 HTTP Proxy integrations enables connecting an HTTP API route to a publicly routable HTTP endpoint. When a client

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2-integrations/integ.lambda-permission-consolidation.ts

@@ -0,0 +1,45 @@
+import { HttpApi, HttpMethod, HttpRoute, HttpRouteKey } from 'aws-cdk-lib/aws-apigatewayv2';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { App, Stack } from 'aws-cdk-lib';
+import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
+
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+const stack = new Stack(app, 'integ-lambda-permission-consolidation');
+
+const httpApi = new HttpApi(stack, 'HttpApi');
+
+const lambdaHandler = new lambda.Function(stack, 'Handler', {
+  runtime: lambda.Runtime.NODEJS_18_X,
+  handler: 'index.handler',
+  code: new lambda.InlineCode('exports.handler = async function(event, context) { return { statusCode: 200, body: JSON.stringify({ message: \'Hello from \' + event.requestContext.http.path }) }; };'),
+});
+
+// Add several routes
+for (let i = 1; i <= 10; i++) {
+  new HttpRoute(stack, `Route${i}`, {
+    httpApi: httpApi,
+    integration: new HttpLambdaIntegration(`Integration${i}`, lambdaHandler, {
+      scopePermissionToRoute: false,
+    }),
+    routeKey: HttpRouteKey.with(`/path${i}`, HttpMethod.GET),
+  });
+}
+
+// Integ Test Assertions
+const integ = new IntegTest(app, 'Integ', { testCases: [stack] });
+
+// Test that routes work after consolidation
+integ.assertions.httpApiCall(httpApi.apiEndpoint + '/path1').expect(ExpectedResult.objectLike({
+  body: { message: 'Hello from /path1' },
+  status: 200,
+}));
+
+integ.assertions.httpApiCall(httpApi.apiEndpoint + '/path12').expect(ExpectedResult.objectLike({
+  body: { message: 'Hello from /path10' },
+  status: 200,
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/README.md

@@ -872,6 +872,32 @@ table.addToResourcePolicy(new iam.PolicyStatement({
 TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update.
 To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy.
 
+### Grant Methods and Resource Policies
+
+Grant methods like `grantReadData()`, `grantWriteData()`, and `grantReadWriteData()` automatically add permissions to resource policies when used with same-account principals (like `AccountRootPrincipal`). This happens transparently:
+
+```ts
+const table = new dynamodb.TableV2(this, 'Table', {
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+});
+
+// Automatically adds to table's resource policy (same account)
+table.grantReadData(new iam.AccountRootPrincipal());
+
+// Adds to IAM user's policy (not resource policy)
+declare const user: iam.User;
+table.grantReadData(user);
+```
+
+**How it works:**
+- **Same-account principals** (AccountRootPrincipal, AccountPrincipal): Grant adds statement to table's resource policy
+- **IAM identities** (User, Role, Group): Grant adds statement to the identity's IAM policy
+- **Resource policy statements**: Automatically use wildcard resources (`*`) to avoid circular dependencies
+
+This behavior follows the same pattern as other AWS services like KMS and S3, where grants intelligently choose between resource policies and identity policies based on the principal type.
+
+**To avoid wildcards in resource policies:** If you need scoped resource ARNs instead of wildcards, use `addToResourcePolicy()` directly with an explicit table name instead of grant methods. See the "Scoped Resource Policies (Advanced)" section above for details.
+
 ## Grants
 
 Using any of the `grant*` methods on an instance of the `TableV2` construct will only apply to the primary table, its indexes, and any associated `encryptionKey`. As an example, `grantReadData` used below will only apply the table in `us-west-2`:

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.add-to-resource-policy.ts

@@ -26,6 +26,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 export class TestStack extends Stack {
   public readonly wildcardTable: dynamodb.Table;
   public readonly scopedTable: dynamodb.Table;
+  public readonly grantTable: dynamodb.Table;
 
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
@@ -66,6 +67,22 @@ export class TestStack extends Stack {
       // Use CloudFormation intrinsic function to construct table ARN with known table name
       resources: [Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-scoped-table')],
     }));
+
+    // TEST 3: Table using grant methods with AccountRootPrincipal
+    // This validates the fix for issue #35967: circular dependency when using grant methods
+    // Before fix: grant methods with AccountRootPrincipal caused circular dependency
+    // After fix: grant methods use resourceSelfArns: ['*'] to avoid circular dependency
+    this.grantTable = new dynamodb.Table(this, 'GrantTable', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // This should NOT cause circular dependency - validates fix for #35967
+    // Using grantWriteData because it has simpler actions valid for resource policies
+    this.grantTable.grantWriteData(new iam.AccountRootPrincipal());
   }
 }
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.placement-strategies.ts

@@ -2,6 +2,7 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as integ from '@aws-cdk/integ-tests-alpha';
 
 const app = new cdk.App({
   postCliContext: {
@@ -12,24 +13,29 @@ const app = new cdk.App({
   },
 });
 
-class EcsStack extends cdk.Stack {
-  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
-    super(scope, id, props);
-
+class BaseEcsStack extends cdk.Stack {
+  protected createBaseResources() {
     const vpc = new ec2.Vpc(this, 'VPC', { restrictDefaultSecurityGroup: false });
-
     const cluster = new ecs.Cluster(this, 'EcsCluster', { vpc });
     cluster.addCapacity('DefaultAutoScalingGroup', {
       instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
     });
-
     const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef');
     taskDefinition.addContainer('web', {
       image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
       memoryLimitMiB: 256,
     });
+    return { vpc, cluster, taskDefinition };
+  }
+}
+
+// Test service with multiple placement strategies
+class EcsWithStrategiesStack extends BaseEcsStack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+    const { cluster, taskDefinition } = this.createBaseResources();
 
-    new ecs.Ec2Service(this, 'Test_Stack', {
+    new ecs.Ec2Service(this, 'Service', {
       cluster,
       taskDefinition,
       placementStrategies: [
@@ -40,6 +46,24 @@ class EcsStack extends cdk.Stack {
   }
 }
 
-new EcsStack(app, 'aws-cdk-ecs-integration-test-stack');
+// Test service with empty placement strategies
+class EcsWithEmptyStrategiesStack extends BaseEcsStack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+    const { cluster, taskDefinition } = this.createBaseResources();
+
+    new ecs.Ec2Service(this, 'Service', {
+      cluster,
+      taskDefinition,
+      placementStrategies: [],
+    });
+  }
+}
+new integ.IntegTest(app, 'LambdaTest', {
+  testCases: [
+    new EcsWithStrategiesStack(app, 'ecs-placement-strategies-with-strategies'),
+    new EcsWithEmptyStrategiesStack(app, 'ecs-placement-strategies-empty'),
+  ],
+});
 
 app.synth();