PyPI - konokenj.cdk-api-mcp-server - Versions diffs - 0.53.0__py3-none-any.whl → 0.55.0__py3-none-any.whl - Mend

konokenj.cdk-api-mcp-server 0.53.0py3-none-any.whl → 0.55.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of konokenj.cdk-api-mcp-server might be problematic. Click here for more details.

Files changed (40) hide show

cdk_api_mcp_server/resources/aws-cdk/constructs/@aws-cdk/mixins-preview/README.md CHANGED Viewed

@@ -1,16 +1,178 @@
-# CDK Mixins: Composable Abstractions for AWS Resources
+# CDK Mixins (Preview)
 <!--BEGIN STABILITY BANNER-->
 ---
 ![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge)
-> The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
+> The APIs of higher level constructs in this module are experimental and under active development.
+> They are subject to non-backward compatible changes or removal in any future version. These are
+> not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be
+> announced in the release notes. This means that while you may use them, you may need to update
+> your source code when upgrading to a newer version of this package.
 ---
 <!--END STABILITY BANNER-->
-Implementation of the CDK Mixins proposal.
-See <https://github.com/aws/aws-cdk-rfcs/pull/824> for details.
+CDK Mixins provide a new, advanced way to add functionality through composable abstractions.
+Unlike traditional L2 constructs that bundle all features together, Mixins allow you to pick and choose exactly the capabilities you need for constructs.
+## Key Benefits
+* **Universal Compatibility**: Apply the same abstractions to L1 constructs, L2 constructs, or custom constructs
+* **Composable Design**: Mix and match features without being locked into specific implementations
+* **Cross-Service Abstractions**: Use common patterns like encryption across different AWS services
+* **Escape Hatch Freedom**: Customize resources in a safe, typed way while keeping the abstractions you want
+## Basic Usage
+Mixins use `Mixins.of()` as the fundamental API for applying abstractions to constructs:
+```typescript
+// Base form: apply mixins to any construct
+const bucket = new s3.CfnBucket(scope, "MyBucket");
+Mixins.of(bucket)
+  .apply(new EncryptionAtRest())
+  .apply(new AutoDeleteObjects());
+```
+### Fluent Syntax with `.with()`
+For convenience, you can use the `.with()` method for a more fluent syntax:
+```typescript
+import '@aws-cdk/mixins-preview/with';
+const bucket = new s3.CfnBucket(scope, "MyBucket")
+  .with(new EnableVersioning())
+  .with(new AutoDeleteObjects());
+```
+The `.with()` method is available after importing `@aws-cdk/mixins-preview/with`, which augments all constructs with this method. It provides the same functionality as `Mixins.of().apply()` but with a more chainable API.
+> **Note**: The `.with()` fluent syntax is only available in JavaScript and TypeScript. Other jsii languages (Python, Java, C#, and Go) should use the `Mixins.of(...).mustApply()` syntax instead. The import requirement is temporary during the preview phase. Once the API is stable, the `.with()` method will be available by default on all constructs and in all languages.
+## Creating Custom Mixins
+Mixins are simple classes that implement the `IMixin` interface:
+```typescript
+// Simple mixin that enables versioning
+class CustomVersioningMixin implements IMixin {
+  supports(construct: any): boolean {
+    return construct instanceof s3.CfnBucket;
+  }
+  applyTo(bucket: any): any {
+    bucket.versioningConfiguration = {
+      status: "Enabled"
+    };
+    return bucket;
+  }
+}
+// Usage
+const bucket = new s3.CfnBucket(scope, "MyBucket");
+Mixins.of(bucket).apply(new CustomVersioningMixin());
+```
+## Construct Selection
+Mixins operate on construct trees and can be applied selectively:
+```typescript
+// Apply to all constructs in a scope
+Mixins.of(scope).apply(new EncryptionAtRest());
+// Apply to specific resource types
+Mixins.of(scope, ConstructSelector.resourcesOfType(s3.CfnBucket))
+  .apply(new EncryptionAtRest());
+// Apply to constructs matching a pattern
+Mixins.of(scope, ConstructSelector.byId(/.*-prod-.*/))
+  .apply(new ProductionSecurityMixin());
+```
+## Built-in Mixins
+### Cross-Service Mixins
+**EncryptionAtRest**: Applies encryption to supported AWS resources
+```typescript
+// Works across different resource types
+const bucket = new s3.CfnBucket(scope, "Bucket");
+Mixins.of(bucket).apply(new EncryptionAtRest());
+const logGroup = new logs.CfnLogGroup(scope, "LogGroup");
+Mixins.of(logGroup).apply(new EncryptionAtRest());
+```
+### S3-Specific Mixins
+**AutoDeleteObjects**: Configures automatic object deletion for S3 buckets
+```typescript
+const bucket = new s3.CfnBucket(scope, "Bucket");
+Mixins.of(bucket).apply(new AutoDeleteObjects());
+```
+**EnableVersioning**: Enables versioning on S3 buckets
+```typescript
+const bucket = new s3.CfnBucket(scope, "Bucket");
+Mixins.of(bucket).apply(new EnableVersioning());
+```
+### Generic Mixins
+**CfnPropertiesMixin**: Applies arbitrary CloudFormation properties
+```typescript
+const bucket = new s3.CfnBucket(scope, "Bucket");
+Mixins.of(bucket).apply(new CfnPropertiesMixin({
+  customProperty: { enabled: true }
+}));
+```
+## Error Handling
+Mixins provide comprehensive error handling:
+```typescript
+// Graceful handling of unsupported constructs
+Mixins.of(scope)
+  .apply(new EncryptionAtRest()); // Skips unsupported constructs
+// Strict application that requires all constructs to match
+Mixins.of(scope)
+  .mustApply(new EncryptionAtRest()); // Throws if no constructs support the mixin
+```
+## API Reference
+### Core Interfaces
+* `IMixin` - Interface that all mixins must implement
+* `Mixins` - Main entry point for applying mixins
+* `ConstructSelector` - Selects constructs from a tree based on criteria
+* `MixinApplicator` - Applies mixins to selected constructs
+### Mixins
+* `EncryptionAtRest` - Cross-service encryption mixin
+* `AutoDeleteObjects` - S3 auto-delete objects mixin
+* `EnableVersioning` - S3 versioning mixin
+* `CfnPropertiesMixin` - Generic CloudFormation properties mixin
+### Selectors
+* `ConstructSelector.all()` - Select all constructs
+* `ConstructSelector.cfnResource()` - Select CfnResource constructs
+* `ConstructSelector.resourcesOfType()` - Select by type
+* `ConstructSelector.byId()` - Select by ID pattern
+## License
+This project is licensed under the Apache-2.0 License.

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/README.md/README.md CHANGED Viewed

@@ -480,6 +480,8 @@ CloudFormation to re-read the secret.
 `SecretValue.ssmSecure()` is only supported for a limited set of resources.
 [Click here for a list of supported resources and properties](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#template-parameters-dynamic-patterns-resources).
+`SecretValue.cfnDynamicReferenceKey` takes the same parameters as `SecretValue.secretsManager` and returns a key which can be used within a [dynamic reference](#dynamic-references) to dynamically load a secret from AWS Secrets Manager.
 ## ARN manipulation
 Sometimes you will need to put together or pick apart Amazon Resource Names

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigateway/README.md CHANGED Viewed

@@ -334,6 +334,31 @@ const getMessageIntegration = new apigateway.AwsIntegration({
 });
 ```
+### Lambda Integration Permissions
+By default, creating a `LambdaIntegration` will add a permission for API Gateway to invoke your AWS Lambda function, scoped to the specific method which uses the integration.
+If you reuse the same AWS Lambda function for many integrations, the AWS Lambda permission policy size can be exceeded by adding a separate policy statement for each method which invokes the AWS Lambda function. To avoid this, you can opt to scope permissions to any method on the API by setting `scopePermissionToMethod` to `false`, and this will ensure only a single policy statement is added to the AWS Lambda permission policy.
+```ts
+declare const book: apigateway.Resource;
+declare const backend: lambda.Function;
+const getBookIntegration = new apigateway.LambdaIntegration(backend, {
+  scopePermissionToMethod: false,
+});
+const createBookIntegration = new apigateway.LambdaIntegration(backend, {
+  scopePermissionToMethod: false,
+});
+book.addMethod('GET', getBookIntegration);
+book.addMethod('POST', createBookIntegration);
+```
+In the above example, a single permission is added, shared by both `getBookIntegration` and `createBookIntegration`.
+Note that setting `scopePermissionToMethod` to `false` will always allow test invocations, no matter the value specified for `allowTestInvoke`.
 ## Usage Plan & API Keys
 A usage plan specifies who can access one or more deployed API stages and methods, and the rate at which they can be

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigateway/integ.lambda-permission-consolidation.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
+import { App, Stack } from 'aws-cdk-lib';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import { LambdaIntegration, RestApi } from 'aws-cdk-lib/aws-apigateway';
+class LambdaPermissionConsolidationStack extends Stack {
+  public readonly api: RestApi;
+  constructor(scope: Construct) {
+    super(scope, 'LambdaPermissionConsolidationStack');
+    const fn = new Function(this, 'Handler', {
+      code: Code.fromInline(`exports.handler = async function(event) {
+        return {
+          body: JSON.stringify({
+            message: 'Hello from ' + event.httpMethod,
+          }),
+          statusCode: 200,
+          headers: { 'Content-Type': 'application/json' }
+        };
+      }`),
+      runtime: Runtime.NODEJS_18_X,
+      handler: 'index.handler',
+    });
+    this.api = new RestApi(this, 'Api', {
+      cloudWatchRole: true,
+    });
+    const methods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD'];
+    methods.forEach(method => {
+      this.api.root.addMethod(method, new LambdaIntegration(fn, {
+        scopePermissionToMethod: false,
+      }));
+    });
+  }
+}
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+const testCase = new LambdaPermissionConsolidationStack(app);
+const integ = new IntegTest(app, 'lambda-permission-consolidation', {
+  testCases: [testCase],
+});
+// Test that all methods work after consolidation
+const call = integ.assertions.httpApiCall(testCase.api.deploymentStage.urlForPath('/'), {
+  method: 'GET',
+});
+call.expect(ExpectedResult.objectLike({
+  body: { message: 'Hello from GET' },
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2-integrations/README.md CHANGED Viewed

@@ -47,6 +47,41 @@ httpApi.addRoutes({
 });
 ```
+#### Lambda Integration Permissions
+By default, creating a `HttpLambdaIntegration` will add a permission for API Gateway to invoke your AWS Lambda function, scoped to the specific route which uses the integration.
+If you reuse the same AWS Lambda function for many integrations, the AWS Lambda permission policy size can be exceeded by adding a separate policy statement for each route which invokes the AWS Lambda function. To avoid this, you can opt to scope permissions to any route on the API by setting `scopePermissionToRoute` to `false`, and this will ensure only a single policy statement is added to the AWS Lambda permission policy.
+```ts
+import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
+declare const booksDefaultFn: lambda.Function;
+const httpApi = new apigwv2.HttpApi(this, 'HttpApi');
+const getBooksIntegration = new HttpLambdaIntegration('GetBooksIntegration', booksDefaultFn, {
+  scopePermissionToRoute: false,
+});
+const createBookIntegration = new HttpLambdaIntegration('CreateBookIntegration', booksDefaultFn, {
+  scopePermissionToRoute: false,
+});
+httpApi.addRoutes({
+  path: '/books',
+  methods: [ apigwv2.HttpMethod.GET ],
+  integration: getBooksIntegration,
+});
+httpApi.addRoutes({
+  path: '/books',
+  methods: [ apigwv2.HttpMethod.POST ],
+  integration: createBookIntegration,
+});
+```
+In the above example, a single permission is added, shared by both `getBookIntegration` and `createBookIntegration`.
 ### HTTP Proxy
 HTTP Proxy integrations enables connecting an HTTP API route to a publicly routable HTTP endpoint. When a client

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2-integrations/integ.lambda-permission-consolidation.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { HttpApi, HttpMethod, HttpRoute, HttpRouteKey } from 'aws-cdk-lib/aws-apigatewayv2';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { App, Stack } from 'aws-cdk-lib';
+import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
+const stack = new Stack(app, 'integ-lambda-permission-consolidation');
+const httpApi = new HttpApi(stack, 'HttpApi');
+const lambdaHandler = new lambda.Function(stack, 'Handler', {
+  runtime: lambda.Runtime.NODEJS_18_X,
+  handler: 'index.handler',
+  code: new lambda.InlineCode('exports.handler = async function(event, context) { return { statusCode: 200, body: JSON.stringify({ message: \'Hello from \' + event.requestContext.http.path }) }; };'),
+});
+// Add several routes
+for (let i = 1; i <= 10; i++) {
+  new HttpRoute(stack, `Route${i}`, {
+    httpApi: httpApi,
+    integration: new HttpLambdaIntegration(`Integration${i}`, lambdaHandler, {
+      scopePermissionToRoute: false,
+    }),
+    routeKey: HttpRouteKey.with(`/path${i}`, HttpMethod.GET),
+  });
+}
+// Integ Test Assertions
+const integ = new IntegTest(app, 'Integ', { testCases: [stack] });
+// Test that routes work after consolidation
+integ.assertions.httpApiCall(httpApi.apiEndpoint + '/path1').expect(ExpectedResult.objectLike({
+  body: { message: 'Hello from /path1' },
+  status: 200,
+}));
+integ.assertions.httpApiCall(httpApi.apiEndpoint + '/path12').expect(ExpectedResult.objectLike({
+  body: { message: 'Hello from /path10' },
+  status: 200,
+}));

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cognito/README.md CHANGED Viewed

@@ -480,13 +480,13 @@ new cognito.UserPool(this, 'myuserpool', {
 ### Threat Protection
-This feature is only available if your Feature Plan is set to PLUS.
 Threat Protection can be set to configure enforcement levels and automatic responses for users in password-based and custom-challenge authentication flows.
 For configuration, there are 2 options for standard authentication and custom authentication.
 These are represented with properties `standardThreatProtectionMode` and `customThreatProtectionMode`.
 See the [documentation on Threat Protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html)
+**Note**: Threat Protection requires the PLUS feature plan for new user pools. CDK allows you to configure threat protection settings at synthesis time, and CloudFormation will validate feature plan requirements at deployment time. Existing user pools that are grandfathered on LITE plans with threat protection enabled will continue to work.
 ### Emails

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/README.md CHANGED Viewed

@@ -872,6 +872,32 @@ table.addToResourcePolicy(new iam.PolicyStatement({
 TableV2 doesn’t support creating a replica and adding a resource-based policy to that replica in the same stack update in Regions other than the Region where you deploy the stack update.
 To incorporate a resource-based policy into a replica, you'll need to initially deploy the replica without the policy, followed by a subsequent update to include the desired policy.
+### Grant Methods and Resource Policies
+Grant methods like `grantReadData()`, `grantWriteData()`, and `grantReadWriteData()` automatically add permissions to resource policies when used with same-account principals (like `AccountRootPrincipal`). This happens transparently:
+```ts
+const table = new dynamodb.TableV2(this, 'Table', {
+  partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+});
+// Automatically adds to table's resource policy (same account)
+table.grantReadData(new iam.AccountRootPrincipal());
+// Adds to IAM user's policy (not resource policy)
+declare const user: iam.User;
+table.grantReadData(user);
+```
+**How it works:**
+- **Same-account principals** (AccountRootPrincipal, AccountPrincipal): Grant adds statement to table's resource policy
+- **IAM identities** (User, Role, Group): Grant adds statement to the identity's IAM policy
+- **Resource policy statements**: Automatically use wildcard resources (`*`) to avoid circular dependencies
+This behavior follows the same pattern as other AWS services like KMS and S3, where grants intelligently choose between resource policies and identity policies based on the principal type.
+**To avoid wildcards in resource policies:** If you need scoped resource ARNs instead of wildcards, use `addToResourcePolicy()` directly with an explicit table name instead of grant methods. See the "Scoped Resource Policies (Advanced)" section above for details.
 ## Grants
 Using any of the `grant*` methods on an instance of the `TableV2` construct will only apply to the primary table, its indexes, and any associated `encryptionKey`. As an example, `grantReadData` used below will only apply the table in `us-west-2`:

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-dynamodb/integ.dynamodb.add-to-resource-policy.ts CHANGED Viewed

@@ -26,6 +26,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 export class TestStack extends Stack {
   public readonly wildcardTable: dynamodb.Table;
   public readonly scopedTable: dynamodb.Table;
+  public readonly grantTable: dynamodb.Table;
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
@@ -66,6 +67,22 @@ export class TestStack extends Stack {
       // Use CloudFormation intrinsic function to construct table ARN with known table name
       resources: [Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-scoped-table')],
     }));
+    // TEST 3: Table using grant methods with AccountRootPrincipal
+    // This validates the fix for issue #35967: circular dependency when using grant methods
+    // Before fix: grant methods with AccountRootPrincipal caused circular dependency
+    // After fix: grant methods use resourceSelfArns: ['*'] to avoid circular dependency
+    this.grantTable = new dynamodb.Table(this, 'GrantTable', {
+      partitionKey: {
+        name: 'id',
+        type: dynamodb.AttributeType.STRING,
+      },
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+    // This should NOT cause circular dependency - validates fix for #35967
+    // Using grantWriteData because it has simpler actions valid for resource policies
+    this.grantTable.grantWriteData(new iam.AccountRootPrincipal());
   }
 }

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.placement-strategies.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as integ from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App({
   postCliContext: {
@@ -12,24 +13,29 @@ const app = new cdk.App({
   },
 });
-class EcsStack extends cdk.Stack {
-  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
-    super(scope, id, props);
+class BaseEcsStack extends cdk.Stack {
+  protected createBaseResources() {
     const vpc = new ec2.Vpc(this, 'VPC', { restrictDefaultSecurityGroup: false });
     const cluster = new ecs.Cluster(this, 'EcsCluster', { vpc });
     cluster.addCapacity('DefaultAutoScalingGroup', {
       instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
     });
     const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef');
     taskDefinition.addContainer('web', {
       image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
       memoryLimitMiB: 256,
     });
+    return { vpc, cluster, taskDefinition };
+  }
+}
+// Test service with multiple placement strategies
+class EcsWithStrategiesStack extends BaseEcsStack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+    const { cluster, taskDefinition } = this.createBaseResources();
-    new ecs.Ec2Service(this, 'Test_Stack', {
+    new ecs.Ec2Service(this, 'Service', {
       cluster,
       taskDefinition,
       placementStrategies: [
@@ -40,6 +46,24 @@ class EcsStack extends cdk.Stack {
   }
 }
-new EcsStack(app, 'aws-cdk-ecs-integration-test-stack');
+// Test service with empty placement strategies
+class EcsWithEmptyStrategiesStack extends BaseEcsStack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+    const { cluster, taskDefinition } = this.createBaseResources();
+    new ecs.Ec2Service(this, 'Service', {
+      cluster,
+      taskDefinition,
+      placementStrategies: [],
+    });
+  }
+}
+new integ.IntegTest(app, 'LambdaTest', {
+  testCases: [
+    new EcsWithStrategiesStack(app, 'ecs-placement-strategies-with-strategies'),
+    new EcsWithEmptyStrategiesStack(app, 'ecs-placement-strategies-empty'),
+  ],
+});
 app.synth();

konokenj.cdk-api-mcp-server 0.53.0__py3-none-any.whl → 0.55.0__py3-none-any.whl

Potentially problematic release.

konokenj.cdk-api-mcp-server 0.53.0py3-none-any.whl → 0.55.0py3-none-any.whl