konokenj.cdk-api-mcp-server 0.65.0__py3-none-any.whl → 0.67.0__py3-none-any.whl

cdk_api_mcp_server/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Kenji Kono <konoken@amazon.co.jp>
 #
 # SPDX-License-Identifier: MIT
-__version__ = "0.65.0"
+__version__ = "0.67.0"

cdk_api_mcp_server/resources/aws-cdk/constructs/@aws-cdk/aws-imagebuilder-alpha/README.md

@@ -199,8 +199,8 @@ Use AWS-managed workflows for common pipeline phases:
 const workflowPipeline = new imagebuilder.ImagePipeline(this, 'WorkflowPipeline', {
   recipe: exampleImageRecipe,
   workflows: [
-    { workflow: imagebuilder.AwsManagedWorkflow.buildImage(this, 'BuildWorkflow') },
-    { workflow: imagebuilder.AwsManagedWorkflow.testImage(this, 'TestWorkflow') }
+    { workflow: imagebuilder.AmazonManagedWorkflow.buildImage(this, 'BuildWorkflow') },
+    { workflow: imagebuilder.AmazonManagedWorkflow.testImage(this, 'TestWorkflow') }
   ]
 });
 ```
@@ -211,9 +211,9 @@ For container pipelines, use container-specific workflows:
 const containerWorkflowPipeline = new imagebuilder.ImagePipeline(this, 'ContainerWorkflowPipeline', {
   recipe: exampleContainerRecipe,
   workflows: [
-    { workflow: imagebuilder.AwsManagedWorkflow.buildContainer(this, 'BuildContainer') },
-    { workflow: imagebuilder.AwsManagedWorkflow.testContainer(this, 'TestContainer') },
-    { workflow: imagebuilder.AwsManagedWorkflow.distributeContainer(this, 'DistributeContainer') }
+    { workflow: imagebuilder.AmazonManagedWorkflow.buildContainer(this, 'BuildContainer') },
+    { workflow: imagebuilder.AmazonManagedWorkflow.testContainer(this, 'TestContainer') },
+    { workflow: imagebuilder.AmazonManagedWorkflow.distributeContainer(this, 'DistributeContainer') }
   ]
 });
 ```
@@ -430,8 +430,8 @@ Use workflows for custom build, test, and distribution processes:
 const imageWithWorkflows = new imagebuilder.Image(this, 'ImageWithWorkflows', {
   recipe: exampleImageRecipe,
   workflows: [
-    { workflow: imagebuilder.AwsManagedWorkflow.buildImage(this, 'BuildWorkflow') },
-    { workflow: imagebuilder.AwsManagedWorkflow.testImage(this, 'TestWorkflow') }
+    { workflow: imagebuilder.AmazonManagedWorkflow.buildImage(this, 'BuildWorkflow') },
+    { workflow: imagebuilder.AmazonManagedWorkflow.testImage(this, 'TestWorkflow') }
   ]
 });
 ```
@@ -603,12 +603,12 @@ const imageRecipe = new imagebuilder.ImageRecipe(this, 'AmazonManagedImageRecipe
   ),
   components: [
     {
-      component: imagebuilder.AwsManagedComponent.updateOS(this, 'UpdateOS', {
+      component: imagebuilder.AmazonManagedComponent.updateOs(this, 'UpdateOS', {
         platform: imagebuilder.Platform.LINUX
       })
     },
     {
-      component: imagebuilder.AwsManagedComponent.awsCliV2(this, 'AwsCli', {
+      component: imagebuilder.AmazonManagedComponent.awsCliV2(this, 'AwsCli', {
         platform: imagebuilder.Platform.LINUX
       })
     }
@@ -790,19 +790,19 @@ const containerRecipe = new imagebuilder.ContainerRecipe(this, 'ComponentContain
 Use pre-built AWS components:
 
 ```ts
-const containerRecipe = new imagebuilder.ContainerRecipe(this, 'AwsManagedContainerRecipe', {
+const containerRecipe = new imagebuilder.ContainerRecipe(this, 'AmazonManagedContainerRecipe', {
   baseImage: imagebuilder.BaseContainerImage.fromDockerHub('amazonlinux', 'latest'),
   targetRepository: imagebuilder.Repository.fromEcr(
     ecr.Repository.fromRepositoryName(this, 'Repository', 'my-container-repo')
   ),
   components: [
     {
-      component: imagebuilder.AwsManagedComponent.updateOS(this, 'UpdateOS', {
+      component: imagebuilder.AmazonManagedComponent.updateOs(this, 'UpdateOS', {
         platform: imagebuilder.Platform.LINUX
       })
     },
     {
-      component: imagebuilder.AwsManagedComponent.awsCliV2(this, 'AwsCli', {
+      component: imagebuilder.AmazonManagedComponent.awsCliV2(this, 'AwsCli', {
         platform: imagebuilder.Platform.LINUX
       })
     }
@@ -1070,17 +1070,17 @@ AWS provides a collection of managed components for common tasks:
 
 ```ts
 // Install AWS CLI v2
-const awsCliComponent = imagebuilder.AwsManagedComponent.awsCliV2(this, 'AwsCli', {
+const awsCliComponent = imagebuilder.AmazonManagedComponent.awsCliV2(this, 'AwsCli', {
   platform: imagebuilder.Platform.LINUX
 });
 
 // Update the operating system
-const updateComponent = imagebuilder.AwsManagedComponent.updateOS(this, 'UpdateOS', {
+const updateComponent = imagebuilder.AmazonManagedComponent.updateOs(this, 'UpdateOS', {
   platform: imagebuilder.Platform.LINUX
 });
 
 // Reference any AWS-managed component by name
-const customAwsComponent = imagebuilder.AwsManagedComponent.fromAwsManagedComponentName(
+const customAwsComponent = imagebuilder.AmazonManagedComponent.fromAmazonManagedComponentName(
   this,
   'CloudWatchAgent',
   'amazon-cloudwatch-agent-linux'
@@ -1517,15 +1517,15 @@ AWS provides a collection of workflows for common scenarios:
 
 ```ts
 // Build workflows
-const buildImageWorkflow = imagebuilder.AwsManagedWorkflow.buildImage(this, 'BuildImage');
-const buildContainerWorkflow = imagebuilder.AwsManagedWorkflow.buildContainer(this, 'BuildContainer');
+const buildImageWorkflow = imagebuilder.AmazonManagedWorkflow.buildImage(this, 'BuildImage');
+const buildContainerWorkflow = imagebuilder.AmazonManagedWorkflow.buildContainer(this, 'BuildContainer');
 
 // Test workflows  
-const testImageWorkflow = imagebuilder.AwsManagedWorkflow.testImage(this, 'TestImage');
-const testContainerWorkflow = imagebuilder.AwsManagedWorkflow.testContainer(this, 'TestContainer');
+const testImageWorkflow = imagebuilder.AmazonManagedWorkflow.testImage(this, 'TestImage');
+const testContainerWorkflow = imagebuilder.AmazonManagedWorkflow.testContainer(this, 'TestContainer');
 
 // Distribution workflows
-const distributeContainerWorkflow = imagebuilder.AwsManagedWorkflow.distributeContainer(this, 'DistributeContainer');
+const distributeContainerWorkflow = imagebuilder.AmazonManagedWorkflow.distributeContainer(this, 'DistributeContainer');
 ```
 
 ### Lifecycle Policy

cdk_api_mcp_server/resources/aws-cdk/constructs/@aws-cdk/aws-msk-alpha/README.md

@@ -239,7 +239,7 @@ For more information, see [Amazon MSK Express Brokers](https://docs.aws.amazon.c
 
 **Note:** When using Express Brokers, the following constraints apply:
 
-- Apache Kafka version must be 3.6.x or 3.8.x
+- Apache Kafka version must be 3.6.x, 3.8.x, or 3.9.x
 - You must specify the `instanceType`
 - The VPC must have at least 3 subnets (across 3 AZs)
 - `ebsStorageInfo` is not supported

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-codepipeline-actions/integ.pipeline-elastic-beanstalk-deploy.ts

@@ -9,6 +9,7 @@ import { App, Fn, RemovalPolicy, ResourceEnvironment, Stack, UnscopedValidationE
 import * as integ from '@aws-cdk/integ-tests-alpha';
 import * as cpactions from 'aws-cdk-lib/aws-codepipeline-actions';
 import { Node } from 'constructs';
+import { SOLUTION_STACK_NAME } from '../../utils/aws-elasticbeanstalk';
 
 /**
  * To validate that the deployment actually succeeds, perform the following actions:
@@ -93,8 +94,7 @@ const beanstalkApp = new elasticbeanstalk.CfnApplication(stack, 'beastalk-app',
 const beanstalkEnv = new elasticbeanstalk.CfnEnvironment(stack, 'beanstlk-env', {
   applicationName: beanstalkApp.applicationName!,
   environmentName: 'codepipeline-test-env',
-  // see https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.nodejs
-  solutionStackName: '64bit Amazon Linux 2023 v6.6.2 running Node.js 20',
+  solutionStackName: SOLUTION_STACK_NAME.NODEJS_20,
   optionSettings: [
     {
       namespace: 'aws:autoscaling:launchconfiguration',

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ec2/integ.vpc-endpoint-eusc.ts

@@ -0,0 +1,42 @@
+import * as cdk from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
+
+class EuscVpcEndpointStack extends cdk.Stack {
+  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
+
+    const vpc = new ec2.Vpc(this, 'EuscVpc');
+
+    // Test VPC endpoints for eusc-de-east-1 region services
+    vpc.addInterfaceEndpoint('EcrDkrEndpoint', {
+      service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
+    });
+
+    vpc.addInterfaceEndpoint('EcrApiEndpoint', {
+      service: ec2.InterfaceVpcEndpointAwsService.ECR,
+    });
+
+    vpc.addInterfaceEndpoint('ApiGatewayEndpoint', {
+      service: ec2.InterfaceVpcEndpointAwsService.APIGATEWAY,
+    });
+
+    vpc.addInterfaceEndpoint('SecurityHubEndpoint', {
+      service: ec2.InterfaceVpcEndpointAwsService.SECURITYHUB,
+    });
+  }
+}
+
+const app = new cdk.App();
+
+const testCase = new EuscVpcEndpointStack(app, 'aws-cdk-ec2-vpc-endpoint-eusc', {
+  env: { region: 'eusc-de-east-1' },
+});
+
+new IntegTest(app, 'vpc-endpoint-eusc', {
+  testCases: [testCase],
+});
+
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/README.md

@@ -1665,26 +1665,21 @@ Managed Instances Capacity Providers allow you to use AWS-managed EC2 instances
 
 See [ECS documentation for Managed Instances Capacity Provider](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/managed-instances-capacity-providers-concept.html) for more documentation.
 
+#### IAM Roles Setup
+Managed instances require an infrastructure and an EC2 instance profile. You can either provide your own infrastructure role and/or instance profile, or let the construct create them automatically. 
+
+Option 1: Let CDK create the role and instance profile automatically
 ```ts
 declare const vpc: ec2.Vpc;
-declare const infrastructureRole: iam.Role;
-declare const instanceProfile: iam.InstanceProfile;
 
 const cluster = new ecs.Cluster(this, 'Cluster', { vpc });
 
-// Create a Managed Instances Capacity Provider
 const miCapacityProvider = new ecs.ManagedInstancesCapacityProvider(this, 'MICapacityProvider', {
-  infrastructureRole,
-  ec2InstanceProfile: instanceProfile,
   subnets: vpc.privateSubnets,
-  securityGroups: [new ec2.SecurityGroup(this, 'MISecurityGroup', { vpc })],
   instanceRequirements: {
     vCpuCountMin: 1,
     memoryMin: Size.gibibytes(2),
-    cpuManufacturers: [ec2.CpuManufacturer.INTEL],
-    acceleratorManufacturers: [ec2.AcceleratorManufacturer.NVIDIA],
   },
-  propagateTags: ecs.PropagateManagedInstancesTags.CAPACITY_PROVIDER,
 });
 
 // Optionally configure security group rules using IConnectable interface
@@ -1718,16 +1713,83 @@ new ecs.FargateService(this, 'FargateService', {
 });
 ```
 
+Option 2: If you don't want to use the `AmazonECSInfrastructureRolePolicyForManagedInstances` managed policy for the ECS infrastructure role, you can create a custom infrastructure role with the required permissions. See [documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/infrastructure_IAM_role.html) for what permissions are needed for the ECS infrastructure role.
+
+You can also choose not to use the automatically created ec2InstanceProfile. See [ECS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/managed-instances-instance-profile.html) for what permissions are required for the profile's role.
+
+```ts
+declare const vpc: ec2.Vpc;
+
+const cluster = new ecs.Cluster(this, 'Cluster', { vpc });
+
+// Add your custom policies to the role.
+const customInstanceRole = new iam.Role(this, 'CustomInstanceRole', {
+  assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
+});
+
+const customInstanceProfile = new iam.InstanceProfile(this, 'CustomInstanceProfile', {
+  role: customInstanceRole,
+});
+
+// Add your custom policies to the role.
+const customInfrastructureRole = new iam.Role(this, 'CustomInfrastructureRole', {
+  assumedBy: new iam.ServicePrincipal('ecs.amazonaws.com'),
+});
+
+// Add PassRole permission to allow ECS to pass the instance role to EC2.
+customInfrastructureRole.addToPolicy(new iam.PolicyStatement({
+  effect: iam.Effect.ALLOW,
+  actions: ['iam:PassRole'],
+  resources: [customInstanceRole.roleArn],
+  conditions: {
+    StringEquals: {
+      'iam:PassedToService': 'ec2.amazonaws.com',
+    },
+  },
+}));
+
+const miCapacityProviderCustom = new ecs.ManagedInstancesCapacityProvider(this, 'MICapacityProviderCustomRoles', {
+  infrastructureRole: customInfrastructureRole,
+  ec2InstanceProfile: customInstanceProfile,
+  subnets: vpc.privateSubnets,
+});
+
+// Add the capacity provider to the cluster
+cluster.addManagedInstancesCapacityProvider(miCapacityProviderCustom);
+
+const taskDefinition = new ecs.TaskDefinition(this, 'TaskDef', {
+  memoryMiB: '512',
+  cpu: '256',
+  networkMode: ecs.NetworkMode.AWS_VPC,
+  compatibility: ecs.Compatibility.MANAGED_INSTANCES,
+});
+
+taskDefinition.addContainer('web', {
+  image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  memoryReservationMiB: 256,
+});
+
+
+new ecs.FargateService(this, 'FargateService', {
+
+  cluster,
+  taskDefinition,
+  minHealthyPercent: 100,
+  capacityProviderStrategies: [
+    {
+      capacityProvider: miCapacityProviderCustom.capacityProviderName,
+      weight: 1,
+    },
+  ],
+});
+```
+
 You can specify detailed instance requirements to control which types of instances are used:
 
 ```ts
-declare const infrastructureRole: iam.Role;
-declare const instanceProfile: iam.InstanceProfile;
 declare const vpc: ec2.Vpc;
 
 const miCapacityProvider = new ecs.ManagedInstancesCapacityProvider(this, 'MICapacityProvider', {
-  infrastructureRole,
-  ec2InstanceProfile: instanceProfile,
   subnets: vpc.privateSubnets,
   instanceRequirements: {
     // Required: CPU and memory constraints

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.app-mesh-proxy-config.ts

@@ -5,8 +5,6 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.capacity-provider-managed-draining.ts

@@ -7,8 +7,6 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm': true,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
   },
 });
 const stack = new cdk.Stack(app, 'integ-ec2-capacity-provider-managed-draining');

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.capacity-provider.ts

@@ -6,8 +6,6 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.clb-host-nw.ts

@@ -2,12 +2,11 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as elb from 'aws-cdk-lib/aws-elasticloadbalancing';
 import * as cdk from 'aws-cdk-lib';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
+import { CfnResource } from 'aws-cdk-lib';
 
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });
@@ -45,6 +44,14 @@ const lb = new elb.LoadBalancer(stack, 'LB', { vpc });
 lb.addListener({ externalPort: 80 });
 lb.addTarget(service);
 
+// Suppress security guardian rule for CLB default behavior
+lb.connections.securityGroups.forEach(sg => {
+  const cfnSg = sg.node.defaultChild as CfnResource;
+  cfnSg.addMetadata('guard', {
+    SuppressedRules: ['EC2_NO_OPEN_SECURITY_GROUPS'],
+  });
+});
+
 new cdk.CfnOutput(stack, 'LoadBalancerDNS', { value: lb.loadBalancerDnsName });
 
 app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.cloudmap-container-port.ts

@@ -2,12 +2,11 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as cloudmap from 'aws-cdk-lib/aws-servicediscovery';
 import * as cdk from 'aws-cdk-lib';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
+import { CfnResource } from 'aws-cdk-lib';
 
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });
@@ -33,6 +32,14 @@ const capacity = cluster.addCapacity('capacity', {
 });
 capacity.connections.allowFromAnyIpv4(ec2.Port.tcpRange(32768, 61000));
 
+// Suppress security guardian rule for intentional test setup
+capacity.connections.securityGroups.forEach(sg => {
+  const cfnSg = sg.node.defaultChild as CfnResource;
+  cfnSg.addMetadata('guard', {
+    SuppressedRules: ['EC2_NO_OPEN_SECURITY_GROUPS'],
+  });
+});
+
 cluster.addDefaultCloudMapNamespace({ name: 'aws-ecs-integ' });
 
 const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef', {});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.cluster-amazonlinux2-neuron-ami.ts

@@ -7,8 +7,6 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.cluster-imported.ts

@@ -7,8 +7,6 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.cluster-windows-server-ami.ts

@@ -8,8 +8,6 @@ import * as integ from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.cluster.amazonlinux2023-ami.ts

@@ -8,8 +8,6 @@ import * as iam from 'aws-cdk-lib/aws-iam';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': true,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.default-capacity-provider.ts

@@ -7,8 +7,6 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.deployment-alarms.ts

@@ -8,8 +8,6 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.enable-execute-command.ts

@@ -10,8 +10,6 @@ const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
     '@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions': true,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.environment-file.ts

@@ -10,8 +10,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.exec-command.ts

@@ -8,8 +8,6 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.firelens-s3-config.ts

@@ -3,12 +3,11 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as s3_assets from 'aws-cdk-lib/aws-s3-assets';
 import * as cdk from 'aws-cdk-lib';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
+import { CfnResource } from 'aws-cdk-lib';
 
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });
@@ -69,6 +68,13 @@ container.addPortMappings({
 // Create a security group that allows tcp @ port 80
 const securityGroup = new ec2.SecurityGroup(stack, 'websvc-sg', { vpc });
 securityGroup.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(80));
+
+// Suppress security guardian rule for intentional test setup
+const cfnSecurityGroup = securityGroup.node.defaultChild as CfnResource;
+cfnSecurityGroup.addMetadata('guard', {
+  SuppressedRules: ['EC2_NO_OPEN_SECURITY_GROUPS'],
+});
+
 new ecs.Ec2Service(stack, 'Service', {
   cluster,
   taskDefinition,

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.graviton.ts

@@ -5,8 +5,6 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.lb-awsvpc-nw.ts

@@ -2,12 +2,11 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import * as cdk from 'aws-cdk-lib';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
+import { CfnResource } from 'aws-cdk-lib';
 
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });
@@ -49,6 +48,14 @@ listener.addTargets('ECS', {
   targets: [service],
 });
 
+// Suppress security guardian rule for ALB default behavior (open: true)
+lb.connections.securityGroups.forEach(sg => {
+  const cfnSg = sg.node.defaultChild as CfnResource;
+  cfnSg.addMetadata('guard', {
+    SuppressedRules: ['EC2_NO_OPEN_SECURITY_GROUPS'],
+  });
+});
+
 new cdk.CfnOutput(stack, 'LoadBalancerDNS', { value: lb.loadBalancerDnsName });
 
 app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-ecs/integ.lb-bridge-nw.ts

@@ -3,12 +3,11 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import * as cdk from 'aws-cdk-lib';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
+import { CfnResource } from 'aws-cdk-lib';
 
 const app = new cdk.App({
   postCliContext: {
     '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
-    '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature': false,
-    '@aws-cdk/aws-ecs:disableEcsImdsBlocking': false,
     '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': false,
   },
 });
@@ -49,6 +48,14 @@ listener.addTargets('ECS', {
   targets: [service],
 });
 
+// Suppress security guardian rule for ALB default behavior (open: true)
+lb.connections.securityGroups.forEach(sg => {
+  const cfnSg = sg.node.defaultChild as CfnResource;
+  cfnSg.addMetadata('guard', {
+    SuppressedRules: ['EC2_NO_OPEN_SECURITY_GROUPS'],
+  });
+});
+
 new cdk.CfnOutput(stack, 'LoadBalancerDNS', { value: lb.loadBalancerDnsName });
 
 app.synth();