Enable deploying the example server stacks multiple times in an account for integ tests

clareliguori · clareliguori · commit f0a3bae7b892 · 2025-03-29T21:42:56.000-07:00
diff --git a/e2e_tests/setup/integ-test-authentication.yaml b/e2e_tests/setup/integ-test-authentication.yaml
@@ -0,0 +1,170 @@
+# This CloudFormation template configures an IAM identity provider that uses GitHub's OIDC,
+# enabling GitHub Actions to run the integration tests against the AWS account where this
+# template is deployed.
+#   aws cloudformation deploy \
+#       --template-file .github/cloudformation/integ-test-authentication.yaml \
+#       --stack-name github-integ-test-identity-provider \
+#       --parameter-overrides GitHubOrg=awslabs RepositoryName=utilities-for-model-context-protocol-with-aws-lambda \
+#       --capabilities CAPABILITY_IAM \
+#       --region us-east-2 \
+#       --profile mcp-lambda-cfn-integ-test-account
+
+Parameters:
+  GitHubOrg:
+    Description: Name of GitHub organization/user (case sensitive)
+    Type: String
+  RepositoryName:
+    Description: Name of GitHub repository (case sensitive)
+    Type: String
+  OIDCProviderArn:
+    Description: Arn for the GitHub OIDC Provider.
+    Default: ""
+    Type: String
+  OIDCAudience:
+    Description: Audience supplied to configure-aws-credentials.
+    Default: "sts.amazonaws.com"
+    Type: String
+
+Conditions:
+  CreateOIDCProvider: !Equals
+    - !Ref OIDCProviderArn
+    - ""
+
+Resources:
+  GithubOidc:
+    Type: AWS::IAM::OIDCProvider
+    Condition: CreateOIDCProvider
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList:
+        - 6938fd4d98bab03faadb97b34396831e3780aea1
+
+  IntegrationTestRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !If
+                - CreateOIDCProvider
+                - !Ref GithubOidc
+                - !Ref OIDCProviderArn
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
+
+  IntegrationTestPolicy:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: mcp-lambda-integration-test-runner
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          # Allow integration tests to manage CloudFormation stacks to deploy the example MCP servers
+          - Effect: Allow
+            Action:
+              - "cloudformation:ContinueUpdateRollback"
+              - "cloudformation:CreateChangeSet"
+              - "cloudformation:DeleteChangeSet"
+              - "cloudformation:DeleteStack"
+              - "cloudformation:DescribeChangeSet"
+              - "cloudformation:DescribeStacks"
+              - "cloudformation:ExecuteChangeSet"
+            Resource:
+              - !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/LambdaMcpServer-*"
+          # Allow CloudFormation to provision the resources for the example MCP servers
+          - Effect: Allow
+            Action:
+              - "lambda:CreateFunction"
+              - "lambda:DeleteFunction"
+              - "lambda:DeleteFunctionCodeSigningConfig"
+              - "lambda:DeleteFunctionConcurrency"
+              - "lambda:GetCodeSigningConfig"
+              - "lambda:GetFunction"
+              - "lambda:GetFunctionCodeSigningConfig"
+              - "lambda:GetFunctionRecursionConfig"
+              - "lambda:GetLayerVersion"
+              - "lambda:GetRuntimeManagementConfig"
+              - "lambda:ListFunctions"
+              - "lambda:ListTags"
+              - "lambda:PutFunctionCodeSigningConfig"
+              - "lambda:PutFunctionConcurrency"
+              - "lambda:PutFunctionRecursionConfig"
+              - "lambda:PutRuntimeManagementConfig"
+              - "lambda:TagResource"
+              - "lambda:UntagResource"
+              - "lambda:UpdateFunctionCode"
+              - "lambda:UpdateFunctionConfiguration"
+              - "lambda:DeleteLayerVersion"
+              - "lambda:GetLayerVersion"
+              - "lambda:ListLayerVersions"
+              - "lambda:PublishLayerVersion"
+            Resource: "*"
+            Condition:
+              "ForAnyValue:StringEquals":
+                "aws:CalledVia":
+                  - cloudformation.amazonaws.com
+          - Effect: Allow
+            Action:
+              - "iam:PassRole"
+            Resource:
+              - !GetAtt LambdaFunctionsRole.Arn
+            Condition:
+              "ForAnyValue:StringEquals":
+                "aws:CalledVia":
+                  - cloudformation.amazonaws.com
+          - Effect: Allow
+            Action:
+              - "ssm:GetParametersByPath"
+              - "ssm:GetParameters"
+              - "ssm:GetParameter"
+            Resource:
+              - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/cdk-bootstrap/*/version"
+            Condition:
+              "ForAnyValue:StringEquals":
+                "aws:CalledVia":
+                  - cloudformation.amazonaws.com
+          # Allow integration tests to upload templates and assets to the CDK bucket
+          - Effect: Allow
+            Action:
+              - "s3:PutObject"
+              - "s3:AbortMultipartUpload"
+              - "s3:ListMultipartUploadParts"
+            Resource:
+              - "arn:aws:s3:::cdk*/*"
+          # Allow CloudFormation and Lambda to download templates and assets from the CDK bucket
+          - Effect: Allow
+            Action:
+              - "s3:GetObject"
+              - "s3:GetObjectVersion"
+            Resource:
+              - "arn:aws:s3:::cdk*/*"
+            Condition:
+              "ForAnyValue:StringEquals":
+                "aws:CalledVia":
+                  - cloudformation.amazonaws.com
+      Roles:
+        - !Ref IntegrationTestRole
+
+  LambdaFunctionsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: mcp-lambda-example-servers
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRole
+            Principal:
+              Service: lambda.amazonaws.com
+
+Outputs:
+  Role:
+    Value: !GetAtt Role.Arn
diff --git a/examples/servers/time/cdk_stack.py b/examples/servers/time/cdk_stack.py
@@ -34,13 +34,15 @@ def before_bundling(self, input_dir: str, output_dir: str) -> list[str]:
 
 
 class LambdaTimeMcpServer(Stack):
-    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+    def __init__(
+        self, scope: Construct, construct_id: str, stack_name_suffix: str, **kwargs
+    ) -> None:
         super().__init__(scope, construct_id, **kwargs)
 
         lambda_python.PythonFunction(
             self,
             "ServerFunction",
-            function_name="mcp-server-time",
+            function_name="mcp-server-time" + stack_name_suffix,
             role=iam.Role.from_role_name(self, "Role", "mcp-lambda-example-servers"),
             runtime=lambda_.Runtime.PYTHON_3_13,
             entry="function",
@@ -65,9 +67,14 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
 
 app = App()
 env = Environment(account=os.environ["CDK_DEFAULT_ACCOUNT"], region="us-east-2")
+stack_name_suffix = (
+    f'-{os.environ["INTEG_TEST_ID"]}' if "INTEG_TEST_ID" in os.environ else ""
+)
 LambdaTimeMcpServer(
     app,
     "LambdaMcpServer-Time",
+    stack_name_suffix,
+    stack_name="LambdaMcpServer-Time" + stack_name_suffix,
     env=env,
 )
 app.synth()
diff --git a/examples/servers/weather-alerts/lib/weather-alerts-mcp-server.ts b/examples/servers/weather-alerts/lib/weather-alerts-mcp-server.ts
@@ -6,7 +6,12 @@ import { Role } from "aws-cdk-lib/aws-iam";
 import * as path from "path";
 
 export class WeatherAlertsMcpServer extends cdk.Stack {
-  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+  constructor(
+    scope: Construct,
+    id: string,
+    stackNameSuffix: string,
+    props?: cdk.StackProps
+  ) {
     super(scope, id, props);
 
     // Package local module as a layer for testing
@@ -28,7 +33,7 @@ export class WeatherAlertsMcpServer extends cdk.Stack {
     });
 
     new NodejsFunction(this, "function", {
-      functionName: "mcp-server-weather-alerts",
+      functionName: "mcp-server-weather-alerts" + stackNameSuffix,
       role: Role.fromRoleName(this, "role", "mcp-lambda-example-servers"),
       memorySize: 2048,
       runtime: Runtime.NODEJS_22_X,
@@ -56,7 +61,15 @@ export class WeatherAlertsMcpServer extends cdk.Stack {
 }
 
 const app = new cdk.App();
-new WeatherAlertsMcpServer(app, "LambdaMcpServer-WeatherAlerts", {
-  env: { account: process.env["CDK_DEFAULT_ACCOUNT"], region: "us-east-2" },
-});
+const stackNameSuffix =
+  "INTEG_TEST_ID" in process.env ? `-${process.env["INTEG_TEST_ID"]}` : "";
+new WeatherAlertsMcpServer(
+  app,
+  "LambdaMcpServer-WeatherAlerts",
+  stackNameSuffix,
+  {
+    env: { account: process.env["CDK_DEFAULT_ACCOUNT"], region: "us-east-2" },
+    stackName: "LambdaMcpServer-WeatherAlerts" + stackNameSuffix,
+  }
+);
 app.synth();
