DEV Community

sofaki000

3 CDK best practices

Let's explore some best practices for getting started. As always, feedback on the content is welcome :D

  • Avoid editing the physical and logical names of your constructs.

The physical name of a resource is the name you see in the AWS console (for an S3 bucket, the bucket name). The logical name, or logical ID, is the key of the resource in the synthesized AWS CloudFormation template. The CDK derives it from the construct's path in the stack (the construct IDs of the construct and of its parents, concatenated) plus a hash suffix, so for a construct created directly in the stack it is the construct ID we supplied with an eight-character hash appended.

const bucket = new s3.Bucket(this, 'thisIsTheConstructId', {
  bucketName: 'thePhysicalName',
});

You set the physical name of a construct through its name property (for S3 buckets, the bucketName prop). Assigning physical names to resources has some disadvantages in AWS CloudFormation. Most importantly, any change to a deployed resource that requires replacement, such as a change to a property that is immutable after creation, will fail if the resource has a physical name assigned: CloudFormation creates the replacement before it deletes the old resource, and the two cannot share the same name. If you end up in that state, the only way out is to delete the AWS CloudFormation stack and deploy the AWS CDK app again. See the AWS CloudFormation documentation for details.

When is a physical name required? In some cases, such as when creating an AWS CDK app with cross-environment references, where a stack in another account or region has to refer to the resource by a name that is known in advance.

You should also avoid changing the logical ID of a resource after it has been created. AWS CloudFormation identifies resources by their logical ID. Therefore, if you change the logical ID of a resource, AWS CloudFormation creates a new resource with the new logical ID, then deletes the existing one. Depending on the type of resource, this might cause service interruption, data loss, or both. Because the logical ID is derived from the construct path, moving a construct under a different parent scope renames it just as editing its construct ID does.

  • Use grant methods to assign privileges

The AWS Construct Library makes least-privilege permissions achievable by offering APIs that express permission requirements, and the policy statements those APIs generate are scoped to the resource they belong to.
Avoid writing IAM policy statements by hand when a grant method fits your use case; hand-written statements tend to drift toward wildcard actions and resources.

The following example grants a Lambda function's execution role permission to read and write objects in a particular Amazon S3 bucket. If the bucket is encrypted with an AWS KMS key, the method also grants the role permission to use that key (decrypt for reads, encrypt for writes). Note that grantReadWrite also includes s3:DeleteObject*; if the function only needs to fetch objects, or only needs to upload them, the narrower grantRead or grantPut is the better fit.

bucket.grantReadWrite(lambdaFun)

If a specific grant method isn't available for the particular use case, you can use a generic grant method to define a new grant with a specified list of actions.

The following example shows how to grant a Lambda function access to the Amazon DynamoDB CreateBackup action.

table.grant(func, 'dynamodb:CreateBackup');

  • Don't forget to define removal policies

Resources that maintain persistent data, such as databases, Amazon S3 buckets, and Amazon ECR repositories, have a removal policy. The removal policy indicates whether to delete persistent objects when the AWS CDK stack that contains them is destroyed. The values specifying the removal policy are available through the RemovalPolicy enumeration in the AWS CDK core module.

Resources besides those that store data persistently might also have a removalPolicy that is used for a different purpose. For example, a Lambda function version uses a removalPolicy attribute to determine whether a given version is retained when a new version is deployed. These have different meanings and defaults compared to the removal policy on an Amazon S3 bucket or DynamoDB table.

RemovalPolicy.RETAIN (the default for most data-bearing constructs, such as S3 buckets and DynamoDB tables) = Keep the resource and its contents when destroying the stack. The resource is orphaned from the stack and must be deleted manually. If you then re-deploy the stack and the orphaned resource carries a fixed physical name, the deployment fails with a name conflict; a resource with a CDK-generated name is simply created again alongside the orphan.
RemovalPolicy.DESTROY = The resource will be destroyed along with the stack.
RemovalPolicy.SNAPSHOT = For resources that support it (Amazon RDS instances and clusters, where it is the default), take a snapshot before the resource is deleted.

Just be careful with S3: even if a bucket's removal policy is set to DESTROY, AWS CloudFormation does not delete an Amazon S3 bucket that still contains objects. Attempting to do so is a CloudFormation error, and the stack deletion fails. To have the AWS CDK empty the bucket before destroying it, set the bucket's autoDeleteObjects property to true. This adds a Lambda-backed custom resource to the stack that deletes the objects at stack-deletion time, and it requires removalPolicy to be DESTROY (the CDK refuses to synthesize otherwise).
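All three practices leave a trace in the synthesized template under cdk.out, which makes them checkable in CI. The following TypeScript is an added example, not code from the post or from the AWS CDK project: it audits a template for a renamed stateful resource (practice 1), for hand-written wildcard IAM statements (practice 2) and for missing removal policies or a DESTROY bucket without autoDeleteObjects (practice 3). It uses only plain JSON processing, so it needs no aws-cdk-lib. The two templates are constructed, trimmed-down samples rather than real synth output, the logical IDs are made up in the CDK's id-plus-hash shape, and the check for autoDeleteObjects assumes the CDK's Custom::S3AutoDeleteObjects resource references the bucket through a BucketName: { Ref: ... } property.

```typescript
// Added example (not from the post): audit a synthesized CDK template against the three practices.
type Resource = { Type: string; Properties?: Record<string, any>; DeletionPolicy?: string; UpdateReplacePolicy?: string };
type Template = { Resources: Record<string, Resource> };

// Resource types whose replacement or deletion loses data.
const STATEFUL_TYPES = new Set(["AWS::S3::Bucket", "AWS::DynamoDB::Table", "AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::ECR::Repository"]);

// Practice 1: a stateful logical ID that vanished while one of the same type appeared is
// almost certainly a renamed construct; CloudFormation would create the new one and delete the old one.
function findRenamedStateful(prev: Template, next: Template): { type: string; oldId: string; newId: string }[] {
  const out: { type: string; oldId: string; newId: string }[] = [];
  const prevIds = Object.keys(prev.Resources);
  const nextIds = Object.keys(next.Resources);
  for (const oldId of prevIds) {
    const r = prev.Resources[oldId];
    if (!STATEFUL_TYPES.has(r.Type) || nextIds.indexOf(oldId) >= 0) continue;
    const newId = nextIds.find((id) => prevIds.indexOf(id) < 0 && next.Resources[id].Type === r.Type);
    if (newId) out.push({ type: r.Type, oldId, newId });
  }
  return out;
}

// Practice 2: grant methods emit action patterns such as "s3:GetObject*"; a bare "*" or a
// service-wide "s3:*", or Resource "*", is the signature of a hand-written statement.
function isWildcardAction(action: string): boolean {
  return action === "*" || action.endsWith(":*");
}

function findOverbroadStatements(t: Template): { logicalId: string; statement: any }[] {
  const out: { logicalId: string; statement: any }[] = [];
  for (const [logicalId, r] of Object.entries(t.Resources)) {
    const docs: any[] = [];
    if (r.Type === "AWS::IAM::Policy" && r.Properties?.PolicyDocument) docs.push(r.Properties.PolicyDocument);
    if (r.Type === "AWS::IAM::Role") for (const p of r.Properties?.Policies ?? []) docs.push(p.PolicyDocument);
    for (const doc of docs) {
      for (const s of doc.Statement ?? []) {
        if (s.Effect !== "Allow") continue;
        const actions: string[] = ([] as string[]).concat(s.Action ?? []);
        const resources: any[] = ([] as any[]).concat(s.Resource ?? []);
        if (actions.some(isWildcardAction) || resources.indexOf("*") >= 0) out.push({ logicalId, statement: s });
      }
    }
  }
  return out;
}

// Practice 3: every stateful resource should carry an explicit DeletionPolicy, and a bucket set to
// Delete needs the auto-delete custom resource, otherwise deleting the stack fails on a non-empty bucket.
function findRemovalPolicyIssues(t: Template): { logicalId: string; issue: string }[] {
  const out: { logicalId: string; issue: string }[] = [];
  const autoDeleteTargets = new Set<string>();
  for (const r of Object.values(t.Resources)) {
    // Assumption: the CDK's custom resource points at the bucket via BucketName: { Ref: <bucket logical ID> }.
    if (r.Type === "Custom::S3AutoDeleteObjects" && r.Properties?.BucketName?.Ref) autoDeleteTargets.add(r.Properties.BucketName.Ref);
  }
  for (const [logicalId, r] of Object.entries(t.Resources)) {
    if (!STATEFUL_TYPES.has(r.Type)) continue;
    if (!r.DeletionPolicy) out.push({ logicalId, issue: "no explicit DeletionPolicy" });
    else if (r.DeletionPolicy === "Delete" && r.Type === "AWS::S3::Bucket" && !autoDeleteTargets.has(logicalId))
      out.push({ logicalId, issue: "DeletionPolicy Delete without autoDeleteObjects" });
  }
  return out;
}

function audit(prev: Template, next: Template) {
  return { renamed: findRenamedStateful(prev, next), overbroad: findOverbroadStatements(next), removal: findRemovalPolicyIssues(next) };
}

// Constructed samples: the template of the last deployment and the one about to be deployed.
const previousTemplate: Template = {
  Resources: { DataBucket1A2B3C4D: { Type: "AWS::S3::Bucket", DeletionPolicy: "Retain", UpdateReplacePolicy: "Retain" } },
};
const nextTemplate: Template = {
  Resources: {
    ArchiveBucket5E6F7A8B: { Type: "AWS::S3::Bucket", DeletionPolicy: "Delete", UpdateReplacePolicy: "Delete" },
    OrdersTable9C0D1E2F: { Type: "AWS::DynamoDB::Table", Properties: { TableName: "orders" } },
    FnRoleDefaultPolicy3F4A5B6C: {
      Type: "AWS::IAM::Policy",
      Properties: { PolicyDocument: { Statement: [
        // What bucket.grantRead(fn) produces: scoped actions and the bucket ARN plus its objects.
        { Effect: "Allow", Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
          Resource: [{ "Fn::GetAtt": ["ArchiveBucket5E6F7A8B", "Arn"] }, { "Fn::Join": ["", [{ "Fn::GetAtt": ["ArchiveBucket5E6F7A8B", "Arn"] }, "/*"]] }] },
        // A hand-written statement that should fail review.
        { Effect: "Allow", Action: "s3:*", Resource: "*" },
      ] } },
    },
  },
};

console.log(JSON.stringify(audit(previousTemplate, nextTemplate), null, 2));
```

In a pipeline, replace the constructed templates with the JSON read from the previous deployment's cdk.out and the current synth, and fail the build when any of the three lists is non-empty; the rename check is the one that matters most, because it is the only one CloudFormation will not warn you about before it deletes the data.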

Happy coding folks!

References:
If you would like to explore more CDK best practices, the AWS docs are an excellent place to start: the AWS CDK Developer Guide covers the basic concepts and has a dedicated best-practices page.
