DEV Community: TOMOAKI ishihara The latest articles on DEV Community by TOMOAKI ishihara (@issy929). https://dev.to/issy929 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2925874%2F3ce4b2bd-9f95-499f-85a4-4170ed4c116a.jpg DEV Community: TOMOAKI ishihara https://dev.to/issy929 en AWS CDK 100 Drill Exercises #007: SQS-Lambda-Firehose —— Building Event-Driven Data Pipelines TOMOAKI ishihara Mon, 26 Jan 2026 15:23:32 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-007-sqs-lambda-firehose-building-event-driven-data-pipelines-2ki8 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-007-sqs-lambda-firehose-building-event-driven-data-pipelines-2ki8 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" alt="Level 300" width="70" height="20"></a></p> <h2> Introduction </h2> <p>This is the 8th installment of "AWS CDK 100 Drill Exercises". For the series overview, see <a href="https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949">here</a>.</p> <p>In this exercise, we'll build an event-driven data pipeline combining <strong>SQS, Lambda, and Firehose</strong>.</p> <h3> Why SQS-Lambda-Firehose? </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Benefit</th> </tr> </thead> <tbody> <tr> <td>Event-Driven</td> <td>Loosely coupled and scalable</td> </tr> <tr> <td>Reliability</td> <td>Robust error handling with DLQ and batch failure reporting</td> </tr> <tr> <td>Cost Efficiency</td> <td>Serverless with pay-per-use pricing</td> </tr> <tr> <td>Reduced Ops</td> <td>Minimize infrastructure management with managed services</td> </tr> </tbody> </table></div> <h3> What You'll Learn </h3> <ul> <li>SQS + Dead Letter Queue design</li> <li>Lambda <strong>ReportBatchItemFailures</strong> for batch processing</li> <li>Firehose → S3 streaming delivery</li> <li>Production monitoring with CloudWatch Alarms</li> </ul> <p>📁 <strong>Code Repository</strong>: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/tree/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose" rel="noopener noreferrer">GitHub</a></p> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsv2k3j195xjxgj0s6t7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsv2k3j195xjxgj0s6t7.png" alt="Architecture Overview" width="800" height="572"></a></p> <h3> Data Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Producer → SQS Queue → Lambda → Firehose → S3 ↓ (on failure) Dead Letter Queue </code></pre> </div> <h3> Key Components and Design Points </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Design Points</th> </tr> </thead> <tbody> <tr> <td>SQS Queue</td> <td>Long Polling (20s), Visibility Timeout (30s), SSL enforcement</td> </tr> <tr> <td>Dead Letter Queue</td> <td>Move to DLQ after 3 failures, 14-day retention</td> </tr> <tr> <td>Lambda</td> <td>Batch size 5, <strong>ReportBatchItemFailures enabled</strong>, X-Ray enabled</td> </tr> <tr> <td>SQS Queue (for Failure Lambda)</td> <td>Long Polling (20s), Visibility Timeout (30s), SSL enforcement</td> </tr> <tr> <td>Lambda (Failure)</td> <td>Lambda without Firehose permissions for DLQ behavior validation</td> </tr> <tr> <td>Firehose</td> <td>1min/1MB buffering, partitioned prefix</td> </tr> <tr> <td>S3</td> <td>Lifecycle management (60d→IA, 90d→Glacier, 365d→Delete)</td> </tr> <tr> <td>CloudWatch</td> <td>8 alarms + SNS notifications</td> </tr> </tbody> </table></div> <h2> Implementation Highlights </h2> <h3> 1. SQS + Dead Letter Queue </h3> <p>DLQ configuration is critical for isolating failed messages and enabling investigation and reprocessing.</p> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose/lib/stacks/sqs-lambda-firehose-stack.ts#L35" rel="noopener noreferrer">stacks/sqs-lambda-firehose-stack.ts#L35</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Dead Letter Queue</span> <span class="kd">const</span> <span class="nx">deadLetterQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sqs</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DeadLetterQueue</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">retentionPeriod</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">14</span><span class="p">),</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Main Queue with DLQ</span> <span class="kd">const</span> <span class="nx">queue</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sqs</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">MainQueue</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">visibilityTimeout</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">receiveMessageWaitTime</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">20</span><span class="p">),</span> <span class="c1">// Long Polling</span> <span class="na">deadLetterQueue</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxReceiveCount</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// Move to DLQ after 3 failures</span> <span class="na">queue</span><span class="p">:</span> <span class="nx">deadLetterQueue</span><span class="p">,</span> <span class="p">},</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <blockquote> <p><strong>Best Practice</strong>: Set Visibility Timeout to <strong>at least 6 times</strong> the Lambda timeout (<a href="https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-lambda-function-trigger.html" rel="noopener noreferrer">see documentation</a>)</p> </blockquote> <h3> 2. Lambda - ReportBatchItemFailures </h3> <p>When only some messages in a batch fail, you can reprocess only the failed ones.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">lambdaFunction</span><span class="p">.</span><span class="nf">addEventSource</span><span class="p">(</span> <span class="k">new</span> <span class="nx">lambdaEventSources</span><span class="p">.</span><span class="nc">SqsEventSource</span><span class="p">(</span><span class="nx">queue</span><span class="p">,</span> <span class="p">{</span> <span class="na">batchSize</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">reportBatchItemFailures</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Support partial failures</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <h4> Without Powertools vs With Powertools </h4> <p>❌ Without Powertools (Manual Implementation)</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">records</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Records</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="n">batch_item_failures</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">record</span> <span class="ow">in</span> <span class="n">records</span><span class="p">:</span> <span class="n">message_id</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">messageId</span><span class="sh">"</span><span class="p">)</span> <span class="n">message_body</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="nf">process_message</span><span class="p">(</span><span class="n">message_body</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Manually add failed record ID </span> <span class="n">batch_item_failures</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">itemIdentifier</span><span class="sh">"</span><span class="p">:</span> <span class="n">message_id</span><span class="p">})</span> <span class="c1"># Manually construct response format </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">batchItemFailures</span><span class="sh">"</span><span class="p">:</span> <span class="n">batch_item_failures</span><span class="p">}</span> </code></pre> </div> <p><strong>Problems:</strong></p> <ul> <li>Need to manually add <code>itemIdentifier</code> to batch_item_failures</li> <li>Must construct response format accurately</li> <li>Lots of error handling boilerplate</li> <li>Testing becomes complex</li> </ul> <p>✅ With Powertools (Recommended)</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_lambda_powertools.utilities.batch</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">BatchProcessor</span><span class="p">,</span> <span class="n">EventType</span><span class="p">,</span> <span class="n">process_partial_response</span> <span class="p">)</span> <span class="n">processor</span> <span class="o">=</span> <span class="nc">BatchProcessor</span><span class="p">(</span><span class="n">event_type</span><span class="o">=</span><span class="n">EventType</span><span class="p">.</span><span class="n">SQS</span><span class="p">)</span> <span class="k">def</span> <span class="nf">record_handler</span><span class="p">(</span><span class="n">record</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Process each record - just raise exception on failure</span><span class="sh">"""</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="n">json_body</span> <span class="nf">send_to_firehose</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">return</span> <span class="nf">process_partial_response</span><span class="p">(</span> <span class="n">event</span><span class="o">=</span><span class="n">event</span><span class="p">,</span> <span class="n">record_handler</span><span class="o">=</span><span class="n">record_handler</span><span class="p">,</span> <span class="n">processor</span><span class="o">=</span><span class="n">processor</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span> <span class="p">)</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li> <code>itemIdentifier</code> extraction and setting are automated</li> <li>No need to worry about response format</li> <li> <code>record_handler</code> can focus solely on processing logic</li> <li>Just raise an exception on failure</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Item</th> <th>Manual Implementation</th> <th>Powertools</th> </tr> </thead> <tbody> <tr> <td>Code Volume</td> <td>Large</td> <td>Small</td> </tr> <tr> <td>Bug Risk</td> <td>High (itemIdentifier mistakes, etc.)</td> <td>Low</td> </tr> <tr> <td>Test Ease</td> <td>Complex</td> <td>Simple</td> </tr> <tr> <td>Metrics</td> <td>Manual addition</td> <td>Auto-collection available</td> </tr> </tbody> </table></div> <p>📝 Complete Lambda Function Code (Python)</p> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/common/src/python-lambda/sqs-firehose-powertools/index.py" rel="noopener noreferrer">sqs-firehose-powertools/index.py</a></p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">aws_lambda_powertools</span> <span class="kn">import</span> <span class="n">Logger</span><span class="p">,</span> <span class="n">Tracer</span><span class="p">,</span> <span class="n">Metrics</span> <span class="kn">from</span> <span class="n">aws_lambda_powertools.utilities.batch</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">BatchProcessor</span><span class="p">,</span> <span class="n">EventType</span><span class="p">,</span> <span class="n">process_partial_response</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">aws_lambda_powertools.utilities.data_classes.sqs_event</span> <span class="kn">import</span> <span class="n">SQSRecord</span> <span class="n">logger</span> <span class="o">=</span> <span class="nc">Logger</span><span class="p">()</span> <span class="n">tracer</span> <span class="o">=</span> <span class="nc">Tracer</span><span class="p">()</span> <span class="n">metrics</span> <span class="o">=</span> <span class="nc">Metrics</span><span class="p">()</span> <span class="n">processor</span> <span class="o">=</span> <span class="nc">BatchProcessor</span><span class="p">(</span><span class="n">event_type</span><span class="o">=</span><span class="n">EventType</span><span class="p">.</span><span class="n">SQS</span><span class="p">)</span> <span class="n">firehose_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">firehose</span><span class="sh">'</span><span class="p">)</span> <span class="n">delivery_stream_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">FIREHOSE_DELIVERY_STREAM_NAME</span><span class="sh">'</span><span class="p">]</span> <span class="nd">@tracer.capture_method</span> <span class="k">def</span> <span class="nf">record_handler</span><span class="p">(</span><span class="n">record</span><span class="p">:</span> <span class="n">SQSRecord</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Process individual record</span><span class="sh">"""</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="n">json_body</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Processing message</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">message_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">message_id</span><span class="p">})</span> <span class="n">response</span> <span class="o">=</span> <span class="n">firehose_client</span><span class="p">.</span><span class="nf">put_record</span><span class="p">(</span> <span class="n">DeliveryStreamName</span><span class="o">=</span><span class="n">delivery_stream_name</span><span class="p">,</span> <span class="n">Record</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">Data</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="o">+</span> <span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">}</span> <span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Sent to Firehose</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">record_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">RecordId</span><span class="sh">'</span><span class="p">]})</span> <span class="n">metrics</span><span class="p">.</span><span class="nf">add_metric</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">ProcessedMessages</span><span class="sh">"</span><span class="p">,</span> <span class="n">unit</span><span class="o">=</span><span class="sh">"</span><span class="s">Count</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="nd">@logger.inject_lambda_context</span> <span class="nd">@tracer.capture_lambda_handler</span> <span class="nd">@metrics.log_metrics</span><span class="p">(</span><span class="n">capture_cold_start_metric</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">return</span> <span class="nf">process_partial_response</span><span class="p">(</span> <span class="n">event</span><span class="o">=</span><span class="n">event</span><span class="p">,</span> <span class="n">record_handler</span><span class="o">=</span><span class="n">record_handler</span><span class="p">,</span> <span class="n">processor</span><span class="o">=</span><span class="n">processor</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span> <span class="p">)</span> </code></pre> </div> <h3> 3. Firehose - Partitioned Delivery </h3> <p>Improves S3 query performance and analysis efficiency with Athena and similar tools.</p> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose/lib/stacks/sqs-lambda-firehose-stack.ts#L168" rel="noopener noreferrer">stacks/sqs-lambda-firehose-stack.ts#L168</a></p> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose/parameters/dev-params.ts#L69" rel="noopener noreferrer">dev-params.ts#L69</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">deliveryStream</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">firehose</span><span class="p">.</span><span class="nc">DeliveryStream</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DeliveryStream</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">destination</span><span class="p">:</span> <span class="k">new</span> <span class="nx">firehose</span><span class="p">.</span><span class="nc">S3Bucket</span><span class="p">(</span><span class="nx">bucket</span><span class="p">,</span> <span class="p">{</span> <span class="na">dataOutputPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">!{timestamp:yyyy/MM/dd}/</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Partition by date</span> <span class="na">errorOutputPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/</span><span class="dl">'</span><span class="p">,</span> <span class="na">bufferingInterval</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="na">bufferingSize</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Size</span><span class="p">.</span><span class="nf">mebibytes</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <h3> 4. S3 Lifecycle Management </h3> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose/lib/stacks/sqs-lambda-firehose-stack.ts#L88" rel="noopener noreferrer">stacks/sqs-lambda-firehose-stack.ts#L88</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">bucket</span><span class="p">.</span><span class="nf">addLifecycleRule</span><span class="p">({</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">GLACIER</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">)</span> <span class="p">},</span> <span class="p">],</span> <span class="na">expiration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">365</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>📝 Complete Stack Implementation Code</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">sqs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-sqs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">lambda</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-lambda</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">pythonLambda</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-lambda-python-alpha</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">lambdaEventSources</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-lambda-event-sources</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">firehose</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-kinesisfirehose</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">s3</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-s3</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">logs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-logs</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SqsLambdaFirehoseStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">SqsLambdaFirehoseStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// 1. Dead Letter Queue</span> <span class="kd">const</span> <span class="nx">deadLetterQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sqs</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DeadLetterQueue</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">retentionPeriod</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">14</span><span class="p">),</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">sqs</span><span class="p">.</span><span class="nx">QueueEncryption</span><span class="p">.</span><span class="nx">SQS_MANAGED</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// 2. Main Queue</span> <span class="kd">const</span> <span class="nx">queue</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sqs</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">MainQueue</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">visibilityTimeout</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">retentionPeriod</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">4</span><span class="p">),</span> <span class="na">receiveMessageWaitTime</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">20</span><span class="p">),</span> <span class="na">deadLetterQueue</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxReceiveCount</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">queue</span><span class="p">:</span> <span class="nx">deadLetterQueue</span> <span class="p">},</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// 3. S3 Bucket</span> <span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DataBucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">versioned</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">BucketEncryption</span><span class="p">.</span><span class="nx">S3_MANAGED</span><span class="p">,</span> <span class="p">});</span> <span class="nx">bucket</span><span class="p">.</span><span class="nf">addLifecycleRule</span><span class="p">({</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">GLACIER</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">)</span> <span class="p">},</span> <span class="p">],</span> <span class="na">expiration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">365</span><span class="p">),</span> <span class="p">});</span> <span class="c1">// 4. Firehose</span> <span class="kd">const</span> <span class="nx">deliveryStream</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">firehose</span><span class="p">.</span><span class="nc">DeliveryStream</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DeliveryStream</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">destination</span><span class="p">:</span> <span class="k">new</span> <span class="nx">firehose</span><span class="p">.</span><span class="nc">S3Bucket</span><span class="p">(</span><span class="nx">bucket</span><span class="p">,</span> <span class="p">{</span> <span class="na">dataOutputPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">!{timestamp:yyyy/MM/dd}/</span><span class="dl">'</span><span class="p">,</span> <span class="na">errorOutputPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/</span><span class="dl">'</span><span class="p">,</span> <span class="na">bufferingInterval</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="na">bufferingSize</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Size</span><span class="p">.</span><span class="nf">mebibytes</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">}),</span> <span class="p">});</span> <span class="c1">// 5. Lambda Function</span> <span class="kd">const</span> <span class="nx">lambdaFunction</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">pythonLambda</span><span class="p">.</span><span class="nc">PythonFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ProcessorFunction</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">PYTHON_3_14</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lambda_handler</span><span class="dl">'</span><span class="p">,</span> <span class="na">entry</span><span class="p">:</span> <span class="dl">'</span><span class="s1">../../common/src/python-lambda/sqs-firehose</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="na">memorySize</span><span class="p">:</span> <span class="mi">256</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">FIREHOSE_DELIVERY_STREAM_NAME</span><span class="p">:</span> <span class="nx">deliveryStream</span><span class="p">.</span><span class="nx">deliveryStreamName</span><span class="p">,</span> <span class="p">},</span> <span class="na">tracing</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Tracing</span><span class="p">.</span><span class="nx">ACTIVE</span><span class="p">,</span> <span class="na">loggingFormat</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">LoggingFormat</span><span class="p">.</span><span class="nx">JSON</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// 6. Permissions &amp;amp; Event Source</span> <span class="nx">queue</span><span class="p">.</span><span class="nf">grantConsumeMessages</span><span class="p">(</span><span class="nx">lambdaFunction</span><span class="p">);</span> <span class="nx">deliveryStream</span><span class="p">.</span><span class="nf">grantPutRecords</span><span class="p">(</span><span class="nx">lambdaFunction</span><span class="p">);</span> <span class="nx">lambdaFunction</span><span class="p">.</span><span class="nf">addEventSource</span><span class="p">(</span> <span class="k">new</span> <span class="nx">lambdaEventSources</span><span class="p">.</span><span class="nc">SqsEventSource</span><span class="p">(</span><span class="nx">queue</span><span class="p">,</span> <span class="p">{</span> <span class="na">batchSize</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">reportBatchItemFailures</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> CloudWatch Monitoring </h2> <p>In production, we configure <strong>8 alarms</strong> with SNS notifications.</p> <h3> Alarm List </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Alarm</th> <th>Threshold</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><strong>SQS</strong></td> <td>ApproximateAgeOfOldestMessage</td> <td>300s</td> <td>Detect message backlog</td> </tr> <tr> <td><strong>SQS</strong></td> <td>NumberOfEmptyReceives</td> <td>100</td> <td>Detect Long Polling issues</td> </tr> <tr> <td><strong>DLQ</strong></td> <td>ApproximateNumberOfMessagesVisible</td> <td>1</td> <td>Immediate failure detection</td> </tr> <tr> <td><strong>Firehose</strong></td> <td>DeliveryToS3.DataFreshness</td> <td>900s</td> <td>Detect delivery delays</td> </tr> <tr> <td><strong>Firehose</strong></td> <td>ThrottledRecords</td> <td>1</td> <td>Detect throttling</td> </tr> <tr> <td><strong>Firehose</strong></td> <td>IncomingBytes Rate</td> <td>80%</td> <td>Quota utilization</td> </tr> <tr> <td><strong>Firehose</strong></td> <td>IncomingRecords Rate</td> <td>80%</td> <td>Quota utilization</td> </tr> <tr> <td><strong>Firehose</strong></td> <td>IncomingPutRequests Rate</td> <td>80%</td> <td>Quota utilization</td> </tr> </tbody> </table></div> <h3> DLQ Alarm (Most Critical) </h3> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose/lib/stacks/sqs-lambda-firehose-stack.ts#L369" rel="noopener noreferrer">stacks/sqs-lambda-firehose-stack.ts#L369</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">dlqAlarm</span> <span class="o">=</span> <span class="nx">deadLetterQueue</span> <span class="p">.</span><span class="nf">metricApproximateNumberOfMessagesVisible</span><span class="p">()</span> <span class="p">.</span><span class="nf">createAlarm</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DlqAlarm</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Alert even with 1 message</span> <span class="na">evaluationPeriods</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> Firehose Quota Monitoring (Math Expression) </h3> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose/lib/stacks/sqs-lambda-firehose-stack.ts#L390" rel="noopener noreferrer">stacks/sqs-lambda-firehose-stack.ts#L390</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">incomingBytesRateAlarm</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cw</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">IncomingBytesRateAlarm</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="c1">// Alert at 80% usage</span> <span class="na">metric</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cw</span><span class="p">.</span><span class="nc">MathExpression</span><span class="p">({</span> <span class="na">expression</span><span class="p">:</span> <span class="dl">'</span><span class="s1">100*(m1/300/m2)</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Calculate usage as %</span> <span class="na">usingMetrics</span><span class="p">:</span> <span class="p">{</span> <span class="na">m1</span><span class="p">:</span> <span class="nx">firehose</span><span class="p">.</span><span class="nf">metric</span><span class="p">(</span><span class="dl">'</span><span class="s1">IncomingBytes</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statistic</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Sum</span><span class="dl">'</span> <span class="p">}),</span> <span class="na">m2</span><span class="p">:</span> <span class="nx">firehose</span><span class="p">.</span><span class="nf">metric</span><span class="p">(</span><span class="dl">'</span><span class="s1">BytesPerSecondLimit</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statistic</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Minimum</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <p>📝 SNS Notification Integration Code</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">topic</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AlertTopic</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SQS-Firehose Alerts</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">[</span><span class="nx">dlqAlarm</span><span class="p">,</span> <span class="nx">sqsAgeAlarm</span><span class="p">,</span> <span class="nx">firehoseFreshnessAlarm</span><span class="p">,</span> <span class="p">...</span><span class="nx">otherAlarms</span><span class="p">].</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">alarm</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">alarm</span><span class="p">.</span><span class="nf">addAlarmAction</span><span class="p">(</span><span class="k">new</span> <span class="nx">cw_actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="nx">topic</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <h2> Deployment &amp; Verification </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run stage:deploy:all <span class="nt">-w</span> workspaces/sqs-lambda-firehose <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <p>See: <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/blob/main/infrastructure/cdk-workspaces/workspaces/sqs-lambda-firehose/test-scripts/send-messages.sh" rel="noopener noreferrer">test-scripts/send-messages.sh</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Send test messages</span> ./test-scripts/send-messages.sh <span class="nt">--env</span> dev <span class="nt">--project</span> myproject <span class="c"># Verify data is saved in S3</span> ./test-scripts/check-s3.sh <span class="nt">--env</span> dev <span class="nt">--project</span> myproject </code></pre> </div> <h2> Best Practices Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Recommended</th> <th>Avoid</th> </tr> </thead> <tbody> <tr> <td>SQS</td> <td>Long Polling, DLQ configuration, SSL enforcement</td> <td>Short Polling, no DLQ</td> </tr> <tr> <td>Lambda</td> <td>ReportBatchItemFailures, appropriate batch size (5-10)</td> <td>Too large batches, no error handling</td> </tr> <tr> <td>Firehose</td> <td>Partitioning, 1-5MB buffer</td> <td>No partitioning, excessively long buffer time</td> </tr> <tr> <td>S3</td> <td>Lifecycle management, encryption</td> <td>No lifecycle, public access</td> </tr> </tbody> </table></div> <h2> Cost Estimation </h2> <p>💰 Monthly Estimate (Tokyo Region, Low-to-Medium Usage)</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Usage</th> <th>Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>SQS</td> <td>1M requests</td> <td>$0.40</td> </tr> <tr> <td>Lambda</td> <td>1M requests, 256MB</td> <td>$0.83</td> </tr> <tr> <td>Firehose</td> <td>1GB delivery</td> <td>$0.03</td> </tr> <tr> <td>S3</td> <td>10GB~60GB</td> <td>$0.50~1.00</td> </tr> <tr> <td>CloudWatch</td> <td>5GB Logs</td> <td>$0.27</td> </tr> </tbody> </table></div> <p>Total: ~$7-10/month</p> <h2> Summary </h2> <p>What we learned from this pattern:</p> <ol> <li>SQS + DLQ: Reliable message processing</li> <li>ReportBatchItemFailures: Efficient handling of partial failures</li> <li>Firehose Partitioning: Analytics-friendly data storage</li> <li>CloudWatch Alarms: Essential monitoring for production</li> </ol> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/sqs/" rel="noopener noreferrer">Amazon SQS Developer Guide</a></li> <li><a href="https://docs.powertools.aws.dev/lambda/python/" rel="noopener noreferrer">AWS Lambda Powertools</a></li> <li><a href="https://docs.aws.amazon.com/firehose/latest/dev/firehose-cloudwatch-metrics-best-practices.html" rel="noopener noreferrer">Firehose Monitoring Best Practices</a></li> </ul> <p>Let's continue learning practical AWS CDK patterns through the 100 drill exercises!<br> If you found this helpful, please ⭐ the repository!</p> <p>📌 You can see the entire code in <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">My GitHub Repository</a>.</p> aws cdk 100drillexercises sqs AWS CDK 100 Drill Exercises #006: VPC Peering - Cross-Account Network Integration and DNS Resolution Automation TOMOAKI ishihara Wed, 31 Dec 2025 11:23:15 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-006-vpc-peering-cross-account-network-integration-and-dns-546 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-006-vpc-peering-cross-account-network-integration-and-dns-546 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" alt="Level 300" width="70" height="20"></a></p> <h2> Introduction </h2> <p>This is the 6th installment of "AWS CDK 100 Drill Exercises."</p> <p>For more information about AWS CDK 100 Drill Exercises, please refer to <a href="https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949">this article</a>.</p> <p>In this article, we will explore cross-account network integration using VPC Peering, a key feature that enables private communication between multiple VPCs and is a core technology in a multi-account strategy.</p> <h3> Why VPC Peering? </h3> <ol> <li>Multi-account strategy: Organizations are recommended to manage development, staging, and production environments in separate accounts</li> <li>Secure communication: Private communication between VPCs without going through the internet</li> <li>Cost efficiency: Simpler network configuration at lower cost compared to Transit Gateway</li> <li>CDK complexity: Learn CDK limitations and workarounds for cross-account resource references</li> <li>Practical necessity: Essential network configuration pattern in enterprise environments</li> </ol> <h3> What You'll Learn </h3> <ul> <li>VPC Peering connection implementation (same account &amp; cross-account)</li> <li>CDK cross-account stack reference limitations and solutions</li> <li>Value sharing using AWS Systems Manager Parameter Store</li> <li>Cross-account parameter reading via Custom Resources</li> <li>IAM Cross-Account Role design and implementation</li> <li>Automatic VPC Peering connection acceptance and route configuration</li> <li>Cross-account deployment best practices</li> </ul> <p>📁 Code Repository: All code examples for this exercise are available on <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/tree/main/infrastructure/cdk-workspaces/workspaces/vpc-peering" rel="noopener noreferrer">GitHub</a>.</p> <h2> Architecture Overview </h2> <p>What we will build:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1777pu4fy705jt9i7f8i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1777pu4fy705jt9i7f8i.png" alt="Architecture Overview" width="800" height="570"></a></p> <h3> Configuration Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Account A (111111111111): ├─ VPC A (10.0.0.0/16) │ └─ Test Instance (Private Subnet) ├─ VPC B (10.1.0.0/16) │ └─ Test Instance (Private Subnet) └─ VPC A ↔ VPC B Peering (same account) Account B (222222222222): └─ VPC C (10.2.0.0/16) └─ Test Instance (Private Isolated Subnet) Cross-account Peering: VPC B (Account A) ↔ VPC C (Account B) </code></pre> </div> <h3> Key Components </h3> <ol> <li> <p><strong>VpcAStack (Account A)</strong></p> <ul> <li>Create VPC A and VPC B</li> <li>VPC Peering connection within same account</li> <li>Save VPC B information to Parameter Store (readable by Account B)</li> </ul> </li> <li> <p><strong>VpcCStack (Account B)</strong></p> <ul> <li>Create VPC C</li> <li>Save VPC C information to Parameter Store (readable by Account A)</li> <li>Create ParameterStoreReadRole (for reading from Account A)</li> </ul> </li> <li> <p><strong>CrossAccountPeeringStack (Account A)</strong></p> <ul> <li>Retrieve VPC C information via Custom Resource</li> <li>Create Peering connection between VPC B and VPC C</li> <li>Save Peering connection ID to Parameter Store</li> <li>Create PeeringIdReadRole (for reading from Account B)</li> </ul> </li> <li> <p><strong>VpcCRoutesStack (Account B)</strong></p> <ul> <li>Retrieve Peering connection ID via Custom Resource</li> <li>Add routes to VPC B in VPC C's route tables</li> </ul> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjdhhi93m58vjohum57r7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjdhhi93m58vjohum57r7.png" alt="stack-overview" width="800" height="551"></a></p> <h2> Prerequisites </h2> <ul> <li>AWS CLI v2 installed and configured</li> <li>Node.js 20+</li> <li>AWS CDK CLI (<code>npm install -g aws-cdk</code>)</li> <li>Basic TypeScript knowledge</li> <li> <strong>Two AWS accounts</strong> (for development, production, etc.)</li> <li>AWS CLI profile configuration for each account</li> <li>Understanding of VPC basic concepts (refer to <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43">VPC Basics</a>)</li> </ul> <h3> Project Directory Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vpc-peering/ ├── bin/ │ └── vpc-peering.ts # Application entry point ├── lib/ │ ├── stacks/ │ │ ├── vpc-a-stack.ts # Step1. VPC A/B + same account peering │ │ ├── vpc-c-stack.ts # Step2. VPC C (Account B) │ │ ├── cross-account-peering-stack.ts # Step3. Cross-account peering │ │ └── vpc-c-routes-stack.ts # Step4. VPC C route configuration │ ├── stages/ │ │ └── vpc-peering-stage.ts # Deployment orchestration │ └── types/ │ └── vpc-peering-params.ts # Parameter type definitions ├── parameters/ │ └── environments.ts # Environment-specific parameters └── test/ ├── compliance/ │ └── cdk-nag.test.ts # CDK Nag compliance test ├── snapshot/ │ └── snapshot.test.ts # Snapshot test └── unit/ ├── vpc-a.test.ts # VPC Peering stack test ├── vpc-c.test.ts # VPC C stack test ├── vpc-c-routes-stack.test.ts # VPC C route configuration stack test └── cross-account-peering.test.ts # Cross-account peering test </code></pre> </div> <h2> Cross-Account Reference Challenges in CDK </h2> <p>This implementation requires cross-account value references. In this case, there are the following issues:</p> <h3> Problem: CloudFormation Runtime Limitations </h3> <p>When referencing cross-account resources in CDK, it cannot execute due to the following limitations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ This does not work</span> <span class="kd">const</span> <span class="nx">vpcCStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcCStack</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="nx">accountB</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">peeringStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CrossAccountPeeringStack</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Peering</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="nx">accountA</span> <span class="p">},</span> <span class="na">peerVpc</span><span class="p">:</span> <span class="nx">vpcCStack</span><span class="p">.</span><span class="nx">vpc</span> <span class="c1">// ❌ Cross-account reference not allowed</span> <span class="p">});</span> </code></pre> </div> <p><strong>Error message:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Stack "CrossAccountPeering" cannot consume a cross reference from stack "VpcC". Cross stack references are only supported for stacks deployed to the same environment </code></pre> </div> <h3> Why doesn't it work? </h3> <ol> <li> <p>CloudFormation Export/Import limitations</p> <ul> <li>CloudFormation Export/Import only works within the same account and same region</li> <li>Cannot directly reference stack outputs between different accounts</li> </ul> </li> <li> <p>How CDK stack references work</p> <ul> <li>CDK internally uses CloudFormation Export/Import</li> <li>This mechanism cannot be used for cross-account</li> </ul> </li> <li> <p>Evaluation timing during deployment</p> <ul> <li> <code>vpcCStack.vpc.vpcId</code> is evaluated at deployment time</li> <li>Cannot retrieve values from resources deployed in Account B during Account A deployment</li> </ul> </li> </ol> <h2> Solutions </h2> <p>To solve cross-account references, the following methods can be considered.<br> Ultimately, we adopted the second method.</p> <ul> <li>1. Static parameter passing via CDK Context or environment variable files</li> <li>2. Passing via Parameter Store and AWS Custom Resources</li> </ul> <h3> 1. Manual Parameter Passing via CDK Context or Environment Variable Files </h3> <p><strong>Implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Get parameter for VPC C ID created in Account B</span> <span class="kd">const</span> <span class="nx">vpcCId</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryGetContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">vpcCId</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">vpcCId</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">vpcCId not provided. Run: cdk deploy --context vpcCId=vpc-xxx</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Create VPC Peering</span> <span class="kd">const</span> <span class="nx">peering</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnVPCPeeringConnection</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Peering</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">localVpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">peerVpcId</span><span class="p">:</span> <span class="nx">vpcCId</span><span class="p">,</span> <span class="c1">// ✅ Works</span> <span class="na">peerOwnerId</span><span class="p">:</span> <span class="nx">accountB</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p><strong>Deployment procedure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Create VPC C in Account B</span> cdk deploy <span class="nt">--profile</span> account-b VpcC <span class="c"># 2. Manually retrieve VPC C ID</span> <span class="nv">VPC_C_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 describe-vpcs <span class="nt">--profile</span> account-b <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=tag:Name,Values=VpcC"</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Vpcs[0].VpcId'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="c"># 3. Create Peering in Account A (pass VPC ID)</span> cdk deploy <span class="nt">--profile</span> account-a <span class="nt">--context</span> <span class="nv">vpcCId</span><span class="o">=</span><span class="nv">$VPC_C_ID</span> CrossAccountPeering </code></pre> </div> <p><strong>Issues:</strong></p> <ul> <li>⚠️ Manual parameter retrieval required</li> <li>Difficult to automate in CI/CD pipelines</li> <li>Human error risk (copy &amp; paste mistakes, etc.)</li> <li>Lack of scalability (management becomes complex as parameters increase)</li> </ul> <h3> 2. Parameter Store and AWS Custom Resources </h3> <p><strong>Architecture:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Account B: ├─ VPC C ├─ SSM Parameter (/project/env/vpc-c/id) └─ ParameterStoreReadRole &lt;- Can be assumed by Account A Account A: ├─ Custom Resource │ ├─ assumeRole -&gt; Account B's ParameterStoreReadRole │ └─ getParameter -&gt; Retrieve VPC C ID └─ VPC Peering Connection (using retrieved VPC C ID) </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmq7prn79jkkj2ttd86tw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmq7prn79jkkj2ttd86tw.png" alt="stack-step3" width="800" height="551"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0xn2onpsusk448nqdt4h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0xn2onpsusk448nqdt4h.png" alt="stack-step4" width="800" height="551"></a></p> <p><strong>Implementation:</strong></p> <ol> <li>Account B: Create Parameter Store + Read Role </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// VpcCStack (Account B)</span> <span class="kd">const</span> <span class="nx">vpcCIdParam</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ssm</span><span class="p">.</span><span class="nc">StringParameter</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcIdParam</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">stringValue</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">parameterName</span><span class="p">:</span> <span class="s2">`/project/env/vpc-c/id`</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// IAM role for reading from Account A</span> <span class="kd">const</span> <span class="nx">readRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ParameterStoreReadRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">AccountPrincipal</span><span class="p">(</span><span class="nx">accountA</span><span class="p">),</span> <span class="na">roleName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">project-env-ParameterStoreReadRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">vpcCIdParam</span><span class="p">.</span><span class="nf">grantRead</span><span class="p">(</span><span class="nx">readRole</span><span class="p">);</span> </code></pre> </div> <ol> <li>Account A: Read parameter with Custom Resource </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// CrossAccountPeeringStack (Account A)</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cr</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/custom-resources</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">readRoleArn</span> <span class="o">=</span> <span class="s2">`arn:aws:iam::</span><span class="p">${</span><span class="nx">accountB</span><span class="p">}</span><span class="s2">:role/project-env-ParameterStoreReadRole`</span><span class="p">;</span> <span class="c1">// Read Parameter Store from other account with Custom Resource</span> <span class="kd">const</span> <span class="nx">getVpcCId</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cr</span><span class="p">.</span><span class="nc">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">GetVpcCId</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SSM</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">getParameter</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/project/env/vpc-c/id</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ap-northeast-1</span><span class="dl">'</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="dl">'</span><span class="s1">VpcCIdLookup</span><span class="dl">'</span><span class="p">),</span> <span class="na">assumedRoleArn</span><span class="p">:</span> <span class="nx">readRoleArn</span><span class="p">,</span> <span class="c1">// ✅ Assume Account B's Role</span> <span class="p">},</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nf">fromStatements</span><span class="p">([</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sts:AssumeRole</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">readRoleArn</span><span class="p">],</span> <span class="p">}),</span> <span class="p">]),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">vpcCId</span> <span class="o">=</span> <span class="nx">getVpcCId</span><span class="p">.</span><span class="nf">getResponseField</span><span class="p">(</span><span class="dl">'</span><span class="s1">Parameter.Value</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Create VPC Peering</span> <span class="kd">const</span> <span class="nx">peering</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnVPCPeeringConnection</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Peering</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">localVpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">peerVpcId</span><span class="p">:</span> <span class="nx">vpcCId</span><span class="p">,</span> <span class="c1">// ✅ Use automatically retrieved value</span> <span class="na">peerOwnerId</span><span class="p">:</span> <span class="nx">accountB</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Fully automated: No manual parameter retrieval required</li> <li>CI/CD ready: Can be integrated into pipelines</li> <li>Secure: Strict access control with IAM roles</li> <li>Scalable: Supports multiple parameters</li> <li>Error detection: Errors are automatically detected at deployment time</li> </ul> <p><strong>Drawbacks:</strong></p> <ul> <li>Lambda function is automatically created (slight cost increase)</li> <li>Implementation is somewhat complex</li> <li>Custom Resource lifecycle management required</li> </ul> <h2> VPC Peering Within Same Account </h2> <p>The implementation of VPC Peering within the same account is as follows.</p> <h3> VpcAStack Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/stacks/vpc-peering-stack.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">VpcAStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpcA</span><span class="p">:</span> <span class="nx">VpcConstruct</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpcB</span><span class="p">:</span> <span class="nx">VpcConstruct</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">VpcAStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Create VPC A</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcA</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcConstruct</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcA</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Specify parameters</span> <span class="p">});</span> <span class="c1">// Create VPC B</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcB</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcConstruct</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcB</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Specify parameters</span> <span class="p">});</span> <span class="c1">// VPC Peering connection</span> <span class="kd">const</span> <span class="nx">peering</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcPeering</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcABPeering</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcA</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">peerVpc</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcB</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> VPC Peering Construct </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// common/constructs/vpc/vpc-peering.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">VpcPeering</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpcPeeringConnection</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">CfnVPCPeeringConnection</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">localSecurityGroup</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">ISecurityGroup</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">peeringSecurityGroup</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">ISecurityGroup</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">VpcPeeringProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="c1">// CIDR overlap check</span> <span class="k">if </span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcCidrBlock</span> <span class="o">===</span> <span class="nx">props</span><span class="p">.</span><span class="nx">peerVpc</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`VPC CIDR blocks overlap`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Create VPC Peering connection</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcPeeringConnection</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnVPCPeeringConnection</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Connection</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">peerVpcId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">peerVpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Add routes (Local VPC -&gt; Peer VPC)</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">subnet</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnRoute</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`RouteToPeer</span><span class="p">${</span><span class="nx">index</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">routeTableId</span><span class="p">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">routeTable</span><span class="p">.</span><span class="nx">routeTableId</span><span class="p">,</span> <span class="na">destinationCidrBlock</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">peerVpc</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">,</span> <span class="na">vpcPeeringConnectionId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcPeeringConnection</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Add routes (Peer VPC -&gt; Local VPC)</span> <span class="nx">props</span><span class="p">.</span><span class="nx">peerVpc</span><span class="p">.</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">subnet</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnRoute</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`RouteToLocal</span><span class="p">${</span><span class="nx">index</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">routeTableId</span><span class="p">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">routeTable</span><span class="p">.</span><span class="nx">routeTableId</span><span class="p">,</span> <span class="na">destinationCidrBlock</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">,</span> <span class="na">vpcPeeringConnectionId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcPeeringConnection</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Security groups (allow mutual communication)</span> <span class="p">:</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Cross-Account VPC Peering </h2> <h3> Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Step 3. Deploy to Account A: CrossAccountPeeringStack ├─ Retrieve VPC C information via Custom Resource ├─ Create VPC B &lt;-&gt; VPC C Peering ├─ Save Peering ID to Parameter Store └─ Create PeeringIdReadRole </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmq7prn79jkkj2ttd86tw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmq7prn79jkkj2ttd86tw.png" alt="stack-step3" width="800" height="551"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Step 4. Deploy to Account B: VpcCRoutesStack ├─ Retrieve Peering ID via Custom Resource └─ Update VPC C route tables </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0xn2onpsusk448nqdt4h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0xn2onpsusk448nqdt4h.png" alt="stack-step4" width="800" height="551"></a></p> <h3> VpcCStack (Account B) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/stacks/vpc-c-stack.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">VpcCStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpcC</span><span class="p">:</span> <span class="nx">VpcConstruct</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">VpcCStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Create VPC C</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcC</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcConstruct</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Specify parameters</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountAId</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Save VPC C information to Parameter Store</span> <span class="kd">const</span> <span class="nx">vpcCIdParam</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ssm</span><span class="p">.</span><span class="nc">StringParameter</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcIdParam</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">stringValue</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpcC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">VPC C ID in Account B</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameterName</span><span class="p">:</span> <span class="s2">`/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">/vpc-c/id`</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">parameterReadRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ParameterStoreReadRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">AccountPrincipal</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountAId</span><span class="p">),</span> <span class="na">roleName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-ParameterStoreReadRole`</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="s2">`Role to allow Account </span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountAId</span><span class="p">}</span><span class="s2"> to read VPC C parameters from Parameter Store`</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Grant read access to VPC C parameters</span> <span class="nx">vpcCIdParam</span><span class="p">.</span><span class="nf">grantRead</span><span class="p">(</span><span class="nx">parameterReadRole</span><span class="p">);</span> <span class="c1">// Peering acceptance role</span> <span class="kd">const</span> <span class="nx">peeringRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcPeeringRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">AccountPrincipal</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountAId</span><span class="p">),</span> <span class="na">roleName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">peeringRoleName</span><span class="p">,</span> <span class="p">});</span> <span class="nx">peeringRole</span><span class="p">.</span><span class="nf">addToPolicy</span><span class="p">(</span><span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ec2:AcceptVpcPeeringConnection</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> CrossAccountPeeringStack (Account A) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/stacks/cross-account-peering-stack.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CrossAccountPeeringStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">peeringConnection</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">CfnVPCPeeringConnection</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CrossAccountPeeringStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Retrieve VPC C ID via Custom Resource</span> <span class="kd">const</span> <span class="nx">getVpcCId</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cr</span><span class="p">.</span><span class="nc">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">GetVpcCId</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SSM</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">getParameter</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">parameterName</span><span class="p">,</span> <span class="p">},</span> <span class="na">region</span><span class="p">:</span> <span class="nx">region</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="dl">'</span><span class="s1">VpcCIdLookup</span><span class="dl">'</span><span class="p">),</span> <span class="na">assumedRoleArn</span><span class="p">:</span> <span class="nx">parameterReadRoleArn</span><span class="p">,</span> <span class="p">},</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nf">fromStatements</span><span class="p">([</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sts:AssumeRole</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">parameterReadRoleArn</span><span class="p">],</span> <span class="p">}),</span> <span class="p">]),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">vpcCId</span> <span class="o">=</span> <span class="nx">getVpcCId</span><span class="p">.</span><span class="nf">getResponseField</span><span class="p">(</span><span class="dl">'</span><span class="s1">Parameter.Value</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Create VPC Peering</span> <span class="k">this</span><span class="p">.</span><span class="nx">peeringConnection</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnVPCPeeringConnection</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcBCPeering</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">requestorVpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">peerVpcId</span><span class="p">:</span> <span class="nx">vpcCId</span><span class="p">,</span> <span class="na">peerOwnerId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountBId</span><span class="p">,</span> <span class="na">peerRegion</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">regionB</span><span class="p">,</span> <span class="na">peerRoleArn</span><span class="p">:</span> <span class="s2">`arn:aws:iam::</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountBId</span><span class="p">}</span><span class="s2">:role/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">peeringRoleName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Save Peering ID to Parameter Store</span> <span class="kd">const</span> <span class="nx">peeringIdParam</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ssm</span><span class="p">.</span><span class="nc">StringParameter</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PeeringConnectionIdParam</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">stringValue</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">peeringConnectionId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">VPC Peering Connection ID for VPC B &lt;-&gt; VPC C</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameterName</span><span class="p">:</span> <span class="s2">`/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">/peering/vpc-b-vpc-c/id`</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">peeringIdReadRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PeeringIdReadRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">AccountPrincipal</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountBId</span><span class="p">),</span> <span class="na">roleName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-PeeringIdReadRole`</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="s2">`Role to allow Account </span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountBId</span><span class="p">}</span><span class="s2"> to read Peering Connection ID from Parameter Store`</span><span class="p">,</span> <span class="p">});</span> <span class="nx">peeringIdParam</span><span class="p">.</span><span class="nf">grantRead</span><span class="p">(</span><span class="nx">peeringIdReadRole</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> VpcCRoutesStack (Account B) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/stacks/vpc-c-routes-stack.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">VpcCRoutesStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">VpcCRoutesStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Account A role</span> <span class="kd">const</span> <span class="nx">parameterReadRoleArn</span> <span class="o">=</span> <span class="s2">`arn:aws:iam::</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">accountAId</span><span class="p">}</span><span class="s2">:role/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-PeeringIdReadRole`</span><span class="p">;</span> <span class="c1">// Retrieve Peering ID via Custom Resource</span> <span class="kd">const</span> <span class="nx">getPeeringConnectionId</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cr</span><span class="p">.</span><span class="nc">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">GetPeeringConnectionId</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SSM</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">getParameter</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">peeringIdParamName</span><span class="p">,</span> <span class="c1">// /${props.project}/${props.environment}/peering/vpc-b-vpc-c/id,</span> <span class="p">},</span> <span class="na">region</span><span class="p">:</span> <span class="nx">regionA</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="dl">'</span><span class="s1">PeeringConnectionIdLookup</span><span class="dl">'</span><span class="p">),</span> <span class="na">assumedRoleArn</span><span class="p">:</span> <span class="nx">parameterReadRoleArn</span><span class="p">,</span> <span class="p">},</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nf">fromStatements</span><span class="p">([</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sts:AssumeRole</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">parameterReadRoleArn</span><span class="p">],</span> <span class="p">}),</span> <span class="p">]),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">peeringConnectionId</span> <span class="o">=</span> <span class="nx">getPeeringConnectionId</span><span class="p">.</span><span class="nf">getResponseField</span><span class="p">(</span><span class="dl">'</span><span class="s1">Parameter.Value</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// target Subnet</span> <span class="c1">// private or isolated subnets</span> <span class="kd">const</span> <span class="nx">targetSubnets</span> <span class="o">=</span> <span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">privateSubnets</span> <span class="o">&amp;&amp;</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">?</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">privateSubnets</span> <span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">isolatedSubnets</span><span class="p">;</span> <span class="c1">// Add routes to VPC C private subnets pointing to VPC B</span> <span class="nx">targetSubnets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">subnet</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnRoute</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`VpcCToVpcBRoute</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">routeTableId</span><span class="p">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">routeTable</span><span class="p">.</span><span class="nx">routeTableId</span><span class="p">,</span> <span class="na">destinationCidrBlock</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcBCidr</span><span class="p">,</span> <span class="na">vpcPeeringConnectionId</span><span class="p">:</span> <span class="nx">peeringConnectionId</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> VPC Peering DNS Resolution Options Automation (Custom Resource Implementation Example) </h2> <h3> Why DNS Resolution Options are Needed </h3> <p>Just creating a VPC Peering connection doesn't enable resolution of private DNS names in the peer VPC. For example, if you want to access an EC2 instance in VPC B from VPC A using a private DNS name like <code>ip-10-1-0-10.ap-northeast-1.compute.internal</code>, you need to enable DNS resolution options.</p> <p>Normally, this option is configured manually from the console or set using AWS CLI as follows (documentation is <a href="https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-dns.html" rel="noopener noreferrer">here</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 modify-vpc-peering-connection-options <span class="se">\</span> <span class="nt">--vpc-peering-connection-id</span> pcx-xxxxx <span class="se">\</span> <span class="nt">--requester-peering-connection-options</span> <span class="nv">AllowDnsResolutionFromRemoteVpc</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--accepter-peering-connection-options</span> <span class="nv">AllowDnsResolutionFromRemoteVpc</span><span class="o">=</span><span class="nb">true</span> </code></pre> </div> <p>In this implementation, we automate this configuration using AWS CDK's <code>AwsCustomResource</code>.</p> <h3> For Same Account </h3> <p>For same account, specify both <code>RequesterPeeringConnectionOptions</code> and <code>AccepterPeeringConnectionOptions</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feea3hi93od0jyf6hfyev.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feea3hi93od0jyf6hfyev.jpg" alt="same-account" width="555" height="309"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="c1">// Enable DNS resolution over VPC Peering</span> <span class="kd">const</span> <span class="nx">onCreate</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">AwsSdkCall</span> <span class="o">=</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">EC2</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">modifyVpcPeeringConnectionOptions</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">VpcPeeringConnectionId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">peeringConnection</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">RequesterPeeringConnectionOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">AllowDnsResolutionFromRemoteVpc</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">AccepterPeeringConnectionOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">AllowDnsResolutionFromRemoteVpc</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">}</span> <span class="p">},</span> <span class="na">region</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="s2">`EnableVpcPeeringDnsResolution:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">peeringConnection</span><span class="p">.</span><span class="nx">ref</span><span class="p">}</span><span class="s2">`</span><span class="p">),</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">onUpdate</span> <span class="o">=</span> <span class="nx">onCreate</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">onDelete</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">AwsSdkCall</span> <span class="o">=</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">EC2</span><span class="dl">"</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">modifyVpcPeeringConnectionOptions</span><span class="dl">"</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">VpcPeeringConnectionId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">peeringConnection</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">RequesterPeeringConnectionOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">AllowDnsResolutionFromRemoteVpc</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="na">AccepterPeeringConnectionOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">AllowDnsResolutionFromRemoteVpc</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}</span> <span class="p">},</span> <span class="p">}</span> <span class="k">new</span> <span class="nx">cr</span><span class="p">.</span><span class="nc">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EnableVpcPeeringDnsResolution</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">onUpdate</span><span class="p">,</span> <span class="nx">onCreate</span><span class="p">,</span> <span class="nx">onDelete</span><span class="p">,</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nf">fromSdkCalls</span><span class="p">({</span><span class="na">resources</span><span class="p">:</span> <span class="nx">cr</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nx">ANY_RESOURCE</span><span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <h3> For Cross-Account </h3> <p>For cross-account VPC Peering, configure separately from Requester and Accepter side stacks.</p> <p>※Duplicate parts from the same account case are omitted.</p> <ol> <li>Requester side (Account A): CrossAccountPeeringStack</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft3dvbj727ljn9mwv8e79.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft3dvbj727ljn9mwv8e79.jpg" alt="requester-vpc" width="584" height="294"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="nl">VpcPeeringConnectionId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">peeringConnection</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="nx">RequesterPeeringConnectionOptions</span><span class="p">:</span> <span class="p">{</span> <span class="nl">AllowDnsResolutionFromRemoteVpc</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">},</span> </code></pre> </div> <ol> <li>Accepter side (Account B): VpcCRoutesStack</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcjv65avk0v8uomsw53j0.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcjv65avk0v8uomsw53j0.jpg" alt="accepter-vpc" width="529" height="234"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="nl">VpcPeeringConnectionId</span><span class="p">:</span> <span class="nx">peeringConnectionId</span><span class="p">,</span> <span class="nx">AccepterPeeringConnectionOptions</span><span class="p">:</span> <span class="p">{</span> <span class="nl">AllowDnsResolutionFromRemoteVpc</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">}</span> <span class="p">},</span> </code></pre> </div> <h2> Deployment and Cleanup </h2> <h3> 1. Environment Parameter Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// parameters/environments.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">params</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="nx">Environment</span><span class="p">,</span> <span class="nx">EnvParams</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="p">[</span><span class="nx">Environment</span><span class="p">.</span><span class="nx">DEVELOPMENT</span><span class="p">]:</span> <span class="p">{</span> <span class="na">accountAId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">111111111111</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Account A</span> <span class="na">accountBId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">222222222222</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Account B</span> <span class="na">regionA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ap-northeast-1</span><span class="dl">'</span><span class="p">,</span> <span class="na">regionB</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ap-northeast-1</span><span class="dl">'</span><span class="p">,</span> <span class="na">vpcAConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">createConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10.0.0.0/16</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">vpcBConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">createConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10.1.0.0/16</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">vpcCConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">createConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10.2.0.0/16</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <h3> 2. Bootstrap </h3> <h4> 1. Bootstrap Account A (pipeline account) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic bootstrap to host pipeline in Account A</span> npx cdk bootstrap <span class="se">\</span> <span class="nt">--profile</span> account-a-admin <span class="se">\</span> <span class="nt">--cloudformation-execution-policies</span> arn:aws:iam::aws:policy/AdministratorAccess <span class="se">\</span> aws://111111111111/ap-northeast-1 </code></pre> </div> <h4> 2. Bootstrap Account B (target account) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bootstrap Account B and trust Account A</span> npx cdk bootstrap <span class="se">\</span> <span class="nt">--profile</span> account-b-admin <span class="se">\</span> <span class="nt">--cloudformation-execution-policies</span> arn:aws:iam::aws:policy/AdministratorAccess <span class="se">\</span> <span class="nt">--trust</span> 111111111111 <span class="se">\</span> aws://222222222222/ap-northeast-1 </code></pre> </div> <p><strong>Important points:</strong></p> <ul> <li> <code>--trust 111111111111</code>: Allows Account A to deploy to Account B</li> <li>This configuration allows Account A's bootstrap role to AssumeRole to Account B's resources</li> </ul> <h4> How <code>--trust</code> option works </h4> <h5> 1. IAM Role Creation </h5> <p>When you bootstrap with the <code>--trust</code> option, the following IAM roles are created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::111111111111:root"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This trust policy allows Account A's principals to:</p> <ul> <li> <strong>CDKDeployRole</strong>: Deploy CloudFormation stacks</li> <li> <strong>CDKFilePublishingRole</strong>: Upload file assets to S3</li> <li> <strong>CDKImagePublishingRole</strong>: Push Docker images to ECR</li> </ul> <h3> 3. Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">CDK_CROSS_ACCOUNT_ID</span><span class="o">=</span>222222222222 npm run stage:deploy:all <span class="nt">-w</span> workspaces/vpc-peering <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h3> 4. Connection Verification </h3> <p>Example connection verification from VPC A. In the example below, we connect to EC2, but you can also use CloudShell.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ping from VPC A instance to VPC B instance</span> aws ssm start-session <span class="nt">--profile</span> account-a <span class="se">\</span> <span class="nt">--target</span> i-0xxxxxxxxxxxxx <span class="c"># VPC A Instance ID</span> <span class="c"># Connectivity check to VPC B</span> ping 10.1.x.x <span class="c"># VPC B Private IP</span> <span class="c"># Ping to VPC C (cross-account) -&gt; Cannot connect from VPC A</span> ping 10.2.x.x <span class="c"># VPC C Private IP</span> </code></pre> </div> <h3> 5. Cleanup </h3> <p>If you connected to VPC using CloudShell for connection verification, delete the CloudShell environment before cleanup. Stack deletion will fail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete all resources</span> <span class="nv">CDK_CROSS_ACCOUNT_ID</span><span class="o">=</span>222222222222 npm run stage:destroy:all <span class="nt">-w</span> workspaces/vpc-peering <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h2> Summary </h2> <p>This article explained the implementation of VPC Peering using AWS CDK, focusing on cross-account challenges and solutions.</p> <h3> What We Learned </h3> <ol> <li> <p>CDK cross-account limitations</p> <ul> <li>CloudFormation Export/Import only works within the same account</li> <li>Stack references do not work cross-account</li> </ul> </li> <li> <p>Implementation patterns</p> <ul> <li>Parameter Store: Store and share values</li> <li>IAM Cross-Account Role: Secure access control</li> <li>Custom Resource: Dynamic value retrieval at deployment time</li> </ul> </li> </ol> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html" rel="noopener noreferrer">AWS VPC Peering Guide</a></li> <li><a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources-readme.html" rel="noopener noreferrer">AWS CDK Custom Resources</a></li> <li><a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" rel="noopener noreferrer">AWS Systems Manager Parameter Store</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html" rel="noopener noreferrer">IAM Cross-Account Access</a></li> </ul> <p>Let's continue learning practical AWS CDK patterns through the 100 drill exercises!<br> If you found this helpful, please ⭐ the repository!</p> <p>📌 You can see the entire code in <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">My GitHub Repository</a>.</p> aws cdk 100drillexercises vpc AWS CDK 100 Drill Exercises #005: CDK Parameters —— Managing Parameters with TypeScript vs cdk.json TOMOAKI ishihara Fri, 26 Dec 2025 14:21:53 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-005-cdk-parameters-managing-parameters-with-typescript-vs-cdkjson-12b9 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-005-cdk-parameters-managing-parameters-with-typescript-vs-cdkjson-12b9 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkpovqovupuz0fqscdot.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkpovqovupuz0fqscdot.png" alt="Level 200" width="70" height="20"></a></p> <h2> Introduction </h2> <p>This is the fifth installment of "AWS CDK 100 Drill Exercises."</p> <p>For more information about AWS CDK 100 Drill Exercises, please refer to <a href="https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949">this article</a>.</p> <p>When developing CDK applications, you'll face the challenge of how to manage different configuration values for each environment. Small instances for development, large instances for production. One NAT Gateway for development, multiple across AZs for production. How should you manage these environment-specific configurations?</p> <p>In this exercise, we'll implement two main approaches for managing parameters in CDK and understand the pros and cons of each.</p> <h3> Why is Parameter Management Important? </h3> <ol> <li>Environment Isolation: Use different configurations for development, staging, and production</li> <li>Code Reusability: Reuse the same code with different configurations</li> <li>Configuration Visibility: Make it clear what values are being used</li> <li>Ease of Change: Change configurations without modifying code</li> <li>Type Safety: Leverage TypeScript's type system for safe configuration management</li> </ol> <h3> What You'll Learn </h3> <ul> <li>How to define parameters in TypeScript files (type-safety focused)</li> <li>How to define parameters in cdk.json (flexibility focused)</li> <li>Environment-specific parameter management and best practices</li> <li>Parameter validation at deployment time</li> <li>Pros and cons of each approach</li> <li>When to use which approach in production</li> </ul> <p>📁 Code Repository: All code examples for this exercise are available on <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/tree/main/infrastructure/cdk-workspaces/workspaces/cdk-parameters" rel="noopener noreferrer">GitHub</a>.</p> <h2> Architecture Overview </h2> <p>Here's what we'll build:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F746ecmphw6b83s4hofc1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F746ecmphw6b83s4hofc1.png" alt="Architecture Overview" width="800" height="617"></a></p> <p>We'll implement two parameter management approaches.</p> <h3> 1. TypeScript Parameters (CdkTSParametersStack) </h3> <ul> <li>Define parameters in TypeScript files</li> <li>Type safety and IDE support</li> <li>Separate parameter files for each environment</li> <li>Compile-time validation</li> </ul> <h3> 2. cdk.json Parameters (CdkJsonParametersStack) </h3> <ul> <li>Define parameters in the context section of cdk.json</li> <li>JSON-based flexible configuration</li> <li>Standard CDK approach</li> <li>Easy dynamic value retrieval</li> </ul> <p>Both approaches create the same VPC resources, but differ in how parameters are defined and type safety is ensured.</p> <h2> Prerequisites </h2> <p>To proceed with this exercise, you'll need:</p> <ul> <li>AWS CLI v2 installed and configured</li> <li>Node.js 20+</li> <li>AWS CDK CLI (<code>npm install -g aws-cdk</code>)</li> <li>Basic knowledge of TypeScript</li> <li>AWS Account (can be done within free tier)</li> <li>Basic understanding of VPC concepts (refer to <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43">Episode 3: VPC Basics</a>)</li> </ul> <h2> Project Directory Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cdk-parameters/ ├── bin/ │ └── cdk-parameters.ts # Application entry point ├── lib/ │ ├── stacks/ │ │ ├── cdk-ts-parameters-stack.ts # TypeScript parameters stack │ │ └── cdk-json-parameters-stack.ts # cdk.json parameters stack │ └── types/ │ ├── common.ts # Common type definitions │ ├── vpc.ts # VPC type definitions │ └── index.ts # Type definitions export ├── parameters/ │ ├── environments.ts # Environment definitions and parameter interfaces │ ├── dev-params.ts # Development environment parameters │ ├── stg-params.ts # Staging environment parameters │ ├── prd-params.ts # Production environment parameters │ └── index.ts # Parameter exports ├── test/ │ ├── compliance/ │ │ └── cdk-nag.test.ts # Compliance tests │ ├── snapshot/ │ │ └── snapshot.test.ts # Snapshot tests │ └── unit/ │ ├── cdk-ts-parameters-stack.test.ts # Unit tests │ └── cdk-json-parameters-stack.test.ts ├── cdk.json # CDK configuration and JSON parameters ├── package.json └── tsconfig.json </code></pre> </div> <h2> Pattern 1: Defining Parameters in TypeScript Files </h2> <h3> Creating Type Definitions </h3> <p>First, define the types for parameters. This enables IDE autocomplete and compile-time type checking.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/types/index.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kr">enum</span> <span class="nx">Environment</span> <span class="p">{</span> <span class="nx">DEVELOPMENT</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">,</span> <span class="nx">STAGING</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">stg</span><span class="dl">'</span><span class="p">,</span> <span class="nx">PRODUCTION</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">prd</span><span class="dl">'</span><span class="p">,</span> <span class="nx">TEST</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">SubnetConfig</span> <span class="p">{</span> <span class="nl">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">cidrMask</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">VpcCreateConfig</span> <span class="p">{</span> <span class="nl">vpcName</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">cidr</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">maxAzs</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">natCount</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">enableDnsHostnames</span><span class="p">?:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">enableDnsSupport</span><span class="p">?:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">subnets</span><span class="p">?:</span> <span class="nx">SubnetConfig</span><span class="p">[];</span> <span class="p">}</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">VpcConfig</span> <span class="p">{</span> <span class="nl">existingVpcId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">createConfig</span><span class="p">?:</span> <span class="nx">VpcCreateConfig</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key Points:</strong></p> <ul> <li>Detailed type definitions like <code>SubnetConfig</code> and <code>VpcCreateConfig</code> prevent configuration mistakes</li> <li>Using <code>enum</code> for environment names prevents typos</li> <li>Optional properties (<code>?</code>) allow for default value usage</li> </ul> <h3> Environment-Specific Parameter Files </h3> <p>Create parameter files for each environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// parameters/environments.ts</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">EnvParams</span> <span class="p">{</span> <span class="nl">accountId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">vpcConfig</span><span class="p">:</span> <span class="nx">VpcConfig</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">params</span><span class="p">:</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nb">Record</span><span class="o">&lt;</span><span class="nx">Environment</span><span class="p">,</span> <span class="nx">EnvParams</span><span class="o">&gt;&gt;</span> <span class="o">=</span> <span class="p">{};</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// parameters/dev-params.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">types</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lib/types</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">params</span><span class="p">,</span> <span class="nx">EnvParams</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">parameters/environments</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">devParams</span><span class="p">:</span> <span class="nx">EnvParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">accountId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">111122223333</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Development environment AWS Account ID</span> <span class="na">vpcConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">createConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">vpcName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DevVPC</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10.10.0.0/16</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="c1">// Only 2 AZs for development</span> <span class="na">natCount</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Only 1 NAT for cost savings</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Public</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Private</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> <span class="c1">// Register in global params object</span> <span class="nx">params</span><span class="p">[</span><span class="nx">types</span><span class="p">.</span><span class="nx">Environment</span><span class="p">.</span><span class="nx">DEVELOPMENT</span><span class="p">]</span> <span class="o">=</span> <span class="nx">devParams</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// parameters/prd-params.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">types</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lib/types</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">params</span><span class="p">,</span> <span class="nx">EnvParams</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">parameters/environments</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prdParams</span><span class="p">:</span> <span class="nx">EnvParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">accountId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">999988887777</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Production environment AWS Account ID</span> <span class="na">vpcConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">createConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">vpcName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PrdVPC</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10.0.0.0/16</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// 3 AZs for redundancy in production</span> <span class="na">natCount</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// NAT Gateway in each AZ</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Public</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Private</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> <span class="nx">params</span><span class="p">[</span><span class="nx">types</span><span class="p">.</span><span class="nx">Environment</span><span class="p">.</span><span class="nx">PRODUCTION</span><span class="p">]</span> <span class="o">=</span> <span class="nx">prdParams</span><span class="p">;</span> </code></pre> </div> <p><strong>Key Points:</strong></p> <ul> <li>Different configurations for development and production (number of AZs, NAT Gateways)</li> <li>Including account ID prevents deployment to wrong accounts</li> <li>Type safety detects configuration errors at compile time</li> </ul> <h3> Stack Using Parameters </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/stacks/cdk-parameters-stack.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">VpcConfig</span><span class="p">,</span> <span class="nx">Environment</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lib/types</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">pascalCase</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">change-case-commonjs</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">StackProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">project</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">environment</span><span class="p">:</span> <span class="nx">Environment</span><span class="p">;</span> <span class="nl">isAutoDeleteObject</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">vpcConfig</span><span class="p">:</span> <span class="nx">VpcConfig</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CdkTSParametersStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IVpc</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Reference existing VPC</span> <span class="k">if </span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">vpcConfig</span><span class="p">.</span><span class="nx">existingVpcId</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcConfig</span><span class="p">.</span><span class="nx">existingVpcId</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Create new VPC</span> <span class="k">if </span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">vpcConfig</span><span class="p">.</span><span class="nx">createConfig</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">createConfig</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcConfig</span><span class="p">.</span><span class="nx">createConfig</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">vpcNameSuffix</span> <span class="o">=</span> <span class="nx">createConfig</span><span class="p">.</span><span class="nx">vpcName</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">vpc</span><span class="dl">'</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nf">pascalCase</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">)}</span><span class="s2">/</span><span class="p">${</span><span class="nf">pascalCase</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">)}</span><span class="s2">/</span><span class="p">${</span><span class="nf">pascalCase</span><span class="p">(</span><span class="nx">vpcNameSuffix</span><span class="p">)}</span><span class="s2">`</span><span class="p">,</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span><span class="nx">createConfig</span><span class="p">.</span><span class="nx">cidr</span><span class="p">),</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="nx">createConfig</span><span class="p">.</span><span class="nx">maxAzs</span> <span class="o">||</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">availabilityZones</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="nx">createConfig</span><span class="p">.</span><span class="nx">natCount</span> <span class="o">||</span> <span class="mi">1</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="nx">createConfig</span><span class="p">.</span><span class="nx">subnets</span> <span class="o">||</span> <span class="p">[</span> <span class="c1">// Default subnet configuration</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Public</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Private</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="nx">createConfig</span><span class="p">.</span><span class="nx">enableDnsHostnames</span> <span class="o">??</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="nx">createConfig</span><span class="p">.</span><span class="nx">enableDnsSupport</span> <span class="o">??</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">VPC configuration is required to create the VPC.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key Points:</strong></p> <ul> <li>Type-safe parameter passing through <code>VpcConfig</code> interface</li> <li>Supports both existing VPC reference and new creation</li> <li>Default values allow operation with minimal parameters</li> </ul> <h3> Entry Point and Deployment Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// bin/cdk-parameters.ts</span><span class="cp"> #!/usr/bin/env node </span><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">pascalCase</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">change-case-commonjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">parameters/environments</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CdkParametersStage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lib/stages/cdk-parameters-stage</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lib/types/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">validateDeployment</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@common/helpers/validate-deployment</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="dl">'</span><span class="s1">parameters</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">pjName</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="nx">app</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryGetContext</span><span class="p">(</span><span class="dl">"</span><span class="s2">project</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">envName</span><span class="p">:</span> <span class="nx">Environment</span> <span class="o">=</span> <span class="nx">app</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryGetContext</span><span class="p">(</span><span class="dl">"</span><span class="s2">env</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="nx">Environment</span><span class="p">.</span><span class="nx">DEVELOPMENT</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">defaultEnv</span> <span class="o">=</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_ACCOUNT</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_REGION</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// Check for parameter existence</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">params</span><span class="p">[</span><span class="nx">envName</span><span class="p">])</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`No parameters found for environment: </span><span class="p">${</span><span class="nx">envName</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Pre-deployment validation</span> <span class="nf">validateDeployment</span><span class="p">(</span><span class="nx">pjName</span><span class="p">,</span> <span class="nx">envName</span><span class="p">,</span> <span class="nx">params</span><span class="p">[</span><span class="nx">envName</span><span class="p">].</span><span class="nx">accountId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isAutoDeleteObject</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isTerminationProtection</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="k">new</span> <span class="nc">CdkParametersStage</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nf">pascalCase</span><span class="p">(</span><span class="nx">envName</span><span class="p">)}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">project</span><span class="p">:</span> <span class="nx">pjName</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">envName</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="nx">defaultEnv</span><span class="p">,</span> <span class="na">terminationProtection</span><span class="p">:</span> <span class="nx">isTerminationProtection</span><span class="p">,</span> <span class="na">isAutoDeleteObject</span><span class="p">:</span> <span class="nx">isAutoDeleteObject</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="nx">params</span><span class="p">[</span><span class="nx">envName</span><span class="p">],</span> <span class="p">});</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">"</span><span class="s2">Project</span><span class="dl">"</span><span class="p">,</span> <span class="nx">pjName</span><span class="p">);</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">"</span><span class="s2">Environment</span><span class="dl">"</span><span class="p">,</span> <span class="nx">envName</span><span class="p">);</span> </code></pre> </div> <p><strong>Deployment Validation Implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// common/helpers/validate-deployment.ts</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">validateDeployment</span><span class="p">(</span> <span class="nx">pjName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">envName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">accountId</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Project Name: </span><span class="p">${</span><span class="nx">pjName</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Environment Name: </span><span class="p">${</span><span class="nx">envName</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Account ID validation</span> <span class="k">if </span><span class="p">(</span><span class="nx">accountId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isSameAccount</span> <span class="o">=</span> <span class="nx">accountId</span> <span class="o">===</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_ACCOUNT</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isSameAccount</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">warningBox</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">''</span><span class="p">,</span> <span class="dl">'</span><span class="s1">╭────────────────────────────────────────────────────────────╮</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ ❌ ACCOUNT MISMATCH WARNING │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ The provided account ID does not match the current │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ CDK account. │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ │</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`│ Expected: </span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2"> │`</span><span class="p">,</span> <span class="s2">`│ Current: </span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_ACCOUNT</span><span class="p">}</span><span class="s2"> │`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">╰────────────────────────────────────────────────────────────╯</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">warningBox</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Account ID mismatch. Deployment aborted.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Production environment deployment confirmation</span> <span class="k">if </span><span class="p">(</span><span class="nx">envName</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">prd</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cautionBox</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">''</span><span class="p">,</span> <span class="dl">'</span><span class="s1">╭────────────────────────────────────────────────────────────╮</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ 🚨 PRODUCTION DEPLOYMENT │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ This is a production release. │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ Please review carefully before proceeding. │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">│ │</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">╰────────────────────────────────────────────────────────────╯</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cautionBox</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">readlineSync</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">readline-sync</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">answer</span> <span class="o">=</span> <span class="nx">readlineSync</span><span class="p">.</span><span class="nf">question</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Are you sure you want to proceed? (yes/no): </span><span class="dl">'</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">answer</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">yes</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Deployment aborted by user.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">✓ Proceeding with deployment...</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lvg3cx102j3olvdbrqz.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3lvg3cx102j3olvdbrqz.jpg" alt="check-accountid" width="458" height="179"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhcerbw4cyetjccln39i6.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhcerbw4cyetjccln39i6.jpg" alt="check-production" width="516" height="158"></a></p> <p><strong>Key Points:</strong></p> <ul> <li>Account ID validation prevents deployment to wrong accounts</li> <li>Requires user confirmation before production deployment</li> <li>Visually clear box display</li> <li>In the actual implementation, ANSI color codes are used to customize the display (red for errors, yellow for warnings, green for success messages) for better visibility in the terminal</li> </ul> <h3> Deployment Method </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy to development environment</span> npm run stage:deploy:all <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Deploy to production environment (with confirmation prompt)</span> npm run stage:deploy:all <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>prd </code></pre> </div> <h3> Pros and Cons of TypeScript Approach </h3> <p><strong>Pros:</strong></p> <ul> <li>Type Safety: Detect configuration errors at compile time</li> <li>IDE Support: Autocomplete and refactoring</li> <li>Complex Logic: Easy parameter calculation and conditional branching</li> <li>Reusability: Share common type definitions across multiple stacks</li> <li>Version Control: Track parameter changes with Git</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>Recompilation on Changes: Build required every time parameters change</li> <li>Initial Setup: Type definitions and file structure preparation needed</li> <li>Learning Cost: TypeScript knowledge required</li> </ul> <h2> Pattern 2: Defining Parameters in cdk.json </h2> <h3> Parameter Definition in cdk.json </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">cdk.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"app"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx ts-node --prefer-ts-exts bin/cdk-parameters.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dev"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vpcConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"createConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vpcName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DevVPC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.100.0.0/16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxAzs"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"natCount"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"enableDnsHostnames"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"enableDnsSupport"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"subnets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"subnetType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PUBLIC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Public"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidrMask"</span><span class="p">:</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"subnetType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PRIVATE_WITH_NAT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Private"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidrMask"</span><span class="p">:</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"stg"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vpcConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"createConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vpcName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"StgVPC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.101.0.0/16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxAzs"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"natCount"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"prd"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vpcConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"createConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vpcName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PrdVPC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.0.0.0/16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxAzs"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"natCount"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Key Points:</strong></p> <ul> <li>Define environment-specific parameters in JSON</li> <li>Use CDK's standard <code>context</code> section</li> <li>Configuration changes possible without recompilation</li> </ul> <h3> Stack Using cdk.json Parameters </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/stacks/cdk-json-parameters-stack.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lib/types</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">pascalCase</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">change-case-commonjs</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">StackProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">project</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">environment</span><span class="p">:</span> <span class="nx">Environment</span><span class="p">;</span> <span class="nl">isAutoDeleteObject</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CdkJsonParametersStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IVpc</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Get parameters from cdk.json</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryGetContext</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="o">||</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">vpcConfig</span> <span class="o">=</span> <span class="nx">params</span><span class="p">[</span><span class="dl">'</span><span class="s1">vpcConfig</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="p">{};</span> <span class="c1">// Reference existing VPC</span> <span class="k">if </span><span class="p">(</span><span class="nx">vpcConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">existingVpcId</span><span class="dl">'</span><span class="p">])</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">VPC</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">vpcConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">existingVpcId</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Check for createConfig existence</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">vpcConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">createConfig</span><span class="dl">'</span><span class="p">])</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">'</span><span class="s1">VPC createConfig is required in JSON parameters to create the VPC.</span><span class="dl">'</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">createConfig</span> <span class="o">=</span> <span class="nx">vpcConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">createConfig</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// Subnet configuration mapping</span> <span class="kd">const</span> <span class="nx">subnets</span> <span class="o">=</span> <span class="nx">createConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">subnets</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="p">[</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PUBLIC</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Public</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PRIVATE_WITH_NAT</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Private</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="p">}</span> <span class="p">];</span> <span class="c1">// Create VPC</span> <span class="kd">const</span> <span class="nx">vpcNameSuffix</span> <span class="o">=</span> <span class="nx">createConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">vpcName</span><span class="dl">'</span><span class="p">]</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">vpc</span><span class="dl">'</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">VPC</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nf">pascalCase</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">)}</span><span class="s2">/</span><span class="p">${</span><span class="nf">pascalCase</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">)}</span><span class="s2">/</span><span class="p">${</span><span class="nf">pascalCase</span><span class="p">(</span><span class="nx">vpcNameSuffix</span><span class="p">)}</span><span class="s2">`</span><span class="p">,</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span> <span class="nx">createConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">cidr</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">10.1.0.0/16</span><span class="dl">'</span> <span class="p">),</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="nx">createConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">maxAzs</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="mi">3</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="nx">createConfig</span><span class="p">[</span><span class="dl">'</span><span class="s1">natCount</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="mi">1</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="nx">subnets</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="na">subnet</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Convert string subnetType to ec2.SubnetType</span> <span class="k">if </span><span class="p">(</span><span class="nx">subnet</span><span class="p">[</span><span class="dl">'</span><span class="s1">subnetType</span><span class="dl">'</span><span class="p">]</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">PUBLIC</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">subnet</span><span class="p">[</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Public</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="nx">subnet</span><span class="p">[</span><span class="dl">'</span><span class="s1">cidrMask</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="mi">24</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">subnet</span><span class="p">[</span><span class="dl">'</span><span class="s1">subnetType</span><span class="dl">'</span><span class="p">]</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">PRIVATE_WITH_NAT</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">subnet</span><span class="p">[</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Private</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="nx">subnet</span><span class="p">[</span><span class="dl">'</span><span class="s1">cidrMask</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="mi">24</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}).</span><span class="nf">filter</span><span class="p">((</span><span class="na">config</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">config</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">),</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key Points:</strong></p> <ul> <li>Retrieve values from cdk.json using <code>this.node.tryGetContext()</code> </li> <li>Convert string-type parameters to TypeScript types</li> <li>Default values allow operation with minimal parameters</li> <li>Type checking performed at runtime</li> </ul> <h3> Pros and Cons of cdk.json Approach </h3> <p><strong>Pros:</strong></p> <ul> <li>No Recompilation: Deploy immediately after parameter changes</li> <li>CDK Standard: Standard CDK approach</li> <li>External Tool Integration: Easy to read with JSON parsers</li> <li>Low Learning Cost: Only JSON knowledge required</li> <li>Dynamic Values: Retrieve and calculate values at runtime</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>No Type Safety: Cannot detect configuration errors until runtime</li> <li>Limited IDE Support: No autocomplete or refactoring</li> <li>Complex Logic: Difficult to perform calculations or conditional branching</li> <li>Error Handling: Runtime error handling required</li> </ul> <h2> Which Approach Should You Choose? </h2> <h3> Approach Comparison Table </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>TypeScript Approach</th> <th>cdk.json Approach</th> </tr> </thead> <tbody> <tr> <td><strong>Type Safety</strong></td> <td>✅ Compile-time type checking</td> <td>❌ Cannot detect until runtime</td> </tr> <tr> <td><strong>IDE Support</strong></td> <td>✅ Autocomplete and refactoring</td> <td>⚠️ Limited</td> </tr> <tr> <td><strong>Ease of Change</strong></td> <td>⚠️ Recompilation required</td> <td>✅ No recompilation needed</td> </tr> <tr> <td><strong>Complex Logic</strong></td> <td>✅ Easy calculation and conditional branching</td> <td>❌ Difficult</td> </tr> <tr> <td><strong>External Tool Integration</strong></td> <td>⚠️ Build required</td> <td>✅ Easy with JSON parser</td> </tr> <tr> <td><strong>Learning Cost</strong></td> <td>⚠️ TypeScript knowledge required</td> <td>✅ JSON only</td> </tr> <tr> <td><strong>Initial Setup</strong></td> <td>⚠️ Type definitions and file structure needed</td> <td>✅ Simple</td> </tr> <tr> <td><strong>Version Control</strong></td> <td>Change history is clear</td> <td>Change history is clear</td> </tr> <tr> <td><strong>Error Detection</strong></td> <td>✅ Compile-time</td> <td>❌ Runtime</td> </tr> <tr> <td><strong>CDK Standard</strong></td> <td>⚠️ Custom approach</td> <td>✅ CDK standard</td> </tr> </tbody> </table></div> <h3> Recommended Use Cases </h3> <h4> TypeScript Approach Recommended </h4> <ul> <li>Large projects (many parameters and complex configurations)</li> <li>When type safety is important</li> <li>Team development (IDE support improves development efficiency)</li> <li>Complex logic (parameter calculations and conditional branching)</li> <li>Long-term operation (maintainability and readability focused)</li> </ul> <h4> cdk.json Approach Recommended </h4> <ul> <li>Small projects (simple configurations)</li> <li>When rapid changes are needed</li> <li>CDK beginners (limited TypeScript knowledge)</li> <li>CI/CD integration (configuration changes from external tools)</li> <li>Prototyping (rapid experimentation and validation)</li> </ul> <h3> Hybrid Approach </h3> <p>In production, combining both approaches can be effective.</p> <ul> <li>Basic Configuration: Managed in cdk.json (environment name, region, etc.)</li> <li>Complex Configuration: Managed in TypeScript (VPC configuration, security groups, etc.)</li> <li>Sensitive Information: Retrieved from AWS Secrets Manager</li> </ul> <h2> Test Implementation </h2> <p>The same test patterns can be applied to both approaches.</p> <h3> Unit Tests </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// test/unit/cdk-parameters-stack.test.ts</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">CdkTSParametersStack Fine-grained Assertions</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="na">stackTemplate</span><span class="p">:</span> <span class="nx">Template</span><span class="p">;</span> <span class="nf">beforeAll</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">stack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CdkTSParametersStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CdkParameters</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">project</span><span class="p">:</span> <span class="dl">"</span><span class="s2">TestProject</span><span class="dl">"</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">Environment</span><span class="p">.</span><span class="nx">TEST</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="dl">'</span><span class="s1">123456789012</span><span class="dl">'</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ap-northeast-1</span><span class="dl">'</span> <span class="p">},</span> <span class="na">isAutoDeleteObject</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">terminationProtection</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">vpcConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">createConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">vpcName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">TestVPC</span><span class="dl">"</span><span class="p">,</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">"</span><span class="s2">10.1.0.0/16</span><span class="dl">"</span><span class="p">,</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">natCount</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Public</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span> <span class="p">},</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Private</span><span class="dl">'</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">stackTemplate</span> <span class="o">=</span> <span class="nx">Template</span><span class="p">.</span><span class="nf">fromStack</span><span class="p">(</span><span class="nx">stack</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">should create 1 VPC</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">stackTemplate</span><span class="p">.</span><span class="nf">resourceCountIs</span><span class="p">(</span><span class="dl">"</span><span class="s2">AWS::EC2::VPC</span><span class="dl">"</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">VPC should have correct CIDR block</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">stackTemplate</span><span class="p">.</span><span class="nf">hasResourceProperties</span><span class="p">(</span><span class="dl">"</span><span class="s2">AWS::EC2::VPC</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">CidrBlock</span><span class="p">:</span> <span class="dl">"</span><span class="s2">10.1.0.0/16</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> Snapshot Tests </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// test/snapshot/snapshot.test.ts</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Stack Snapshot Tests</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">({</span> <span class="na">context</span><span class="p">:</span> <span class="nx">testContext</span> <span class="p">});</span> <span class="c1">// Create all stacks first</span> <span class="kd">const</span> <span class="nx">stack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CdkTSParametersStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CdkParameters</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">project</span><span class="p">:</span> <span class="nx">projectName</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">envName</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="nx">defaultEnv</span><span class="p">,</span> <span class="na">isAutoDeleteObject</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">terminationProtection</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">vpcConfig</span><span class="p">:</span> <span class="nx">envParams</span><span class="p">.</span><span class="nx">vpcConfig</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">jsonParameterStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CdkJsonParametersStack</span><span class="p">(</span> <span class="nx">app</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CdkJsonParameters</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">project</span><span class="p">:</span> <span class="nx">projectName</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">envName</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="nx">defaultEnv</span><span class="p">,</span> <span class="na">isAutoDeleteObject</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">terminationProtection</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Get templates after all stacks are created</span> <span class="kd">const</span> <span class="nx">stackTemplate</span> <span class="o">=</span> <span class="nx">Template</span><span class="p">.</span><span class="nf">fromStack</span><span class="p">(</span><span class="nx">stack</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jsonParameterStackTemplate</span> <span class="o">=</span> <span class="nx">Template</span><span class="p">.</span><span class="nf">fromStack</span><span class="p">(</span><span class="nx">jsonParameterStack</span><span class="p">);</span> <span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Complete CloudFormation template snapshot</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">stackTemplate</span><span class="p">.</span><span class="nf">toJSON</span><span class="p">()).</span><span class="nf">toMatchSnapshot</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">jsonParameterStackTemplate</span><span class="p">.</span><span class="nf">toJSON</span><span class="p">()).</span><span class="nf">toMatchSnapshot</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Key Points:</strong></p> <ul> <li>Create all stacks before calling <code>Template.fromStack()</code> </li> <li>Use same test patterns for both approaches</li> <li>Snapshot tests detect unintended changes</li> </ul> <h2> Deployment and Cleanup </h2> <h3> Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy TypeScript parameters version</span> npm run stage:deploy:all <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Deploy cdk.json parameters version</span> npm run stage:deploy:all <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h3> Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete all resources</span> npm run stage:destroy:all <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h2> Summary </h2> <p>In this exercise, we learned two major approaches for managing parameters in CDK.</p> <h3> What We Learned </h3> <ol> <li>TypeScript Approach: Development efficiency through type safety and IDE support</li> <li>cdk.json Approach: Flexibility and rapid changes</li> <li>Deployment Validation: Account ID checking and production environment confirmation</li> <li>Test Strategy: Test patterns applicable to both approaches</li> <li>Best Practices: Choosing based on project size</li> </ol> <h3> Best Practices </h3> <ol> <li>Leverage Type Definitions: Make full use of TypeScript's type system</li> <li>Default Values: Set default values for non-required parameters</li> <li>Implement Validation: Implement parameter validation before deployment</li> <li>Documentation: Clearly document parameter meanings and constraints</li> <li>Testing: Implement tests for parameter changes</li> </ol> <h2> Reference Resources </h2> <ul> <li><a href="https://docs.aws.amazon.com/cdk/v2/guide/context.html" rel="noopener noreferrer">AWS CDK Documentation - Context Values</a></li> <li><a href="https://docs.aws.amazon.com/cdk/v2/guide/best-practices.html" rel="noopener noreferrer">AWS CDK Best Practices</a></li> <li><a href="https://www.typescriptlang.org/docs/handbook/intro.html" rel="noopener noreferrer">TypeScript Handbook</a></li> </ul> <p>Let's continue learning practical AWS CDK patterns through the 100 drill exercises!<br> If you found this helpful, please ⭐ the repository!</p> <p>📌 You can see the entire code in <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">My GitHub Repository</a>.</p> aws cdk 100drillexercises AWS CDK 100 Drill Exercises #004: NAT Instance V2 — Cost-Effective NAT with Automated Scheduling and Patch Management TOMOAKI ishihara Wed, 24 Dec 2025 15:24:21 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-004-nat-instance-v2-cost-effective-nat-with-automated-scheduling-49li https://dev.to/aws-builders/aws-cdk-100-drill-exercises-004-nat-instance-v2-cost-effective-nat-with-automated-scheduling-49li <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" alt="Level 300" width="70" height="20"></a></p> <h2> Introduction </h2> <p>This is the fourth installment of "AWS CDK 100 Drill Exercises."</p> <p>For more information about AWS CDK 100 Drill Exercises, please refer to <a href="https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949">this article</a>.</p> <p>In <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43">the previous article</a>, we learned VPC basics and introduced a method to reduce NAT Gateways to a single instance for cost optimization in development environments. This time, we'll explain how to replace NAT Gateway with an EC2-based NAT instance for even greater cost savings.</p> <h3> Why NAT Instance? </h3> <p>Development and test environments often don't need to run 24/7. However, NAT Gateway uses a pay-as-you-go pricing model, incurring charges even during idle hours.</p> <p>Cost Comparison (Tokyo Region):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Monthly Cost</th> <th>Annual Cost</th> <th>Features</th> </tr> </thead> <tbody> <tr> <td>NAT Gateway (1 instance)</td> <td>~$44.64</td> <td>~$535.68</td> <td>24/7 operation, data transfer charges separate</td> </tr> <tr> <td>NAT Instance (t4g.nano)</td> <td>~$4.66</td> <td>~$55.92</td> <td>Schedulable start/stop</td> </tr> <tr> <td>Savings Rate</td> <td>90.8% reduction</td> <td>90.8% reduction</td> <td>-</td> </tr> </tbody> </table></div> <p>Furthermore, when operating only during business hours (weekdays 9:00-18:00):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Monthly Cost</th> <th>Annual Cost</th> <th>Features</th> </tr> </thead> <tbody> <tr> <td>NAT Instance (business hours only)</td> <td>~$1.84</td> <td>~$22.08</td> <td>9 hours on weekdays only</td> </tr> <tr> <td>Savings Rate</td> <td>96.4% reduction</td> <td>96.4% reduction</td> <td>-</td> </tr> </tbody> </table></div> <p>💡 In development environments, you can save over $587.97 annually!</p> <h3> What You'll Learn </h3> <ul> <li>NAT Instance v2 implementation method</li> <li>Automated start/stop scheduling with EventBridge</li> <li>Static Elastic IP assignment to NAT Instance</li> <li>Monitoring NAT Instance state changes and SNS notifications</li> <li>Automated patch application using Systems Manager Patch Manager</li> <li>Maintenance window configuration and operations</li> <li>Trade-offs between NAT Gateway and NAT Instance</li> </ul> <p>📁 Code Repository: All code examples for this exercise are available on <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/tree/main/infrastructure/cdk-workspaces/workspaces/vpc-natinstance-v2" rel="noopener noreferrer">GitHub</a>.</p> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8i22f5s1jqctcj4qkzdb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8i22f5s1jqctcj4qkzdb.png" alt="Architecture Overview" width="800" height="573"></a></p> <p>The basic VPC configuration is the same as <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43">vpc-basics</a>, with the following differences.</p> <h3> Key Changes </h3> <ol> <li>NAT Gateway → NAT Instance: Changed from managed NAT service to EC2-based NAT instance</li> <li>EventBridge Schedule: Automated start/stop schedule configuration</li> <li>Elastic IP Assignment: Assigned static IP address to NAT Instance</li> <li>SNS Notification: Monitoring NAT Instance state changes</li> <li>Patch Manager: Automated patch application via Systems Manager</li> </ol> <h2> Prerequisites </h2> <p>In addition to the prerequisites of <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43">vpc-basics</a>, the following are required:</p> <ul> <li>Basic understanding of EventBridge and SNS</li> <li>Knowledge of EC2 instance types</li> </ul> <h2> NAT Instance v2 Implementation </h2> <h3> 1. Creating NAT Provider </h3> <p>In CDK v2, you can easily create a NAT instance using <code>NatProvider.instanceV2()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Creating NAT Instance Provider</span> <span class="kd">const</span> <span class="nx">natProvider</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">NatProvider</span><span class="p">.</span><span class="nf">instanceV2</span><span class="p">({</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T4G</span><span class="p">,</span> <span class="c1">// ARM-based Graviton2</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">NANO</span> <span class="c1">// Smallest size for cost optimization</span> <span class="p">),</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">latestAmazonLinux2023</span><span class="p">({</span> <span class="na">edition</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">AmazonLinuxEdition</span><span class="p">.</span><span class="nx">STANDARD</span><span class="p">,</span> <span class="na">cpuType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">AmazonLinuxCpuType</span><span class="p">.</span><span class="nx">ARM_64</span><span class="p">,</span> <span class="c1">// For Graviton2</span> <span class="p">}),</span> <span class="na">defaultAllowedTraffic</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">NatTrafficDirection</span><span class="p">.</span><span class="nx">OUTBOUND_ONLY</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Applying NAT Provider to VPC</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcNatInstanceV2</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">vpcName</span><span class="p">,</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span><span class="dl">'</span><span class="s1">10.1.0.0/16</span><span class="dl">'</span><span class="p">),</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// One per AZ</span> <span class="na">natGatewayProvider</span><span class="p">:</span> <span class="nx">natProvider</span><span class="p">,</span> <span class="c1">// Using NAT Instance</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// Subnet configuration same as before</span> <span class="c1">// ...</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h4> Why t4g.nano? </h4> <p>※ Tokyo Region pricing</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Instance Type</th> <th>vCPU</th> <th>Memory</th> <th>Price/hour (Tokyo)</th> <th>Monthly</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td>t4g.nano</td> <td>2</td> <td>0.5 GB</td> <td>$0.0054</td> <td>~$3.94</td> <td>Small traffic for development environments</td> </tr> <tr> <td>t4g.micro</td> <td>2</td> <td>1 GB</td> <td>$0.0108</td> <td>~$7.88</td> <td>Medium traffic</td> </tr> <tr> <td>t3.nano</td> <td>2</td> <td>0.5 GB</td> <td>$0.0068</td> <td>~$4.96</td> <td>When x86 is required</td> </tr> </tbody> </table></div> <p>💡 Benefits of Graviton2 (ARM):</p> <ul> <li>Approximately 20% cheaper than equivalent x86 instances</li> <li>Superior cost-performance ratio</li> <li>Fully supported by Amazon Linux 2023</li> </ul> <h3> 2. Allowing Traffic from VPC to NAT Instance </h3> <p>NAT Instance needs to accept all traffic from within the VPC.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Allow all traffic from VPC CIDR</span> <span class="p">(</span><span class="nx">natProvider</span> <span class="k">as</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">NatInstanceProviderV2</span><span class="p">).</span><span class="nx">connections</span><span class="p">.</span><span class="nf">allowFrom</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">ipv4</span><span class="p">(</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">allTraffic</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">Allow all traffic from VPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">);</span> </code></pre> </div> <p>This allows resources in private subnets to access the internet via NAT Instance.</p> <h2> Automated Start/Stop with EventBridge </h2> <p>You can further reduce costs by stopping NAT Instance outside business hours.</p> <h3> 1. Creating IAM Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">natInstanceScheduleRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceScheduleRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">roleName</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceSchedule</span><span class="dl">'</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">),</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">events.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span> <span class="dl">'</span><span class="s1">service-role/AmazonSSMAutomationRole</span><span class="dl">'</span> <span class="p">),</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h3> 2. Creating Schedule Rules </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">events</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-events</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">region</span><span class="p">;</span> <span class="c1">// Schedule configuration (UTC time)</span> <span class="kd">const</span> <span class="nx">startCronSchedule</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">cron(0 0 ? * * *)</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// 00:00 UTC (JST 09:00)</span> <span class="kd">const</span> <span class="nx">stopCronSchedule</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">cron(0 9 ? * * *)</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// 09:00 UTC (JST 18:00)</span> <span class="kd">const</span> <span class="nx">natInstanceIds</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="nx">natProvider</span><span class="p">.</span><span class="nx">configuredGateways</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">nat</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">natInstanceIds</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">);</span> <span class="c1">// Start schedule</span> <span class="k">new</span> <span class="nx">events</span><span class="p">.</span><span class="nc">CfnRule</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`EC2StartRule</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NATStartRule</span><span class="dl">'</span><span class="p">,</span> <span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">),</span> <span class="na">description</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">startCronSchedule</span><span class="p">}</span><span class="s2"> Start`</span><span class="p">,</span> <span class="na">scheduleExpression</span><span class="p">:</span> <span class="nx">startCronSchedule</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[{</span> <span class="na">arn</span><span class="p">:</span> <span class="s2">`arn:aws:ssm:</span><span class="p">${</span><span class="nx">region</span><span class="p">}</span><span class="s2">::automation-definition/AWS-StartEC2Instance:$DEFAULT`</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TargetEC2Instance1</span><span class="dl">'</span><span class="p">,</span> <span class="na">input</span><span class="p">:</span> <span class="s2">`{"InstanceId": ["</span><span class="p">${</span><span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">}</span><span class="s2">"]}`</span><span class="p">,</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">natInstanceScheduleRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="p">}],</span> <span class="p">});</span> <span class="c1">// Stop schedule</span> <span class="k">new</span> <span class="nx">events</span><span class="p">.</span><span class="nc">CfnRule</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`EC2StopRule</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NATStopRule</span><span class="dl">'</span><span class="p">,</span> <span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">),</span> <span class="na">description</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">stopCronSchedule</span><span class="p">}</span><span class="s2"> Stop`</span><span class="p">,</span> <span class="na">scheduleExpression</span><span class="p">:</span> <span class="nx">stopCronSchedule</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[{</span> <span class="na">arn</span><span class="p">:</span> <span class="s2">`arn:aws:ssm:</span><span class="p">${</span><span class="nx">region</span><span class="p">}</span><span class="s2">::automation-definition/AWS-StopEC2Instance:$DEFAULT`</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TargetEC2Instance1</span><span class="dl">'</span><span class="p">,</span> <span class="na">input</span><span class="p">:</span> <span class="s2">`{"InstanceId": ["</span><span class="p">${</span><span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">}</span><span class="s2">"]}`</span><span class="p">,</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">natInstanceScheduleRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="p">}],</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h4> Understanding Cron Expressions </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cron(minute hour day month day-of-week year) Examples: cron(0 0 ? * * *) # Every day at 00:00 UTC cron(0 9 ? * * *) # Every day at 09:00 UTC cron(0 0 ? * MON-FRI *) # Weekdays only at 00:00 UTC cron(0 0 1 * ? *) # 1st day of every month at 00:00 UTC </code></pre> </div> <p>💡 Time Zone Notes:</p> <ul> <li>EventBridge cron uses UTC time</li> <li>JST = UTC + 9 hours</li> <li>JST 09:00 = UTC 00:00</li> <li>JST 18:00 = UTC 09:00</li> </ul> <p>Schedule examples by environment:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Environment</th> <th>Operating Hours (JST)</th> <th>Start (UTC)</th> <th>Stop (UTC)</th> <th>Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>Development</td> <td>Weekdays 9:00-18:00</td> <td><code>cron(0 0 ? * MON-FRI *)</code></td> <td><code>cron(0 9 ? * MON-FRI *)</code></td> <td>~$1.07 (t4g.nano)</td> </tr> <tr> <td>Test</td> <td>Daily 9:00-18:00</td> <td><code>cron(0 0 ? * * *)</code></td> <td><code>cron(0 9 ? * * *)</code></td> <td>~$3.89 (t4g.nano)</td> </tr> <tr> <td>Staging</td> <td>24/7</td> <td>Recommend NAT Gateway same as production</td> <td>Recommend NAT Gateway same as production</td> <td>~$44.64</td> </tr> <tr> <td>Production</td> <td>24/7</td> <td>Recommend NAT Gateway</td> <td>Recommend NAT Gateway</td> <td>~$44.64</td> </tr> </tbody> </table></div> <h2> Static Elastic IP Assignment </h2> <p>By assigning a static Elastic IP to NAT Instance, you can fix the source IP address for outbound communications.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">outboundEips</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">CfnEIP</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="nx">natProvider</span><span class="p">.</span><span class="nx">configuredGateways</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">nat</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Creating Elastic IP</span> <span class="kd">const</span> <span class="nx">eip</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnEIP</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`NatEip</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="p">[{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Name</span><span class="dl">"</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">/NatEIP</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">`</span> <span class="p">}],</span> <span class="p">});</span> <span class="nx">eip</span><span class="p">.</span><span class="nf">applyRemovalPolicy</span><span class="p">(</span><span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">);</span> <span class="c1">// Associate Elastic IP with NAT Instance</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnEIPAssociation</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`NatEipAssociation</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">allocationId</span><span class="p">:</span> <span class="nx">eip</span><span class="p">.</span><span class="nx">attrAllocationId</span><span class="p">,</span> <span class="na">instanceId</span><span class="p">:</span> <span class="nx">nat</span><span class="p">.</span><span class="nx">gatewayId</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Output as CloudFormation Output</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`NatInstance</span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">PublicIP`</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">eip</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="s2">`Public IP address of NAT Instance </span><span class="p">${</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">});</span> <span class="nx">outboundEips</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">eip</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Why Static IP is Needed? </h3> <ol> <li> <p><strong>External Service Whitelisting</strong></p> <ul> <li>Many third-party APIs require IP whitelisting</li> <li>Database access control via security groups</li> <li>VPN connection configurations</li> </ul> </li> <li> <p><strong>Log Analysis and Troubleshooting</strong></p> <ul> <li>Tracking outbound traffic with fixed source IP</li> <li>Easier identification of access source</li> </ul> </li> <li> <p><strong>Compliance Requirements</strong></p> <ul> <li>Some industries require tracking of outbound communication sources</li> <li>Auditing and logging requirements</li> </ul> </li> </ol> <h2> Monitoring NAT Instance State Changes </h2> <p>Set up SNS notifications to receive alerts when NAT Instance state changes.</p> <h3> 1. Creating SNS Topic </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">sns</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-sns</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">subscriptions</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-sns-subscriptions</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Create SNS Topic</span> <span class="kd">const</span> <span class="nx">natInstanceTopic</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceTopic</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">topicName</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstance</span><span class="dl">'</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">),</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NAT Instance State Change Notifications</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Email subscription (optional)</span> <span class="k">if </span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">notificationEmail</span><span class="p">)</span> <span class="p">{</span> <span class="nx">natInstanceTopic</span><span class="p">.</span><span class="nf">addSubscription</span><span class="p">(</span> <span class="k">new</span> <span class="nx">subscriptions</span><span class="p">.</span><span class="nc">EmailSubscription</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">notificationEmail</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Creating EventBridge Rule </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">events</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-events</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">targets</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-events-targets</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Rule for NAT Instance state change</span> <span class="kd">const</span> <span class="nx">natInstanceStateRule</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">events</span><span class="p">.</span><span class="nc">Rule</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceStateRule</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ruleName</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceState</span><span class="dl">'</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">),</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Notify when NAT Instance state changes</span><span class="dl">'</span><span class="p">,</span> <span class="na">eventPattern</span><span class="p">:</span> <span class="p">{</span> <span class="na">source</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">aws.ec2</span><span class="dl">'</span><span class="p">],</span> <span class="na">detailType</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">EC2 Instance State-change Notification</span><span class="dl">'</span><span class="p">],</span> <span class="na">detail</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">instance-id</span><span class="dl">'</span><span class="p">:</span> <span class="nx">natInstanceIds</span><span class="p">,</span> <span class="dl">'</span><span class="s1">state</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">pending</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">running</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stopping</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stopped</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">terminated</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Add SNS topic as target</span> <span class="nx">natInstanceStateRule</span><span class="p">.</span><span class="nf">addTarget</span><span class="p">(</span><span class="k">new</span> <span class="nx">targets</span><span class="p">.</span><span class="nc">SnsTopic</span><span class="p">(</span><span class="nx">natInstanceTopic</span><span class="p">,</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">RuleTargetInput</span><span class="p">.</span><span class="nf">fromObject</span><span class="p">({</span> <span class="na">subject</span><span class="p">:</span> <span class="s2">`[</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">.</span><span class="nf">toUpperCase</span><span class="p">()}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">toUpperCase</span><span class="p">()}</span><span class="s2">] NAT Instance State Change`</span><span class="p">,</span> <span class="na">instanceId</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail.instance-id</span><span class="dl">'</span><span class="p">),</span> <span class="na">state</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail.state</span><span class="dl">'</span><span class="p">),</span> <span class="na">time</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.time</span><span class="dl">'</span><span class="p">),</span> <span class="p">}),</span> <span class="p">}));</span> </code></pre> </div> <h3> 3. Setting Up Email Notifications (Optional) </h3> <p>When an email address is provided, you'll receive notifications like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[YOURPROJECT-DEV] NAT Instance State Change"</span><span class="p">,</span><span class="w"> </span><span class="nl">"instanceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"i-0123456789abcdef0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"state"</span><span class="p">:</span><span class="w"> </span><span class="s2">"running"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2024-01-15T12:00:00Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Notified Events </h4> <ul> <li> <code>pending</code>: Instance is starting</li> <li> <code>running</code>: Instance is running</li> <li> <code>stopping</code>: Instance is stopping</li> <li> <code>stopped</code>: Instance is stopped</li> <li> <code>terminated</code>: Instance is terminated</li> </ul> <p>💡 <strong>Tips</strong>:</p> <ul> <li>Set up Slack/Teams integration via SNS for team notifications</li> <li>Log important events to CloudWatch Logs</li> <li>Create dashboards combining CloudWatch metrics</li> </ul> <h2> NAT Gateway vs NAT Instance: Trade-offs </h2> <h3> Feature Comparison Table </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>NAT Gateway</th> <th>NAT Instance</th> </tr> </thead> <tbody> <tr> <td><strong>Availability</strong></td> <td>✅ Managed by AWS</td> <td>Depends on instance type</td> </tr> <tr> <td><strong>Performance</strong></td> <td>✅ Up to 100 Gbps</td> <td>Depends on instance type</td> </tr> <tr> <td><strong>Cost (24/7)</strong></td> <td>~$44.64/month</td> <td>✅ ~$3.94/month (t4g.nano)</td> </tr> <tr> <td><strong>Scheduled Control</strong></td> <td>❌ Not available</td> <td>✅ EventBridge schedule</td> </tr> <tr> <td><strong>Patch Management</strong></td> <td>✅ Not required (Managed)</td> <td>Required (SSM Patch Manager)</td> </tr> <tr> <td><strong>Scalability</strong></td> <td>✅ Automatic</td> <td>Manual (instance type change)</td> </tr> <tr> <td><strong>Monitoring</strong></td> <td>CloudWatch metrics</td> <td>CloudWatch + OS metrics</td> </tr> <tr> <td><strong>Single Point of Failure</strong></td> <td>✅ No</td> <td>Yes (single instance)</td> </tr> </tbody> </table></div> <h3> Recommended Use Cases </h3> <h4> Use Cases for NAT Gateway </h4> <ol> <li> <p><strong>Production Environments</strong></p> <ul> <li>24/7 operation required</li> <li>High availability is critical</li> <li>Handling large traffic volume</li> </ul> </li> <li> <p><strong>High Performance Requirements</strong></p> <ul> <li>Burst traffic handling needed</li> <li>Bandwidth requirements over 5 Gbps</li> <li>Multiple concurrent connections</li> </ul> </li> <li> <p><strong>Zero Operational Overhead</strong></p> <ul> <li>No infrastructure management desired</li> <li>Fully managed service preferred</li> <li>No patching management needed</li> </ul> </li> </ol> <h4> Use Cases for NAT Instance </h4> <ol> <li> <p><strong>Development/Test Environments</strong></p> <ul> <li>Traffic only during business hours</li> <li>Cost optimization prioritized</li> <li>Downtime acceptable</li> </ul> </li> <li> <p><strong>Cost Reduction Priority</strong></p> <ul> <li>Small-scale traffic</li> <li>Scheduled operation possible</li> <li>Operational overhead acceptable</li> </ul> </li> <li> <p><strong>Custom Network Control</strong></p> <ul> <li>Custom security groups needed</li> <li>Traffic filtering required</li> <li>Specific logging requirements</li> </ul> </li> </ol> <h3> Performance Comparison </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>NAT Gateway</th> <th>NAT Instance (t4g.nano)</th> <th>NAT Instance (t4g.micro)</th> </tr> </thead> <tbody> <tr> <td><strong>Bandwidth</strong></td> <td>Up to 100 Gbps</td> <td>Up to 5 Gbps</td> <td>Up to 5 Gbps</td> </tr> <tr> <td><strong>Max Connections</strong></td> <td>55,000~440,000</td> <td>~55,000</td> <td>~55,000</td> </tr> <tr> <td><strong>Bandwidth</strong></td> <td>10 Gbps</td> <td>~ 5 Gbps</td> <td>~ 5 Gbps</td> </tr> <tr> <td><strong>Latency</strong></td> <td>Low</td> <td>Low</td> <td>Low</td> </tr> </tbody> </table></div> <p>💡 <strong>Tips</strong>: For development environments with low traffic, t4g.nano is sufficient. For production use, consider t4g.medium or larger.</p> <h2> Cost Analysis </h2> <h3> Detailed Cost Comparison (Tokyo Region) </h3> <h4> 1. NAT Gateway (Traditional) </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Base Charge: - $0.062/hour × 730 hours = $45.26/month Data Processing: - $0.062/GB - Example: 100 GB/month = $6.20 Total: ~$51.46/month per AZ 3 AZs: ~$154.38/month </code></pre> </div> <h4> 2. NAT Instance (t4g.nano) - 24/7 Operation </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Instance Charge: - $0.0054/hour × 730 hours = $3.94/month Elastic IP: - While stopped: $0.005/hour × 730 hours = $3.65/month Data Transfer: - Same as NAT Gateway ($0.062/GB) - Example: 100 GB/month = $6.20 Total: ~$13.79/month per instance 3 instances: ~$41.37/month Savings: $154.38 - $41.37 = $113.01/month (73% reduction) Annual savings: ~$1,356 </code></pre> </div> <h4> 3. NAT Instance - Business Hours Only (Weekdays 9 hours) </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Instance Charge: - Operating hours: 9 hours × 5 days × 4.33 weeks = ~195 hours/month - $0.0054/hour × 195 hours = $1.05/month Elastic IP: - While stopped: $0.005/hour × 730 hours = $3.65/month Data Transfer: - Same as NAT Gateway ($0.062/GB) - Example: 100 GB/month = $6.20 Total: ~$10.9/month per instance 3 instances: ~$32.7/month Savings: $154.38 - $32.7 = $121.68/month (79% reduction) Annual savings: ~$1,460 </code></pre> </div> <p>💡 <strong>Important Note</strong>: For scheduled operation, also calculate Elastic IP charges during stop periods. In many cases, 24/7 operation may be more cost-effective.</p> <h3> Recommended Configuration and Costs by Environment </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Environment</th> <th>Configuration</th> <th>Monthly Cost</th> <th>Reasoning</th> </tr> </thead> <tbody> <tr> <td><strong>Development</strong></td> <td>NAT Instance × 1 (t4g.nano, 9/7)</td> <td>~$1.84</td> <td>Cost priority, downtime acceptable</td> </tr> <tr> <td><strong>Test</strong></td> <td>NAT Instance × 1 (t4g.micro, 9/7)</td> <td>~$1.84</td> <td>Cost and performance balance</td> </tr> <tr> <td><strong>Staging</strong></td> <td>NAT Gateway × 1</td> <td>~$44.64</td> <td>Production equivalent</td> </tr> <tr> <td><strong>Production</strong></td> <td>NAT Gateway × 3</td> <td>~$154</td> <td>High availability critical</td> </tr> </tbody> </table></div> <h2> Automating Patch Application </h2> <p>Use Systems Manager Patch Manager to automatically apply security patches to NAT Instance.</p> <h3> 1. Granting SSM Permissions to NAT Instance </h3> <p>NAT Instance requires permissions to use Systems Manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Add SSM managed policy to NAT Instance role</span> <span class="p">(</span><span class="nx">natProvider</span> <span class="k">as</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">NatInstanceProviderV2</span><span class="p">).</span><span class="nx">connections</span><span class="p">.</span><span class="nf">allowFrom</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">ipv4</span><span class="p">(</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">allTraffic</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">Allow all traffic from VPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">);</span> <span class="c1">// Get NAT Instance role</span> <span class="kd">const</span> <span class="nx">natInstanceRole</span> <span class="o">=</span> <span class="p">(</span><span class="nx">natProvider</span> <span class="k">as</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">NatInstanceProviderV2</span><span class="p">).</span><span class="nx">securityGroup</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryFindChild</span><span class="p">(</span><span class="dl">'</span><span class="s1">InstanceRole</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Role</span><span class="p">;</span> <span class="c1">// Add SSM managed policy</span> <span class="nx">natInstanceRole</span><span class="p">.</span><span class="nf">addManagedPolicy</span><span class="p">(</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">AmazonSSMManagedInstanceCore</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>This allows NAT Instance to:</p> <ul> <li>Report to Systems Manager Fleet Manager</li> <li>Execute commands via Session Manager</li> <li>Execute Patch Manager tasks</li> </ul> <h3> 2. Creating Patch Baseline </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ssm</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ssm</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Create patch baseline for Amazon Linux 2023</span> <span class="kd">const</span> <span class="nx">patchBaseline</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ssm</span><span class="p">.</span><span class="nc">CfnPatchBaseline</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstancePatchBaseline</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-AL2023-PatchBaseline`</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Patch baseline for NAT Instance (Amazon Linux 2023)</span><span class="dl">'</span><span class="p">,</span> <span class="na">operatingSystem</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AMAZON_LINUX_2023</span><span class="dl">'</span><span class="p">,</span> <span class="na">approvalRules</span><span class="p">:</span> <span class="p">{</span> <span class="na">patchRules</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="c1">// Security patches</span> <span class="na">patchFilterGroup</span><span class="p">:</span> <span class="p">{</span> <span class="na">patchFilters</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CLASSIFICATION</span><span class="dl">'</span><span class="p">,</span> <span class="na">values</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Security</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Bugfix</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SEVERITY</span><span class="dl">'</span><span class="p">,</span> <span class="na">values</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Critical</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Important</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="na">approveAfterDays</span><span class="p">:</span> <span class="mi">7</span><span class="p">,</span> <span class="c1">// Apply 7 days after release</span> <span class="na">complianceLevel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">HIGH</span><span class="dl">'</span><span class="p">,</span> <span class="na">enableNonSecurity</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="c1">// Tag-based target specification</span> <span class="na">patchGroups</span><span class="p">:</span> <span class="p">[</span><span class="s2">`/NatInstance/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>💡 <strong>Key Points</strong>:</p> <ul> <li> <code>approveAfterDays: 7</code>: Apply only tested patches</li> <li> <code>SEVERITY: Critical, Important</code>: Apply high-priority patches first</li> </ul> <h3> 3. Configuring Maintenance Window </h3> <h4> 3.1. IAM Role for Maintenance Window </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">maintenanceWindowRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">MaintenanceWindowRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">roleName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-MaintenanceWindowRole`</span><span class="p">,</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">CompositePrincipal</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ssm.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ec2.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">service-role/AmazonSSMMaintenanceWindowRole</span><span class="dl">'</span><span class="p">),</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">AmazonSSMManagedInstanceCore</span><span class="dl">'</span><span class="p">),</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// Add PassRole permission</span> <span class="nx">maintenanceWindowRole</span><span class="p">.</span><span class="nf">addToPolicy</span><span class="p">(</span><span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">iam:PassRole</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">natInstanceRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">],</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">iam:PassedToService</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ssm.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}));</span> </code></pre> </div> <h4> 3.2. Creating Maintenance Window </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Maintenance window: Every Sunday 12:00 JST (03:00 UTC)</span> <span class="kd">const</span> <span class="nx">maintenanceWindow</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ssm</span><span class="p">.</span><span class="nc">CfnMaintenanceWindow</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceMaintenanceWindow</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-NatInstance-PatchWindow`</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Weekly maintenance window for NAT Instance patches</span><span class="dl">'</span><span class="p">,</span> <span class="na">schedule</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cron(0 3 ? * SUN *)</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Every Sunday 03:00 UTC (12:00 JST)</span> <span class="na">duration</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="c1">// 4 hours</span> <span class="na">cutoff</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Stop 1 hour before end</span> <span class="na">allowUnassociatedTargets</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">scheduleTimezone</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UTC</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h4> 3.3. Configuring Patch Task </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Maintenance window target</span> <span class="kd">const</span> <span class="nx">maintenanceWindowTarget</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ssm</span><span class="p">.</span><span class="nc">CfnMaintenanceWindowTarget</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceTarget</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">windowId</span><span class="p">:</span> <span class="nx">maintenanceWindow</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">INSTANCE</span><span class="dl">'</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tag:Patch Group</span><span class="dl">'</span><span class="p">,</span> <span class="na">values</span><span class="p">:</span> <span class="p">[</span><span class="s2">`/NatInstance/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// Patch task</span> <span class="k">new</span> <span class="nx">ssm</span><span class="p">.</span><span class="nc">CfnMaintenanceWindowTask</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PatchTask</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">windowId</span><span class="p">:</span> <span class="nx">maintenanceWindow</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">taskType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RUN_COMMAND</span><span class="dl">'</span><span class="p">,</span> <span class="na">taskArn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AWS-RunPatchBaseline</span><span class="dl">'</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">WindowTargetIds</span><span class="dl">'</span><span class="p">,</span> <span class="na">values</span><span class="p">:</span> <span class="p">[</span><span class="nx">maintenanceWindowTarget</span><span class="p">.</span><span class="nx">ref</span><span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="na">serviceRoleArn</span><span class="p">:</span> <span class="nx">maintenanceWindowRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">maxConcurrency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Sequential execution one at a time</span> <span class="na">maxErrors</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="na">taskInvocationParameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">maintenanceWindowRunCommandParameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">Operation</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Install</span><span class="dl">'</span><span class="p">],</span> <span class="na">RebootOption</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">RebootIfNeeded</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="na">timeoutSeconds</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="c1">// 1 hour timeout</span> <span class="na">cloudWatchOutputConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">cloudWatchLogGroupName</span><span class="p">:</span> <span class="s2">`/aws/ssm/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">/patch`</span><span class="p">,</span> <span class="na">cloudWatchOutputEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>💡 <strong>Important Parameters</strong>:</p> <ul> <li> <code>maxConcurrency: '1'</code>: Apply sequentially one instance at a time (maintain availability)</li> <li> <code>RebootOption: 'RebootIfNeeded'</code>: Auto-reboot when kernel patch requires it</li> <li> <code>timeoutSeconds: 3600</code>: Allow sufficient time for patch application</li> </ul> <h3> 5. Monitoring Patch Application Status </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cloudwatch</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cloudwatch</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cloudwatchActions</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cloudwatch-actions</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// SNS topic for patch notifications</span> <span class="kd">const</span> <span class="nx">patchNotificationTopic</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PatchNotificationTopic</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">topicName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-PatchNotification`</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NAT Instance Patch Status Notifications</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Email subscription (optional)</span> <span class="k">if </span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">notificationEmail</span><span class="p">)</span> <span class="p">{</span> <span class="nx">patchNotificationTopic</span><span class="p">.</span><span class="nf">addSubscription</span><span class="p">(</span> <span class="k">new</span> <span class="nx">subscriptions</span><span class="p">.</span><span class="nc">EmailSubscription</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">notificationEmail</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// EventBridge rule for patch completion</span> <span class="kd">const</span> <span class="nx">patchCompletionRule</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">events</span><span class="p">.</span><span class="nc">Rule</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PatchCompletionRule</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ruleName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-NatInstancePatchCompletion`</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Notify when NAT Instance patch completes</span><span class="dl">'</span><span class="p">,</span> <span class="na">eventPattern</span><span class="p">:</span> <span class="p">{</span> <span class="na">source</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">aws.ssm</span><span class="dl">'</span><span class="p">],</span> <span class="na">detailType</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">EC2 Command Status-change Notification</span><span class="dl">'</span><span class="p">],</span> <span class="na">detail</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Success</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Failed</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TimedOut</span><span class="dl">'</span><span class="p">],</span> <span class="dl">'</span><span class="s1">document-name</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">AWS-RunPatchBaseline</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">patchCompletionRule</span><span class="p">.</span><span class="nf">addTarget</span><span class="p">(</span><span class="k">new</span> <span class="nx">targets</span><span class="p">.</span><span class="nc">SnsTopic</span><span class="p">(</span><span class="nx">patchNotificationTopic</span><span class="p">,</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">RuleTargetInput</span><span class="p">.</span><span class="nf">fromObject</span><span class="p">({</span> <span class="na">default</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail</span><span class="dl">'</span><span class="p">),</span> <span class="na">subject</span><span class="p">:</span> <span class="s2">`[</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">.</span><span class="nf">toUpperCase</span><span class="p">()}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">toUpperCase</span><span class="p">()}</span><span class="s2">] NAT Instance Patch Status`</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">summary</span><span class="p">:</span> <span class="s2">`Patch operation </span><span class="p">${</span><span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail.status</span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span><span class="p">,</span> <span class="na">details</span><span class="p">:</span> <span class="p">{</span> <span class="na">commandId</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail.command-id</span><span class="dl">'</span><span class="p">),</span> <span class="na">instanceId</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail.instance-id</span><span class="dl">'</span><span class="p">),</span> <span class="na">status</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail.status</span><span class="dl">'</span><span class="p">),</span> <span class="na">documentName</span><span class="p">:</span> <span class="nx">events</span><span class="p">.</span><span class="nx">EventField</span><span class="p">.</span><span class="nf">fromPath</span><span class="p">(</span><span class="dl">'</span><span class="s1">$.detail.document-name</span><span class="dl">'</span><span class="p">),</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">}));</span> <span class="c1">// Compliance violation alarm</span> <span class="kd">const</span> <span class="nx">complianceMetric</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">Metric</span><span class="p">({</span> <span class="na">namespace</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AWS/SSM</span><span class="dl">'</span><span class="p">,</span> <span class="na">metricName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PatchComplianceNonCompliantCount</span><span class="dl">'</span><span class="p">,</span> <span class="na">dimensionsMap</span><span class="p">:</span> <span class="p">{</span> <span class="na">PatchGroup</span><span class="p">:</span> <span class="s2">`/NatInstance/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="na">statistic</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Average</span><span class="dl">'</span><span class="p">,</span> <span class="na">period</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">hours</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PatchComplianceAlarm</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">alarmName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">}</span><span class="s2">-NatInstancePatchNonCompliant`</span><span class="p">,</span> <span class="na">metric</span><span class="p">:</span> <span class="nx">complianceMetric</span><span class="p">,</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">evaluationPeriods</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">comparisonOperator</span><span class="p">:</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nx">ComparisonOperator</span><span class="p">.</span><span class="nx">GREATER_THAN_THRESHOLD</span><span class="p">,</span> <span class="na">treatMissingData</span><span class="p">:</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nx">TreatMissingData</span><span class="p">.</span><span class="nx">NOT_BREACHING</span><span class="p">,</span> <span class="p">}).</span><span class="nf">addAlarmAction</span><span class="p">(</span><span class="k">new</span> <span class="nx">cloudwatchActions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="nx">patchNotificationTopic</span><span class="p">));</span> </code></pre> </div> <h3> Key Points for Patch Management </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Item</th> <th>Setting</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td>Execution Timing</td> <td>Every Sunday 3:00 UTC (12:00 JST)</td> <td>Low traffic period</td> </tr> <tr> <td>Window Duration</td> <td>4 hours</td> <td>Accommodate sequential application to multiple instances</td> </tr> <tr> <td>Concurrency</td> <td>1 instance</td> <td>Sequential execution to maintain availability</td> </tr> <tr> <td>Reboot</td> <td>As needed</td> <td>For kernel patches etc.</td> </tr> <tr> <td>Approval Period</td> <td>7 days</td> <td>Apply only tested patches</td> </tr> <tr> <td>Target Patches</td> <td>Critical/Important security patches</td> <td>Prioritize high-severity</td> </tr> </tbody> </table></div> <h3> Patch Application Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Every Sunday 12:00 JST ↓ 2. Maintenance window starts ↓ 3. Apply patches to NAT Instance #1 ↓ (Reboot if needed) ↓ 4. Apply patches to NAT Instance #2 ↓ (Reboot if needed) ↓ 5. Apply patches to NAT Instance #3 ↓ (Reboot if needed) ↓ 6. Completion notification (via SNS) </code></pre> </div> <p>💡 For development environments: With single NAT Instance configuration, internet connection is temporarily lost during patch application (especially during reboot). Recommend setting maintenance window outside business hours.</p> <h2> Best Practices </h2> <h3> 1. Security </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Disable source/destination check for NAT Instance</span> <span class="c1">// (Automatically set by NatProvider.instanceV2())</span> <span class="c1">// ✅ Restrict traffic with security groups</span> <span class="p">(</span><span class="nx">natProvider</span> <span class="k">as</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">NatInstanceProviderV2</span><span class="p">).</span><span class="nx">connections</span><span class="p">.</span><span class="nf">allowFrom</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">ipv4</span><span class="p">(</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">allTraffic</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">Allow all traffic from VPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">);</span> <span class="c1">// ✅ Access via Systems Manager Session Manager</span> <span class="c1">// (Disable public SSH access)</span> </code></pre> </div> <h3> 2. Monitoring and Alerts </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// CloudWatch alarm configuration example</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cloudwatch</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cloudwatch</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">actions</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cloudwatch-actions</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cpuAlarm</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NatInstanceCpuAlarm</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">metric</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">Metric</span><span class="p">({</span> <span class="na">namespace</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AWS/EC2</span><span class="dl">'</span><span class="p">,</span> <span class="na">metricName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CPUUtilization</span><span class="dl">'</span><span class="p">,</span> <span class="na">dimensionsMap</span><span class="p">:</span> <span class="p">{</span> <span class="na">InstanceId</span><span class="p">:</span> <span class="nx">natInstanceId</span><span class="p">,</span> <span class="p">},</span> <span class="na">statistic</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Average</span><span class="dl">'</span><span class="p">,</span> <span class="na">period</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="p">}),</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">evaluationPeriods</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">alarmDescription</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NAT Instance CPU utilization is too high</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">cpuAlarm</span><span class="p">.</span><span class="nf">addAlarmAction</span><span class="p">(</span><span class="k">new</span> <span class="nx">actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="nx">snsTopic</span><span class="p">));</span> <span class="c1">// Patch compliance alarm</span> <span class="kd">const</span> <span class="nx">complianceAlarm</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PatchComplianceAlarm</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">metric</span><span class="p">:</span> <span class="nx">complianceMetric</span><span class="p">,</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">evaluationPeriods</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">comparisonOperator</span><span class="p">:</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nx">ComparisonOperator</span><span class="p">.</span><span class="nx">GREATER_THAN_THRESHOLD</span><span class="p">,</span> <span class="na">alarmDescription</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NAT Instance has missing security patches</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">complianceAlarm</span><span class="p">.</span><span class="nf">addAlarmAction</span><span class="p">(</span><span class="k">new</span> <span class="nx">actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="nx">patchNotificationTopic</span><span class="p">));</span> </code></pre> </div> <h3> 3. Optimal Availability for Development Environments </h3> <p>In this architecture, we configured 3 NAT instances as a high-availability example, but for development environments, a single NAT instance is often sufficient. In that case, adjust the <code>natGateways</code> count.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Deploy NAT Instance to multiple AZs</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcNatInstanceV2</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Only 1 instance</span> <span class="na">natGatewayProvider</span><span class="p">:</span> <span class="nx">natProvider</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Cost becomes:</p> <ul> <li>3 instances: $9.30/month</li> <li>1 instance: $3.10/month</li> </ul> <h2> Troubleshooting </h2> <h3> Common Issues and Solutions </h3> <h4> 1. Cannot Access Internet from Private Subnet After NAT Instance Stops </h4> <p><strong>Cause</strong>: Stopped by schedule or manually stopped</p> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Manually start NAT Instance</span> aws ec2 start-instances <span class="nt">--instance-ids</span> i-xxxxx <span class="c"># Or temporarily disable schedule</span> aws events disable-rule <span class="nt">--name</span> YourProject-dev-NATStopRule-i-xxxxx </code></pre> </div> <h4> 2. Instance Not Showing in Systems Manager </h4> <p><strong>Cause</strong>: IAM role missing <code>AmazonSSMManagedInstanceCore</code> policy</p> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check in Fleet Manager</span> aws ssm describe-instance-information <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'InstanceInformationList[].[InstanceId,PingStatus,PlatformName]'</span> <span class="se">\</span> <span class="nt">--output</span> table <span class="c"># If instance not shown, check IAM role</span> aws iam list-attached-role-policies <span class="nt">--role-name</span> &lt;NAT-Instance-Role-Name&gt; </code></pre> </div> <p>💡 NAT Instance IAM role requires the following policies:</p> <ul> <li> <code>AmazonSSMManagedInstanceCore</code> (For Systems Manager management)</li> </ul> <h4> 3. Patch Application Fails </h4> <p><strong>Cause</strong>: Maintenance window IAM role missing <code>iam:PassRole</code> permission</p> <p><strong>Solution</strong>:</p> <p>Check error in CloudTrail logs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudtrail lookup-events <span class="se">\</span> <span class="nt">--lookup-attributes</span> <span class="nv">AttributeKey</span><span class="o">=</span>EventName,AttributeValue<span class="o">=</span>SendCommand <span class="se">\</span> <span class="nt">--max-results</span> 5 </code></pre> </div> <p>If error is <code>InvalidDocument: document hash and hash type must both be present or none</code>, remove <code>documentHashType</code> parameter (not needed for AWS managed documents).</p> <h4> 4. Poor Performance </h4> <p><strong>Cause</strong>: Instance type is too small</p> <p><strong>Solution</strong>: Change to larger instance type<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T4G</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span><span class="p">,</span> <span class="c1">// nano → micro</span> <span class="p">),</span> </code></pre> </div> <h4> 5. Unexpected Shutdown </h4> <p><strong>Cause</strong>: Need to check CloudWatch Logs</p> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check logs in Systems Manager</span> aws logs filter-log-events <span class="se">\</span> <span class="nt">--log-group-name</span> /aws/ssm/automation <span class="se">\</span> <span class="nt">--filter-pattern</span> <span class="s2">"i-xxxxx"</span> <span class="c"># Check EC2 instance status history</span> aws ec2 describe-instance-status <span class="se">\</span> <span class="nt">--instance-ids</span> i-xxxxx <span class="se">\</span> <span class="nt">--include-all-instances</span> </code></pre> </div> <h3> Troubleshooting Tips </h3> <ul> <li>Utilize CloudTrail: Analyze API call failure reasons in detail</li> <li>Validate IAM permissions: Correctly configure conditional policies for <code>iam:PassRole</code> </li> <li>Systems Manager logs: Check detailed execution logs for patch application</li> <li>EventBridge metrics: Monitor schedule rule execution status</li> </ul> <h2> Deployment and Cleanup </h2> <h3> Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install dependencies</span> <span class="nb">cd </span>infrastructure/cdk-workspaces/workspaces/vpc-natinstance-v2 npm <span class="nb">install</span> <span class="c"># Bootstrap CDK (first time only)</span> cdk bootstrap <span class="c"># Deploy</span> cdk deploy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>YourProject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h3> Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete stack</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>YourProject <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Skip confirmation prompt</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>YourProject <span class="nt">--env</span><span class="o">=</span>dev <span class="nt">--force</span> </code></pre> </div> <p>⚠️ Notes:</p> <ul> <li>Elastic IPs are automatically released</li> <li>Flow logs in S3 bucket are auto-deleted due to <code>autoDeleteObjects: true</code> </li> <li>For production environments, use <code>removalPolicy: cdk.RemovalPolicy.RETAIN</code> </li> </ul> <h2> Summary </h2> <p>NAT Instance is an excellent alternative to NAT Gateway. Especially for development environments, it offers the following benefits:</p> <p>Benefits:</p> <ul> <li>Significant cost savings: Save over $400 annually</li> <li>Schedule management: Auto-stop outside business hours</li> <li>Flexible control: Security groups and Network ACLs</li> <li>Monitoring and alerts: CloudWatch and EventBridge integration</li> </ul> <p>Drawbacks (Considerations):</p> <ul> <li>Single point of failure (for single instance)</li> <li>Performance limitations (depends on instance type)</li> <li>Operational management required (patching, monitoring)</li> <li>Additional cost for high availability configuration</li> </ul> <h3> Recommendations </h3> <ol> <li>Development/Test environments: Use NAT Instance for cost optimization</li> <li>Production environments: Use NAT Gateway for availability</li> <li>Hybrid configuration: Choose optimal configuration per environment</li> </ol> <h2> References </h2> <ul> <li><a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43">Previous article: VPC Basics</a></li> <li><a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html" rel="noopener noreferrer">AWS CDK VPC Construct</a></li> <li><a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.NatInstanceProviderV2.html" rel="noopener noreferrer">NAT Instance v2</a></li> <li><a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule-schedule.html" rel="noopener noreferrer">EventBridge Schedule Expressions</a></li> <li><a href="https://aws.amazon.com/ec2/instance-types/" rel="noopener noreferrer">EC2 Instance Types</a></li> <li><a href="https://calculator.aws/" rel="noopener noreferrer">AWS Pricing Calculator</a></li> </ul> <p>Let's continue learning practical AWS CDK patterns through the 100 drill exercises!<br> If you found this helpful, please ⭐ the repository!</p> <p>📌 You can see the entire code in <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">My GitHub Repository</a>.</p> aws cdk 100drillexercises vpc AWS CDK 100 Drill Exercises #003: VPC Basics — From Network Configuration to Security TOMOAKI ishihara Sun, 21 Dec 2025 08:15:58 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkpovqovupuz0fqscdot.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkpovqovupuz0fqscdot.png" alt="Level 200" width="70" height="20"></a></p> <h2> Introduction </h2> <p>This is the third installment of the "AWS CDK 100 Drill Exercises" series.</p> <p>For an overview of the AWS CDK 100 Drill Exercises, please refer to <a href="https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949">this article</a>.</p> <p>Following <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-001-s3-bucket-fundamentals-from-default-settings-to-practical-1hmd">S3 Fundamentals in Exercise #001</a> and <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-002-iam-basics-users-roles-and-secure-password-management-1npa">IAM Basics in Exercise #002</a>, we'll tackle Amazon Virtual Private Cloud (VPC). VPC is the foundation of AWS networking and is essential for securely isolating resources and controlling communication.</p> <h3> Why VPC? </h3> <ol> <li>Networking Foundation: Many AWS resources are deployed within a VPC</li> <li>Security Layer: Implements security controls at the network level</li> <li>Production Necessity: Almost all production environments require VPC</li> <li>CDK Integration: Understanding how CDK abstracts VPC resources</li> <li>Best Practices: Learning proper network design from the start</li> </ol> <h3> What You'll Learn </h3> <ul> <li>Two approaches to creating VPCs with CDK (default and custom)</li> <li>Subnet design and CIDR block calculations</li> <li>Differences between public/private subnets</li> <li>Roles of NAT Gateway and Internet Gateway</li> <li>Traffic monitoring with VPC Flow Logs</li> <li>VPC Endpoint implementation (Gateway/Interface)</li> <li>Secure SSH access via EC2 Instance Connect Endpoint</li> <li>Security group cross-referencing and avoiding circular dependencies</li> </ul> <p>📁 Code Repository: All code examples for this exercise are available on <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/tree/main/infrastructure/cdk-workspaces/workspaces/vpc-basics" rel="noopener noreferrer">GitHub</a>.</p> <h2> Architecture Overview </h2> <p>Here's what we'll build in this exercise:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1nxbfirgnrehraei5ejj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1nxbfirgnrehraei5ejj.png" alt="Architecture Overview" width="800" height="560"></a></p> <p>We'll implement two patterns:</p> <ul> <li>Default VPC: Created with CDK default settings</li> <li>Custom VPC: Created with custom configurations</li> </ul> <h3> 1. Default VPC (CDKDefault) </h3> <ul> <li>VPC created with CDK's default settings</li> <li>Fully functional VPC with minimal code</li> </ul> <h3> 2. Custom VPC (CustomVPC) </h3> <ul> <li>VPC with custom configuration <ul> <li>Up to 3 Availability Zones (varies by region)</li> <li>6 types of subnets (External, Management, Internal, Application, Isolated, TransitGateway)</li> <li>Custom CIDR blocks</li> <li>Single NAT Gateway (cost optimization)</li> </ul> </li> <li>VPC Flow Logs implementation <ul> <li>All traffic logged to S3</li> <li>Rejected traffic logged to CloudWatch Logs</li> </ul> </li> <li>VPC Endpoints <ul> <li>Gateway Endpoints (S3, DynamoDB)</li> <li>Interface Endpoints (Systems Manager)</li> </ul> </li> <li>EC2 Instance Connect Endpoint <ul> <li>Secure SSH access without going through the internet</li> <li>Security group cross-referencing</li> </ul> </li> </ul> <h2> Prerequisites </h2> <p>To proceed with this exercise, you'll need:</p> <ul> <li>AWS CLI v2 installed and configured</li> <li>Node.js 20+</li> <li>AWS CDK CLI (<code>npm install -g aws-cdk</code>)</li> <li>Basic knowledge of TypeScript</li> <li>AWS Account (can be done with Free Tier)</li> <li>Basic understanding of VPC concepts (CIDR, subnets, routing)</li> </ul> <h2> Project Directory Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vpc-basics/ ├── bin/ │ └── vpc-basics.ts # Application entry point ├── lib/ │ └── stacks/ │ ├── vpc-cdkdefault-stack.ts # CDK Default VPC Creation Stack │ └── vpc-basics-stack.ts # Custom VPC stack definition ├── test/ │ ├── compliance/ │ │ └── cdk-nag.test.ts # CDK Nag compliance tests │ ├── snapshot/ │ │ └── snapshot.test.ts # Snapshot tests │ └── unit/ │ ├── vpc-cdkdefault.test.ts # Unit tests │ └── vpc-basics.test.ts # Unit tests ├── cdk.json ├── package.json └── tsconfig.json </code></pre> </div> <h2> Pattern 1: Understanding CDK Default VPC </h2> <p>This is the simplest VPC creation. CDK automatically handles all configurations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">VpcCDKDefaultStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Create VPC with CDK default settings</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CDKDefault</span><span class="dl">'</span><span class="p">,</span> <span class="p">{});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Default Configuration Details </h3> <p>What CDK automatically configures:</p> <ul> <li>CIDR Block: <code>10.0.0.0/16</code> (65,536 IP addresses)</li> <li>Availability Zones: Available AZs in the region (up to 3)</li> <li>Subnet Configuration: <ul> <li>Public Subnet: One per AZ</li> <li>Private Subnet: One per AZ</li> </ul> </li> <li>NAT Gateway: One per AZ (high availability configuration)</li> <li>Internet Gateway: One</li> <li>Route Tables: Automatically configured</li> </ul> <p>Generated resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CDKDefault VPC (10.0.0.0/16) ├── AZ-1 │ ├── Public Subnet (10.0.0.0/19) - 8,192 IPs │ ├── Private Subnet (10.0.96.0/19) - 8,192 IPs │ └── NAT Gateway ├── AZ-2 │ ├── Public Subnet (10.0.32.0/19) - 8,192 IPs │ ├── Private Subnet (10.0.128.0/19) - 8,192 IPs │ └── NAT Gateway ├── AZ-3 │ ├── Public Subnet (10.0.64.0/19) - 8,192 IPs │ ├── Private Subnet (10.0.160.0/19) - 8,192 IPs │ └── NAT Gateway └── Internet Gateway </code></pre> </div> <h3> Pros and Cons of Default VPC </h3> <p>Pros:</p> <ul> <li>Minimal code</li> <li>Production-ready configuration</li> <li>High availability (multiple AZs, multiple NAT Gateways)</li> <li>Follows best practices</li> </ul> <p>Cons:</p> <ul> <li>High cost (multiple NAT Gateways)</li> <li>No CIDR range customization</li> <li>Fixed number of subnets</li> </ul> <p>💡 For development environments, we recommend using a custom VPC for cost reduction.</p> <h2> Pattern 2: Creating a Custom VPC </h2> <p>In real projects, you'll create VPCs tailored to requirements.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">pascalCase</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">change-case-commonjs</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">vpcName</span> <span class="o">=</span> <span class="p">[</span> <span class="nf">pascalCase</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">),</span> <span class="c1">// Project name</span> <span class="nf">pascalCase</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">),</span> <span class="c1">// Environment identifier (dev/test/prod)</span> <span class="dl">'</span><span class="s1">CustomVPC</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Purpose</span> <span class="p">]</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">customVpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CustomVPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">vpcName</span><span class="p">,</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span><span class="dl">'</span><span class="s1">10.1.0.0/16</span><span class="dl">'</span><span class="p">),</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// Use up to 3 AZs</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Only 1 NAT Gateway (cost optimization)</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">26</span><span class="p">,</span> <span class="c1">// 64 IPs per AZ (/26 = 2^(32-26) = 64)</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">External</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">27</span><span class="p">,</span> <span class="c1">// 32 IPs per AZ (/27 = 2^(32-27) = 32)</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Management</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="c1">// 1024 IPs per AZ (/22 = 2^(32-22) = 1024)</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Internal</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="c1">// 1024 IPs per AZ</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Application</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span><span class="p">,</span> <span class="c1">// 256 IPs per AZ (/24 = 2^(32-24) = 256)</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Isolated</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_ISOLATED</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">28</span><span class="p">,</span> <span class="c1">// 16 IPs per AZ (/28 = 2^(32-28) = 16)</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TransitGateway</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_ISOLATED</span><span class="p">,</span> <span class="p">}</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h3> Understanding CIDR Calculations </h3> <p>CIDR (Classless Inter-Domain Routing) defines IP address ranges.</p> <p>The basic calculation formula:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Available IP Addresses = 2^(32 - CIDR mask) /16 = 2^(32-16) = 2^16 = 65,536 IPs /22 = 2^(32-22) = 2^10 = 1,024 IPs /24 = 2^(32-24) = 2^8 = 256 IPs /26 = 2^(32-26) = 2^6 = 64 IPs /27 = 2^(32-27) = 2^5 = 32 IPs /28 = 2^(32-28) = 2^4 = 16 IPs </code></pre> </div> <p>For each subnet, AWS reserves 5 IPv4 addresses. (Documentation <a href="https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html" rel="noopener noreferrer">here</a>)</p> <ul> <li> <code>.0</code>: Network address</li> <li> <code>.1</code>: VPC router</li> <li> <code>.2</code>: DNS</li> <li> <code>.3</code>: Reserved for future use</li> <li> <code>.255</code>: Broadcast (not used in VPC but reserved)</li> </ul> <p>The actual usable IPs are <code>calculated value - 5</code>.</p> <h3> Understanding Subnet Types </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Type</th> <th>Description</th> <th>Routing</th> <th>Use Cases</th> </tr> </thead> <tbody> <tr> <td><code>PUBLIC</code></td> <td>Route to Internet Gateway</td> <td>Internet via IGW</td> <td>Load balancers, NAT Gateway, Bastion</td> </tr> <tr> <td><code>PRIVATE_WITH_EGRESS</code></td> <td>Route to NAT Gateway</td> <td>Outbound only via NAT</td> <td>Application servers, VPC Endpoints</td> </tr> <tr> <td><code>PRIVATE_ISOLATED</code></td> <td>No route to internet</td> <td>VPC only</td> <td>Databases, Transit Gateway attachments</td> </tr> </tbody> </table></div> <h3> Subnet Configuration Design </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CustomVPC (10.1.0.0/16) - 65,536 IPs ├── AZ-1 (ap-northeast-1a) │ ├── ExternalSubnet-1 (10.1.0.0/26) - 64 IPs (59 usable) │ ├── ManagementSubnet-1 (10.1.0.64/27) - 32 IPs (27 usable) │ ├── InternalSubnet-1 (10.1.0.128/22) - 1,024 IPs (1,019 usable) │ ├── ApplicationSubnet-1 (10.1.4.128/22) - 1,024 IPs (1,019 usable) │ ├── IsolatedSubnet-1 (10.1.8.128/24) - 256 IPs (251 usable) │ └── TransitGatewaySubnet-1 (10.1.9.0/28) - 16 IPs (11 usable) ├── AZ-2 (ap-northeast-1c) │ ├── ExternalSubnet-2 (10.1.0.96/26) - 64 IPs (59 usable) │ ├── ManagementSubnet-2 (10.1.0.160/27) - 32 IPs (27 usable) │ ├── InternalSubnet-2 (10.1.9.16/22) - 1,024 IPs (1,019 usable) │ ├── ApplicationSubnet-2 (10.1.13.16/22) - 1,024 IPs (1,019 usable) │ ├── IsolatedSubnet-2 (10.1.17.16/24) - 256 IPs (251 usable) │ └── TransitGatewaySubnet-2 (10.1.18.0/28) - 16 IPs (11 usable) ├── AZ-3 (ap-northeast-1d) │ ├── ExternalSubnet-3 (10.1.0.192/26) - 64 IPs (59 usable) │ ├── ManagementSubnet-3 (10.1.0.224/27) - 32 IPs (27 usable) │ ├── InternalSubnet-3 (10.1.17.32/22) - 1,024 IPs (1,019 usable) │ ├── ApplicationSubnet-3 (10.1.21.32/22) - 1,024 IPs (1,019 usable) │ ├── IsolatedSubnet-3 (10.1.25.32/24) - 256 IPs (251 usable) │ └── TransitGatewaySubnet-3 (10.1.26.32/28) - 16 IPs (11 usable) ├── NAT Gateway (AZ-1 only) └── Internet Gateway </code></pre> </div> <h3> Why 6 Types of Subnets? </h3> <p>This doesn't mean you should always create many subnets, but we've created 6 as examples of subnet segmentation. Dividing subnets too finely wastes reserved IPs per subnet, so adjust the subnet configuration according to your actual project requirements. For basic projects, two types—Public and Private Subnets—are often sufficient.</p> <ol> <li>ExternalSubnet (Public): For internet-facing load balancers, NAT Gateway placement</li> <li>ManagementSubnet (Public): For Bastion Hosts and operational management</li> <li>InternalSubnet (Private with Egress): For VPC Endpoints, internal load balancers</li> <li>ApplicationSubnet (Private with Egress): For application servers, ECS tasks, Lambda functions</li> <li>IsolatedSubnet (Private Isolated): For database layers like RDS, ElastiCache</li> <li>TransitGatewaySubnet (Private Isolated): For Transit Gateway attachments</li> </ol> <h2> VPC Flow Logs Implementation </h2> <p>VPC Flow Logs capture information about IP traffic flowing to and from network interfaces in your VPC.</p> <h3> Flow Logs to S3 </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">s3</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-s3</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Create secure S3 bucket</span> <span class="kd">const</span> <span class="nx">flowLogBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FlowLogBucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">BucketEncryption</span><span class="p">.</span><span class="nx">S3_MANAGED</span><span class="p">,</span> <span class="na">blockPublicAccess</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">BlockPublicAccess</span><span class="p">.</span><span class="nx">BLOCK_ALL</span><span class="p">,</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Require HTTPS</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="c1">// ⚠️ For dev (use RETAIN for prod)</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// ⚠️ For dev (use RETAIN removalPolicy for prod)</span> <span class="p">});</span> <span class="c1">// Log all traffic to S3</span> <span class="nx">customVpc</span><span class="p">.</span><span class="nf">addFlowLog</span><span class="p">(</span><span class="dl">'</span><span class="s1">FlowLogToS3</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">destination</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">FlowLogDestination</span><span class="p">.</span><span class="nf">toS3</span><span class="p">(</span> <span class="nx">flowLogBucket</span><span class="p">,</span> <span class="dl">'</span><span class="s1">vpcFlowLog/</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">fileFormat</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">FlowLogFileFormat</span><span class="p">.</span><span class="nx">PLAIN_TEXT</span><span class="p">,</span> <span class="na">hiveCompatiblePartitions</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// For Athena queries</span> <span class="na">perHourPartition</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">}</span> <span class="p">),</span> <span class="na">trafficType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">FlowLogTrafficType</span><span class="p">.</span><span class="nx">ALL</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Generated log file structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>s3://bucket-name/vpcFlowLog/ └── AWSLogs/ └── aws-account-id=123456789012/ └── aws-service=vpcflowlogs/ └── aws-region=ap-northeast-1/ └── year=2024/ └── month=12/ └── day=20/ └── hour=12/ └── &lt;AWSAccountID&gt;_vpcflowlogs_&lt;region&gt;_xxxxx.log.gz </code></pre> </div> <h3> Flow Logs to CloudWatch Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">logs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-logs</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Log rejected traffic only to CloudWatch Logs</span> <span class="nx">customVpc</span><span class="p">.</span><span class="nf">addFlowLog</span><span class="p">(</span><span class="dl">'</span><span class="s1">FlowLog</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">destination</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">FlowLogDestination</span><span class="p">.</span><span class="nf">toCloudWatchLogs</span><span class="p">(</span> <span class="k">new</span> <span class="nx">logs</span><span class="p">.</span><span class="nc">LogGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FlowLogGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">retention</span><span class="p">:</span> <span class="nx">logs</span><span class="p">.</span><span class="nx">RetentionDays</span><span class="p">.</span><span class="nx">ONE_WEEK</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">})</span> <span class="p">),</span> <span class="na">trafficType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">FlowLogTrafficType</span><span class="p">.</span><span class="nx">REJECT</span><span class="p">,</span> <span class="c1">// Rejected only</span> <span class="p">});</span> </code></pre> </div> <h3> Flow Logs Comparison </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Destination</th> <th>Pros</th> <th>Cons</th> <th>Use Cases</th> </tr> </thead> <tbody> <tr> <td>S3</td> <td>- Ideal for long-term storage<br>- Queryable with Athena<br>- Cost effective</td> <td>- No real-time analysis</td> <td>Auditing, compliance, long-term analysis</td> </tr> <tr> <td>CloudWatch Logs</td> <td>- Real-time monitoring<br>- Metric filters<br>- Alerting</td> <td>- Higher storage costs</td> <td>Security monitoring, immediate threat detection</td> </tr> </tbody> </table></div> <h3> Flow Log Format </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status 2 123456789012 eni-1234abcd 10.0.1.5 203.0.113.5 49152 80 6 10 5000 1670000000 1670000060 ACCEPT OK </code></pre> </div> <p>Key fields (<a href="https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html#flow-logs-fields" rel="noopener noreferrer">documentation</a>):</p> <ul> <li> <code>srcaddr/dstaddr</code>: Source/destination IP addresses</li> <li> <code>srcport/dstport</code>: Source/destination ports</li> <li> <code>protocol</code>: IP protocol number (6=TCP, 17=UDP)</li> <li> <code>action</code>: ACCEPT or REJECT</li> </ul> <h2> VPC Endpoints Implementation </h2> <p>VPC Endpoints enable private connections between your VPC and AWS services.</p> <h3> Gateway Endpoints (S3, DynamoDB) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">endpointSubnets</span> <span class="o">=</span> <span class="nx">customVpc</span><span class="p">.</span><span class="nf">selectSubnets</span><span class="p">({</span> <span class="na">subnetGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Internal</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// S3 Gateway Endpoint</span> <span class="nx">customVpc</span><span class="p">.</span><span class="nf">addGatewayEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">S3Endpoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">GatewayVpcEndpointAwsService</span><span class="p">.</span><span class="nx">S3</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[{</span> <span class="na">subnets</span><span class="p">:</span> <span class="nx">endpointSubnets</span><span class="p">.</span><span class="nx">subnets</span> <span class="p">}],</span> <span class="p">});</span> <span class="c1">// DynamoDB Gateway Endpoint</span> <span class="nx">customVpc</span><span class="p">.</span><span class="nf">addGatewayEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">DynamoDBEndpoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">GatewayVpcEndpointAwsService</span><span class="p">.</span><span class="nx">DYNAMODB</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[{</span> <span class="na">subnets</span><span class="p">:</span> <span class="nx">endpointSubnets</span><span class="p">.</span><span class="nx">subnets</span> <span class="p">}],</span> <span class="p">});</span> </code></pre> </div> <h3> Interface Endpoints (Systems Manager) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// SSM Interface Endpoint</span> <span class="nx">customVpc</span><span class="p">.</span><span class="nf">addInterfaceEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">SSMEndpoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InterfaceVpcEndpointAwsService</span><span class="p">.</span><span class="nx">SSM</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnets</span><span class="p">:</span> <span class="nx">endpointSubnets</span><span class="p">.</span><span class="nx">subnets</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// SSM Messages Interface Endpoint</span> <span class="nx">customVpc</span><span class="p">.</span><span class="nf">addInterfaceEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">SSMMessagesEndpoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InterfaceVpcEndpointAwsService</span><span class="p">.</span><span class="nx">SSM_MESSAGES</span><span class="p">,</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnets</span><span class="p">:</span> <span class="nx">endpointSubnets</span><span class="p">.</span><span class="nx">subnets</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Comparison: Gateway vs Interface Endpoints </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Gateway Endpoint</th> <th>Interface Endpoint</th> </tr> </thead> <tbody> <tr> <td>Supported Services</td> <td>S3, DynamoDB</td> <td>Most AWS services</td> </tr> <tr> <td>Pricing</td> <td>Free</td> <td>Hourly + data transfer</td> </tr> <tr> <td>Implementation</td> <td>Route table entry</td> <td>ENI in subnet</td> </tr> <tr> <td>DNS</td> <td>Service endpoint</td> <td>Private DNS</td> </tr> <tr> <td>High Availability</td> <td>Managed by AWS</td> <td>Per AZ</td> </tr> </tbody> </table></div> <h3> Why Use VPC Endpoints? </h3> <ol> <li>Security: Traffic doesn't traverse the internet</li> <li>Performance: Lower latency</li> <li>Cost savings: Reduce NAT Gateway data transfer charges</li> <li>Compliance: Keep data within AWS network</li> </ol> <h2> EC2 Instance Connect Endpoint </h2> <p><a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-with-ec2-instance-connect-endpoint.html" rel="noopener noreferrer">EC2 Instance Connect Endpoint</a> allows SSH connections to EC2 instances in private subnets without public IPs or Bastion hosts.</p> <p>Please note that the Instance Connect Endpoint has the following restrictions. For details, please refer to the documentation <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-quotas.html" rel="noopener noreferrer">here</a>.</p> <ul> <li>Maximum number of EC2 Instance Connect Endpoints per AWS account per AWS Region: 5</li> <li>Maximum number of EC2 Instance Connect Endpoints per VPC: 1</li> <li>Maximum number of EC2 Instance Connect Endpoints per subnet: 1</li> <li>Maximum number of concurrent connections per EC2 Instance Connect Endpoint: 20 </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Security group for Instance Connect</span> <span class="kd">const</span> <span class="nx">ec2InstanceConnectsg</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EC2InstanceConnectSG</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Security group for EC2 Instance Connect Endpoint</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// Deny default outbound</span> <span class="p">});</span> <span class="c1">// Select first subnet in InternalSubnet</span> <span class="kd">const</span> <span class="nx">iceSubnet</span> <span class="o">=</span> <span class="nx">endpointSubnets</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="c1">// Create Instance Connect Endpoint</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnInstanceConnectEndpoint</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EC2InstanceConnectEndpoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">subnetId</span><span class="p">:</span> <span class="nx">iceSubnet</span><span class="p">.</span><span class="nx">subnetId</span><span class="p">,</span> <span class="na">preserveClientIp</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">securityGroupIds</span><span class="p">:</span> <span class="p">[</span><span class="nx">ec2InstanceConnectsg</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">],</span> <span class="p">});</span> <span class="c1">// Security group for EC2 instances</span> <span class="kd">const</span> <span class="nx">ec2sg</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EC2SG</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Security group for EC2 instances</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> Avoiding Circular Dependencies with Security Groups </h3> <p>⚠️ Important: Using <code>addIngressRule</code> or <code>addEgressRule</code> creates circular dependencies between two security groups. While <code>cdk synth</code> succeeds, <code>cdk deploy</code> will fail.</p> <p>Wrong approach (causes circular dependency):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ This will cause an error</span> <span class="nx">ec2sg</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">ec2InstanceConnectsg</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow SSH from Instance Connect</span><span class="dl">'</span> <span class="p">);</span> <span class="nx">ec2InstanceConnectsg</span><span class="p">.</span><span class="nf">addEgressRule</span><span class="p">(</span> <span class="nx">ec2sg</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow SSH to EC2 instances</span><span class="dl">'</span> <span class="p">);</span> <span class="c1">// ❌ Dev-DrillexercisesVpcBasics failed: ValidationError: </span> <span class="nx">Circular</span> <span class="nx">dependency</span> <span class="nx">between</span> <span class="nx">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">EC2InstanceConnectSG697BC6D2</span><span class="p">,</span> <span class="nx">EC2InstanceConnectEndpoint</span><span class="p">,</span> <span class="nx">EC2SG244E8056</span><span class="p">]</span> </code></pre> </div> <p>Correct approach (using CloudFormation resources directly):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ Use CfnSecurityGroupIngress/Egress</span> <span class="c1">// Ingress: Instance Connect SG -&gt; EC2 SG</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnSecurityGroupIngress</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AllowSSHFromInstanceConnect</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ipProtocol</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tcp</span><span class="dl">'</span><span class="p">,</span> <span class="na">fromPort</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="na">toPort</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="na">groupId</span><span class="p">:</span> <span class="nx">ec2sg</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">,</span> <span class="na">sourceSecurityGroupId</span><span class="p">:</span> <span class="nx">ec2InstanceConnectsg</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Allow SSH from Instance Connect SG</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Egress: Instance Connect SG -&gt; EC2 SG</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnSecurityGroupEgress</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AllowSSHToEC2SG</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">ipProtocol</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tcp</span><span class="dl">'</span><span class="p">,</span> <span class="na">fromPort</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="na">toPort</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="na">groupId</span><span class="p">:</span> <span class="nx">ec2InstanceConnectsg</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">,</span> <span class="na">destinationSecurityGroupId</span><span class="p">:</span> <span class="nx">ec2sg</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Allow SSH to EC2 SG</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> Using Instance Connect Endpoint </h3> <p>To connect to an EC2 instance via Instance Connect Endpoint using AWS CLI, use the following command. Refer to the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html#connect-linux-inst-eic-cli-ssh" rel="noopener noreferrer">documentation</a> for details.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH connection via Instance Connect Endpoint</span> aws ec2-instance-connect ssh <span class="se">\</span> <span class="nt">--instance-id</span> i-1234567890abcdef0 <span class="se">\</span> <span class="nt">--connection-type</span> eice </code></pre> </div> <h3> Why Use Instance Connect Endpoint? </h3> <p>Comparison with traditional methods:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Public IP</th> <th>Bastion Host</th> <th>SSH Key Management</th> <th>Additional Cost</th> </tr> </thead> <tbody> <tr> <td>EC2 with Public IP</td> <td>Required</td> <td>✅Not needed</td> <td>Required</td> <td>✅None</td> </tr> <tr> <td>Bastion Host</td> <td>Required for Bastion</td> <td>Required</td> <td>Required</td> <td>EC2 charges</td> </tr> <tr> <td>Instance Connect Endpoint</td> <td>✅Not needed</td> <td>✅Not needed</td> <td>✅Not needed</td> <td>Yes</td> </tr> </tbody> </table></div> <p>Benefits:</p> <ul> <li>No internet exposure</li> <li>No SSH key management (IAM authentication)</li> <li>No Bastion host needed (cost reduction)</li> <li>All connections logged in CloudTrail</li> </ul> <h2> CloudFormation Output Example </h2> <p>Key parts of the CloudFormation template generated after deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Resources"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CustomVPC616E3387"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::EC2::VPC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CidrBlock"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.1.0.0/16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"EnableDnsHostnames"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"EnableDnsSupport"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"Tags"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Name"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Myproject/Dev/CustomVPC"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"CustomVPCS3Endpoint"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::EC2::VPCEndpoint"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ServiceName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"com.amazonaws.ap-northeast-1.s3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"VpcEndpointType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Gateway"</span><span class="p">,</span><span class="w"> </span><span class="nl">"RouteTableIds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"CustomVPCSSMEndpoint"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::EC2::VPCEndpoint"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ServiceName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"com.amazonaws.ap-northeast-1.ssm"</span><span class="p">,</span><span class="w"> </span><span class="nl">"VpcEndpointType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Interface"</span><span class="p">,</span><span class="w"> </span><span class="nl">"PrivateDnsEnabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"SecurityGroupIds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"SubnetIds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Deployment and Validation </h2> <h3> Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check differences</span> cdk diff <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Deploy</span> cdk deploy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h3> Validation </h3> <ol> <li>Verify VPC </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># List VPCs</span> aws ec2 describe-vpcs <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=tag:Name,Values=*Myproject/Dev/CustomVPC*"</span> <span class="c"># Check subnets</span> aws ec2 describe-subnets <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=vpc-id,Values=&lt;vpc-id&gt;"</span> </code></pre> </div> <ol> <li>Verify VPC Endpoints </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># List VPC Endpoints</span> aws ec2 describe-vpc-endpoints <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=vpc-id,Values=&lt;vpc-id&gt;"</span> </code></pre> </div> <ol> <li>Verify Flow Logs </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Check logs in S3 bucket</span> aws s3 <span class="nb">ls </span>s3://&lt;bucket-name&gt;/vpcFlowLog/ <span class="nt">--recursive</span> <span class="c"># Check CloudWatch Logs</span> aws logs describe-log-streams <span class="se">\</span> <span class="nt">--log-group-name</span> &lt;log-group-name&gt; </code></pre> </div> <ol> <li>Verify Security Groups </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># List security groups</span> aws ec2 describe-security-groups <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=vpc-id,Values=&lt;vpc-id&gt;"</span> </code></pre> </div> <h3> Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete stacks</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Force delete without confirmation</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--force</span> <span class="nt">--project</span><span class="o">=</span>myproject <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <p>💡 Note</p> <ul> <li>This example sets <code>autoDeleteObjects: true</code> for development environments, so S3 buckets are automatically deleted when the stack is deleted</li> <li>For production, consider using <code>removalPolicy: cdk.RemovalPolicy.RETAIN</code> to protect data</li> </ul> <h2> Best Practices </h2> <h3> Network Design </h3> <ol> <li>CIDR Planning: Design CIDR blocks considering future expansion</li> <li>Multiple AZs: Use at least 2 AZs for high availability <ul> <li>Specify maximum with <code>maxAzs</code>, but actual number depends on the region</li> <li>Tokyo region (ap-northeast-1) has a maximum of 3 AZs available</li> </ul> </li> <li>Subnet Isolation: Use different subnets for different tiers (Web, App, DB)</li> <li>Reserved IPs: Account for the 5 IPs AWS reserves in each subnet</li> </ol> <h3> Security </h3> <ol> <li>Least Privilege: Open only necessary ports in security groups</li> <li>Flow Logs: Enable flow logs for all VPCs</li> <li>VPC Endpoints: Use to avoid going through the internet</li> <li>Private Subnets: Place databases in completely isolated subnets</li> <li>NACLs: Provide additional layers with Network ACLs when needed</li> </ol> <h3> Cost Optimization </h3> <ol> <li>NAT Gateway Count: One NAT Gateway is sufficient for development</li> <li>VPC Endpoints: Choose based on usage frequency <ul> <li>High frequency: Interface Endpoint (worth the hourly rate)</li> <li>Low frequency: Via NAT Gateway (pay-as-you-go)</li> </ul> </li> <li>Flow Logs: Use S3 for reduced long-term storage costs</li> <li>Resource Tags: Tag all resources for cost tracking</li> </ol> <h3> Operations </h3> <ol> <li>Naming Conventions: Use consistent naming patterns </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Example: {project}-{environment}-{resource}-{account}-{region} </code></pre> </div> <ol> <li>Tagging Strategy: Use Environment, Project, Owner, CostCenter tags</li> <li>Monitoring: Monitor VPC metrics in CloudWatch</li> <li>Documentation: Document network diagrams and CIDR allocations</li> </ol> <h3> Testing </h3> <ol> <li>Snapshot Tests: Clarify change differences</li> <li>Unit Tests: Validate resource existence and configuration</li> <li>Compliance Tests: Check security best practices with CDK Nag</li> </ol> <h2> Cost Estimation </h2> <h3> Example Pricing for Key Components (Tokyo Region) </h3> <p>For CDK Default VPC:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Quantity</th> <th>Estimated Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>VPC</td> <td>1</td> <td>$0 (Free)</td> </tr> <tr> <td>NAT Gateway</td> <td>3</td> <td>$133.92 ($0.062/hour × 24 × 30 × 3)</td> </tr> <tr> <td>NAT Gateway Data Processing</td> <td>100GB</td> <td>$18.6 ($0.062/GB × 3)</td> </tr> <tr> <td>VPC Gateway Endpoint</td> <td>-</td> <td>$0</td> </tr> <tr> <td>VPC Interface Endpoint</td> <td>-</td> <td>$0</td> </tr> <tr> <td>Endpoint Data Processing</td> <td>-</td> <td>$0</td> </tr> <tr> <td>Total</td> <td>-</td> <td>~$152.52/month</td> </tr> </tbody> </table></div> <p>For Custom VPC:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Quantity</th> <th>Estimated Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>VPC</td> <td>1</td> <td>$0 (Free)</td> </tr> <tr> <td>NAT Gateway</td> <td>1</td> <td>$39.42 ($0.062/hour × 24 × 30)</td> </tr> <tr> <td>NAT Gateway Data Processing</td> <td>100GB</td> <td>$6.20 ($0.062/GB)</td> </tr> <tr> <td>VPC Gateway Endpoint</td> <td>2</td> <td>$0</td> </tr> <tr> <td>VPC Interface Endpoint</td> <td>2</td> <td>$15.12 ($0.012/hour × 2 × 24 × 30)</td> </tr> <tr> <td>Endpoint Data Processing</td> <td>10GB</td> <td>$0.12 ($0.012/GB)</td> </tr> <tr> <td>S3 Storage (Flow Logs)</td> <td>50GB</td> <td>$1.15 ($0.023/GB)</td> </tr> <tr> <td>CloudWatch Logs (7-day retention)</td> <td>5GB</td> <td>$0.35 ($0.033/GB)</td> </tr> <tr> <td>Total</td> <td>-</td> <td>~$62.36/month</td> </tr> </tbody> </table></div> <p>💡 Cost Reduction Tips</p> <ul> <li>Development: One NAT Gateway is sufficient (multiple recommended for production) or use NAT instances with EC2</li> <li>Flow Logs: Can be temporarily disabled in development</li> <li>VPC Endpoints: Choose based on usage frequency</li> </ul> <h2> Summary </h2> <p>In this exercise, we learned VPC fundamentals through AWS CDK.</p> <h3> What We Learned </h3> <ol> <li>VPC Basics: Differences between CDK default and custom VPC</li> <li>Subnet Design: CIDR calculations and 3-tier subnet configuration</li> <li>Traffic Management: NAT Gateway, Internet Gateway, routing</li> <li>Visibility: Network monitoring with VPC Flow Logs</li> <li>VPC Endpoints: When to use Gateway vs Interface Endpoints</li> <li>Secure Access: Implementing Instance Connect Endpoint</li> <li>Security Groups: Cross-referencing and avoiding circular dependencies</li> <li>Best Practices: Security, cost, and operations perspectives</li> </ol> <h3> Key Takeaways </h3> <ul> <li>Network Design: Proper CIDR planning is crucial for future expansion</li> <li>Security Layers: Network-level isolation and control</li> <li>Visibility: Flow log monitoring is essential</li> <li>Cost Optimization: Choose NAT Gateway count and VPC Endpoints wisely</li> <li>High Availability: Multi-AZ and failover design</li> </ul> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/vpc/" rel="noopener noreferrer">Amazon VPC Official Documentation</a></li> <li><a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html" rel="noopener noreferrer">VPC Best Practices</a></li> <li><a href="https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html" rel="noopener noreferrer">VPC Flow Logs</a></li> <li><a href="https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html" rel="noopener noreferrer">VPC Endpoints</a></li> <li><a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-with-ec2-instance-connect-endpoint.html" rel="noopener noreferrer">EC2 Instance Connect Endpoint</a></li> </ul> <p>Let's continue learning practical AWS CDK patterns through the 100 drill exercises!<br> If you found this helpful, please ⭐ the repository!</p> <p>📌 You can see the entire code in <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">My GitHub Repository</a>.</p> aws cdk 100drillexercises vpc AWS CDK 100 Drill Exercises #002: IAM Basics —— Users, Roles, and Secure Password Management TOMOAKI ishihara Tue, 09 Dec 2025 16:00:39 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-002-iam-basics-users-roles-and-secure-password-management-1npa https://dev.to/aws-builders/aws-cdk-100-drill-exercises-002-iam-basics-users-roles-and-secure-password-management-1npa <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz27r3b4j3ikksvzdfre9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz27r3b4j3ikksvzdfre9.png" alt="Level 100" width="70" height="20"></a></p> <h2> Introduction </h2> <p>This is the second exercise in the "AWS CDK 100 Drill Exercises" series.</p> <p>For more about AWS CDK 100 Drill Exercises, see <a href="https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949">this introduction article</a>.</p> <p>After learning S3 fundamentals in the <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-001-s3-bucket-fundamentals-from-default-settings-to-practical-1hmd">first exercise</a>, we now dive into AWS Identity and Access Management (IAM). IAM is the foundation of AWS security, controlling who can access your resources and what they can do with them.</p> <h3> Why IAM After S3? </h3> <ol> <li>Security Foundation: IAM is essential for securing all AWS resources</li> <li>Real-World Necessity: Every AWS deployment requires proper access management</li> <li>CDK Integration: Understanding how CDK generates IAM policies and roles</li> <li>Best Practices: Learning secure patterns from the start prevents future vulnerabilities</li> </ol> <h3> What You'll Learn </h3> <ul> <li>How CDK creates IAM users, groups, and roles</li> <li>Secure password management with AWS Secrets Manager</li> <li>The difference between managed policies and inline policies</li> <li>Switch role implementation with MFA requirements</li> <li>CloudFormation's dynamic secret resolution</li> <li>IAM security best practices</li> </ul> <p>📁 Code Repository: All code examples for this exercise are available on <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/tree/main/infrastructure/cdk-workspaces/workspaces/iam-basics" rel="noopener noreferrer">GitHub</a>.</p> <h2> Architecture Overview </h2> <p>Here's what we'll build in this exercise:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ribo9w353xvl8nqekea.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ribo9w353xvl8nqekea.png" alt="Architecture Overview" width="800" height="547"></a></p> <p>We'll implement five different patterns across four constructs:</p> <h3> Construct 1: Basic User (CDKDefaultUser) </h3> <ul> <li>Pattern 1: Minimal IAM user configuration</li> </ul> <h3> Construct 2: Password Management User (IAMUserWithPassword) </h3> <ul> <li>Pattern 2A: Hardcoded password (⚠️ Not recommended)</li> <li>Pattern 2B: Secure password management with Secrets Manager (✅ Recommended)</li> <li>Pattern 3A: AWS managed policy attachment</li> <li>Pattern 3B: Inline policy attachment</li> </ul> <h3> Construct 3: Group Management User (IamUserGroup) </h3> <ul> <li>Pattern 4: Group-based permission management</li> </ul> <h3> Construct 4: Switch Role User (SwitchRoleUser) </h3> <ul> <li>Pattern 5: MFA-required role assumption</li> </ul> <h2> Prerequisites </h2> <p>To follow along, you'll need:</p> <ul> <li>AWS CLI v2 installed and configured</li> <li>Node.js 20+</li> <li>AWS CDK CLI (<code>npm install -g aws-cdk</code>)</li> <li>Basic TypeScript knowledge</li> <li>AWS Account (Free Tier works for this exercise)</li> <li>Understanding of IAM concepts (users, roles, policies)</li> </ul> <h2> Project Directory Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>iam-basics/ ├── bin/ │ └── iam-basics.ts # Application entry point ├── lib/ │ ├── stacks/ │ │ └── iam-basics-stack.ts # Main stack definition │ └── constructs/ │ ├── iam-user-with-password.ts # Patterns 2-3 │ ├── iam-user-with-group.ts # Pattern 4 │ └── iam-user-with-switch-role.ts # Pattern 5 ├── test/ │ ├── compliance/ │ │ └── cdk-nag.test.ts # Testing (explained in later exercises) │ ├── snapshot/ │ │ └── snapshot.test.ts # Testing (explained in later exercises) │ └── unit/ │ └── iam-basics.test.ts # Testing (explained in later exercises) ├── cdk.json ├── package.json └── tsconfig.json </code></pre> </div> <h2> Pattern 1: Understanding CDK Default User </h2> <p>Let's start with the simplest IAM user creation. This is all you need to create an IAM user.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">IamBasicsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Minimal IAM user configuration</span> <span class="kd">const</span> <span class="nx">cdkDefaultUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">User</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CDKDefaultUser</span><span class="dl">'</span><span class="p">,</span> <span class="p">{});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Resources"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CDKDefaultUserF7AAA71A"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:cdk:path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dev/DrillexercisesIamBasics/CDKDefaultUser/Resource"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Default Configuration Details </h3> <p>Let's examine what CDK automatically configures:</p> <ul> <li>User Name: Auto-generated by AWS</li> <li>No Password: Console access disabled by default</li> <li>No Policies: Zero permissions (principle of least privilege)</li> <li>No Access Keys: Programmatic access disabled</li> </ul> <p>Until you explicitly grant permissions, this user cannot access anything.</p> <h2> Pattern 2A: User with Hardcoded Password (⚠️ Not Recommended) </h2> <p>⚠️ This pattern demonstrates what happens when you use it in production environments.<br> Note that <code>"PasswordResetRequired": true</code> is set, but the user cannot change the password because they lack permissions.<br> To allow password changes, you need the <code>IAMUserChangePassword</code> policy shown in [Pattern 2B].<br> Alternatively, you can configure your AWS account to allow all IAM users to change their own passwords. (<a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_enable-user-change.html#proc_letalluserschangepassword" rel="noopener noreferrer">See AWS Documentation</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">userWithPassword</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">User</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PasswordUser</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">SecretValue</span><span class="p">.</span><span class="nf">unsafePlainText</span><span class="p">(</span><span class="dl">'</span><span class="s1">InitialPassword123!</span><span class="dl">'</span><span class="p">),</span> <span class="na">passwordResetRequired</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserWithPasswordPasswordUserA5E8EDB8"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"LoginProfile"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"InitialPassword123!"</span><span class="p">,</span><span class="w"> </span><span class="nl">"PasswordResetRequired"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Why This Is Dangerous </h3> <ol> <li>Password in source code: Visible in version control. Even if passed via environment variables, it will be exposed for the following reasons.</li> <li>CloudFormation template: Password exposed in console and logs</li> <li>No encryption: Stored in plain text</li> <li>Audit trail: Difficult to track password changes</li> </ol> <p>Never use this pattern in production.</p> <h2> Pattern 2B: User with Secrets Manager (✅ Recommended) </h2> <p>This is the secure way to manage IAM user passwords.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">secretsmanager</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-secretsmanager</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userName</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">SecretsPasswordUser</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Create the secret with auto-generated password</span> <span class="kd">const</span> <span class="nx">userSecret</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">secretsmanager</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">UserSecret</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">generateSecretString</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretStringTemplate</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">userName</span> <span class="p">}),</span> <span class="na">generateStringKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="na">excludePunctuation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">passwordLength</span><span class="p">:</span> <span class="mi">16</span><span class="p">,</span> <span class="na">requireEachIncludedType</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Create user with password from Secrets Manager</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">User</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SecretsPasswordUser</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userName</span><span class="p">:</span> <span class="nx">userName</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">userSecret</span><span class="p">.</span><span class="nf">secretValueFromJson</span><span class="p">(</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">),</span> <span class="na">passwordResetRequired</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// change password policy</span> <span class="nx">userWithSecretsManager</span><span class="p">.</span><span class="nf">addManagedPolicy</span><span class="p">(</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">IAMUserChangePassword</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="c1">// Grant the user permission to read their own password</span> <span class="nx">userSecret</span><span class="p">.</span><span class="nf">grantRead</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="c1">// Output the secret ARN for retrieval</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SecretArn</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">userSecret</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Retrieve password: aws secretsmanager get-secret-value --secret-id &lt;this-arn&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserWithPasswordSecretsPasswordUserSecret32219BC7"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::SecretsManager::Secret"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"GenerateSecretString"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ExcludePunctuation"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"GenerateStringKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"password"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SecretStringTemplate"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\"</span><span class="s2">username</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">SecretsPasswordUser</span><span class="se">\"</span><span class="s2">}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"UserWithPasswordSecretsPasswordUserCFEF7855"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"LoginProfile"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Password"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Fn::Join"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"{{resolve:secretsmanager:"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UserWithPasswordSecretsPasswordUserSecret32219BC7"</span><span class="p">},</span><span class="w"> </span><span class="s2">":SecretString:password::}}"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"PasswordResetRequired"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ManagedPolicyArns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Fn::Join"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::Partition"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="s2">":iam::aws:policy/IAMUserChangePassword"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"UserName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SecretsPasswordUser"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"UserWithPasswordSecretsPasswordUserDefaultPolicy6A5FC9BF"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::Policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"PolicyDocument"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"secretsmanager:DescribeSecret"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager:GetSecretValue"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UserWithPasswordSecretsPasswordUserSecret32219BC7"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Users"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UserWithPasswordSecretsPasswordUserCFEF7855"</span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Key Features of This Pattern </h3> <h4> 1. CloudFormation Dynamic Reference </h4> <p>The most important part is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Password"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Fn::Join"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"{{resolve:secretsmanager:"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SecretId"</span><span class="p">},</span><span class="w"> </span><span class="s2">":SecretString:password::}}"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>CloudFormation uses <code>{{resolve:secretsmanager:...}}</code> to dynamically retrieve the password during stack deployment. The actual password never appears in the CloudFormation template.</p> <h4> 2. Auto-Generated Secure Password </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">generateSecretString</span><span class="p">:</span> <span class="p">{</span> <span class="nl">secretStringTemplate</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">userName</span> <span class="p">}),</span> <span class="nx">generateStringKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="nx">excludePunctuation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Avoid special characters that might cause issues</span> <span class="nx">passwordLength</span><span class="p">:</span> <span class="mi">16</span><span class="p">,</span> <span class="c1">// Strong password length</span> <span class="nx">requireEachIncludedType</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Include uppercase, lowercase, numbers</span> <span class="p">}</span> </code></pre> </div> <h4> 3. Principle of Least Privilege </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">userSecret</span><span class="p">.</span><span class="nf">grantRead</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> </code></pre> </div> <p>This grants only this specific user permission to read their own password secret. The generated policy includes:</p> <ul> <li><code>secretsmanager:DescribeSecret</code></li> <li><code>secretsmanager:GetSecretValue</code></li> </ul> <h3> Retrieving the Password </h3> <p>After deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get the secret ARN from stack outputs</span> <span class="nv">SECRET_ARN</span><span class="o">=</span><span class="si">$(</span>aws cloudformation describe-stacks <span class="se">\</span> <span class="nt">--stack-name</span> YourStackName <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Stacks[0].Outputs[?OutputKey==`SecretArn`].OutputValue'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="c"># Retrieve the password</span> aws secretsmanager get-secret-value <span class="nt">--secret-id</span> <span class="nv">$SECRET_ARN</span> <span class="se">\</span> <span class="nt">--query</span> SecretString <span class="nt">--output</span> text | jq <span class="nt">-r</span> <span class="s1">'.password'</span> </code></pre> </div> <h2> Pattern 3: Managed Policies vs Inline Policies </h2> <p>This pattern is implemented within the <code>IAMUserWithPassword</code> construct.<br> Two types of policies apply to users whose passwords are generated by Secrets Manager.</p> <h3> AWS Managed Policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">userWithPassword</span><span class="p">.</span><span class="nf">addManagedPolicy</span><span class="p">(</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">ReadOnlyAccess</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ManagedPolicyArns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Fn::Join"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::Partition"</span><span class="p">},</span><span class="w"> </span><span class="s2">":iam::aws:policy/ReadOnlyAccess"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Characteristics:</p> <ul> <li>Maintained by AWS</li> <li>Automatically updated with new services</li> <li>Can be attached to multiple users/roles/groups</li> <li>Reference by ARN</li> </ul> <h3> Inline Policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">userWithPassword</span><span class="p">.</span><span class="nf">addToPolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">s3:ListAllMyBuckets</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">arn:aws:s3:::*</span><span class="dl">'</span><span class="p">],</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserDefaultPolicy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::Policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"PolicyDocument"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:ListAllMyBuckets"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Users"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User"</span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Characteristics:</p> <ul> <li>Custom permissions</li> <li>Tightly coupled to the user/role</li> <li>Deleted when the user/role is deleted</li> <li>Defined directly in the template</li> </ul> <h3> When to Use Each </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Use Case</th> <th>Managed Policy</th> <th>Inline Policy</th> </tr> </thead> <tbody> <tr> <td>Common AWS permissions</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>Custom application-specific permissions</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Shared across multiple entities</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>One-time, specific permissions</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Frequently changing permissions</td> <td>❌</td> <td>✅</td> </tr> </tbody> </table></div> <h2> Pattern 4: Group-Based Permission Management </h2> <p>Groups allow you to grant consistent permissions to multiple users.<br> This pattern is implemented in <code>iam-user-with-group.ts</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Create a group</span> <span class="kd">const</span> <span class="nx">group</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Group</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">IamGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{});</span> <span class="c1">// Attach policy to group</span> <span class="nx">group</span><span class="p">.</span><span class="nf">addManagedPolicy</span><span class="p">(</span><span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">ReadOnlyAccess</span><span class="dl">'</span><span class="p">));</span> <span class="c1">// Add user to group</span> <span class="nx">user</span><span class="p">.</span><span class="nf">addToGroup</span><span class="p">(</span><span class="nx">group</span><span class="p">);</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserGroupIamGroupAB148728"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::Group"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ManagedPolicyArns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Fn::Join"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::Partition"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="s2">":iam::aws:policy/ReadOnlyAccess"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"UserGroupUser5985318E"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Groups"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UserGroupIamGroupAB148728"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Benefits of Group-Based Management </h3> <ol> <li>Centralized Management: Update permissions for all users at once</li> <li>Consistency: Ensure all users in a role have identical permissions</li> <li>Scalability: Easy to onboard new team members</li> <li>Auditability: Clear permission structure</li> </ol> <h2> Pattern 5: Switch Role with MFA (Advanced) </h2> <p>💡 Note: Advanced Pattern for Level 100</p> <p>This pattern is implemented in <code>iam-user-with-switch-role.ts</code>.<br> This switch role pattern is slightly advanced for Level 100, but we include it here because:</p> <ul> <li>It's a fundamental IAM best practice</li> <li>You'll encounter it frequently in real-world AWS environments</li> <li>CDK makes implementation straightforward</li> </ul> <p>This pattern implements a security best practice: requiring MFA for elevated permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">accountId</span> <span class="o">=</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">account</span><span class="p">;</span> <span class="c1">// Create IAM user</span> <span class="kd">const</span> <span class="nx">switchRoleUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">User</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SwitchRoleUser</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SwitchRoleUser</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">userSecret</span><span class="p">.</span><span class="nf">secretValueFromJson</span><span class="p">(</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">),</span> <span class="na">passwordResetRequired</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Create role with MFA requirement</span> <span class="kd">const</span> <span class="nx">readOnlyRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ReadOnlyRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PrincipalWithConditions</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">AccountPrincipal</span><span class="p">(</span><span class="nx">accountId</span><span class="p">),</span> <span class="p">{</span> <span class="na">Bool</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:MultiFactorAuthPresent</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span> <span class="p">},</span> <span class="p">}</span> <span class="p">),</span> <span class="na">maxSessionDuration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">hours</span><span class="p">(</span><span class="mi">4</span><span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">ReadOnlyAccess</span><span class="dl">'</span><span class="p">),</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// Create policy to allow assuming the role</span> <span class="kd">const</span> <span class="nx">assumeRolePolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Policy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AssumeRolePolicy</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sts:AssumeRole</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">readOnlyRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// Create group and attach policy</span> <span class="kd">const</span> <span class="nx">switchRoleGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Group</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SwitchRoleGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{});</span> <span class="nx">assumeRolePolicy</span><span class="p">.</span><span class="nf">attachToGroup</span><span class="p">(</span><span class="nx">switchRoleGroup</span><span class="p">);</span> <span class="c1">// Add user to group</span> <span class="nx">switchRoleUser</span><span class="p">.</span><span class="nf">addToGroup</span><span class="p">(</span><span class="nx">switchRoleGroup</span><span class="p">);</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"SwitchRoleUserReadOnlyRole660C7C3B"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::Role"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AssumeRolePolicyDocument"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:MultiFactorAuthPresent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:root"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ManagedPolicyArns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Fn::Join"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::Partition"</span><span class="p">},</span><span class="w"> </span><span class="s2">":iam::aws:policy/ReadOnlyAccess"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"MaxSessionDuration"</span><span class="p">:</span><span class="w"> </span><span class="mi">14400</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Understanding the MFA Requirement </h3> <p>The key part is the condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:MultiFactorAuthPresent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This means:</p> <ul> <li>Users <strong>must</strong> authenticate with MFA before assuming the role</li> <li>Without MFA, the <code>AssumeRole</code> API call will fail</li> <li>Even if the user has the <code>sts:AssumeRole</code> permission</li> </ul> <h3> How to Use Switch Role </h3> <ol> <li>Enable MFA for the user: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws iam create-virtual-mfa-device <span class="se">\</span> <span class="nt">--virtual-mfa-device-name</span> SwitchRoleUser-MFA <span class="se">\</span> <span class="nt">--outfile</span> QRCode.png <span class="se">\</span> <span class="nt">--bootstrap-method</span> QRCodePNG aws iam enable-mfa-device <span class="se">\</span> <span class="nt">--user-name</span> SwitchRoleUser <span class="se">\</span> <span class="nt">--serial-number</span> arn:aws:iam::123456789012:mfa/SwitchRoleUser-MFA <span class="se">\</span> <span class="nt">--authentication-code1</span> 123456 <span class="se">\</span> <span class="nt">--authentication-code2</span> 789012 </code></pre> </div> <ol> <li>Assume the role: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws sts assume-role <span class="se">\</span> <span class="nt">--role-arn</span> arn:aws:iam::123456789012:role/ReadOnlyRole <span class="se">\</span> <span class="nt">--role-session-name</span> ReadOnlySession <span class="se">\</span> <span class="nt">--serial-number</span> arn:aws:iam::123456789012:mfa/SwitchRoleUser-MFA <span class="se">\</span> <span class="nt">--token-code</span> 123456 </code></pre> </div> <ol> <li>Use in AWS Console:</li> </ol> <ul> <li>Log in as SwitchRoleUser</li> <li>Click on account name → Switch Role</li> <li>Enter Account ID and Role Name</li> <li>You'll be prompted for MFA code</li> </ul> <h3> Benefits of Switch Role Pattern </h3> <ol> <li> <strong>Separation of Duties</strong>: Regular permissions vs elevated permissions</li> <li> <strong>Audit Trail</strong>: Clear logs of when elevated permissions were used</li> <li> <strong>Time-Limited</strong>: <code>maxSessionDuration</code> enforces automatic expiration</li> <li> <strong>MFA Protection</strong>: Extra security layer for sensitive operations</li> </ol> <h2> Deploy and Verify </h2> <h3> Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check differences</span> cdk diff <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Deploy</span> cdk deploy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h3> Verification </h3> <ol> <li>Check IAM Users: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># List all users</span> aws iam list-users <span class="c"># Get specific user details</span> aws iam get-user <span class="nt">--user-name</span> SecretsPasswordUser </code></pre> </div> <ol> <li>Check Attached Policies: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># List user policies</span> aws iam list-attached-user-policies <span class="nt">--user-name</span> PasswordUser <span class="c"># List inline policies</span> aws iam list-user-policies <span class="nt">--user-name</span> PasswordUser </code></pre> </div> <ol> <li>Verify Secrets Manager: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Get secret value</span> aws secretsmanager get-secret-value <span class="se">\</span> <span class="nt">--secret-id</span> &lt;secret-arn&gt; <span class="se">\</span> <span class="nt">--query</span> SecretString <span class="se">\</span> <span class="nt">--output</span> text </code></pre> </div> <ol> <li>Test Switch Role: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Assume role with MFA</span> aws sts assume-role <span class="se">\</span> <span class="nt">--role-arn</span> &lt;role-arn&gt; <span class="se">\</span> <span class="nt">--role-session-name</span> TestSession <span class="se">\</span> <span class="nt">--serial-number</span> &lt;mfa-device-arn&gt; <span class="se">\</span> <span class="nt">--token-code</span> &lt;mfa-code&gt; </code></pre> </div> <h3> Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete stack</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Force deletion without confirmation</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--force</span> <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <p><strong>Important</strong>: IAM users and roles are retained by default. If you want to delete them, you need to manually remove them or set appropriate deletion policies.</p> <h2> Best Practices </h2> <h3> Security </h3> <ol> <li>Never Hardcode Passwords: Always use Secrets Manager or Parameter Store</li> <li>Enable MFA: Especially for privileged accounts</li> <li>Use Switch Roles: Separate regular and elevated permissions</li> <li>Principle of Least Privilege: Grant only necessary permissions</li> <li>Regular Audits: Review IAM policies and access patterns</li> <li>Password Policies: Enforce strong password requirements</li> <li>Access Key Rotation: Rotate access keys regularly (or avoid them entirely)</li> </ol> <h3> Password Management </h3> <ol> <li>Use Secrets Manager: For all password storage</li> <li>Auto-Generate: Let AWS create strong passwords</li> <li>Require Reset: Force password change on first login</li> </ol> <h3> Policy Management </h3> <ol> <li>Prefer Managed Policies: For common permissions</li> <li>Use Inline Policies: For specific, one-off permissions</li> <li>Group-Based Management: Manage permissions by role, not individual users</li> </ol> <h3> Operations </h3> <ol> <li>CloudTrail Logging: Monitor all IAM activities</li> <li>Naming Conventions: Use clear, consistent names</li> <li>Separate Environments: Different IAM configurations for dev/test/prod</li> </ol> <h2> Summary </h2> <p>In this exercise, we learned IAM fundamentals through AWS CDK.</p> <h3> What We Learned </h3> <ol> <li>IAM Basics: Users, groups, roles, and policies</li> <li>Secure Passwords: Using Secrets Manager instead of hardcoded values</li> <li>CloudFormation Integration: Dynamic secret resolution with <code>{{resolve:secretsmanager:...}}</code> </li> <li>Policy Types: Managed vs inline policies and when to use each</li> <li>Switch Roles: Implementing role assumption with MFA requirements</li> <li>Best Practices: Least privilege, MFA, and group-based management</li> </ol> <h3> Key Takeaways </h3> <ul> <li>Security First: IAM is the foundation of AWS security</li> <li>Secrets Manager: Essential for password management</li> <li>MFA: Critical for elevated permissions</li> <li>Groups: Simplify permission management</li> <li>Audit: CloudTrail and regular reviews are essential</li> </ul> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/" rel="noopener noreferrer">AWS IAM Official Documentation</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" rel="noopener noreferrer">IAM Best Practices</a></li> <li><a href="https://docs.aws.amazon.com/secretsmanager/" rel="noopener noreferrer">AWS Secrets Manager</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html" rel="noopener noreferrer">IAM Policy Reference</a></li> </ul> <p>Let's continue learning practical AWS CDK patterns through the 100 drill exercises!<br> If you found this helpful, please ⭐ the repository!</p> <p>📌 You can see the entire code in <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">My GitHub Repository</a>.</p> aws cdk 100drillexercises iam AWS CDK 100 Drill Exercises: Index & Progress (#001-#010) TOMOAKI ishihara Sun, 07 Dec 2025 15:53:46 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-index-progress-001-010-27bk https://dev.to/aws-builders/aws-cdk-100-drill-exercises-index-progress-001-010-27bk <h1> AWS CDK 100 Drill Exercises: #001-#010 </h1> <h2> 📊 Progress Overview </h2> <p><strong>Exercises in this set: 10</strong> | <strong>Completed: 7 / 10</strong></p> <p>██████████████□□□□□□ 70%</p> <p><strong>Level Distribution:</strong></p> <ul> <li>Level 100: 2 exercises</li> <li>Level 200: 2 exercises</li> <li>Level 300: 2 exercises</li> <li>Level 400: 0 exercise</li> </ul> <ul> <li> <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-001-s3-bucket-fundamentals-from-default-settings-to-practical-1hmd">#001: S3 Bucket Fundamentals —— From Default Settings to Practical Customization</a> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmywwncptpf1v8351er0r.png" alt="Architecture Overview" width="800" height="480"> </li> <li> <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-002-iam-basics-users-roles-and-secure-password-management-1npa">#002: IAM Basics —— Users, Roles, and Secure Password Management</a> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ribo9w353xvl8nqekea.png" alt="Architecture Overview" width="800" height="547"> </li> <li> <a href="https://dev.to/issy929/aws-cdk-100-drill-exercises-003-vpc-basics-from-network-configuration-to-security-4a43">#003: VPC Basics —— From Network Configuration to Security</a> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1nxbfirgnrehraei5ejj.png" alt="Architecture Overview" width="800" height="560"> </li> <li> <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-004-nat-instance-v2-cost-effective-nat-with-automated-scheduling-49li">#004: NAT Instance V2 — Cost-Effective NAT with Automated Scheduling and Patch Management</a> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8i22f5s1jqctcj4qkzdb.png" alt="Architecture Overview" width="800" height="573"> </li> <li> <a href="https://dev.to/aws-builders/aws-cdk-100-drill-exercises-005-cdk-parameters-managing-parameters-with-typescript-vs-cdkjson-12b9">#005: CDK Parameters —— Managing Parameters with TypeScript vs cdk.json</a> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F746ecmphw6b83s4hofc1.png" alt="Architecture Overview" width="800" height="617"> </li> <li> <a href="https://dev.to/issy929/aws-cdk-100-drill-exercises-006-vpc-peering-cross-account-network-integration-and-dns-546">#006: VPC Peering - Cross-Account Network Integration and DNS Resolution Automation</a> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1777pu4fy705jt9i7f8i.png" alt="Architecture Overview" width="800" height="570"> </li> <li> <a href="https://dev.to/issy929/aws-cdk-100-drill-exercises-007-sqs-lambda-firehose-building-event-driven-data-pipelines-2ki8">#007: SQS-Lambda-Firehose —— Building Event-Driven Data Pipelines</a> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsv2k3j195xjxgj0s6t7.png" alt="Architecture Overview" width="800" height="572"> </li> <li>#008: </li> <li>#009: </li> <li>#010:</li> </ul> <h2> 📈 Next Steps </h2> <p>Continue your journey with [Index #011-#020] →</p> <p><strong>💬 Questions or suggestions? <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">Join the discussion on GitHub</a></strong></p> aws cdk devops 100drillexercises AWS CDK 100 Drill Exercises #001: S3 Bucket Fundamentals —— From Default Settings to Practical Customization TOMOAKI ishihara Sun, 07 Dec 2025 15:48:48 +0000 https://dev.to/aws-builders/aws-cdk-100-drill-exercises-001-s3-bucket-fundamentals-from-default-settings-to-practical-1hmd https://dev.to/aws-builders/aws-cdk-100-drill-exercises-001-s3-bucket-fundamentals-from-default-settings-to-practical-1hmd <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz27r3b4j3ikksvzdfre9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz27r3b4j3ikksvzdfre9.png" alt="Level 100" width="70" height="20"></a></p> <h2> Introduction </h2> <p>This is the first exercise in the "AWS CDK 100 Drill Exercises" series.</p> <p>For more about AWS CDK 100 Drill Exercises, see <a href="https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949">this introduction article</a>.</p> <p>Through these 100 exercises, we'll progressively learn practical AWS CDK patterns. For this first exercise, I've chosen S3 buckets because they're an ideal starting point for learning AWS CDK fundamentals.</p> <h3> Why Start with S3? </h3> <ol> <li>Simple Structure: No complex dependencies like networking or security groups</li> <li>Rich Configuration Options: Practical features including encryption, lifecycle rules, and versioning</li> <li>CloudFormation Comparison: Easy to understand how CDK's defaults translate to CloudFormation</li> <li>Cost Effective: Low-cost experimentation for learning purposes</li> </ol> <h3> What You'll Learn </h3> <ul> <li>How minimal CDK code translates to CloudFormation templates</li> <li>Default behavior and customization of L2 Constructs</li> <li>S3 bucket security best practices</li> <li>Cost optimization through lifecycle rules</li> <li>Versioning and noncurrent version management</li> </ul> <p><strong>📁 Code Repository</strong>: All code examples for this exercise are available on <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures/tree/main/infrastructure/cdk-workspaces/workspaces/s3-basics" rel="noopener noreferrer">GitHub</a>.</p> <h2> Architecture Overview </h2> <p>Here's what we'll build in this exercise:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmywwncptpf1v8351er0r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmywwncptpf1v8351er0r.png" alt="Architecture Overview" width="800" height="480"></a></p> <p>We'll implement eight different patterns:</p> <ol> <li>CDKDefault: Completely default settings</li> <li>Named: Explicitly specify bucket name</li> <li>AutoDeleteObjects: Auto-delete objects on bucket removal</li> <li>BlockPublicAccessOff: Partial public access configuration</li> <li>EncryptionSSEKMSManaged: AWS-managed KMS encryption</li> <li>EncryptionSSEKMSCustomer: Customer-managed KMS encryption</li> <li>LifecycleRules: Cost optimization through lifecycle transitions</li> <li>VersioningEnabled: Versioning with lifecycle management</li> </ol> <h2> Prerequisites </h2> <p>To follow along, you'll need:</p> <ul> <li>AWS CLI v2 installed and configured</li> <li>Node.js 20+</li> <li>AWS CDK CLI (<code>npm install -g aws-cdk</code>)</li> <li>Basic TypeScript knowledge</li> <li>AWS Account (Free Tier works for most exercises)</li> </ul> <h2> Project Directory Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>s3-basics/ ├── bin/ │ └── s3-basics.ts # Application entry point ├── lib/ │ ├── stacks/ │ │ └── s3-basics-stack.ts # Stack definition │ └── stages/ │ └── s3-basics-stage.ts # Stage definition ├── test/ │ ├── compliance │ │ └── cdk-nag.test.ts # Test code (covered in later exercises) │ ├── snapshot │ │ └── snapshot.test.ts # Test code (covered in later exercises) │ └── unit │ └── s3-basics.test.ts # Test code (covered in later exercises) ├── cdk.json ├── package.json └── tsconfig.json </code></pre> </div> <h2> Pattern 1: Understanding CDK Defaults </h2> <p>Let's start with the simplest implementation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">s3</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-s3</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">S3BasicStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">bucket</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">IBucket</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// S3 bucket with completely default settings</span> <span class="k">this</span><span class="p">.</span><span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CDKDefault</span><span class="dl">'</span><span class="p">,</span> <span class="p">{});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This minimal code creates an S3 bucket. Let's examine what CloudFormation template this generates.</p> <p>Generated CloudFormation:</p> <p>Running <code>cdk synth</code> produces the following CloudFormation template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Resources"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CDKDefaultE8B73DAC"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::Bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"UpdateReplacePolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Retain"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DeletionPolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Retain"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:cdk:path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dev/DrillexercisesS3Basic/CDKDefault/Resource"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Default Configuration Details </h3> <p>Let's examine what CDK automatically configures.</p> <h4> 1. Logical ID Generation </h4> <p>The Construct ID <code>CDKDefault</code> gets a hash suffix <code>E8B73DAC</code>, resulting in the logical ID <code>CDKDefaultE8B73DAC</code>. This hash ensures uniqueness within the stack.</p> <h4> 2. UpdateReplacePolicy and DeletionPolicy </h4> <p>Both are set to <code>Retain</code>, meaning the S3 bucket persists even after stack deletion - a safe default.</p> <p>AWS Documentation: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-updatereplacepolicy.html" rel="noopener noreferrer">UpdateReplacePolicy</a> and <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html" rel="noopener noreferrer">DeletionPolicy</a></p> <p>⚠️ Note: If you deploy this code and destroy the stack, you'll need to manually delete the <code>CDKDefault</code> bucket.</p> <h4> 3. Implicit Settings </h4> <p>While not explicitly shown in the CloudFormation template, these settings apply:</p> <ul> <li>Encryption: SSE-S3 (Amazon S3-managed encryption keys)</li> <li>Public Access: Completely blocked (recommended)</li> <li>Versioning: Disabled</li> <li>Bucket Name: Auto-generated by AWS</li> </ul> <p>These are AWS default values. CDK prioritizes secure defaults, so even without explicit configuration, you get a safe setup.</p> <h2> Pattern 2: Specifying Bucket Name </h2> <p>This example explicitly specifies a bucket name.<br> However, for real projects, we recommend NOT specifying bucket names. The <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#bucketname" rel="noopener noreferrer">AWS documentation</a> also recommends CloudFormation auto-generation.</p> <p>Reasons for auto-generation:</p> <ul> <li>New buckets can't be created during resource replacement <ul> <li>During replacement, new resources are created before old ones are deleted, causing name conflicts</li> </ul> </li> <li>CDK-generated names are sufficiently unique</li> <li>Improves deployment flexibility</li> </ul> <p>Only specify bucket names when absolutely necessary.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">accountId</span> <span class="o">=</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">account</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">region</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">regionNoHyphens</span> <span class="o">=</span> <span class="nx">region</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bucketName</span> <span class="o">=</span> <span class="p">[</span> <span class="nx">props</span><span class="p">.</span><span class="nx">project</span><span class="p">,</span> <span class="c1">// Project name</span> <span class="nx">props</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="c1">// Environment identifier</span> <span class="dl">'</span><span class="s1">namedbucket</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Purpose</span> <span class="nx">accountId</span><span class="p">,</span> <span class="c1">// AWS Account ID</span> <span class="nx">regionNoHyphens</span> <span class="c1">// Region (hyphens removed)</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">).</span><span class="nf">toLowerCase</span><span class="p">();</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NamedBucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">bucketName</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">isAutoDeleteObject</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Result example: myproject-dev-logs-123456789012-apnortheast1</span> </code></pre> </div> <p>Key Bucket Name Rules:</p> <ul> <li>Must be globally unique</li> <li>Only lowercase letters, numbers, periods (<code>.</code>), and hyphens (<code>-</code>) allowed</li> <li>3-63 characters in length</li> </ul> <p>For detailed naming rules, refer to the <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html#general-purpose-bucket-names" rel="noopener noreferrer">official documentation</a>.</p> <h2> Pattern 3: Deletion Behavior Control </h2> <p>In development environments, you often want to delete buckets and their objects together when removing the stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AutoDeleteObjects</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Generated CloudFormation:</p> <p>This configuration adds the following to the CloudFormation template:</p> <ol> <li>S3 Bucket: <code>DeletionPolicy</code> changed to <code>Delete</code> </li> <li>Bucket Policy: Permissions for custom resource</li> <li>Custom Resource: Lambda function to delete objects</li> <li>IAM Role: Lambda execution role </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"AutoDeleteObjects9931B84E"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::Bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Tags"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-cdk:auto-delete-objects"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"UpdateReplacePolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Delete"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DeletionPolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Delete"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"AutoDeleteObjectsPolicy6BD2BF78"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::BucketPolicy"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">bucket</span><span class="w"> </span><span class="err">policy</span><span class="w"> </span><span class="err">details</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"AutoDeleteObjectsAutoDeleteObjectsCustomResourceF9A68CC5"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Custom::S3AutoDeleteObjects"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">custom</span><span class="w"> </span><span class="err">resource</span><span class="w"> </span><span class="err">details</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::IAM::Role"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">IAM</span><span class="w"> </span><span class="err">role</span><span class="w"> </span><span class="err">details</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::Lambda::Function"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Runtime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nodejs22.x"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">900</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">Lambda</span><span class="w"> </span><span class="err">function</span><span class="w"> </span><span class="err">details</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Critical Warning </h3> <p>Consider carefully before using <code>autoDeleteObjects: true</code> in production environments.</p> <ul> <li>Increases risk of accidental data deletion</li> <li>Audit logs and retention-required data may be lost</li> </ul> <p>Use only in development/test environments. For production, explicitly set <code>removalPolicy: cdk.RemovalPolicy.RETAIN</code> to prioritize data protection.</p> <h2> Pattern 4: Public Access Control </h2> <p>S3 bucket public access settings are crucial for security. By default, public access blocking is enabled, but this configuration disables it partially.</p> <p>CDK Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Allow public policy only (block everything else)</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">BlockPublicAccessOff</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">blockPublicAccess</span><span class="p">:</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">BlockPublicAccess</span><span class="p">({</span> <span class="na">blockPublicPolicy</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}),</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"BlockPublicAccessOff9C2A29A0"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::Bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"PublicAccessBlockConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"BlockPublicAcls"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"BlockPublicPolicy"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"IgnorePublicAcls"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"RestrictPublicBuckets"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Four Public Access Block Settings </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Default</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>BlockPublicAcls</td> <td>true</td> <td>Deny public ACL settings</td> </tr> <tr> <td>BlockPublicPolicy</td> <td>true</td> <td>Deny public bucket policies</td> </tr> <tr> <td>IgnorePublicAcls</td> <td>true</td> <td>Ignore public ACLs</td> </tr> <tr> <td>RestrictPublicBuckets</td> <td>true</td> <td>Restrict public access</td> </tr> </tbody> </table></div> <h3> Best Practices </h3> <p>Normally, keep all settings <code>true</code> (complete blocking). If public access is needed, consider:</p> <ol> <li>Use CloudFront: Keep S3 private, deliver via CloudFront</li> <li>Signed URLs: Grant temporary access permissions</li> <li>Strict Bucket Policies: IP address restrictions, etc.</li> </ol> <h2> Pattern 5: Encryption Configuration </h2> <p>S3 offers three encryption methods.</p> <h3> 1. SSE-S3 (Default) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Explicit specification</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EncryptionSSES3</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">BucketEncryption</span><span class="p">.</span><span class="nx">S3_MANAGED</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <ul> <li>AWS-managed encryption keys</li> <li>No additional cost</li> <li>AWS handles key rotation automatically</li> </ul> <h3> 2. SSE-KMS (AWS-Managed Key) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EncryptionSSEKMSManaged</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">BucketEncryption</span><span class="p">.</span><span class="nx">KMS_MANAGED</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"EncryptionSSEKMSManagedBEDBF190"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::Bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"BucketEncryption"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ServerSideEncryptionConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ServerSideEncryptionByDefault"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"SSEAlgorithm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws:kms"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li>Uses AWS-managed KMS keys</li> <li>Auditable via CloudTrail</li> <li>Charged for KMS API calls</li> </ul> <h3> 3. SSE-KMS (Customer-Managed Key) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EncryptionSSEKMSCustomer</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">BucketEncryption</span><span class="p">.</span><span class="nx">KMS</span><span class="p">,</span> <span class="na">encryptionKey</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">aws_kms</span><span class="p">.</span><span class="nc">Key</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CustomKmsKey</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">enableKeyRotation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">}),</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <ul> <li>Full key management control</li> <li>Configurable key rotation</li> <li>Granular access control</li> </ul> <h2> Pattern 6: Lifecycle Rules </h2> <p>Lifecycle rules are essential for cost optimization.</p> <p>CDK Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">lifecycleBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">LifecycleRules</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">lifecycleRules</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">MoveToIAAfter30Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Adding rules later</span> <span class="nx">lifecycleBucket</span><span class="p">.</span><span class="nf">addLifecycleRule</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">MoveToGlacierAfter90Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">GLACIER</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="nx">lifecycleBucket</span><span class="p">.</span><span class="nf">addLifecycleRule</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ExpireAfter365Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">expiration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">365</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"LifecycleRules2799D541"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::Bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"LifecycleConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MoveToIAAfter30Days"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enabled"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Transitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StorageClass"</span><span class="p">:</span><span class="w"> </span><span class="s2">"STANDARD_IA"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TransitionInDays"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MoveToGlacierAfter90Days"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enabled"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Transitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StorageClass"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GLACIER"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TransitionInDays"</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ExpirationInDays"</span><span class="p">:</span><span class="w"> </span><span class="mi">365</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ExpireAfter365Days"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enabled"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Storage Class Selection </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Storage Class</th> <th>Use Case</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>Standard</td> <td>Frequent access</td> <td>High</td> </tr> <tr> <td>Standard IA</td> <td>30 days+ (monthly access)</td> <td>Medium</td> </tr> <tr> <td>Glacier Instant Retrieval</td> <td>90 days+ (annual access)</td> <td>Low</td> </tr> <tr> <td>Glacier Flexible Retrieval</td> <td>Archive (After 90 days (annual access) )</td> <td>Low</td> </tr> <tr> <td>Glacier Deep Archive</td> <td>Archive (rare access)</td> <td>Lowest</td> </tr> </tbody> </table></div> <h3> Cost Optimization Tips </h3> <ol> <li>Analyze Access Patterns: Use S3 Storage Lens and access logs</li> <li>Gradual Transitions: STANDARD → STANDARD_IA → GLACIER INSTANT RETRIEVAL</li> <li>Set Expiration: Auto-delete unnecessary data</li> </ol> <h2> Pattern 7: Versioning with Lifecycle Management </h2> <p>Finally, let's examine a configuration with versioning enabled.</p> <p>CDK Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VersioningEnabled</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">versioned</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">lifecycleRules</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ExpireNonCurrentVersionsAfter90Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">noncurrentVersionExpiration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">),</span> <span class="na">noncurrentVersionsToRetain</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NonCurrentVersionTransitionToIAAfter30Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">noncurrentVersionTransitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CurrentVersionTransitionToIAAfter60Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">60</span><span class="p">),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CurrentVersionTransitionToGlacierAfter90Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">GLACIER</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ExpireCurrentVersionsAfter365Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">expiration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">365</span><span class="p">),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AbortIncompleteMultipartUploadsAfter7Days</span><span class="dl">'</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">abortIncompleteMultipartUploadAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">7</span><span class="p">),</span> <span class="p">}</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h3> What is Versioning? </h3> <p>With <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html" rel="noopener noreferrer">versioning</a> enabled, all changes to objects are preserved.</p> <ul> <li>Current Version: Latest state</li> <li>Noncurrent Versions: Previous states</li> </ul> <p>Generated CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"VersioningEnabledC271D012"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::Bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"VersioningConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enabled"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"LifecycleConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ExpireNonCurrentVersionsAfter90Days"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NoncurrentVersionExpiration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"NewerNoncurrentVersions"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"NoncurrentDays"</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enabled"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">other</span><span class="w"> </span><span class="err">rules</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Lifecycle Rule Details </h3> <h4> 1. Noncurrent Version Expiration </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">noncurrentVersionExpiration</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">),</span> <span class="nx">noncurrentVersionsToRetain</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> </code></pre> </div> <ul> <li>Delete noncurrent versions after 90 days</li> <li>But retain the newest 3 versions</li> </ul> <h4> 2. Noncurrent Version Transitions </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">noncurrentVersionTransitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="p">},</span> <span class="p">]</span> </code></pre> </div> <ul> <li>Transition noncurrent versions to STANDARD_IA after 30 days</li> </ul> <h4> 3. Current Version Transitions </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">transitions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">60</span><span class="p">),</span> <span class="p">},</span> <span class="p">{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">GLACIER</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">),</span> <span class="p">},</span> <span class="p">]</span> </code></pre> </div> <ul> <li>Transition to STANDARD_IA after 60 days</li> <li>Transition to GLACIER after 90 days</li> </ul> <h4> 4. Abort Incomplete Multipart Uploads </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">abortIncompleteMultipartUploadAfter</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">7</span><span class="p">),</span> </code></pre> </div> <p>Auto-delete interrupted multipart uploads after 7 days, reducing unnecessary storage costs.</p> <h2> Deploy and Verify </h2> <h3> Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check differences</span> cdk diff <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Deploy</span> cdk deploy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h3> Verification </h3> <ol> <li> <p>AWS Management Console</p> <ul> <li>Check created buckets in S3 Console</li> <li>Verify encryption settings in Properties tab</li> <li>Check lifecycle rules in Management tab</li> </ul> </li> <li><p>AWS CLI<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List buckets</span> aws s3 <span class="nb">ls</span> <span class="c"># Check versioning configuration</span> aws s3api get-bucket-versioning <span class="nt">--bucket</span> &lt;bucket-name&gt; <span class="c"># Check lifecycle configuration</span> aws s3api get-bucket-lifecycle-configuration <span class="nt">--bucket</span> &lt;bucket-name&gt; <span class="c"># Check encryption configuration</span> aws s3api get-bucket-encryption <span class="nt">--bucket</span> &lt;bucket-name&gt; </code></pre> </div> <h3> Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete stack</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev <span class="c"># Skip confirmation prompt</span> cdk destroy <span class="s2">"**"</span> <span class="nt">--force</span> <span class="nt">--project</span><span class="o">=</span>sample <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <h2> Best Practices </h2> <h3> Security </h3> <ol> <li>Block All Public Access: Keep defaults unless specifically needed</li> <li>Encryption is Mandatory: Minimum SSE-S3, recommended SSE-KMS</li> <li>Enable Versioning: For data protection and compliance</li> <li>Enable Access Logging: For security audits and troubleshooting</li> </ol> <h3> Cost Optimization </h3> <ol> <li>Configure Lifecycle Rules: Choose storage classes based on access patterns</li> <li>Delete Incomplete Uploads: Auto-delete after ~7 days</li> <li>Manage Noncurrent Versions: Retain only necessary generations</li> <li>Consider S3 Intelligent-Tiering: When access patterns are unclear</li> </ol> <h3> Operations </h3> <ol> <li>Naming Conventions: Include project name, environment, and purpose</li> <li>Tagging: Essential for cost allocation and resource management</li> <li>CloudTrail Integration: Audit API calls</li> <li>CloudWatch Metrics: Monitor bucket size and request counts</li> </ol> <h2> Summary </h2> <p>In this exercise, we learned AWS CDK fundamentals through S3 buckets.</p> <h3> What We Learned </h3> <ol> <li>CDK Defaults: Secure configurations with minimal code</li> <li>CloudFormation Translation: How CDK code converts</li> <li>Deletion Control: Using <code>autoDeleteObjects</code> and <code>removalPolicy</code> </li> <li>Three Encryption Methods: SSE-S3, SSE-KMS (AWS-managed), SSE-KMS (Customer-managed)</li> <li>Lifecycle Rules: Gradual transitions for cost optimization</li> <li>Versioning: Comprehensive management of current and noncurrent versions</li> </ol> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/cdk/v2/guide/home.html" rel="noopener noreferrer">AWS CDK Official Documentation</a></li> <li><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html" rel="noopener noreferrer">S3 Best Practices</a></li> <li><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html" rel="noopener noreferrer">S3 Lifecycle Configuration</a></li> </ul> <p>Let's continue learning practical AWS CDK patterns through the 100 drill exercises!<br> If you found this helpful, please ⭐ the repository!</p> <p>📌 You can see the entire code in <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">My GitHub Repository</a>.</p> aws cdk 100drillexercises s3 Introducing: AWS CDK 100 Drill Exercises - Learn by Building TOMOAKI ishihara Tue, 02 Dec 2025 15:34:06 +0000 https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949 https://dev.to/aws-builders/introducing-aws-cdk-100-drill-exercises-learn-by-building-5949 <h2> What is AWS CDK 100 Drill Exercises? </h2> <p>AWS CDK 100 Drill Exercises is a comprehensive, hands-on learning series where I'll create and share 100 practical AWS infrastructure implementations using the AWS Cloud Development Kit (CDK). Each exercise focuses on real-world scenarios, from basic networking setups to advanced multi-region architectures.</p> <p><strong>Goal:</strong> Master AWS CDK through deliberate practice while building a valuable reference library for the community.</p> <h2> 🏷️ Tags for This Series </h2> <p>I'm using #100drillexercises as a dedicated tag for this learning series. Follow this tag to track all exercises as they're published!</p> <p>Additional tags to stay updated:<br> <code>#aws</code> <code>#cdk</code> <code>#devtools</code> <code>#100drillexercises</code></p> <h2> 💡 The Inspiration Behind This Project </h2> <p>The idea came from an article (or book—my memory is a bit fuzzy!) about design practice. The author recommended a "100 design challenge" where you recreate existing designs, then analyze and reflect on each one. Through this repetitive, deliberate practice, designers expand their creative vocabulary and develop a deeper understanding of design principles.</p> <p>When I read that, a question struck me:</p> <blockquote> <p>Could this approach work for AWS CDK?</p> </blockquote> <h2> Why AWS CDK Needs This </h2> <h3> The Problem: Limited Real-World Experience </h3> <p>In our day-to-day work, we typically encounter a limited set of infrastructure patterns.</p> <ul> <li>Project constraints: Most engineers work on 1-3 projects per year</li> <li>Pattern repetition: Similar architectures across projects</li> <li>Limited exposure: Rarely get hands-on with cutting-edge patterns</li> <li>Passive learning: Attending AWS Summit sessions and reading case studies is valuable, but without actually <em>building</em>, the knowledge doesn't stick</li> </ul> <h3> The Reality Check </h3> <p>I've experienced this countless times:</p> <ul> <li>Watching AWS Summit technical sessions and thinking "I totally get this"</li> <li>Reading company tech blogs about innovative architectures</li> <li>Seeing lightning talks showcasing clever solutions</li> <li>Admiring architecture diagrams in presentations</li> </ul> <p><strong>But here's the truth: Seeing ≠ Understanding</strong></p> <p>When you see an architecture diagram at a conference, you might think "That's clever!" </p> <p>But when you actually sit down to implement it? Different story:</p> <ul> <li>"Wait, how do they handle cross-account permissions?"</li> <li>"What's the actual security group configuration?"</li> <li>"How do they manage the deployment order?"</li> <li>"Why is my Lambda timing out when theirs works perfectly?"</li> </ul> <p>These questions only surface when you're hands-on-keyboard, building it yourself.</p> <h2> Learning by Doing </h2> <p>This project is built on a simple principle.</p> <blockquote> <p>You don't truly understand something until you've built it yourself.</p> </blockquote> <p>By implementing 100 different infrastructure patterns with AWS CDK, I'll..</p> <ol> <li>Deepen my understanding of AWS services and CDK patterns</li> <li>Discover edge cases that documentation doesn't cover</li> <li>Build practical experience with architectures I'd never encounter in my day job</li> <li>Create reusable patterns for future projects</li> <li>Document learnings to help others avoid common pitfalls</li> </ol> <p>Will I make mistakes along the way? Absolutely. That's kind of the point.</p> <h2> Community Contribution </h2> <p>But this isn't just about my personal growth. I'm sharing this journey because..</p> <h3> For Learners </h3> <ul> <li>Progressive difficulty: From Level 100 (Foundational) to Level 400 (Expert)</li> <li>Complete code examples: Every exercise includes working, tested code</li> <li>Real-world focus: Patterns you'll actually use in production</li> <li>Best practices: Following AWS Well-Architected Framework principles</li> </ul> <h3> For the Community </h3> <ul> <li>Reference library: Searchable collection of CDK patterns</li> <li>Open source: All code available on GitHub</li> <li>Collaborative learning: Feedback and improvements welcome</li> <li>Bridge the gap: From concept to implementation</li> </ul> <h2> What to Expect </h2> <h3> Exercise Structure </h3> <p>Every exercise provides these components.</p> <ul> <li>Clear objectives: What you'll build and why</li> <li>Architecture diagram: Visual overview of the infrastructure</li> <li>Level indicator: 100/200/300/400 complexity rating</li> <li>Step-by-step implementation: Annotated CDK code</li> <li>Best practices: Security, cost optimization, operations tips</li> <li>Verification steps: How to test your deployment</li> <li>Common pitfalls: Issues I encountered and how to solve them</li> </ul> <h3> Coverage Areas </h3> <p>The 100 exercises cover these key areas.</p> <ul> <li>Foundation &amp; Networking: VPC, security groups, routing</li> <li>Storage &amp; Data: S3, RDS, DynamoDB, EFS</li> <li>Compute &amp; Serverless: Lambda, ECS, EC2, Auto Scaling</li> <li>Distribution &amp; CDN: CloudFront, Global Accelerator</li> <li>Security &amp; Compliance: IAM, Secrets Manager, KMS, Config</li> <li>Monitoring &amp; Observability: CloudWatch, X-Ray</li> <li>DevOps &amp; Automation: CI/CD pipelines, multi-region deployments</li> </ul> <h3> Release Schedule </h3> <ul> <li>Initial release: Building a Basic VPC</li> <li>Regular updates: 1-2 new exercises per week</li> <li>Community-driven: Taking requests and feedback</li> </ul> <h2> Exercise Levels &amp; Focus Areas </h2> <p>The 100 exercises are organized by AWS's technical content complexity levels. Each level builds on previous knowledge while introducing new concepts and patterns.</p> <h3> Foundational (Level 100) </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz27r3b4j3ikksvzdfre9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz27r3b4j3ikksvzdfre9.png" alt="Level 100" width="70" height="20"></a> </p> <p><strong>Overview</strong>: Introduction to AWS CDK basics and fundamental AWS service configurations.</p> <p><strong>Target Audience</strong>: </p> <ul> <li>AWS CDK beginners</li> <li>Those learning Infrastructure as Code for the first time</li> <li>Developers familiar with AWS Console wanting to learn CDK</li> </ul> <p><strong>Example Patterns</strong>:</p> <ul> <li>Basic VPC with public/private subnets</li> <li>S3 bucket with versioning and encryption</li> <li>Single Lambda function with CloudWatch Logs</li> <li>Security groups with simple ingress/egress rules</li> </ul> <h3> Intermediate (Level 200) </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkpovqovupuz0fqscdot.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkpovqovupuz0fqscdot.png" alt="Level 200" width="70" height="20"></a> </p> <p><strong>Overview</strong>: Implementing best practices and service features with proper configurations.</p> <p><strong>Target Audience</strong>:</p> <ul> <li>Developers comfortable with Level 100 concepts</li> <li>Those implementing production-ready infrastructure</li> <li>Engineers seeking to apply AWS best practices</li> </ul> <p><strong>Example Patterns</strong>:</p> <ul> <li>VPC with NAT Gateways and proper routing</li> <li>Static website hosting with S3 + CloudFront</li> <li>Lambda with API Gateway integration</li> <li>RDS with Multi-AZ configuration</li> <li>Application Load Balancer setups</li> </ul> <h3> Advanced (Level 300) </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1wyy0xk7f46wb5kdjqb.png" alt="Level 300" width="70" height="20"></a></p> <p><strong>Overview</strong>: Detailed implementations of complex architectures and service integrations.</p> <p><strong>Target Audience</strong>:</p> <ul> <li>Experienced CDK users</li> <li>Solution architects designing scalable systems</li> <li>Engineers handling complex production workloads</li> </ul> <p><strong>Example Patterns</strong>:</p> <ul> <li>Multi-tier web applications with ECS/EKS</li> <li>Event-driven architectures with EventBridge</li> <li>Aurora Global Database configurations</li> <li>Step Functions orchestration patterns</li> <li>Custom CDK Constructs (L3) development</li> </ul> <h3> Expert (Level 400) </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F894fqcbc0zcfbcgprc7k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F894fqcbc0zcfbcgprc7k.png" alt="Level 400" width="70" height="20"></a></p> <p><strong>Overview</strong>: Enterprise-level implementations involving multiple services, accounts, and advanced architectural patterns.</p> <p><strong>Target Audience</strong>:</p> <ul> <li>Senior engineers and architects</li> <li>Those managing large-scale AWS environments</li> <li>Engineers implementing enterprise governance</li> </ul> <p><strong>Example Patterns</strong>:</p> <ul> <li>Multi-account deployment strategies with CDK Pipelines</li> <li>Cross-region disaster recovery architectures</li> <li>Advanced security implementations (WAF, Shield, GuardDuty integration)</li> <li>Cost optimization automation patterns</li> <li>Hybrid cloud integration with Direct Connect</li> </ul> <h2> Who Is This For? </h2> <h3> Is this guide right for you? </h3> <ul> <li>You're learning AWS CDK and want hands-on practice</li> <li>You have basic AWS knowledge (or are working through it!)</li> <li>You understand TypeScript/JavaScript fundamentals</li> <li>You understand CloudFormation but want to level up to CDK</li> <li>You're preparing for AWS certifications</li> <li>You want to learn by building, not just reading</li> <li>You appreciate well-documented, real-world examples</li> </ul> <h2> Getting Started </h2> <h3> Prerequisites </h3> <ul> <li>AWS Account (Free Tier works for most exercises)</li> <li>AWS CLI v2</li> <li>Node.js 20+</li> <li>AWS CDK CLI</li> <li>Basic TypeScript knowledge</li> </ul> <h3> Follow Along </h3> <ul> <li>GitHub: All code available at <a href="https://github.com/ishiharatma/aws-cdk-reference-architectures" rel="noopener noreferrer">aws-cdk-reference-architectures</a> </li> <li>Dev.to: Follow for new exercise announcements</li> <li>Discussion: GitHub Discussions for questions and feedback</li> </ul> <h2> Join the Journey </h2> <p>This is a learning journey, not a finished course. I'm actively documenting my discoveries, incorporating community feedback, exploring new patterns, and developing my AWS skills in real-time.</p> <ul> <li>Documenting my discoveries and mistakes</li> <li>Incorporating community feedback</li> <li>Exploring new patterns and architectures</li> <li>Developing my AWS skills in real-time</li> </ul> <h3> How to Contribute </h3> <ul> <li>⭐ Star the repository</li> <li>💬 Share your own implementations</li> <li>🐛 Report bugs or suggest improvements</li> <li>📢 Tell others if you find this useful</li> <li>🤔 Request patterns you need</li> </ul> <p>💭 What patterns or architectures would you like to see covered in this series? Drop a comment below!</p> <p>🔔 Follow me to get notified when new exercises are published!</p> <p><em>This project is part of my journey as an AWS Community Builder in the Dev Tools category, focusing on helping developers build better with AWS CDK.</em></p> aws cdk 100drillexercises devtools Mastering AWS CDK #3 - AWS CDK Development: Best Practices and Workflow TOMOAKI ishihara Tue, 25 Nov 2025 02:27:27 +0000 https://dev.to/aws-builders/mastering-aws-cdk-3-aws-cdk-development-best-practices-and-workflow-1f37 https://dev.to/aws-builders/mastering-aws-cdk-3-aws-cdk-development-best-practices-and-workflow-1f37 <h1> AWS CDK Development: Best Practices and Workflow </h1> <p>In the previous parts of this series, we covered <strong><a href="https://dev.to/aws-builders/introduction-to-aws-cdk-fundamentals-and-benefits-2k1e">Part1: AWS CDK fundamentals</a></strong> and <strong><a href="https://dev.to/issy929/aws-cdk-in-practice-components-commands-and-versions-4ea1">Part2: components and commands</a></strong>. Now, let's explore how to structure your CDK projects effectively and implement best practices that will help you build maintainable infrastructure code.</p> <h2> AWS CDK Development Workflow </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foxdmqhwp5qcne65cb5tr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foxdmqhwp5qcne65cb5tr.png" alt="CDK Development Workflow" width="800" height="600"></a></p> <p>The typical AWS CDK development workflow follows these steps:</p> <ol> <li>Initialize a project with <code>cdk init</code> </li> <li>Edit the App definition to define your stacks</li> <li>Create stack definitions with the resources you need</li> <li>Write tests for your infrastructure code</li> <li>For the first deployment: <ul> <li>Run <code>cdk bootstrap</code> to prepare your AWS environment</li> <li>Execute <code>cdk deploy</code> to deploy your resources</li> </ul> </li> <li>For subsequent deployments: <ul> <li>(Optional) Run <code>cdk diff</code> to check for changes</li> <li>Execute <code>cdk deploy</code> to update your resources</li> </ul> </li> </ol> <p>Let's explore what you need to get started and how to organize your projects for maximum efficiency.</p> <h2> Prerequisites for AWS CDK Development </h2> <h3> Knowledge Requirements </h3> <p>Before diving into AWS CDK, it helps to have:</p> <ul> <li>A solid understanding of AWS services and concepts (AWS Solutions Architect Associate level is ideal)</li> <li>Experience with CloudFormation templates</li> <li>Programming experience in at least one of the supported languages</li> </ul> <h3> Technical Requirements </h3> <p>At minimum, you'll need:</p> <ul> <li>AWS CLI v2 installed and configured</li> <li>Node.js (even if you're using Python, Java, or another language for your CDK code)</li> <li>A text editor or IDE</li> </ul> <p>For a more productive development experience, consider:</p> <ul> <li>Git for version control</li> <li>An IDE like VS Code with AWS CDK extensions</li> <li>Docker for local testing</li> <li>A CI/CD pipeline for automated deployments</li> </ul> <h2> Recommended Project Structure </h2> <p>When I first started with CDK, I used the default structure from <code>cdk init</code>. <br> After managing several production deployments, I evolved to this more organized <br> approach that has served me well across multiple projects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>project-root/ ├─ bin/ # App definition (entry point) ├─ lib/ │ ├─ stages/ # Stage definitions │ ├─ stacks/ # Stack definitions │ ├─ aspects/ # Apply policies consistently across resources │ ├─ constructs/ # Build reusable, standardized infrastructure components │ ├─ types/ # Ensure type safety and clear contracts between components │ ├─ utils/ # Shared utility functions ├─ parameters/ # Environment-specific configuration files ├─ src/ # Lambda functions, HTML, and other source files ├─ test/ # Test files │ ├─ snapshot/ # Snapshot tests │ ├─ compliance/ # Security and compliance tests | ├─ validation/ # validation tests │ ├─ unit/ # Unit tests │ ├─ integration/ # integration tests ├─ node_modules/ ├─ cdk.context.json # Context values used by CDK ├─ cdk.json # CDK configuration ├─ jest.config.js # Test configuration ├─ package.json ├─ tsconfig.json ├─ README.md </code></pre> </div> <p>The key advantages of this structure:</p> <ul> <li> <strong>Clear separation of concerns</strong>: Each directory has a specific purpose</li> <li> <strong>Dynamic configuration</strong>: Environment-specific settings in the parameters directory</li> <li> <strong>Reusable components</strong>: Common resources in dedicated directories</li> <li> <strong>Organized asset management</strong>: Application code separate from infrastructure code</li> </ul> <h2> Stack Organization Strategies </h2> <p>One critical decision in CDK development is how to organize your resources into stacks. While CloudFormation has a limit of 500 resources per stack(<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html" rel="noopener noreferrer">see CloudFormation quotas</a>), the decision to split or combine stacks shouldn't be driven by technical limits alone.</p> <h3> When to Keep Resources in a Single Stack </h3> <p>As a general rule, you should <strong>prefer single, cohesive stacks</strong> unless you have a specific reason to split them. Resources that share the same lifecycle are good candidates to keep together.</p> <p>Benefits of single stacks:</p> <ul> <li>Simpler deployment and rollback</li> <li>Atomic updates (all or nothing)</li> <li>No cross-stack reference complications</li> <li>Easier to understand resource relationships</li> </ul> <h3> When to Split Resources into Multiple Stacks </h3> <p>Consider splitting stacks when:</p> <ol> <li> <strong>Resource lifecycles differ significantly</strong> <ul> <li>Example: You want to preserve storage resources even if you delete application resources</li> </ul> </li> <li> <strong>You approach CloudFormation limits</strong> <ul> <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html" rel="noopener noreferrer">CloudFormation quotas</a> include limits on template size, number of resources, etc.</li> </ul> </li> <li> <strong>You need different deployment frequencies</strong> <ul> <li>Example: Network infrastructure rarely changes, while application resources change frequently</li> </ul> </li> <li> <strong>You need to apply different security or compliance controls</strong> <ul> <li>Example: Production database stack requires stricter approval processes than development stacks</li> </ul> </li> </ol> <h3> The Challenge of Cross-Stack References </h3> <p>One major consideration when splitting stacks is managing cross-stack references. While AWS CDK makes these references easier to work with, they still create dependencies that can complicate stack updates and deletions.</p> <p>For example, if Stack B references a resource in Stack A, you can't delete Stack A while Stack B is still using that resource—leading to a potential "deadlock" situation.</p> <p>To resolve cross-stack reference issues:</p> <ol> <li><strong>Use exports and imports sparingly</strong></li> <li> <strong>Consider using parameters</strong> for values that might be shared</li> <li> <strong>Design for independence</strong> where possible</li> <li> <strong>Document dependencies</strong> between stacks clearly</li> </ol> <h2> Construct ID Naming Conventions </h2> <p>The Construct ID is the second parameter when creating a construct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">MyBucket</span><span class="dl">"</span><span class="p">,</span> <span class="p">{});</span> </code></pre> </div> <p>Following consistent naming conventions for Construct IDs improves readability and maintenance:</p> <h3> Rule 1: Use PascalCase </h3> <p>Prefer PascalCase (e.g., <code>DatabaseCluster</code>, <code>ApiGateway</code>) for Construct IDs. This aligns with CloudFormation's conventions for logical IDs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Good</span> <span class="kd">const</span> <span class="nx">userTable</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">UserTable</span><span class="dl">"</span><span class="p">,</span> <span class="p">{...});</span> <span class="c1">// Less ideal</span> <span class="kd">const</span> <span class="nx">userTable</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">user_table</span><span class="dl">"</span><span class="p">,</span> <span class="p">{...});</span> </code></pre> </div> <p><strong>Tip:</strong> When generating Construct IDs dynamically from configuration files or external sources, use the <a href="https://www.npmjs.com/package/change-case-commonjs" rel="noopener noreferrer"><code>change-case-commonjs</code></a> library to ensure consistent naming:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">pascalCase</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">change-case-commonjs</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Convert from various formats to PascalCase</span> <span class="kd">const</span> <span class="nx">resourceName</span> <span class="o">=</span> <span class="nf">pascalCase</span><span class="p">(</span><span class="dl">'</span><span class="s1">user_profile_table</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// "UserProfileTable"</span> <span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="nx">resourceName</span><span class="p">,</span> <span class="p">{...});</span> </code></pre> </div> <h3> Rule 2: Keep Names Simple and Descriptive </h3> <p>Avoid overly long or complex names. CDK truncates IDs at 240 characters when generating CloudFormation logical IDs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Good</span> <span class="kd">const</span> <span class="nx">prodDatabase</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">rds</span><span class="p">.</span><span class="nc">DatabaseInstance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ProductionDatabase</span><span class="dl">"</span><span class="p">,</span> <span class="p">{...});</span> <span class="c1">// Too verbose</span> <span class="kd">const</span> <span class="nx">prodDatabase</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">rds</span><span class="p">.</span><span class="nc">DatabaseInstance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ProductionMySQLDatabaseInstanceForUserManagementSystem</span><span class="dl">"</span><span class="p">,</span> <span class="p">{...});</span> </code></pre> </div> <h3> Rule 3: Avoid Redundancy in Nested Constructs </h3> <p>This one trips up a lot of developers (including me when I was starting out!). <br> When creating custom constructs that will be nested, avoid repeating the same <br> information in IDs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Avoid redundancy like this:</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">DatabaseConstruct</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="c1">// "DatabaseDatabase" becomes redundant in the generated logical ID</span> <span class="k">this</span><span class="p">.</span><span class="nx">database</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">rds</span><span class="p">.</span><span class="nc">DatabaseInstance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Database</span><span class="dl">'</span><span class="p">,</span> <span class="p">{...});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage:</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DatabaseConstruct</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Database</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> From Construct ID to Logical ID </h2> <p>It's helpful to understand how CDK transforms your Construct IDs into CloudFormation logical IDs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">logBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">LogsBucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{});</span> </code></pre> </div> <p>In the generated CloudFormation template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Resources"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"LogsBucket9C4D8843"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::S3::Bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The logical ID <code>LogsBucket9C4D8843</code> is created by combining your Construct ID with a hash suffix that ensures uniqueness within the CloudFormation template.</p> <h2> Dynamic Parameters and Environment Management </h2> <p>When working with multiple environments (development, testing, production), you need a way to parameterize your infrastructure code.</p> <h3> Passing Parameters to CDK Commands </h3> <p>You can pass context values to CDK commands using the <code>-c</code> flag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy <span class="nt">-c</span> <span class="nb">env</span><span class="o">=</span>prod <span class="nt">-c</span> <span class="nv">region</span><span class="o">=</span>us-east-1 </code></pre> </div> <p>And access these values in your code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">environment</span> <span class="o">=</span> <span class="nx">scope</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryGetContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="nx">scope</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryGetContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">region</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_REGION</span><span class="p">;</span> </code></pre> </div> <h3> Environment-Specific Validations </h3> <p>You can implement safety checks to prevent accidental deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Environment validation</span> <span class="kd">const</span> <span class="nx">envName</span> <span class="o">=</span> <span class="nx">app</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">tryGetContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">validEnvs</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stage</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">prod</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">validEnvs</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">envName</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Invalid environment specified. Please use: </span><span class="p">${</span><span class="nx">validEnvs</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Visual warning for production deployments</span> <span class="kd">const</span> <span class="nx">isProduction</span> <span class="o">=</span> <span class="nx">envName</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">prod</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">isProduction</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="se">\</span><span class="s1">x1b[31m</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Red text</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">!!!!!!!!!! CAUTION !!!!!!!!!!</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1"> DEPLOYING TO PRODUCTION </span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">!!!!!!!!!! CAUTION !!!!!!!!!!</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="se">\</span><span class="s1">x1b[0m</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Reset color</span> <span class="p">}</span> </code></pre> </div> <h3> Preventing Stack Deletion </h3> <p>For critical infrastructure stacks, you can enable termination protection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">databaseStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DatabaseStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ProductionDatabase</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">terminationProtection</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Prevents accidental deletion</span> <span class="c1">// ...other properties</span> <span class="p">});</span> </code></pre> </div> <p>To delete this stack, you'll need to first disable termination protection using the AWS Console or AWS CLI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enabled</span> aws cloudformation update-termination-protection <span class="nt">--stack-name</span> your-stackname <span class="nt">--enable-termination-protection</span> <span class="c"># Disabled</span> aws cloudformation update-termination-protection <span class="nt">--stack-name</span> your-stackname <span class="nt">--no-enable-termination-protection</span> </code></pre> </div> <h2> Tagging Resources </h2> <p>Consistent tagging is essential for resource management, cost allocation, and security compliance. AWS CDK makes it easy to apply tags to all resources in your application or specific stacks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Tag all resources in the application</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">Project</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">MyProject</span><span class="dl">'</span><span class="p">);</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">Environment</span><span class="dl">'</span><span class="p">,</span> <span class="nx">envName</span><span class="p">);</span> <span class="c1">// Tag all resources in a specific stack</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">myStack</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">Component</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">API</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Apply additional tags</span> <span class="kd">const</span> <span class="nx">tags</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Owner</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DevTeam</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CostCenter</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CC1234</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Compliance</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SOC2</span><span class="dl">'</span> <span class="p">};</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">tags</span><span class="p">).</span><span class="nf">forEach</span><span class="p">(([</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h2> Linking AWS CLI Profiles to Environments </h2> <p>To reduce the risk of deploying to the wrong environment, you can create a convention that links your AWS CLI profiles to your environment names:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">package.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"deploy:all"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk deploy --all -c project=${npm_config_project} -c env=${npm_config_env} --profile ${npm_config_project}-${npm_config_env}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"destroy:all"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk destroy --all -c project=${npm_config_project} -c env=${npm_config_env} --profile ${npm_config_project}-${npm_config_env}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run deploy:all <span class="nt">--project</span><span class="o">=</span>myapp <span class="nt">--env</span><span class="o">=</span>dev </code></pre> </div> <p>This command uses the AWS CLI profile named <code>myapp-dev</code> for deployments to the development environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[profile myapp-dev] region = us-west-2 [profile myapp-prod] region = us-east-1 </code></pre> </div> <p>This approach ensures the AWS CLI profile matches the environment you're targeting, reducing the risk of deployment mistakes.</p> <h2> CDK Metadata: What It Is and When to Disable It </h2> <p>By default, CDK adds metadata to the generated CloudFormation templates for telemetry purposes. If you prefer not to include this metadata, you can disable it:</p> <h3> Version Reporting </h3> <p><a href="https://docs.aws.amazon.com/cdk/v2/guide/usage-data.html" rel="noopener noreferrer">see Configure AWS CDK Library usage data reporting</a></p> <p>This information is used to improve the AWS CDK.<br> The AWS team collects and analyzes this information to understand how AWS CDK is being used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">CDKMetadata</span><span class="pi">:</span> <span class="na">CDKMetadata</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CDK::Metadata</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Analytics</span><span class="pi">:</span> <span class="s">v2:deflate64:H4sIAAAAAAAA/zPSszDXM1BMLC/WTU7J1s3JTNKrDi5JTM7WAQrFpyYb6Tmn5YUFOOsAqaDU4vzSouRUENs5Py8lsyQzP69WJy8/JVUvq1i/zMhAz1TPUDGrODNTt6g0ryQzN1UvCEIDANEI+cVnAAAA</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">Dev/SandboxVPCBasic/CDKMetadata/Default</span> </code></pre> </div> <p><strong>When to disable:</strong></p> <ul> <li>You have privacy or security concerns about sharing usage data</li> <li>Your organization's policies prohibit telemetry</li> <li>You want to minimize template size</li> </ul> <p><strong>How to disable:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk synth <span class="nt">--version-reporting</span> <span class="nb">false</span> <span class="c">#or</span> cdk synth <span class="nt">--no-version-reporting</span> </code></pre> </div> <h3> Path Metadata </h3> <p>Path metadata provides a hierarchical view of your CDK constructs in the CloudFormation console, making it easier to understand the relationship between resources and their construct definitions.</p> <p><strong>With path metadata enabled (default):</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqtosnkr3e890wwg9v9yw.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqtosnkr3e890wwg9v9yw.jpg" alt="path-metadata-true" width="800" height="352"></a></p> <p>The CloudFormation console displays a tree structure showing how constructs are organized in your CDK code. Each resource includes metadata like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Resources</span><span class="pi">:</span> <span class="na">Vpc</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.0.0/16</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">Dev/SandboxVPCBasic/Vpc/Resource</span> </code></pre> </div> <p>This path (<code>Dev/SandboxVPCBasic/Vpc/Resource</code>) shows exactly where this VPC is defined in your CDK construct hierarchy.</p> <p><strong>With path metadata disabled:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcd3o5kp3mae2sh9sav33.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcd3o5kp3mae2sh9sav33.jpg" alt="path-metadata-false" width="800" height="437"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk synth <span class="nt">--path-metadata</span> <span class="nb">false</span> <span class="c">#or</span> cdk synth <span class="nt">--no-path-metadata</span> </code></pre> </div> <p>Without path metadata, the CloudFormation console shows a flat list of resources without the construct hierarchy.</p> <p><strong>Recommendation:</strong> <strong>Keep path metadata enabled</strong> (the default setting). </p> <p>I know some teams disable this to reduce template size, and I respect that <br> decision, but in my view, the debugging benefits far outweigh the minimal size <br> savings. I've spent hours debugging CloudFormation stacks, and having the <br> construct hierarchy visible has saved me countless times.</p> <p>Only consider disabling path metadata if you're hitting CloudFormation template size limits and have exhausted other optimization options.</p> <h3> Configuring Metadata in cdk.json </h3> <p>To permanently disable metadata in your project, add these settings to your <code>cdk.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"app"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx ts-node bin/my-app.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"versionReporting"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Disable</span><span class="w"> </span><span class="err">version</span><span class="w"> </span><span class="err">reporting</span><span class="w"> </span><span class="nl">"pathMetadata"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Not</span><span class="w"> </span><span class="err">recommended</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="err">see</span><span class="w"> </span><span class="err">above</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Best practice:</strong> Consider disabling only <code>versionReporting</code> while keeping <code>pathMetadata</code> enabled for better operational visibility.</p> <h2> Conclusion </h2> <p>Adopting these AWS CDK development best practices will help you create infrastructure that is maintainable, scalable, and secure. The structure and patterns you establish early in your CDK journey will pay dividends as your infrastructure grows in complexity.</p> <ol> <li>Organize your project with a clear directory structure that separates concerns</li> <li>Think carefully about stack boundaries and the implications of cross-stack references</li> <li>Follow consistent naming conventions for Construct IDs</li> <li>Implement safety measures for production deployments</li> <li>Use tags consistently across all resources</li> <li>Align AWS CLI profiles with your environment names</li> </ol> <p>In the next article, we'll explore how to test your AWS CDK applications effectively using snapshot tests, unit tests, and other validation techniques.</p> <p>What project structure do you use for your CDK applications? Have you found other techniques that help manage multi-environment deployments? Share your experiences in the comments!</p> <p><em>This article is part of the "Mastering AWS CDK" series, where we explore all aspects of using the AWS Cloud Development Kit for infrastructure as code.</em></p> aws cdk iac typescript AI-Powered Code Reviews with OpenRouter - Complete PR-Agent Setup Guide TOMOAKI ishihara Wed, 10 Sep 2025 23:58:20 +0000 https://dev.to/issy929/ai-powered-code-reviews-with-openrouter-complete-pr-agent-setup-guide-5m3 https://dev.to/issy929/ai-powered-code-reviews-with-openrouter-complete-pr-agent-setup-guide-5m3 <h2> 👋 Introduction </h2> <p>Code reviews take time, and large teams often struggle with PR . PR-Agent (now Qodo Merge) uses AI to automatically review pull requests, generate descriptions, and suggest improvements.</p> <p>This guide shows you how to set up PR-Agent with OpenRouter, giving you cost-effective access to multiple AI models (GPT-4o, Claude, Gemini, etc.) through a unified API.</p> <h2> 📌 Why OpenRouter? </h2> <h3> Challenges with Direct OpenAI API </h3> <ul> <li>Single provider dependency (OpenAI models only)</li> <li>Complex management of multiple provider APIs</li> <li>Difficult to compare pricing across different model</li> </ul> <h3> OpenRouter Benefits </h3> <ul> <li> <strong>Unified Multi-Model API</strong> - Access GPT-4o, Claude, Gemini, Llama, etc. through one interface</li> <li> <strong>Flexible Model Selection</strong> - Choose the right model for each task, optimizing cost-effectiveness</li> <li> <strong>Early Access to Latest Models</strong> - Quick access to new models like GPT-5</li> <li> <strong>Transparent Pricing</strong> - Clear pricing for each model (5.5% fee on credit purchases)</li> </ul> <h2> Prerequisites </h2> <ul> <li>GitHub repository (private or public)</li> <li>OpenRouter account (free to create)</li> <li>GitHub Actions permissions</li> </ul> <h2> Step 1: OpenRouter Setup </h2> <h3> 1.1 Account Creation and API Key </h3> <ol> <li>Visit <a href="https://openrouter.ai/" rel="noopener noreferrer">OpenRouter</a> and create an account</li> <li> <strong>Purchase Credits</strong> (Important) <ul> <li>Go to the "Credits" page in your dashboard</li> <li>Minimum purchase is $5 (5.5% fee applies to credit purchases)</li> <li>Auto-recharge option available for convenience</li> <li>⚠️ <strong>Free Tier</strong>: New accounts receive a small free credit allowance, but additional purchases are needed for production use(<a href="https://openrouter.ai/docs/faq#what-free-tier-options-exist" rel="noopener noreferrer">FAQ: What free tier options exist?</a>)</li> </ul> </li> <li>In the dashboard, go to "API Keys" and generate a new key</li> <li>Copy and securely store the key</li> </ol> <h3> 1.2 Available Models </h3> <p>OpenRouter provides access to models like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>openai/gpt-5 # Latest model (2025 release) openai/gpt-4o # Balanced performance anthropic/claude-3-opus-20240229 # High-quality analysis google/gemini-pro # Google's model meta-llama/llama-2-70b-chat # Open source </code></pre> </div> <p>Check pricing at <a href="https://openrouter.ai/models" rel="noopener noreferrer">OpenRouter Models</a>.</p> <h2> Step 2: GitHub Actions Workflow Setup </h2> <h3> 2.1 Configure Secrets </h3> <p>In your GitHub repository:</p> <ol> <li>Go to Settings → Secrets and variables → Actions</li> <li>Click "New repository secret"</li> <li>Add the following secret: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: OPENROUTER_API_KEY Value: or-xxxxxxxx (your OpenRouter API key) </code></pre> </div> <h3> 2.2 Create Workflow File </h3> <p>Create <code>.github/workflows/pr_agent.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Code Review(OpenRouter)</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">pull_request_review_comment</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">created</span><span class="pi">]</span> <span class="c1"># Concurrency control</span> <span class="na">concurrency</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">${{ github.repository }}-${{ github.event.number || github.head_ref || github.sha }}-${{ github.workflow }}-${{ github.event_name == 'pull_request_review_comment' &amp;&amp; 'pr_comment' || 'pr' }}</span> <span class="na">cancel-in-progress</span><span class="pi">:</span> <span class="s">${{ github.event_name != 'pull_request_review_comment' }}</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">pr_agent_job</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">github.event.sender.type != 'Bot' &amp;&amp;</span> <span class="s">github.event_name == 'pull_request' &amp;&amp;</span> <span class="s">github.event.pull_request.changed_files &lt; 50</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">issues</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run pr agent on every pull request</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PR Agent action step with OpenRouter</span> <span class="na">id</span><span class="pi">:</span> <span class="s">pragent</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">qodo-ai/pr-agent@main</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">OPENROUTER.KEY</span><span class="pi">:</span> <span class="s">${{ secrets.OPENROUTER_API_KEY }}</span> <span class="c1"># OpenRouter API認証</span> <span class="na">github_action_config.auto_review</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># enable\disable auto review</span> <span class="na">github_action_config.auto_describe</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># enable\disable auto describe</span> <span class="na">github_action_config.auto_improve</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># enable\disable auto improve</span> </code></pre> </div> <h2> Step 3: Configuration File </h2> <p>Create <code>.pr_agent.toml</code> in your repository root.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[config]</span> <span class="py">model</span> <span class="p">=</span> <span class="s">"openai/gpt-5"</span> <span class="c"># I specified gpt-5, but an error occurred. The correct setting is "openai/gpt-5".</span> <span class="py">fallback_models</span> <span class="p">=</span> <span class="p">[</span><span class="s">"openai/gpt-4o"</span><span class="p">,</span> <span class="s">"anthropic/claude-opus-4.1"</span><span class="p">]</span> <span class="py">ai_timeout</span> <span class="p">=</span> <span class="mi">300</span> <span class="py">custom_model_max_tokens</span> <span class="p">=</span> <span class="mi">200000</span> <span class="c"># Critical! Errors without this</span> <span class="py">response_language</span> <span class="p">=</span> <span class="s">"en-US"</span> <span class="py">ignore_pr_title</span> <span class="p">=</span> <span class="p">[</span><span class="s">"^</span><span class="se">\\</span><span class="s">[Auto</span><span class="se">\\</span><span class="s">]"</span><span class="p">,</span> <span class="s">"^Auto"</span><span class="p">]</span> <span class="py">ignore_pr_labels</span> <span class="p">=</span> <span class="p">[</span><span class="s">'invalid'</span><span class="p">]</span> <span class="nn">[ignore]</span> <span class="py">glob</span> <span class="p">=</span> <span class="p">[</span><span class="s">'dist/**'</span><span class="p">]</span> <span class="nn">[github_action_config]</span> <span class="c"># set as env var in .github/workflows/pr-agent.yaml</span> <span class="c">#auto_review = true</span> <span class="c">#auto_improve = true</span> <span class="c">#auto_describe = true</span> <span class="nn">[pr_reviewer]</span> <span class="py">extra_instructions</span> <span class="p">=</span> <span class="s">"""</span><span class="se">\ </span><span class="s">(1) Act as a highly experienced software engineer (2) Provide thorough review of code, documents, and articles (3) Suggest concrete code snippets for improvement (4) **Never** comment on indentation, whitespace, blank lines, or other purely stylistic issues unless they change program semantics. (5) **Priority Review Areas - Check systematically:** - **Security**: Plaintext passwords, SQL injection, input validation, exception leaks - **Error Handling**: Bare except clauses, missing try-catch, silent error suppression - **Resource Management**: Missing context managers (with statements), unclosed connections/files - **Type Safety**: Missing type hints, incorrect type usage, unjustified Any types - **Performance**: Inefficient algorithms (O(n²) or worse), unnecessary loops, memory leaks - **Code Quality**: Magic numbers, unclear variable names, unused imports/variables - **API Design**: Missing input validation, no error responses, required field checks - **Architecture**: Single responsibility violations, tight coupling, global state usage (6) Focus on concrete, actionable issues with specific code examples and fix recommendations. """</span> <span class="py">num_code_suggestions</span> <span class="p">=</span> <span class="mi">5</span> <span class="py">inline_code_comments</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">ask_and_reflect</span> <span class="p">=</span> <span class="kc">true</span> <span class="nn">[pr_description]</span> <span class="py">extra_instructions</span> <span class="p">=</span> <span class="s">"Generate clear and comprehensive descriptions"</span> <span class="py">generate_ai_title</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">add_original_user_description</span> <span class="p">=</span> <span class="kc">false</span> <span class="py">publish_description_as_comment</span> <span class="p">=</span> <span class="kc">true</span> <span class="nn">[pr_code_suggestions]</span> <span class="py">extra_instructions</span> <span class="p">=</span> <span class="s">"Provide actionable code suggestions with examples"</span> <span class="py">commitable_code_suggestions</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">demand_code_suggestions_self_review</span><span class="p">=</span><span class="kc">true</span> </code></pre> </div> <h2> Step 4: Testing the Setup </h2> <h3> 4.1 Create Test PR </h3> <p>Create a PR with intentionally problematic code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Missing type hints </span><span class="k">def</span> <span class="nf">fizz_buzz</span><span class="p">(</span><span class="n">n</span><span class="p">):</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">n</span><span class="p">):</span> <span class="k">if</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">15</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">FizzBuzz</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">3</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Fizz</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="n">i</span> <span class="o">%</span> <span class="mi">5</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Buzz</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">printo</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="c1"># Intentional bug </span> <span class="c1"># Security issue </span><span class="k">def</span> <span class="nf">add_user</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">users</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">user</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">:</span> <span class="n">password</span><span class="p">}</span> <span class="c1"># Plaintext password </span> <span class="n">users</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> </code></pre> </div> <h3> 4.2 Expected Output </h3> <p>PR-Agent will provide.</p> <p><strong>Auto-generated PR Description:</strong></p> <ul> <li>Summary of changes</li> <li>File-by-file change details</li> <li>Impact analysis</li> </ul> <p><strong>Code Review Comments:</strong></p> <ul> <li>Fix for <code>printo(i)</code> → <code>print(i)</code> </li> <li>Type hint suggestions</li> <li>Security warning about plaintext passwords</li> <li>Performance improvement suggestions</li> </ul> <h2> Step 5: Advanced Configuration </h2> <h3> 5.1 Cost Optimization </h3> <p>Use different models for different tasks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[config]</span> <span class="py">model</span> <span class="p">=</span> <span class="s">"openai/gpt-4o-mini"</span> <span class="c"># For lightweight tasks</span> <span class="py">model_turbo</span> <span class="p">=</span> <span class="s">"openai/gpt-5"</span> <span class="c"># For complex analysis</span> <span class="py">fallback_models</span> <span class="p">=</span> <span class="p">[</span><span class="s">"anthropic/claude-3.7-sonnet"</span><span class="p">,</span> <span class="s">"google/gemini-2.5-pro"</span><span class="p">]</span> </code></pre> </div> <h3> 5.2 Team-Specific Rules </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[pr_reviewer]</span> <span class="py">extra_instructions</span> <span class="p">=</span> <span class="s">"""</span><span class="se">\ </span><span class="s">(1) Company-specific checks: - Use structured logging for all log outputs - External API calls must have timeout settings - Database access must use transactions - Never hardcode secrets (API keys, passwords, etc.) """</span> </code></pre> </div> <h3> 5.3 File Exclusions </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[ignore]</span> <span class="py">glob</span> <span class="p">=</span> <span class="p">[</span><span class="s">'dist/**'</span><span class="p">,</span> <span class="s">'*.min.js'</span><span class="p">,</span> <span class="s">'node_modules/**'</span><span class="p">,</span> <span class="s">'__pycache__/**'</span><span class="p">]</span> <span class="nn">[config]</span> <span class="py">ignore_pr_title</span> <span class="p">=</span> <span class="p">[</span><span class="s">"^</span><span class="se">\\</span><span class="s">[Auto</span><span class="se">\\</span><span class="s">]"</span><span class="p">,</span> <span class="s">"^WIP:"</span><span class="p">,</span> <span class="s">"^Draft:"</span><span class="p">]</span> <span class="py">ignore_pr_labels</span> <span class="p">=</span> <span class="p">[</span><span class="s">'work-in-progress'</span><span class="p">,</span> <span class="s">'do-not-review'</span><span class="p">]</span> </code></pre> </div> <h2> Troubleshooting </h2> <h3> Common Issues and Solutions </h3> <p><strong>1. Model not recognized</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Error: Model openai/gpt-5 is not defined <span class="k">in </span>MAX_TOKENS Solution: Add custom_model_max_tokens <span class="o">=</span> 200000 to config </code></pre> </div> <p>This error occurs when using a model that PR-Agent doesn't recognize. The models supported by PR-Agent are listed in <a href="https://github.com/qodo-ai/pr-agent/blob/main/pr_agent/algo/__init__.py" rel="noopener noreferrer">this file</a>. If your chosen model isn't in this list, you need to set the custom_model_max_tokens configuration.</p> <p><strong>2. Inconsistent language responses</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[config]</span> <span class="py">response_language</span> <span class="p">=</span> <span class="s">"en-US"</span> <span class="c"># Be specific</span> <span class="nn">[pr_reviewer]</span> <span class="py">extra_instructions</span> <span class="p">=</span> <span class="s">"Always respond in English and explain technical terms clearly"</span> </code></pre> </div> <p><strong>3. GitHub Actions permission errors</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">issues</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># Add this line</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> </code></pre> </div> <p><strong>4. Timeouts on large PRs</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[config]</span> <span class="py">ai_timeout</span> <span class="p">=</span> <span class="mi">600</span> <span class="c"># Extend to 10 minutes</span> <span class="py">large_patch_policy</span> <span class="p">=</span> <span class="s">"clip"</span> <span class="c"># Split large PRs</span> </code></pre> </div> <h2> Cost Management Best Practices </h2> <h3> 1. Appropriate Model Selection </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Task</th> <th>Recommended Model</th> <th>Pricing (approx.)</th> </tr> </thead> <tbody> <tr> <td>Simple reviews</td> <td>gpt-4o-mini</td> <td>$0.15/1M tokens</td> </tr> <tr> <td>Detailed analysis</td> <td>gpt-4o</td> <td>$2.5/1M tokens</td> </tr> <tr> <td>Highest quality</td> <td>openai/gpt-5</td> <td>$1.25/1M tokens</td> </tr> </tbody> </table></div> <h3> 2. PR Size Limits </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">if</span><span class="pi">:</span> <span class="s">github.event.pull_request.changed_files &lt; </span><span class="m">50</span> <span class="c1"># Limit file count</span> </code></pre> </div> <h3> 3. Control Automatic Execution </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[config]</span> <span class="py">ignore_pr_labels</span> <span class="p">=</span> <span class="p">[</span><span class="s">'draft'</span><span class="p">,</span> <span class="s">'wip'</span><span class="p">,</span> <span class="s">'skip-ai-review'</span><span class="p">]</span> <span class="py">ignore_pr_title</span> <span class="p">=</span> <span class="p">[</span><span class="s">"^</span><span class="se">\\</span><span class="s">[WIP</span><span class="se">\\</span><span class="s">]"</span><span class="p">,</span> <span class="s">"^Draft:"</span><span class="p">,</span> <span class="s">"^Auto"</span><span class="p">]</span> </code></pre> </div> <h2> Impact Measurement </h2> <h3> Before/After Comparison Metrics </h3> <p><strong>Quantitative Metrics:</strong></p> <ul> <li>Reduced code review time</li> <li>Increased bug detection</li> <li>Earlier security issue identification</li> <li>Faster PR merge times</li> </ul> <p><strong>Qualitative Metrics:</strong></p> <ul> <li>Reduced reviewer burden</li> <li>Improved code quality</li> <li>Learning effect (developer skill improvement)</li> </ul> <h3> Real-World Results Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before: Average review time 2 hours/PR After: Average review time 45 minutes/PR (62% reduction) Security issue detection: - Before: 2 issues/month average - After: 8 issues/month average (4x increase) </code></pre> </div> <h2> 📝 Conclusion </h2> <p>Setting up PR-Agent with OpenRouter provides these benefits.</p> <p>✅ <strong>Cost Performance</strong> - Use multiple models through OpenRouter for cost optimization<br><br> ✅ <strong>Quality Improvement</strong> - Consistent review standards reduce oversights<br><br> ✅ <strong>Efficiency</strong> - Significant reduction in review time<br><br> ✅ <strong>Learning Effect</strong> - Developers learn best practices from AI feedback<br><br> ✅ <strong>Flexibility</strong> - Customizable for team-specific requirements</p> <p>We recommend starting with a small project for testing and gradually expanding. The configuration file allows extensive customization to match your team's needs.</p> <h2> 📚 References </h2> <ul> <li><a href="https://qodo-merge-docs.qodo.ai/" rel="noopener noreferrer">PR-Agent Official Documentation</a></li> <li><a href="https://openrouter.ai/" rel="noopener noreferrer">OpenRouter</a></li> <li><a href="https://qodo-merge-docs.qodo.ai/installation/github/" rel="noopener noreferrer">GitHub Actions Examples</a></li> <li><a href="https://qodo-merge-docs.qodo.ai/usage-guide/configuration_options/" rel="noopener noreferrer">Configuration Options</a></li> </ul> <p>Hope this guide helps improve your code review process! Feel free to share questions or suggestions in the comments.</p> github ai codereview openrouter CloudFront ECDSA Signed URLs: 91% Faster Generation, 55% Shorter URLs TOMOAKI ishihara Wed, 10 Sep 2025 16:04:48 +0000 https://dev.to/aws-builders/cloudfront-ecdsa-signed-urls-91-faster-generation-53-shorter-urls-54nf https://dev.to/aws-builders/cloudfront-ecdsa-signed-urls-91-faster-generation-53-shorter-urls-54nf <h2> 👋 Introduction </h2> <p>On September 9, 2025, Amazon CloudFront added support for <a href="https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm" rel="noopener noreferrer">ECDSA</a> (Elliptic Curve Digital Signature Algorithm) keys in signed URLs. Previously limited to RSA-2048, CloudFront now supports ECDSA P-256 (prime256v1), enabling significantly faster signature generation and shorter URLs.</p> <p>This article demonstrates implementing ECDSA signed URLs and compares performance with traditional RSA keys.</p> <p><a href="https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-cloudfront-ecdsa-signed-urls/" rel="noopener noreferrer">https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-cloudfront-ecdsa-signed-urls/</a></p> <h2> 📌 What's New </h2> <h3> Key Changes </h3> <ul> <li>CloudFront signed URLs now support ECDSA (P-256) alongside RSA</li> <li>Faster signature generation with lower CPU usage</li> <li>Smaller signature size resulting in shorter URLs</li> <li>Same security level as RSA with better performance</li> </ul> <h3> Expected Benefits </h3> <ul> <li>Performance: Faster signature generation for high-volume scenarios</li> <li>Efficiency: Reduced CPU usage, ideal for resource-constrained environments</li> <li>URL Length: Shorter URLs for SMS, QR codes, and other length-sensitive use cases</li> </ul> <h2> Implementation Guide </h2> <h3> 1. Generate Key Pairs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate ECDSA P-256 private key</span> openssl ecparam <span class="nt">-name</span> prime256v1 <span class="nt">-genkey</span> <span class="nt">-noout</span> <span class="nt">-out</span> ecdsa-private.pem <span class="c"># Generate public key</span> openssl ec <span class="nt">-in</span> ecdsa-private.pem <span class="nt">-pubout</span> <span class="nt">-out</span> ecdsa-public.pem <span class="c"># For comparison, generate RSA keys</span> openssl genrsa <span class="nt">-out</span> rsa-private.pem 2048 openssl rsa <span class="nt">-pubout</span> <span class="nt">-in</span> rsa-private.pem <span class="nt">-out</span> rsa-public.pem </code></pre> </div> <h3> 2. Register Public Keys with CloudFront </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Register ECDSA public key</span> <span class="nv">ECDSA_KEY_CONTENT</span><span class="o">=</span><span class="si">$(</span><span class="nb">cat </span>ecdsa-public.pem<span class="si">)</span> <span class="nv">ECDSA_KEY_RESPONSE</span><span class="o">=</span><span class="si">$(</span>aws cloudfront create-public-key <span class="se">\</span> <span class="nt">--public-key-config</span> <span class="se">\</span> <span class="nv">Name</span><span class="o">=</span><span class="s2">"ecdsa-signing-key"</span>,CallerReference<span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span><span class="s2">"</span>,EncodedKey<span class="o">=</span><span class="s2">"</span><span class="nv">$ECDSA_KEY_CONTENT</span><span class="s2">"</span>,Comment<span class="o">=</span><span class="s2">"ECDSA P-256 key for signed URLs"</span><span class="si">)</span> <span class="nv">ECDSA_KEY_ID</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ECDSA_KEY_RESPONSE</span> | jq <span class="nt">-r</span> <span class="s1">'.PublicKey.Id'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"ECDSA Key ID: </span><span class="nv">$ECDSA_KEY_ID</span><span class="s2">"</span> </code></pre> </div> <h3> 3. Create Key Groups </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create ECDSA key group</span> <span class="nv">ECDSA_KEY_GROUP_RESPONSE</span><span class="o">=</span><span class="si">$(</span>aws cloudfront create-key-group <span class="se">\</span> <span class="nt">--key-group-config</span> <span class="se">\</span> <span class="nv">Name</span><span class="o">=</span><span class="s2">"ecdsa-key-group"</span>,Items<span class="o">=</span><span class="s2">"</span><span class="nv">$ECDSA_KEY_ID</span><span class="s2">"</span>,Comment<span class="o">=</span><span class="s2">"ECDSA key group"</span><span class="si">)</span> <span class="nv">ECDSA_KEY_GROUP_ID</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ECDSA_KEY_GROUP_RESPONSE</span> | jq <span class="nt">-r</span> <span class="s1">'.KeyGroup.Id'</span><span class="si">)</span> </code></pre> </div> <h3> 4. Configure CloudFront Distribution </h3> <p>⚠️ <strong>Important</strong>: Update your CloudFront distribution behavior settings.</p> <ol> <li>Go to your distribution's "Behaviors" tab</li> <li>Edit the relevant behavior</li> <li>Set "Restrict viewer access" to "Yes"</li> <li>Set "Trusted authorization type" to "Trusted key groups"</li> <li>Select your created key group</li> </ol> <h3> 5. Generate Signed URLs </h3> <h4> AWS CLI Limitation </h4> <p>⚠️ Important: As of September 9, 2025, the AWS CLI's cloudfront sign command doesn't support ECDSA keys and throws an error saying it's not an RSA key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># aws --version</span> <span class="c"># aws-cli/2.29.0 </span> <span class="c"># This will fail with ECDSA keys</span> aws cloudfront sign <span class="nt">--url</span> https://example.com/file.jpg <span class="se">\</span> <span class="nt">--key-pair-id</span> <span class="nv">$ECDSA_KEY_ID</span> <span class="se">\</span> <span class="nt">--private-key</span> file://ecdsa-private.pem <span class="se">\</span> <span class="nt">--date-less-than</span> <span class="s2">"2025-09-10T12:09:03Z"</span> <span class="c"># Error: RSA private key not found in PEM.</span> </code></pre> </div> <h4> Python Implementation </h4> <p>Here's a working Python implementation for ECDSA signed URLs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ecdsa_signer.py </span><span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">botocore.signers</span> <span class="kn">import</span> <span class="n">CloudFrontSigner</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">hashes</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.asymmetric</span> <span class="kn">import</span> <span class="n">ec</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.serialization</span> <span class="kn">import</span> <span class="n">load_pem_private_key</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.backends</span> <span class="kn">import</span> <span class="n">default_backend</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="k">def</span> <span class="nf">ecdsa_signer</span><span class="p">(</span><span class="n">message</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">ecdsa-private.pem</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">rb</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">key_file</span><span class="p">:</span> <span class="n">private_key</span> <span class="o">=</span> <span class="nf">load_pem_private_key</span><span class="p">(</span> <span class="n">key_file</span><span class="p">.</span><span class="nf">read</span><span class="p">(),</span> <span class="n">password</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">backend</span><span class="o">=</span><span class="nf">default_backend</span><span class="p">()</span> <span class="p">)</span> <span class="k">return</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">ec</span><span class="p">.</span><span class="nc">ECDSA</span><span class="p">(</span><span class="n">hashes</span><span class="p">.</span><span class="nc">SHA1</span><span class="p">()))</span> <span class="k">def</span> <span class="nf">generate_signed_url</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">key_pair_id</span><span class="p">,</span> <span class="n">date_less_than</span><span class="p">):</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">cf_signer</span> <span class="o">=</span> <span class="nc">CloudFrontSigner</span><span class="p">(</span><span class="n">key_pair_id</span><span class="p">,</span> <span class="n">ecdsa_signer</span><span class="p">)</span> <span class="n">signed_url</span> <span class="o">=</span> <span class="n">cf_signer</span><span class="p">.</span><span class="nf">generate_presigned_url</span><span class="p">(</span> <span class="n">url</span><span class="p">,</span> <span class="n">date_less_than</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">date_less_than</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">Z</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">+00:00</span><span class="sh">"</span><span class="p">)),</span> <span class="p">)</span> <span class="n">processing_time_ms</span> <span class="o">=</span> <span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span><span class="p">)</span> <span class="o">*</span> <span class="mi">1000</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">ECDSA processing time: </span><span class="si">{</span><span class="n">processing_time_ms</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">ms</span><span class="sh">"</span><span class="p">,</span> <span class="nb">file</span><span class="o">=</span><span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">)</span> <span class="k">return</span> <span class="n">signed_url</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">url</span> <span class="o">=</span> <span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">1</span> <span class="k">else</span> <span class="sh">"</span><span class="s">https://example.com/file.jpg</span><span class="sh">"</span> <span class="n">expiry_time</span> <span class="o">=</span> <span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">2</span> <span class="k">else</span> <span class="sh">"</span><span class="s">2025-09-10T12:09:03Z</span><span class="sh">"</span> <span class="n">key_pair_id</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">ECDSA_KEY_ID</span><span class="sh">"</span><span class="p">)</span> <span class="n">signed_url</span> <span class="o">=</span> <span class="nf">generate_signed_url</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">key_pair_id</span><span class="p">,</span> <span class="n">expiry_time</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">signed_url</span><span class="p">)</span> </code></pre> </div> <h2> Performance Comparison </h2> <p>I ran performance tests comparing RSA and ECDSA signature generation.</p> <h3> Results Summary </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Test Runs</th> <th>RSA Average</th> <th>ECDSA Average</th> <th>Improvement</th> <th>RSA StdDev</th> <th>ECDSA StdDev</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>36.47ms</td> <td>3.04ms</td> <td>91.7%</td> <td>0.00ms</td> <td>0.00ms</td> </tr> <tr> <td>10</td> <td>35.93ms</td> <td>3.00ms</td> <td>91.6%</td> <td>2.54ms</td> <td>0.31ms</td> </tr> <tr> <td>20</td> <td>33.54ms</td> <td>2.60ms</td> <td>92.2%</td> <td>0.98ms</td> <td>0.21ms</td> </tr> <tr> <td>100</td> <td>34.39ms</td> <td>2.91ms</td> <td>91.5%</td> <td>1.33ms</td> <td>0.58ms</td> </tr> </tbody> </table></div> <h3> Key Findings </h3> <ul> <li>Performance: ECDSA is ~12x faster than RSA (91% improvement)</li> <li>URL Length: 55.1% shorter URLs (RSA: 448 chars → ECDSA: 201 chars)</li> <li>Consistency: Lower standard deviation shows more stable performance</li> </ul> <h3> Real URL Examples </h3> <p>RSA Signed URL (448 characters):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com/private-files/uploadtest.jpg?Expires=1757511063&amp;Signature=TNGmM2jrc5GRTalKgYhdZla1uaR~gOiX4HevKDMBbe5JkecwxGe0VoCqXB5KnCPgetRbbBE6JCtOdCYiTwGYxKpByOBJTMaS5Z3H9rqhln~wqQ0KZ-q5-lqvEPsxXlbBXbzJ0MDwNgzcCcu3GavsYGiceFr0veGw5RuYNLSs49HdFUKtdk~7wpI~bjdHzLDSaxoTKtIz0HDgii~VTPP769X~aOmG7~W0hm23nBP4WcTDe6Z8YvDRr61TqjixkNYrh4FiuUFFVuA2Tn0FUuaxcU5qVhtcl0ng8QqoyHUwWFju65h6g0TUM2iueJudQtV-CcoYf-UHlVOGQ39pnG9HxQ__&amp;Key-Pair-Id=ZZZZZZZZZZZZZ </code></pre> </div> <p>ECDSA Signed URL (201 characters):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com/private-files/uploadtest.jpg?Expires=1757511063&amp;Signature=MEQCIBO~LD6qEaVjiwGFFF233dOB~XJvi7SPhubaN0FjFsigAiBlLZAYz9sCp6aY93bE9z0SuZDhEH3Pw8uL-9rPODVbQw__&amp;Key-Pair-Id=WWWWWWWWWWWWWW </code></pre> </div> <h2> When to Use ECDSA </h2> <p>ECDSA is particularly beneficial for:</p> <ul> <li> <strong>High-volume URL generation</strong>: APIs generating many signed URLs</li> <li> <strong>Mobile/IoT devices</strong>: Resource-constrained environments</li> <li> <strong>URL length constraints</strong>: SMS, QR codes, social media</li> <li> <strong>Real-time applications</strong>: Where response time is critical</li> </ul> <h2> Conclusion </h2> <p>CloudFront's ECDSA support delivers significant performance improvements and URL size reductions. For high-load systems or resource-constrained environments, ECDSA provides substantial benefits while maintaining the same security level as RSA.</p> <p>The 91% performance improvement and 53% URL size reduction make ECDSA a compelling choice for modern applications requiring efficient signed URL generation.</p> <h2> Resources </h2> <ul> <li><a href="https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-cloudfront-ecdsa-signed-urls/" rel="noopener noreferrer">AWS Official Announcement</a></li> <li><a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html" rel="noopener noreferrer">CloudFront Signed URLs Documentation</a></li> <li><a href="https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm" rel="noopener noreferrer">ECDSA Wikipedia</a></li> </ul> <p>Have you tried ECDSA signed URLs in your CloudFront setup? Share your experience in the comments!</p> aws cloudfront security performance