The latest articles on DEV Community by Johannes Konings (@johanneskonings). https://dev.to/johanneskonings https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F344113%2Feea7baf2-3529-4410-b7a3-ce40c7a53a9a.png https://dev.to/johanneskonings en Johannes Konings Mon, 30 Mar 2026 20:00:02 +0000 https://dev.to/aws-builders/cdk-mixin-for-deletion-protection-50b7 https://dev.to/aws-builders/cdk-mixin-for-deletion-protection-50b7 <h2> Introduction </h2> <p>This post builds on the <a href="https://dev.to/aws-builders/cleanup-resources-from-ephemeral-stacks-in-aws-cdk-with-aspects-and-property-injectors-1loi">AWS CDK Ephemeral Stacks Cleanup</a> pattern and focuses on permanent environments.<br><br> For permanent stacks, the goal is to couple CDK removal policies with CloudFormation deletion protection so critical resources are harder to delete by accident.</p> <h2> Mixin </h2> <p>A CDK mixin applies cross-cutting behavior across many constructs from one place.<br><br> This <code>DeletionProtectionMixin</code> sets stack-level termination protection and, for selected CloudFormation resources, enables deletion protection only when a retain-style removal policy is present.</p> <p>The mapping in <code>applyTo</code> follows CloudFormation property names:</p> <ul> <li> <code>Stack.terminationProtection</code> for stacks</li> <li> <code>deletionProtectionEnabled</code> for <code>AWS::Logs::LogGroup</code> and <code>AWS::DynamoDB::Table</code> </li> <li> <code>deletionProtection</code> for supported RDS, DocumentDB, and Neptune resources</li> </ul> <p>By checking <code>hasRetainRemovalPolicy</code> first, the mixin keeps lifecycle intent aligned: resources marked to be retained also get deletion-protection settings where the service supports them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CfnDeletionPolicy</span><span class="p">,</span> <span class="nx">CfnResource</span><span class="p">,</span> <span class="nx">Mixin</span><span class="p">,</span> <span class="nx">Stack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">docdb</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/aws-docdb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">dynamodb</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/aws-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">logs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/aws-logs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">neptune</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/aws-neptune</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">rds</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/aws-rds</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">IConstruct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">constructs</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hasRetainRemovalPolicy</span> <span class="o">=</span> <span class="p">(</span><span class="nx">resource</span><span class="p">:</span> <span class="nx">CfnResource</span><span class="p">):</span> <span class="nx">boolean</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">deletionPolicy</span><span class="p">,</span> <span class="nx">updateReplacePolicy</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">resource</span><span class="p">.</span><span class="nx">cfnOptions</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="nx">deletionPolicy</span> <span class="o">===</span> <span class="nx">CfnDeletionPolicy</span><span class="p">.</span><span class="nx">RETAIN</span> <span class="o">||</span> <span class="nx">deletionPolicy</span> <span class="o">===</span> <span class="nx">CfnDeletionPolicy</span><span class="p">.</span><span class="nx">RETAIN_EXCEPT_ON_CREATE</span> <span class="o">||</span> <span class="nx">updateReplacePolicy</span> <span class="o">===</span> <span class="nx">CfnDeletionPolicy</span><span class="p">.</span><span class="nx">RETAIN</span> <span class="o">||</span> <span class="nx">updateReplacePolicy</span> <span class="o">===</span> <span class="nx">CfnDeletionPolicy</span><span class="p">.</span><span class="nx">RETAIN_EXCEPT_ON_CREATE</span> <span class="p">);</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">DeletionProtectionMixin</span> <span class="k">implements</span> <span class="nx">Mixin</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">supports</span><span class="p">(</span><span class="nx">construct</span><span class="p">:</span> <span class="nx">IConstruct</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">Stack</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">logs</span><span class="p">.</span><span class="nx">CfnLogGroup</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">dynamodb</span><span class="p">.</span><span class="nx">CfnTable</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">CfnDBCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">CfnDBInstance</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">CfnGlobalCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">docdb</span><span class="p">.</span><span class="nx">CfnDBCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">docdb</span><span class="p">.</span><span class="nx">CfnGlobalCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">neptune</span><span class="p">.</span><span class="nx">CfnDBCluster</span> <span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="nf">applyTo</span><span class="p">(</span><span class="nx">construct</span><span class="p">:</span> <span class="nx">IConstruct</span><span class="p">):</span> <span class="nx">IConstruct</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">Stack</span><span class="p">)</span> <span class="p">{</span> <span class="nx">construct</span><span class="p">.</span><span class="nx">terminationProtection</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span> <span class="nx">construct</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">CfnResource</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="nf">hasRetainRemovalPolicy</span><span class="p">(</span><span class="nx">construct</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">construct</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">logs</span><span class="p">.</span><span class="nx">CfnLogGroup</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">dynamodb</span><span class="p">.</span><span class="nx">CfnTable</span><span class="p">)</span> <span class="p">{</span> <span class="nx">construct</span><span class="p">.</span><span class="nx">deletionProtectionEnabled</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span> <span class="nx">construct</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">CfnDBCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">CfnDBInstance</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">CfnGlobalCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">docdb</span><span class="p">.</span><span class="nx">CfnDBCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">docdb</span><span class="p">.</span><span class="nx">CfnGlobalCluster</span> <span class="o">||</span> <span class="nx">construct</span> <span class="k">instanceof</span> <span class="nx">neptune</span><span class="p">.</span><span class="nx">CfnDBCluster</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">construct</span><span class="p">.</span><span class="nx">deletionProtection</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">construct</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="cm">/* Known future expansion targets. Top-level boolean-style deletionProtection: AWS::RDS::DBCluster, AWS::RDS::DBInstance, AWS::RDS::GlobalCluster, AWS::DocDB::DBCluster, AWS::DocDB::GlobalCluster, AWS::Neptune::DBCluster, AWS::EKS::Cluster, AWS::QLDB::Ledger, AWS::NeptuneGraph::Graph Top-level boolean-style deletionProtectionEnabled: AWS::Logs::LogGroup, AWS::DynamoDB::Table, AWS::DSQL::Cluster, AWS::SMSVOICE::PhoneNumber, AWS::SMSVOICE::Pool, AWS::SMSVOICE::ProtectConfiguration, AWS::SMSVOICE::SenderId Non-boolean mapping required: AWS::Cognito::UserPool (ACTIVE|INACTIVE), AWS::AutoScaling::AutoScalingGroup (none|prevent-force-deletion|prevent-all-deletion), AWS::VerifiedPermissions::PolicyStore ({ mode: ENABLED|DISABLED }) Nested-only: AWS::DynamoDB::GlobalTable.ReplicaSpecification.DeletionProtectionEnabled */</span> </code></pre> </div> <h2> app </h2> <p>At the app boundary, lifecycle determines which global policy is applied:</p> <ul> <li>Ephemeral stages use destroy-style cleanup behavior.</li> <li>Permanent stages apply <code>DeletionProtectionMixin</code> so stacks and selected stateful resources gain deletion protection.</li> </ul> <p>Applying the mixin once at <code>App</code> scope avoids repeating the same protection logic in every stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cp">#!/usr/bin/env node </span><span class="k">import</span> <span class="p">{</span> <span class="nx">execSync</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:child_process</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">Mixins</span><span class="p">,</span> <span class="nx">RemovalPolicies</span><span class="p">,</span> <span class="nx">Tags</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">mixins</span> <span class="k">as</span> <span class="nx">s3Mixins</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-s3</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DeletionProtectionMixin</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/mixins/DeletionProtection.ts</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// import { AwsSolutionsChecks, ServerlessChecks } from 'cdk-nag';</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">APPLICATION_RESOURCE_SCOPE_TAG_VALUE</span><span class="p">,</span> <span class="nx">RESOURCE_SCOPE_TAG_KEY</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/resource-tags.ts</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">resolveStageLifecycle</span><span class="p">,</span> <span class="nx">resolveStageName</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/stage-name.ts</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TanstackAwsAuroraExpressDummyStack</span><span class="p">,</span> <span class="nx">TanstackAwsStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/tanstack-aws.ts</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WORKLOAD_REGION</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/workload-region.ts</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">workloadAccount</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_ACCOUNT</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">();</span> <span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="nx">RESOURCE_SCOPE_TAG_KEY</span><span class="p">,</span> <span class="nx">APPLICATION_RESOURCE_SCOPE_TAG_VALUE</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">resolveLocalGitBranch</span> <span class="o">=</span> <span class="p">():</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">branchName</span> <span class="o">=</span> <span class="nf">execSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">git rev-parse --abbrev-ref HEAD</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">encoding</span><span class="p">:</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">,</span> <span class="na">stdio</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pipe</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span><span class="p">],</span> <span class="p">}).</span><span class="nf">trim</span><span class="p">();</span> <span class="k">return</span> <span class="nx">branchName</span> <span class="o">&amp;&amp;</span> <span class="nx">branchName</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">HEAD</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">branchName</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">stageSource</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_STAGE</span> <span class="o">??</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GITHUB_HEAD_REF</span> <span class="o">??</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GITHUB_REF_NAME</span> <span class="o">??</span> <span class="nf">resolveLocalGitBranch</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">appStage</span> <span class="o">=</span> <span class="nf">resolveStageName</span><span class="p">(</span><span class="nx">stageSource</span><span class="p">,</span> <span class="p">{</span> <span class="na">fallbackStage</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span><span class="p">,</span> <span class="na">lifecycle</span><span class="p">:</span> <span class="dl">'</span><span class="s1">permanent</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">appLifecycle</span> <span class="o">=</span> <span class="nf">resolveStageLifecycle</span><span class="p">(</span><span class="nx">appStage</span><span class="p">);</span> <span class="c1">// oxlint-disable-next-line no-console</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Deploying to stage: </span><span class="p">${</span><span class="nx">appStage</span><span class="p">}</span><span class="s2"> in region: </span><span class="p">${</span><span class="nx">WORKLOAD_REGION</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">new</span> <span class="nc">TanstackAwsStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="s2">`TanstackAwsStack-</span><span class="p">${</span><span class="nx">appStage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="nx">appStage</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="nx">workloadAccount</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">WORKLOAD_REGION</span> <span class="p">},</span> <span class="p">});</span> <span class="p">...</span> <span class="k">if </span><span class="p">(</span><span class="nx">appLifecycle</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ephemeral</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">RemovalPolicies</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">destroy</span><span class="p">();</span> <span class="nx">Mixins</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">apply</span><span class="p">(</span><span class="k">new</span> <span class="nx">s3Mixins</span><span class="p">.</span><span class="nc">BucketAutoDeleteObjects</span><span class="p">());</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">appLifecycle</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">permanent</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">Mixins</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">apply</span><span class="p">(</span><span class="k">new</span> <span class="nc">DeletionProtectionMixin</span><span class="p">());</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Unknown appLifecycle: </span><span class="p">${</span><span class="nx">appLifecycle</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Result </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu978kfxcfvq3v2rtpkj4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu978kfxcfvq3v2rtpkj4.png" alt="CloudFormation stack with termination protection enabled" width="800" height="354"></a><br> <em>Stack-level protection: termination protection is enabled for the permanent environment.</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkca5b9lzmdt9l2pweclt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkca5b9lzmdt9l2pweclt.png" alt="CloudWatch Logs log group with deletion protection enabled" width="800" height="504"></a><br> <em>Log group protection: <code>DeletionProtectionEnabled</code> is set alongside retain-style lifecycle intent.</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3w5y9zog9x1wkvmpma5l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3w5y9zog9x1wkvmpma5l.png" alt="DynamoDB table with deletion protection enabled" width="800" height="506"></a><br> <em>DynamoDB protection: table deletion protection is active for persistent data.</em></p> <h2> Conclusion </h2> <p>A deletion-protection mixin gives permanent environments a consistent baseline: enforce stack termination protection, then enable resource-level deletion protection only for supported services and only when retain-style policies indicate persistence intent. This centralization reduces configuration drift, keeps lifecycle behavior predictable during updates and deletes, and makes the policy easy to apply uniformly at app scope.</p> <p>The boundary is intentional: not every CloudFormation resource exposes a native deletion-protection control, and some services require non-boolean or nested mappings. The safest extension path is to add resource types incrementally, document each property mapping explicitly, and keep the retain-policy gate so deletion protection remains aligned with lifecycle intent rather than applied indiscriminately.</p> <p>Aspects and property injection were also valid options for this problem space. In practice, property injection is scoped per construct type rather than as one cross-resource mapping, while aspects are more naturally geared toward traversal, validation, and invariant checks than direct cross-service property manipulation.</p> <h2> Sources and References </h2> <ul> <li> <strong>Earlier pattern this post builds on</strong>: <a href="https://johanneskonings.dev/blog/2025-06-14-aws-cdk-ephemeral-stacks-cleanup" rel="noopener noreferrer">AWS CDK Ephemeral Stacks Cleanup</a> </li> <li> <strong>CDK mixins guide</strong>: <a href="https://docs.aws.amazon.com/cdk/v2/guide/mixins.html" rel="noopener noreferrer">Mixins - AWS CDK v2 Developer Guide</a> </li> <li> <strong>CDK aspects guide</strong>: <a href="https://docs.aws.amazon.com/cdk/v2/guide/aspects.html" rel="noopener noreferrer">Aspects - AWS CDK v2 Developer Guide</a> </li> <li> <strong>CDK blueprints and property injection</strong>: <a href="https://docs.aws.amazon.com/cdk/v2/guide/blueprints.html" rel="noopener noreferrer">Configure constructs with CDK Blueprints - AWS CDK v2 Developer Guide</a> </li> <li> <strong>Stack termination protection</strong>: <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.StackProps.html#terminationprotection" rel="noopener noreferrer">AWS CDK API Reference - <code>StackProps.terminationProtection</code></a> </li> <li> <strong>CloudFormation deletion lifecycle</strong>: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html" rel="noopener noreferrer">DeletionPolicy attribute</a> </li> <li> <strong>CloudFormation replacement lifecycle</strong>: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html" rel="noopener noreferrer">UpdateReplacePolicy attribute</a> </li> <li> <strong>Dependency-injection tradeoffs</strong>: <a href="https://martinfowler.com/articles/injection.html" rel="noopener noreferrer">Inversion of Control Containers and the Dependency Injection pattern (Martin Fowler)</a> </li> <li> <strong>CloudWatch Logs deletion protection</strong>: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-loggroup.html" rel="noopener noreferrer">AWS::Logs::LogGroup (<code>DeletionProtectionEnabled</code>)</a> </li> <li> <strong>DynamoDB deletion protection</strong>: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html" rel="noopener noreferrer">AWS::DynamoDB::Table (<code>DeletionProtectionEnabled</code>)</a> </li> <li> <strong>RDS deletion protection</strong>: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html" rel="noopener noreferrer">AWS::RDS::DBCluster (<code>DeletionProtection</code>)</a>, <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html" rel="noopener noreferrer">AWS::RDS::DBInstance (<code>DeletionProtection</code>)</a>, <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-globalcluster.html" rel="noopener noreferrer">AWS::RDS::GlobalCluster (<code>DeletionProtection</code>)</a> </li> <li> <strong>DocumentDB deletion protection</strong>: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-docdb-dbcluster.html" rel="noopener noreferrer">AWS::DocDB::DBCluster (<code>DeletionProtection</code>)</a>, <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-docdb-globalcluster.html" rel="noopener noreferrer">AWS::DocDB::GlobalCluster (<code>DeletionProtection</code>)</a> </li> <li> <strong>Neptune deletion protection</strong>: <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-neptune-dbcluster.html" rel="noopener noreferrer">AWS::Neptune::DBCluster (<code>DeletionProtection</code>)</a> </li> </ul> aws cdk mixin Johannes Konings Sat, 28 Mar 2026 20:03:16 +0000 https://dev.to/aws-builders/aurora-postgresql-serverless-express-configuration-with-cdk-and-drizzle-4hi7 https://dev.to/aws-builders/aurora-postgresql-serverless-express-configuration-with-cdk-and-drizzle-4hi7 <h2> Introduction </h2> <p>This post documents a setup for Aurora PostgreSQL <strong>express configuration</strong> with:</p> <ul> <li>AWS CDK deployment</li> <li>an AWS SDK-based custom resource (because CloudFormation support is not available yet)</li> <li>Drizzle Kit and Drizzle Studio for schema and data verification</li> </ul> <p>The setup is not production-ready, but it can be used as a starting point for further development.</p> <p>AWS launch post:<br> <a href="https://aws.amazon.com/blogs/aws/announcing-amazon-aurora-postgresql-serverless-database-creation-in-seconds/" rel="noopener noreferrer">Announcing Amazon Aurora PostgreSQL Serverless database creation in seconds</a></p> <h2> CDK Custom Resource </h2> <p>Aurora express configuration currently requires calling the RDS API directly. In this setup, CDK uses <code>AwsCustomResource</code> with <code>CreateDBCluster</code> and cleanup calls.</p> <p>API reference:<br> <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/rds/command/CreateDBClusterCommand/" rel="noopener noreferrer">CreateDBClusterCommand</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Names</span><span class="p">,</span> <span class="nx">Stack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Effect</span><span class="p">,</span> <span class="nx">PolicyStatement</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/aws-iam</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AwsCustomResource</span><span class="p">,</span> <span class="nx">AwsCustomResourcePolicy</span><span class="p">,</span> <span class="nx">PhysicalResourceId</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/custom-resources</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NagSuppressions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">cdk-nag</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">constructs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">DbAuroraExpressDummyProps</span> <span class="o">=</span> <span class="p">{</span> <span class="na">databaseName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">maxCapacity</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">minCapacity</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">schemaName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">toIdentifier</span> <span class="o">=</span> <span class="p">(</span><span class="nx">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">maxLength</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="kr">string</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">normalized</span> <span class="o">=</span> <span class="nx">value</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[^</span><span class="sr">a-z0-9-</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">-</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">compacted</span> <span class="o">=</span> <span class="nx">normalized</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-+/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">-</span><span class="dl">"</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/^-|-$/g</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">compacted</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="nx">maxLength</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">compacted</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">compacted</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">maxLength</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-+$/g</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">DbAuroraExpressDummy</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">clusterArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">databaseName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">schemaName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">DbAuroraExpressDummyProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">databaseName</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">databaseName</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">schemaName</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">schemaName</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">minCapacity</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">minCapacity</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">maxCapacity</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">maxCapacity</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">stack</span> <span class="o">=</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">baseIdentifier</span> <span class="o">=</span> <span class="nf">toIdentifier</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">Names</span><span class="p">.</span><span class="nf">uniqueId</span><span class="p">(</span><span class="k">this</span><span class="p">)}</span><span class="s2">`</span><span class="p">,</span> <span class="mi">63</span><span class="p">);</span> <span class="c1">// Aurora Express creates an instance identifier from the cluster identifier</span> <span class="c1">// (suffix like "-instance-1"), so keep the cluster id shorter than 63 chars.</span> <span class="kd">const</span> <span class="nx">clusterIdentifier</span> <span class="o">=</span> <span class="nf">toIdentifier</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">baseIdentifier</span><span class="p">}</span><span class="s2">-aurora`</span><span class="p">,</span> <span class="mi">52</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">instanceIdentifier</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">clusterIdentifier</span><span class="p">}</span><span class="s2">-instance-1`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">clusterResource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ExpressClusterFallback</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nf">fromStatements</span><span class="p">([</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">ec2:DescribeAvailabilityZones</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">iam:CreateServiceLinkedRole</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:CreateDBCluster</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:CreateDBInstance</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:DeleteDBCluster</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:DeleteDBInstance</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:DescribeDBClusters</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:EnableInternetAccessGateway</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">],</span> <span class="p">}),</span> <span class="p">]),</span> <span class="na">installLatestAwsSdk</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">onCreate</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">createDBCluster</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">ignoreErrorCodesMatching</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DBClusterAlreadyExistsFault</span><span class="dl">"</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">clusterIdentifier</span><span class="p">),</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBClusterIdentifier</span><span class="p">:</span> <span class="nx">clusterIdentifier</span><span class="p">,</span> <span class="na">Engine</span><span class="p">:</span> <span class="dl">"</span><span class="s2">aurora-postgresql</span><span class="dl">"</span><span class="p">,</span> <span class="na">WithExpressConfiguration</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Keep explicit ACU limits while using Aurora express defaults.</span> <span class="na">ServerlessV2ScalingConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">MinCapacity</span><span class="p">:</span> <span class="nx">minCapacity</span><span class="p">,</span> <span class="na">MaxCapacity</span><span class="p">:</span> <span class="nx">maxCapacity</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">describeDBClusters</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">clusterIdentifier</span><span class="p">),</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBClusterIdentifier</span><span class="p">:</span> <span class="nx">clusterIdentifier</span><span class="p">,</span> <span class="na">Engine</span><span class="p">:</span> <span class="dl">"</span><span class="s2">aurora-postgresql</span><span class="dl">"</span><span class="p">,</span> <span class="na">WithExpressConfiguration</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Keep explicit ACU limits while using Aurora express defaults.</span> <span class="na">ServerlessV2ScalingConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">MinCapacity</span><span class="p">:</span> <span class="nx">minCapacity</span><span class="p">,</span> <span class="na">MaxCapacity</span><span class="p">:</span> <span class="nx">maxCapacity</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="na">onDelete</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">deleteDBCluster</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">ignoreErrorCodesMatching</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DBClusterNotFoundFault</span><span class="dl">"</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBClusterIdentifier</span><span class="p">:</span> <span class="nx">clusterIdentifier</span><span class="p">,</span> <span class="na">DeleteAutomatedBackups</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">SkipFinalSnapshot</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">clusterLookupResource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ExpressClusterLookup</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nf">fromStatements</span><span class="p">([</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">rds:DescribeDBClusters</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">],</span> <span class="p">}),</span> <span class="p">]),</span> <span class="na">installLatestAwsSdk</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">onCreate</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">describeDBClusters</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">clusterIdentifier</span><span class="p">}</span><span class="s2">-lookup`</span><span class="p">),</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBClusterIdentifier</span><span class="p">:</span> <span class="nx">clusterIdentifier</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">describeDBClusters</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">clusterIdentifier</span><span class="p">}</span><span class="s2">-lookup`</span><span class="p">),</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBClusterIdentifier</span><span class="p">:</span> <span class="nx">clusterIdentifier</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">clusterLookupResource</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">addDependency</span><span class="p">(</span><span class="nx">clusterResource</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">instanceCleanupResource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ExpressInstanceCleanup</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nf">fromStatements</span><span class="p">([</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">rds:DeleteDBInstance</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:DescribeDBInstances</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:DescribeDBClusters</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">],</span> <span class="p">}),</span> <span class="p">]),</span> <span class="na">installLatestAwsSdk</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">onCreate</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">describeDBClusters</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">clusterIdentifier</span><span class="p">}</span><span class="s2">-instance-cleanup`</span><span class="p">),</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBClusterIdentifier</span><span class="p">:</span> <span class="nx">clusterIdentifier</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">describeDBClusters</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">clusterIdentifier</span><span class="p">}</span><span class="s2">-instance-cleanup`</span><span class="p">),</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBClusterIdentifier</span><span class="p">:</span> <span class="nx">clusterIdentifier</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">onDelete</span><span class="p">:</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">deleteDBInstance</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RDS</span><span class="dl">"</span><span class="p">,</span> <span class="na">ignoreErrorCodesMatching</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DBInstanceNotFoundFault|InvalidDBInstanceStateFault</span><span class="dl">"</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">DBInstanceIdentifier</span><span class="p">:</span> <span class="nx">instanceIdentifier</span><span class="p">,</span> <span class="na">DeleteAutomatedBackups</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">SkipFinalSnapshot</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">instanceCleanupResource</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">addDependency</span><span class="p">(</span><span class="nx">clusterResource</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">clusterArn</span> <span class="o">=</span> <span class="nx">clusterLookupResource</span><span class="p">.</span><span class="nf">getResponseField</span><span class="p">(</span><span class="dl">"</span><span class="s2">DBClusters.0.DBClusterArn</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Aurora deployment observations </h2> <p>From Aurora PostgreSQL express configuration documentation and deployment output:</p> <ul> <li>The cluster is created without VPC association.</li> <li>Internet access gateway is enabled for connectivity.</li> <li>IAM authentication is required for gateway-based access.</li> <li>Encryption uses an AWS/RDS managed key (a customer-managed KMS key cannot be selected at create time in this flow).</li> <li>Data API is disabled by default at create time; it can be enabled later, with authentication constraints documented by AWS (<a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.html#CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.Settings" rel="noopener noreferrer">Express configuration settings</a>, <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.enabling.html" rel="noopener noreferrer">enabling</a>, <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html" rel="noopener noreferrer">usage and auth model</a>). I have not managed to get Data API working with this express setup yet.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8gm4oz9ywu953be38t99.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8gm4oz9ywu953be38t99.png" alt="Aurora cluster deployed with express configuration" width="800" height="348"></a></p> <h2> Teardown behavior </h2> <p>The custom resource includes explicit delete calls for both cluster and instance identifiers. During stack deletion, the cluster and instance cleanup sequence is visible in the AWS console. This is useful for ephemeral feature stacks where database infrastructure should be created and removed per branch or short-lived environment.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6r0sbrzybwvv4pfvsjwk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6r0sbrzybwvv4pfvsjwk.png" alt="Aurora cluster deletion state" width="800" height="243"></a></p> <h2> Drizzle integration </h2> <p>Drizzle is used for schema push, local studio inspection, and a simple seed script. Environment variables in this setup are managed with Varlock.</p> <p><a href="https://varlock.dev/" rel="noopener noreferrer">Varlock documentation</a></p> <p><a href="https://orm.drizzle.team/" rel="noopener noreferrer">Drizzle ORM documentation</a></p> <p>This setup was tested with the Drizzle beta track, which is expected to become v1 soon.</p> <h3> Required packages </h3> <p>Install these npm packages before running the examples:</p> <ul> <li>Runtime dependencies: <code>vp add @aws-sdk/rds-signer drizzle-orm pg varlock</code> </li> <li>Dev/tooling dependencies: <code>vp add -D drizzle-kit @types/pg</code> </li> </ul> <p>Note: this repository uses Vite+, so commands in this post use <code>vp</code> wrappers (such as <code>vp add</code>, <code>vp exec</code>, and <code>vp run</code>) instead of direct <code>npm</code> or <code>pnpm</code> commands.</p> <h3> Configuration (<code>drizzle-kit</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Signer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/rds-signer</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-kit</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ENV</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">varlock/env</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hostname</span> <span class="o">=</span> <span class="nx">ENV</span><span class="p">.</span><span class="nx">HOSTNAME</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">5432</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">username</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">postgres</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">database</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">postgres</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">signer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Signer</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">ENV</span><span class="p">.</span><span class="nx">AWS_REGION</span><span class="p">,</span> <span class="nx">hostname</span><span class="p">,</span> <span class="nx">port</span><span class="p">,</span> <span class="nx">username</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">signer</span><span class="p">.</span><span class="nf">getAuthToken</span><span class="p">();</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">dialect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">postgresql</span><span class="dl">"</span><span class="p">,</span> <span class="na">schema</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dummySchema.ts</span><span class="dl">"</span><span class="p">,</span> <span class="na">dbCredentials</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="nx">hostname</span><span class="p">,</span> <span class="nx">port</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">database</span><span class="p">,</span> <span class="na">ssl</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Schema </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">integer</span><span class="p">,</span> <span class="nx">pgSchema</span><span class="p">,</span> <span class="nx">text</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm/pg-core</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">DUMMY_SCHEMA_NAME</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">dummy</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">dummySchema</span> <span class="o">=</span> <span class="nf">pgSchema</span><span class="p">(</span><span class="nx">DUMMY_SCHEMA_NAME</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">dummyTable</span> <span class="o">=</span> <span class="nx">dummySchema</span><span class="p">.</span><span class="nf">table</span><span class="p">(</span><span class="dl">"</span><span class="s2">dummy_table</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nf">integer</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">).</span><span class="nf">primaryKey</span><span class="p">(),</span> <span class="na">name</span><span class="p">:</span> <span class="nf">text</span><span class="p">(</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">(),</span> <span class="p">});</span> </code></pre> </div> <p>Run this command to apply schema changes:<br> <code>vp exec varlock run -- vp exec drizzle-kit push --config=drizzle-user-password.config.ts</code></p> <p>Run this command to open Drizzle Studio:<br> <code>vp exec varlock run -- vp exec drizzle-kit studio --config=drizzle-user-password.config.ts</code></p> <p>Studio before seeding (table exists, no rows):</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzyukmm4ggla6hgrk2sq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzyukmm4ggla6hgrk2sq.png" alt="Drizzle Studio before seeding" width="800" height="608"></a></p> <h3> Seeding script </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cp">#!/usr/bin/env node </span><span class="cm">/* oxlint-disable no-console */</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Signer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/rds-signer</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">drizzle</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm/node-postgres</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ENV</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">varlock/env</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">dummyTable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../dummySchema.ts</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hostname</span> <span class="o">=</span> <span class="nx">ENV</span><span class="p">.</span><span class="nx">HOSTNAME</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">5432</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">username</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">postgres</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">database</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">postgres</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">signer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Signer</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">ENV</span><span class="p">.</span><span class="nx">AWS_REGION</span><span class="p">,</span> <span class="nx">hostname</span><span class="p">,</span> <span class="nx">port</span><span class="p">,</span> <span class="nx">username</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">signer</span><span class="p">.</span><span class="nf">getAuthToken</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">ENV</span><span class="p">.</span><span class="nx">HOSTNAME</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">ENV</span><span class="p">.</span><span class="nx">AWS_REGION</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">drizzle</span><span class="p">({</span> <span class="na">connection</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="nx">hostname</span><span class="p">,</span> <span class="nx">port</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">database</span><span class="p">,</span> <span class="na">ssl</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">dummyTable</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">insertResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">dummyTable</span><span class="p">).</span><span class="nf">values</span><span class="p">([</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Dummy 1</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Dummy 2</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Dummy 3</span><span class="dl">"</span> <span class="p">},</span> <span class="p">]);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">insertResult</span><span class="p">);</span> </code></pre> </div> <p><code>vp exec varlock run -- node scripts/seed-dummy.ts</code></p> <h2> Result </h2> <ul> <li>Schema <code>dummy.dummy_table</code> is created successfully via Drizzle Kit.</li> <li>Seed script inserts three rows (<code>id</code> 1..3).</li> <li>Drizzle Studio confirms data visibility through the IAM-authenticated Aurora Express connection.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ee18mvqmz5h44ziqkdb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ee18mvqmz5h44ziqkdb.png" alt="Drizzle Studio after seeding with three rows" width="800" height="446"></a></p> <h2> Conclusion </h2> <p>Aurora PostgreSQL express configuration can be integrated into a CDK workflow today by using AWS SDK custom resources for create/delete operations. Drizzle works with this setup when authentication tokens are generated through the RDS signer and passed to Drizzle tooling/runtime.</p> <h2> Sources and References </h2> <ul> <li> <strong>AWS announcement</strong>: <a href="https://aws.amazon.com/blogs/aws/announcing-amazon-aurora-postgresql-serverless-database-creation-in-seconds/" rel="noopener noreferrer">Announcing Amazon Aurora PostgreSQL Serverless database creation in seconds</a> </li> <li> <strong>Aurora Express configuration docs</strong>: <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_GettingStartedAurora.AuroraPostgreSQL.ExpressConfig.html" rel="noopener noreferrer">Creating and connecting to an Aurora PostgreSQL cluster with express configuration</a> </li> <li> <strong>RDS Data API enablement</strong>: <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.enabling.html" rel="noopener noreferrer">Enabling the Amazon RDS Data API</a> </li> <li> <strong>RDS Data API usage/auth</strong>: <a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html" rel="noopener noreferrer">Using the Amazon RDS Data API</a> </li> <li> <strong>RDS API (SDK v3)</strong>: <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/rds/command/CreateDBClusterCommand/" rel="noopener noreferrer">CreateDBClusterCommand</a> </li> <li> <strong>Varlock</strong>: <a href="https://varlock.dev/" rel="noopener noreferrer">varlock.dev</a> </li> <li> <strong>Drizzle ORM</strong>: <a href="https://orm.drizzle.team/" rel="noopener noreferrer">orm.drizzle.team</a> </li> <li> <strong>Drizzle Kit</strong>: <a href="https://orm.drizzle.team/docs/drizzle-kit-overview" rel="noopener noreferrer">orm.drizzle.team/docs/drizzle-kit-overview</a> </li> </ul> aws cdk aurora drizzle Johannes Konings Sun, 11 Jan 2026 08:15:18 +0000 https://dev.to/aws-builders/tag-log-buckets-created-by-aws-cdk-for-third-party-tools-2lcp https://dev.to/aws-builders/tag-log-buckets-created-by-aws-cdk-for-third-party-tools-2lcp <h2> Overview </h2> <p>How you secure cloud configuration often starts with cdk-nag, but many teams also use third-party tools after deployments. Using the “server access logs not configured” example, this post shows how cdk-nag can interact with those tools by tagging log buckets created by the AWS CDK.</p> <p>This example focuses on the AwsSolutions-S1 rule from the AWS Solutions ruleset (<a href="https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#awssolutions" rel="noopener noreferrer">https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#awssolutions</a>).</p> <p>As of <a href="https://github.com/JohannesKonings/cdk-nag-custom-nag-pack/releases/tag/v0.0.11" rel="noopener noreferrer">@jaykingson/cdk-nag-custom-nag-pack v0.0.11</a>, this behavior is available via a log bucket tagger and an AwsSolutions-S1 suppression helper.</p> <h2> The cdk-nag log bucket behavior </h2> <p>If the log bucket and the source buckets are created in the same AWS CDK app, cdk-nag can identify that relationship and won’t raise AwsSolutions-S1 for the log bucket. If the app only provides the log bucket for usage outside the app, cdk-nag will raise AwsSolutions-S1.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fic3z6gbvnlahq3z1f15y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fic3z6gbvnlahq3z1f15y.png" alt="log bucket outside app" width="800" height="276"></a></p> <h2> The bridge to third party tools </h2> <p>If a third-party tool doesn’t check bucket dependencies and only checks whether the log bucket has server access logs enabled, it will still raise findings. One universal approach is to suppress those findings based on tags on the bucket itself.</p> <h2> The extension for cdk-nag to handle log bucket tagging </h2> <p>Because cdk-nag can identify the dependency within the app, it can also tag the log bucket to indicate that it is used for server access logs. e.g. <code>isLogBucket=true</code> and for better visibility an additional tag <code>LogBucketTaggedBy=cdk-nag</code> (or however you want the source to look).</p> <h2> The result </h2> <p>This app contains different usage patterns for log buckets and shows how the custom checks suppress and tag the log bucket.</p> <p>TypeScript example</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#!/usr/bin/env node import { App, Aspects, Stack } from "aws-cdk-lib"; import { CustomChecks, CustomChecksSuppressions, } from "@jaykingson/cdk-nag-custom-nag-pack"; import { Bucket } from "aws-cdk-lib/aws-s3"; const app = new App(); // Create two separate CloudFormation stacks to demonstrate cross-stack resource references // Stack 1 will contain the primary log bucket and a test bucket const stack = new Stack(app, "Stack"); // Stack 2 will demonstrate referencing log buckets from different stacks const stack2 = new Stack(app, "Stack2"); // Create a dedicated log bucket that will serve as the central logging destination // for other application buckets across the infrastructure const logBucketForOtherAppsBuckets = new Bucket( stack, "LogBucketForOtherAppsBuckets", { enforceSSL: true, }, ); // Usage of the new supression, which also tag as an log bucket CustomChecksSuppressions.addLogBucketS1Suppression( logBucketForOtherAppsBuckets, ); // Reference an existing log bucket in Stack2 by its ARN (Amazon Resource Name) // This demonstrates importing external resources that may already exist in your AWS account const logBucketLookup = Bucket.fromBucketArn( stack2, "LogBucketLookup", "arn:aws:s3:::log-bucket-lookup", ); // Create another log bucket in Stack 1 for demonstration purposes // This bucket will also serve as a logging destination for application buckets const logBucket = new Bucket(stack, "LogBucket", { enforceSSL: true, }); // Create a test application bucket in Stack 1 that logs access to the local log bucket // This demonstrates the standard pattern: application bucket → log bucket (same stack) new Bucket(stack, "TestBucket", { enforceSSL: true, serverAccessLogsBucket: logBucket, }); // Create a test bucket in Stack2 that references the imported log bucket // This shows how buckets can log to external/imported logging destinations new Bucket(stack2, "TestBucketLookup", { enforceSSL: true, serverAccessLogsBucket: logBucketLookup, }); // Create another test bucket in Stack2, but this time referencing the log bucket from Stack 1 // This demonstrates CROSS-STACK resource references - a powerful CDK feature // CDK automatically creates the necessary CloudFormation exports/imports new Bucket(stack2, "TestBucket2", { enforceSSL: true, serverAccessLogsBucket: logBucket, }); // Apply custom CDK Nag checks to the entire application using the Aspects pattern // Aspects run validation rules against all resources in the app before synthesis Aspects.of(app).add( new CustomChecks({ enableAwsSolutionChecks: true, // Enable AWS Solutions construct library compliance checks enableLogBucketTagger: true, // Automatically tag log buckets for third-party security scanners }), ); </code></pre> </div> <p><code>LogBucketForOtherAppsBucketsF118033B</code> has the suppression and the tags applied, and <code>LogBucketCC3B17E8</code> is treated as a log bucket because it is created and referenced within the app.</p> <p>The synthesized CloudFormation template</p> <p>CloudFormation template excerpt</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Resources": { "LogBucketForOtherAppsBucketsF118033B": { "Type": "AWS::S3::Bucket", "Properties": { "Tags": [ { "Key": "isLogBucket", "Value": "true" }, { "Key": "LogBucketTaggedBy", "Value": "cdkNagCustomChecks" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "Stack/LogBucketForOtherAppsBuckets/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "This is intended to be a log bucket. Log bucket does not require access logging to prevent infinite loop", "id": "AwsSolutions-S1" } ] } } }, ... "LogBucketCC3B17E8": { "Type": "AWS::S3::Bucket", "Properties": { "Tags": [ { "Key": "isLogBucket", "Value": "true" }, { "Key": "LogBucketTaggedBy", "Value": "cdkNagCustomChecks" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "Stack/LogBucket/Resource", "cdk_nag": { "rules_to_suppress": [ { "reason": "This is intended to be a log bucket. Log bucket does not require access logging to prevent infinite loop", "id": "AwsSolutions-S1" } ] } } }, ... "TestBucket560B80BC": { "Type": "AWS::S3::Bucket", "Properties": { "LoggingConfiguration": { "DestinationBucketName": { "Ref": "LogBucketCC3B17E8" } } }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "Stack/TestBucket/Resource" } }, ... "CDKMetadata": { "Type": "AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/0WISw5AMBBAz2LfDoYTcAHhAFJVySiVmJaIuLtFJVbvg4AFQp6ok6UerVxogLvzSluhTu65gLsK2hov6sl9FtFsC+nr37GfR7htNDBzemAJOUKWzEwk9+A8rQbayBeDG/QVeAAAAA==" }, "Metadata": { "aws:cdk:path": "Stack/CDKMetadata/Default" }, "Condition": "CDKMetadataAvailable" } }, "Outputs": { "ExportsOutputRefLogBucketCC3B17E818DCEC53": { "Value": { "Ref": "LogBucketCC3B17E8" }, "Export": { "Name": "Stack:ExportsOutputRefLogBucketCC3B17E818DCEC53" } } }, } </code></pre> </div> <h2> Sources and links </h2> <ul> <li><a href="https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#awssolutions" rel="noopener noreferrer">https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#awssolutions</a></li> <li><a href="https://github.com/JohannesKonings/cdk-nag-custom-nag-pack/releases/tag/v0.0.11" rel="noopener noreferrer">https://github.com/JohannesKonings/cdk-nag-custom-nag-pack/releases/tag/v0.0.11</a></li> <li><a href="https://github.com/cdklabs/cdk-nag" rel="noopener noreferrer">https://github.com/cdklabs/cdk-nag</a></li> </ul> aws cdk cdknag Johannes Konings Thu, 08 Jan 2026 08:15:18 +0000 https://dev.to/aws-builders/using-server-sent-events-sse-to-sync-tanstack-db-from-aws-dynamodb-3chb https://dev.to/aws-builders/using-server-sent-events-sse-to-sync-tanstack-db-from-aws-dynamodb-3chb <h2> Introduction </h2> <p>As described in <a href="//./2025-12-27-tanstack-start-aws-db-multiple-entities">Simple example of TanStack DB with DynamoDB on AWS with multiple entities</a>, we set up a multi-entity data model using ElectroDB and TanStack DB collections. In this post, we will explore how to keep our TanStack DB in sync with AWS DynamoDB using Server Sent Events (SSE).</p> <p>TanStack DB has the advantage that it can update specific database entries without needing to refetch all the data. This capability enables real-time synchronization across multiple sessions when another user or process modifies the data. Instead of polling the database constantly or refreshing entire datasets, SSE allows the server to push only the changes that occurred, making the application more efficient and responsive.</p> <blockquote> <p><strong>⚠️ Disclaimer</strong> : This implementation is somewhat hacky and is intended to prove the approach and demonstrate the concept. It has not been battle-tested in production environments and may contain errors or edge cases that haven't been fully addressed.</p> </blockquote> <h2> Demo Video </h2> <p> <iframe src="https://www.youtube.com/embed/ZOf52x9ehYg"> </iframe> </p> <h2> Architecture Overview </h2> <p>The synchronization architecture consists of three main components working together:</p> <ol> <li> <strong>DynamoDB Streams</strong> : Captures all data changes from the main DynamoDB table</li> <li> <strong>Event Table</strong> : Stores a change log of all modifications for historical tracking</li> <li> <strong>SSE Endpoint</strong> : Streams these changes to connected clients in real-time</li> </ol> <p>This architecture enables multiple clients to stay synchronized with minimal latency while maintaining a complete audit trail of all data modifications.</p> <h2> DynamoDB Stream and Event Table </h2> <p>AWS DynamoDB Streams is a powerful feature that captures a time-ordered sequence of item-level modifications in any DynamoDB table. When enabled, DynamoDB Streams records every change (insert, update, delete) made to the table in near real-time.</p> <h3> How It Works </h3> <ol> <li> <strong>Stream Capture</strong> : When data changes in the main DynamoDB table, DynamoDB Streams captures these modifications</li> <li> <strong>Lambda Processing</strong> : A Lambda function is triggered by the stream and processes each change event</li> <li> <strong>Event Storage</strong> : The Lambda writes these events to a separate "Events" table, creating a persistent change log</li> <li> <strong>Query by Clients</strong> : The SSE endpoint can query this Events table to find changes since a specific timestamp</li> </ol> <p>This approach provides several benefits:</p> <ul> <li> <strong>Historical Audit Trail</strong> : All changes are permanently stored in the Events table</li> <li> <strong>Efficient Polling</strong> : Clients only need to query for events after their last known event ID</li> <li> <strong>Decoupling</strong> : The stream processing is separate from client synchronization logic</li> </ul> <p>For more information, see the <a href="https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.html" rel="noopener noreferrer">AWS DynamoDB Streams documentation</a>.</p> <h3> Implementation Links </h3> <p>The complete implementation is available in the repository:</p> <ul> <li> <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2026-01-08-tanstack-start-aws-db-multiple-entities-sse/lib/constructs/dynamo-table.ts" rel="noopener noreferrer">DynamoDB stream setup</a> - Table configuration with streams enabled</li> <li> <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2026-01-08-tanstack-start-aws-db-multiple-entities-sse/lambda/dynamodb-stream/index.ts" rel="noopener noreferrer">Lambda function for stream processing</a> - Processes DynamoDB stream events</li> <li> <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2026-01-08-tanstack-start-aws-db-multiple-entities-sse/app/entities/events.ts" rel="noopener noreferrer">Events table schema and setup</a> - ElectroDB entity definition for events</li> </ul> <h2> Server Sent Events (SSE) Setup </h2> <p><a href="https://en.wikipedia.org/wiki/Server-sent_events" rel="noopener noreferrer">Server-Sent Events (SSE)</a> is a standard web technology that enables servers to push real-time updates to clients over a single HTTP connection. Unlike WebSockets which provide bidirectional communication, SSE is unidirectional (server to client) and uses simple HTTP, making it easier to implement and more compatible with existing infrastructure like load balancers and proxies.</p> <h3> Why SSE for Database Synchronization? </h3> <p>SSE is ideal for this use case because:</p> <ul> <li> <strong>Automatic Reconnection</strong> : The browser's native <code>EventSource</code> API handles reconnection automatically</li> <li> <strong>Simple Protocol</strong> : Uses standard HTTP, no special server infrastructure needed</li> <li> <strong>Efficient</strong> : Keeps a single connection open, pushing updates only when changes occur</li> <li> <strong>Last-Event-ID</strong> : Built-in support for resuming from the last received event after reconnection</li> </ul> <h3> SSE Endpoint Implementation </h3> <p>A Server-Sent Events endpoint is created using TanStack Router's <code>createFileRoute</code> API. This endpoint streams changes from the Events table to connected clients. Here's how the implementation works:</p> <p><strong>Key Features:</strong></p> <ul> <li> <strong>Polling Mechanism</strong> : Queries the Events table every 500ms for new changes</li> <li> <strong>Heartbeat</strong> : Sends keepalive messages every 15 seconds to prevent connection timeout</li> <li> <strong>Graceful Timeout</strong> : Closes the connection before Lambda timeout (14 minutes), allowing automatic reconnection</li> <li> <strong>Last-Event-ID Support</strong> : Clients can reconnect and resume from their last received event</li> <li> <strong>Efficient Queries</strong> : Only fetches events newer than the client's last known event</li> </ul> <p>Click to view the SSE endpoint implementation</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// oxlint-disable no-magic-numbers // oxlint-disable init-declarations // oxlint-disable no-ternary // oxlint-disable max-statements // oxlint-disable no-console import { DynamoDBClient } from "@aws-sdk/client-dynamodb"; import { DynamoDBDocumentClient, QueryCommand } from "@aws-sdk/lib-dynamodb"; import { createFileRoute } from "@tanstack/react-router"; import { TIMEOUT_IN_SECONDS } from "../../../../lib/constructs/type"; // ============================================================================= // Constants // ============================================================================= const STREAM_DURATION_MS = (TIMEOUT_IN_SECONDS - 4) * 1000; const RETRY_MS = 1000; const POLL_INTERVAL_MS = 500; const HEARTBEAT_INTERVAL_MS = 15000; // Send heartbeat every 15 seconds to prevent connection timeout const EVENTS_TABLE = process.env.EVENTS_TABLE ?? ""; // ============================================================================= // DynamoDB Client // ============================================================================= const ddbClient = DynamoDBDocumentClient.from(new DynamoDBClient({})); // ============================================================================= // Helper Functions // ============================================================================= /** Query events from the Events table since a given sort key */ const queryEventsSince = async ( lastEventSk: string | null, ): Promise&amp;gt;&amp;gt; =&amp;gt; { if (!EVENTS_TABLE) { console.log("Persons SSE: EVENTS_TABLE not configured"); return []; } const params = { TableName: EVENTS_TABLE, KeyConditionExpression: lastEventSk ? "pk = :pk AND sk &amp;gt; :sk" : "pk = :pk", ExpressionAttributeValues: lastEventSk ? { ":pk": "EVENTS", ":sk": lastEventSk } : { ":pk": "EVENTS" }, ScanIndexForward: true, Limit: 100, }; console.log( "Persons SSE: Querying events table:", EVENTS_TABLE, "cursor:", lastEventSk, ); const result = await ddbClient.send(new QueryCommand(params)); console.log( "Persons SSE: Query returned", result.Items?.length ?? 0, "events", ); return (result.Items ?? []) as Array&amp;gt;; }; /** Format an event as SSE data */ const formatSseEvent = (event: Record): string =&amp;gt; { const data = { timestamp: event.createdAt, eventType: event.eventType, entityType: event.entityType, entity: event.entity, oldEntity: event.oldEntity, }; return `event: change\nid: ${event.sk}\ndata: ${JSON.stringify(data)}\n\n`; }; // ============================================================================= // SSE Stream Route for Persons DB // ============================================================================= /** * SSE Stream API Route for Persons Database * * Streams entity change events (persons, addresses, bank accounts, etc.) * to connected clients using Server-Sent Events. * * Based on the simple /api/events blueprint pattern. */ export const Route = createFileRoute("/api/persons-stream")({ server: { handlers: { GET: async ({ request }) =&amp;gt; { // Check if Events table is configured if (!EVENTS_TABLE) { return new Response("SSE not configured - EVENTS_TABLE not set", { status: 503, }); } // Get last event ID from header for reconnection const lastEventId = request.headers.get("Last-Event-ID"); let lastSk = lastEventId; const encoder = new TextEncoder(); let pollIntervalId: ReturnType; let heartbeatIntervalId: ReturnType; let timeoutId: ReturnType; const stream = new ReadableStream({ async start(controller) { // Send retry directive so EventSource knows how long to wait before reconnecting controller.enqueue(encoder.encode(`retry: ${RETRY_MS}\n\n`)); // Send initial connected event controller.enqueue( encoder.encode( 'event: connected\ndata: {"status":"connected"}\n\n', ), ); console.log( "Persons SSE: Client connected, EVENTS_TABLE:", EVENTS_TABLE, ); // Define the poll function const poll = async (): Promise =&amp;gt; { try { // Query for new events const events = await queryEventsSince(lastSk); // Send each event for (const event of events) { controller.enqueue(encoder.encode(formatSseEvent(event))); lastSk = event.sk as string; console.log( "Persons SSE: Sent event:", event.eventType, event.entityType, ); } } catch (error) { console.error("Persons SSE: Poll error:", error); } }; // Define the heartbeat function const sendHeartbeat = (): void =&amp;gt; { try { controller.enqueue(encoder.encode(": heartbeat\n\n")); console.log("Persons SSE: Heartbeat sent"); } catch (error) { console.error("Persons SSE: Heartbeat error:", error); } }; // Do an immediate first poll await poll(); // Then poll at regular intervals pollIntervalId = setInterval(() =&amp;gt; { poll(); }, POLL_INTERVAL_MS); // Send heartbeats at regular intervals to keep connection alive heartbeatIntervalId = setInterval( sendHeartbeat, HEARTBEAT_INTERVAL_MS, ); // Gracefully close the stream before Lambda timeout // EventSource will automatically reconnect timeoutId = setTimeout(() =&amp;gt; { clearInterval(pollIntervalId); clearInterval(heartbeatIntervalId); // Send a final event to signal graceful close controller.enqueue( encoder.encode( 'event: reconnect\ndata: {"reason":"timeout"}\n\n', ), ); controller.close(); console.log( "Persons SSE: Stream closed gracefully before timeout", ); }, STREAM_DURATION_MS); }, cancel() { clearInterval(pollIntervalId); clearInterval(heartbeatIntervalId); clearTimeout(timeoutId); console.log("Persons SSE: Client disconnected"); }, }); return new Response(stream, { headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", Connection: "keep-alive", "X-Accel-Buffering": "no", }, }); }, }, }, }); </code></pre> </div> <h3> Understanding the SSE Flow </h3> <ol> <li> <strong>Client Connection</strong> : When a client connects, the endpoint sends a <code>retry</code> directive and a <code>connected</code> event</li> <li> <strong>Initial Poll</strong> : Immediately queries for any events since the client's <code>Last-Event-ID</code> </li> <li> <strong>Continuous Polling</strong> : Sets up an interval to poll for new events every 500ms</li> <li> <strong>Event Streaming</strong> : Each new event is formatted and sent to the client with a unique ID</li> <li> <strong>Heartbeat</strong> : Sends comment lines (<code>: heartbeat</code>) to keep the connection alive</li> <li> <strong>Graceful Close</strong> : Before Lambda timeout, sends a <code>reconnect</code> event and closes the stream</li> </ol> <p>The client's browser automatically reconnects using the built-in <code>EventSource</code> retry mechanism, and the server resumes streaming from the last event ID.</p> <h3> ElectroDB Integration (Future Enhancement) </h3> <p>ElectroDB, the library used for DynamoDB entity management, has community discussions about built-in change tracking. This could potentially simplify the stream processing in the future. See <a href="https://github.com/tywalch/electrodb/issues/74" rel="noopener noreferrer">ElectroDB issue #74</a> for more details.</p> <h2> The SSE Hook </h2> <p>The client-side implementation uses a custom React hook (<code>useSseSync</code>) that manages the SSE connection and applies changes to TanStack DB collections. This hook abstracts away the complexity of SSE connection management and provides a clean API for components to use.</p> <h3> Hook Architecture </h3> <p>The hook is structured into several key sections:</p> <ol> <li> <strong>Constants &amp; Configuration</strong> : Defines the SSE endpoint and flag for preventing loops</li> <li> <strong>Type Definitions</strong> : TypeScript interfaces for entity types, event types, and state</li> <li> <strong>Collection Update Functions</strong> : Specialized functions for INSERT, MODIFY, and REMOVE operations</li> <li> <strong>Change Application Logic</strong> : Routes events to the correct collection and operation</li> <li> <strong>Connection Management</strong> : Handles EventSource lifecycle and reconnection</li> </ol> <h3> Key Features </h3> <ul> <li> <strong>Automatic Reconnection</strong> : Uses native <code>EventSource</code> which handles reconnections automatically</li> <li> <strong>Loop Prevention</strong> : Uses a flag to prevent SSE updates from triggering writes back to DynamoDB</li> <li> <strong>Type-Safe Updates</strong> : Strongly typed entity handlers for all five entity types (Person, Address, BankAccount, ContactInfo, Employment)</li> <li> <strong>State Management</strong> : Tracks connection status and last sync time</li> <li> <strong>Manual Reconnection</strong> : Provides a <code>reconnect()</code> function for forced reconnection</li> </ul> <p>Click to view the SSE synchronization hook implementation</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// oxlint-disable no-ternary import type { Address, BankAccount, ContactInfo, Employment, Person, } from "#src/webapp/types/person"; import { addressesCollection, bankAccountsCollection, contactsCollection, employmentsCollection, personsCollection, } from "#src/webapp/db-collections/persons"; import { useCallback, useEffect, useRef, useState } from "react"; // ============================================================================= // Constants // ============================================================================= const SSE_ENDPOINT = "/api/persons-stream"; // Flag to track when we're applying SSE changes // This prevents SSE updates from triggering DynamoDB writes let isApplyingSseChange = false; /** * Check if currently applying an SSE change * Collection handlers can use this to skip server writes */ export const isFromSse = (): boolean =&amp;gt; isApplyingSseChange; // ============================================================================= // Types // ============================================================================= type EntityType = | "person" | "address" | "bankAccount" | "contactInfo" | "employment"; type EventType = "INSERT" | "MODIFY" | "REMOVE"; interface ChangeEventData { timestamp?: string; eventType?: EventType; entityType?: EntityType; entity?: object | null; oldEntity?: object; } interface SseSyncState { isConnected: boolean; lastSyncTime: Date | null; } // ============================================================================= // Collection Update Functions // ============================================================================= /** * Apply an INSERT change to the collection */ const applyInsert = ( entityType: EntityType, entity: object | null | undefined, ): void =&amp;gt; { if (!entity) { return; } // Note: TanStack DB collections handle duplicates gracefully // If the entity already exists, this becomes an update operation switch (entityType) { case "person": personsCollection.insert(entity as Person); break; case "address": addressesCollection.insert(entity as Address); break; case "bankAccount": bankAccountsCollection.insert(entity as BankAccount); break; case "contactInfo": contactsCollection.insert(entity as ContactInfo); break; case "employment": employmentsCollection.insert(entity as Employment); break; } }; /** * Apply a MODIFY change to the collection */ const applyModify = ( entityType: EntityType, entity: object | null | undefined, ): void =&amp;gt; { if (!entity) { return; } const entityWithId = entity as { id: string }; switch (entityType) { case "person": personsCollection.update(entityWithId.id, (draft) =&amp;gt; { Object.assign(draft, entity); }); break; case "address": addressesCollection.update(entityWithId.id, (draft) =&amp;gt; { Object.assign(draft, entity); }); break; case "bankAccount": bankAccountsCollection.update(entityWithId.id, (draft) =&amp;gt; { Object.assign(draft, entity); }); break; case "contactInfo": contactsCollection.update(entityWithId.id, (draft) =&amp;gt; { Object.assign(draft, entity); }); break; case "employment": employmentsCollection.update(entityWithId.id, (draft) =&amp;gt; { Object.assign(draft, entity); }); break; } }; /** * Apply a REMOVE change to the collection */ const applyRemove = ( entityType: EntityType, entity: object | null | undefined, oldEntity: object | undefined, ): void =&amp;gt; { const entityWithId = entity as { id: string } | null | undefined; const oldEntityWithId = oldEntity as { id: string } | undefined; const removeId = entityWithId?.id ?? oldEntityWithId?.id; if (!removeId) { return; } switch (entityType) { case "person": personsCollection.delete(removeId); break; case "address": addressesCollection.delete(removeId); break; case "bankAccount": bankAccountsCollection.delete(removeId); break; case "contactInfo": contactsCollection.delete(removeId); break; case "employment": employmentsCollection.delete(removeId); break; } }; /** * Apply a change event to the appropriate TanStack DB collection. * Only applies changes if they differ from current collection state. */ const applyChangeToCollection = (data: ChangeEventData): void =&amp;gt; { if (!data.entityType || !data.eventType) { return; } switch (data.eventType) { case "INSERT": applyInsert(data.entityType, data.entity); break; case "MODIFY": applyModify(data.entityType, data.entity); break; case "REMOVE": applyRemove(data.entityType, data.entity, data.oldEntity); break; } }; // ============================================================================= // Hook // ============================================================================= /** * Hook for real-time SSE synchronization with TanStack DB. * Uses native EventSource to receive entity changes from the persons-stream endpoint. * * **IMPORTANT: Preventing Endless Loops** * This hook sets a global `isApplyingSseChange` flag when applying SSE changes. * Collection mutation handlers (onInsert/onUpdate/onDelete) should check `isFromSse()` * and skip DynamoDB writes when true. This breaks the loop: * * - SSE event -&amp;gt; isApplyingSseChange=true -&amp;gt; collection mutation -&amp;gt; onInsert checks isFromSse() * -&amp;gt; returns true -&amp;gt; ✅ skips DynamoDB write * - Local user mutation -&amp;gt; isApplyingSseChange=false -&amp;gt; onInsert checks isFromSse() * -&amp;gt; returns false -&amp;gt; ✅ writes to DynamoDB -&amp;gt; stream -&amp;gt; SSE event (handled above) * * This approach allows SSE to update local state without triggering server writes, * while user-initiated changes still persist to DynamoDB as expected. * * EventSource automatically handles reconnection using the `retry` directive from * the server. The server also sends a `reconnect` event before graceful timeout * to signal the client that a reconnection is expected. * * Based on the simple /api/events blueprint pattern. * * @returns Object with isConnected, lastSyncTime, and reconnect function */ export const useSseSync = (): SseSyncState &amp;amp; { reconnect: () =&amp;gt; void } =&amp;gt; { const eventSourceRef = useRef(null); const [state, setState] = useState({ isConnected: false, lastSyncTime: null, }); const connect = useCallback(() =&amp;gt; { // Close existing connection if any if (eventSourceRef.current) { eventSourceRef.current.close(); } // Create new EventSource connection const eventSource = new EventSource(SSE_ENDPOINT); eventSourceRef.current = eventSource; // Handle connection open eventSource.onopen = () =&amp;gt; { setState((prev) =&amp;gt; ({ ...prev, isConnected: true })); }; // Handle connection error - EventSource will automatically reconnect // Based on the retry directive from the server eventSource.onerror = () =&amp;gt; { setState((prev) =&amp;gt; ({ ...prev, isConnected: false })); }; // Handle 'connected' event from server eventSource.addEventListener("connected", () =&amp;gt; { setState((prev) =&amp;gt; ({ ...prev, isConnected: true })); }); // Handle 'change' events (entity changes) eventSource.addEventListener("change", (event: MessageEvent) =&amp;gt; { try { const data = JSON.parse(event.data) as ChangeEventData; // Set flag to indicate we're applying SSE changes // This prevents mutation handlers from writing back to DynamoDB isApplyingSseChange = true; try { applyChangeToCollection(data); } finally { // Always reset the flag, even if an error occurs isApplyingSseChange = false; } if (data.timestamp) { setState((prev) =&amp;gt; ({ ...prev, lastSyncTime: new Date(data.timestamp as string), })); } } catch { // Ignore parse errors } }); // Handle 'reconnect' event (server signaling graceful close before timeout) // EventSource will automatically reconnect using the retry directive eventSource.addEventListener("reconnect", () =&amp;gt; { setState((prev) =&amp;gt; ({ ...prev, isConnected: false })); }); }, []); const disconnect = useCallback(() =&amp;gt; { if (eventSourceRef.current) { eventSourceRef.current.close(); eventSourceRef.current = null; } setState((prev) =&amp;gt; ({ ...prev, isConnected: false })); }, []); const reconnect = useCallback(() =&amp;gt; { disconnect(); connect(); }, [connect, disconnect]); useEffect(() =&amp;gt; { // Connect on mount connect(); // Disconnect on unmount return () =&amp;gt; { disconnect(); }; }, [connect, disconnect]); return { ...state, reconnect, }; }; </code></pre> </div> <h2> Avoiding Infinite Loops </h2> <p>One of the most critical challenges when implementing real-time synchronization is preventing infinite loops. Without proper safeguards, the following cycle can occur:</p> <ol> <li>SSE receives a change event from the server</li> <li>Hook applies the change to the TanStack DB collection</li> <li>Collection's <code>onUpdate</code>/<code>onInsert</code>/<code>onDelete</code> handler triggers</li> <li>Handler writes the change back to DynamoDB</li> <li>DynamoDB Stream captures this "new" change</li> <li>Lambda writes it to the Events table</li> <li>SSE endpoint streams it back to the client</li> <li> <strong>Loop repeats infinitely</strong> ♾️</li> </ol> <h3> The Solution: Global Flag Pattern </h3> <p>The implementation uses a module-level flag (<code>isApplyingSseChange</code>) to break this cycle. Here's how it works:</p> <p><strong>When SSE Updates Occur:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SSE event received → Set isApplyingSseChange = true → Apply change to collection → Collection handler checks isFromSse() → Returns true, so SKIP DynamoDB write ✅ → Reset isApplyingSseChange = false </code></pre> </div> <p><strong>When User Makes Changes:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User modifies data → isApplyingSseChange = false → Apply change to collection → Collection handler checks isFromSse() → Returns false, so WRITE to DynamoDB ✅ → DynamoDB Stream → Events table → SSE → Other clients </code></pre> </div> <h3> Implementation in Collection Handlers </h3> <p>Your collection mutation handlers should implement this check:</p> <p>Click to view example collection handler with loop prevention</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { isFromSse } from "./useSseSync"; personsCollection = createCollection({ // ... other config onInsert: async (person) =&amp;gt; { // Check if this change came from SSE if (isFromSse()) { console.log("Skipping DynamoDB write - change from SSE"); return; // Don't write back to DynamoDB } // This is a user-initiated change, write to DynamoDB await writeToDynamoDB(person); }, onUpdate: async (person) =&amp;gt; { if (isFromSse()) return; await updateDynamoDB(person); }, onDelete: async (id) =&amp;gt; { if (isFromSse()) return; await deleteFromDynamoDB(id); }, }); </code></pre> </div> <p>This pattern ensures that:</p> <ul> <li>✅ SSE updates modify local state without server writes</li> <li>✅ User changes persist to DynamoDB and propagate to other clients</li> <li>✅ No infinite loops or duplicate operations</li> <li>✅ Clean separation between sync and user-initiated changes</li> </ul> <h2> Using the Hook in Components </h2> <p>To use the SSE synchronization in your React components, simply call the <code>useSseSync</code> hook:</p> <p>Click to view example component usage</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { useSseSync } from "./useSseSync"; function PersonsList() { const { isConnected, lastSyncTime, reconnect } = useSseSync(); return ( {isConnected ? ( &lt;span&gt;🟢 Connected&lt;/span&gt; ) : ( &lt;span&gt;🔴 Disconnected&lt;/span&gt; )} {lastSyncTime &amp;amp;&amp;amp; ( &lt;span&gt;Last sync: {lastSyncTime.toLocaleTimeString()}&lt;/span&gt; )} Reconnect {/* Your persons list component */} ); } </code></pre> </div> <p>The hook automatically:</p> <ul> <li>Establishes the SSE connection on mount</li> <li>Applies incoming changes to TanStack DB collections</li> <li>Handles reconnection on errors or timeouts</li> <li>Cleans up the connection on unmount</li> </ul> <h2> Cost Considerations </h2> <ul> <li> <strong>Long-Running Connections</strong> : Each SSE connection keeps a Lambda instance running for up to 14 minutes</li> <li> <strong>Concurrent Connections</strong> : Each connected client requires a separate Lambda instance</li> <li> <strong>Polling Overhead</strong> : The 500ms polling interval means continuous DynamoDB queries, even when no changes occur</li> </ul> <h2> Other Options </h2> <p>While SSE provides a good balance of simplicity and functionality, other approaches may be better suited for specific use cases:</p> <h3> 1. WebSocket (Bidirectional) </h3> <p><strong>When to use:</strong></p> <ul> <li>Need bidirectional communication (client can send messages to server)</li> <li>High-frequency updates (many changes per second)</li> <li>Lower latency requirements</li> <li>Building chat or collaborative editing features</li> </ul> <p><strong>Implementation:</strong></p> <ul> <li>AWS API Gateway WebSocket API</li> <li>Requires connection state management (connection IDs in DynamoDB)</li> <li>More complex than SSE but more flexible</li> </ul> <h3> 2. Short Polling </h3> <p><strong>When to use:</strong></p> <ul> <li>Simple use case with infrequent updates</li> <li>Need to support older browsers without SSE</li> <li>Want explicit control over refresh timing</li> </ul> <p><strong>Implementation:</strong></p> <ul> <li>Standard HTTP requests on an interval (e.g., every 5-10 seconds)</li> <li>Simpler than SSE but less efficient</li> <li>Higher latency than push-based approaches</li> </ul> <h3> 3. GraphQL Subscriptions </h3> <p><strong>When to use:</strong></p> <ul> <li>Already using GraphQL (AWS AppSync)</li> <li>Need fine-grained subscription filtering</li> <li>Want managed infrastructure</li> </ul> <p><strong>Implementation:</strong></p> <ul> <li>AWS AppSync with DynamoDB resolvers</li> <li>Built-in authorization and subscription management</li> <li>Higher per-request cost than Lambda</li> </ul> <h3> 4. Custom WebSocket Collection (TanStack DB) </h3> <p>TanStack DB supports creating custom collections with bidirectional WebSocket synchronization. This is the most integrated approach but requires the most implementation effort.</p> <p><strong>When to use:</strong></p> <ul> <li>Need full bidirectional sync (client changes immediately propagate)</li> <li>Want conflict resolution at the collection level</li> <li>Building offline-first applications</li> </ul> <p><strong>Resources:</strong></p> <ul> <li><a href="https://tanstack.com/db/latest/docs/guides/collection-options-creator#complete-example-websocket-collection" rel="noopener noreferrer">TanStack DB Collection Options Guide</a></li> <li>Requires implementing custom WebSocket server and protocol</li> <li>Most complex option but provides the richest synchronization features</li> </ul> <h2> Conclusion </h2> <p>This implementation demonstrates how to build real-time data synchronization between AWS DynamoDB and TanStack DB using Server-Sent Events. The key takeaways are:</p> <ol> <li> <strong>DynamoDB Streams + Events Table</strong> : Provides a reliable, queryable change log</li> <li> <strong>SSE with TanStack Router</strong> : Simple, standards-based approach to server push</li> <li> <strong>Loop Prevention</strong> : Critical pattern using a global flag to prevent infinite updates</li> <li> <strong>Automatic Reconnection</strong> : Built-in browser support makes SSE resilient</li> <li> <strong>Cost Awareness</strong> : Monitor Lambda and DynamoDB costs, especially with many concurrent connections</li> </ol> <p>The SSE approach works well for:</p> <ul> <li>✅ Applications with moderate update frequency (seconds to minutes)</li> <li>✅ Primarily server-to-client updates</li> <li>✅ Standard web browsers</li> <li>✅ Simple implementation requirements</li> </ul> <p>For applications requiring bidirectional real-time communication, lower latency, or offline support, consider WebSocket or TanStack DB's custom collection approach.</p> <h2> Source Code </h2> <p>The complete implementation is available on GitHub:</p> <ul> <li><a href="https://github.com/JohannesKonings/tanstack-aws/tree/2026-01-08-tanstack-start-aws-db-multiple-entities-sse" rel="noopener noreferrer">Repository Tag: 2026-01-08-tanstack-start-aws-db-multiple-entities-sse</a></li> <li><a href="https://github.com/JohannesKonings/tanstack-aws/pull/13" rel="noopener noreferrer">Pull Request #13 - Implementation</a></li> </ul> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.html" rel="noopener noreferrer">AWS DynamoDB Streams Documentation</a></li> <li><a href="https://en.wikipedia.org/wiki/Server-sent_events" rel="noopener noreferrer">Server-Sent Events (Wikipedia)</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/API/EventSource" rel="noopener noreferrer">MDN: EventSource API</a></li> <li><a href="https://tanstack.com/db/latest/docs/guides/collection-options-creator" rel="noopener noreferrer">TanStack DB Collection Options</a></li> <li><a href="https://github.com/tywalch/electrodb/issues/74" rel="noopener noreferrer">ElectroDB Issue #74 - Change Tracking</a></li> <li><a href="https://tanstack.com/router/latest/docs/framework/react/guide/file-based-routing" rel="noopener noreferrer">TanStack Router File Routes</a></li> </ul> aws cdk tanstack Johannes Konings Wed, 31 Dec 2025 08:15:18 +0000 https://dev.to/aws-builders/use-a-customized-cdk-bootstrap-template-1ph3 https://dev.to/aws-builders/use-a-customized-cdk-bootstrap-template-1ph3 <h2> Introduction </h2> <p>In some cases, the CDK bootstrap resources need changes beyond what's possible with the standard bootstrap parameters. While the CDK provides <a href="https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-customizing.html" rel="noopener noreferrer">customization options</a>, certain configurations require customizing of the template.</p> <p>This post demonstrates how to:</p> <ul> <li>Encrypt the staging bucket with a custom KMS key</li> <li>Enable server access logs for the staging bucket</li> <li>Validate CloudFormation templates with cdk-nag before deployment</li> <li>Use the CDK Toolkit library to orchestrate the entire process in TypeScript</li> </ul> <p>While the KMS key can be configured via bootstrap parameters, server access logging requires template customization. Since TypeScript is used for the CDK setup, all scripting will also be in TypeScript using the <a href="https://docs.aws.amazon.com/cdk/api/toolkit-lib/" rel="noopener noreferrer">AWS CDK Toolkit library</a>.</p> <p>Additionally, we'll use cdk-nag to bridge the gap between CloudFormation templates and CDK validation rules.</p> <h2> Create the Resources for Bootstrap via CloudFormation </h2> <p>Before customizing the bootstrap template, we need to create supporting resources via CloudFormation:</p> <ol> <li>A KMS key for encrypting the staging bucket</li> <li>A log bucket for storing server access logs</li> </ol> <p>These resources will be referenced during the bootstrap process via CloudFormation exports.</p> <h3> KMS Key Template </h3> <p>Show KMS template</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWSTemplateFormatVersion: "2010-09-09" Description: KMS Key for encrypting the CDK bootstrap bucket Resources: CdkBootstrapKmsKey: Type: AWS::KMS::Key DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: Description: KMS Key for CDK Bootstrap Bucket EnableKeyRotation: true KeyPolicy: Version: "2012-10-17" Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" Action: "kms:*" Resource: "*" - Sid: Allow CDK roles to use the key Effect: Allow Principal: AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" Action: - "kms:Encrypt" - "kms:Decrypt" - "kms:ReEncrypt*" - "kms:GenerateDataKey*" - "kms:DescribeKey" Resource: "*" Condition: StringLike: "aws:PrincipalArn": - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-*-cfn-exec-role-*" - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-*-file-publishing-role-*" - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-*-image-publishing-role-*" - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-*-lookup-role-*" - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-*-deploy-role-*" "kms:ViaService": - !Sub "s3.${AWS::Region}.amazonaws.com" - !Sub "ecr.${AWS::Region}.amazonaws.com" ArnLike: "kms:EncryptionContext:aws:s3:arn": - !Sub "arn:${AWS::Partition}:s3:::cdk-*-assets-${AWS::AccountId}-${AWS::Region}/*" "kms:EncryptionContext:aws:ecr:arn": - !Sub "arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/cdk-*-container-assets-*" CdkBootstrapKmsKeyAlias: Type: AWS::KMS::Alias Properties: AliasName: alias/cdk-bootstrap-key TargetKeyId: !Ref CdkBootstrapKmsKey Outputs: CdkBootstrapKmsKeyId: Value: !Ref CdkBootstrapKmsKey Description: ID of the KMS key for CDK bootstrap Export: Name: cdk-bootstrap-kms-key-id </code></pre> </div> <h3> S3 Log Bucket Template </h3> <p>Show S3 log bucket template</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWSTemplateFormatVersion: "2010-09-09" Description: "CloudFormation template for S3 log bucket with encryption and lifecycle policies" Resources: LogBucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true LifecycleConfiguration: Rules: - Id: DeleteLogsAfterRetention Status: Enabled ExpirationInDays: 90 - Id: DeleteOldVersions Status: Enabled NoncurrentVersionExpiration: NoncurrentDays: 30 Tags: - Key: Purpose Value: ApplicationLogs - Key: Environment Value: Bootstrap LogBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref LogBucket PolicyDocument: Version: "2012-10-17" Statement: # AWS Best Practice: Restrict log delivery to buckets in the same account # See: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html - Sid: AllowS3LogDeliveryWrite Effect: Allow Principal: Service: logging.s3.amazonaws.com Action: s3:PutObject Resource: !Sub "${LogBucket.Arn}/*" Condition: # Restrict to buckets in the same account StringEquals: aws:SourceAccount: !Ref AWS::AccountId - Sid: AllowS3LogDeliveryAclCheck Effect: Allow Principal: Service: logging.s3.amazonaws.com Action: s3:GetBucketAcl Resource: !GetAtt LogBucket.Arn # Note: DenyUnencryptedObjectUploads removed per AWS best practices # Bucket default encryption (SSE-S3) ensures all objects are encrypted # The S3 logging service doesn't set explicit encryption headers - Sid: DenyInsecureTransport Effect: Deny Principal: "*" Action: s3:* Resource: - !GetAtt LogBucket.Arn - !Sub "${LogBucket.Arn}/*" Condition: Bool: aws:SecureTransport: "false" Outputs: LogBucketName: Description: Name of the log bucket Value: !Ref LogBucket Export: Name: log-bucket-name </code></pre> </div> <h3> The Deployment Script </h3> <p>A CDK app can have stacks deployed to different regions. Each region needs to be bootstrapped, so the KMS key and log bucket must be created in every region.</p> <p>Using the CDK Toolkit library, we can extract the regions from the CDK app and deploy the CloudFormation templates accordingly.</p> <p>The script creates CloudFormation outputs to make the resource values retrievable during bootstrap.</p> <p>Show deploy script</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import * as fs from "node:fs"; import * as path from "node:path"; import { CloudFormationClient, CreateStackCommand, type CreateStackCommandInput, UpdateStackCommand, type UpdateStackCommandInput, type Tag, } from "@aws-sdk/client-cloudformation"; import { Toolkit } from "@aws-cdk/toolkit-lib"; // Parse command line arguments const args = process.argv.slice(2); const DRY_RUN = args.includes("--dry-run"); interface TemplateConfig { filename: string; stackName: string; description: string; } const getRegions = async (): Promise =&amp;gt; { const toolkit = new Toolkit(); const appPath = path.join(import.meta.dirname, "../../bin/app.ts"); const cloudAssemblySource = await toolkit.fromCdkApp(`pnpx tsx ${appPath}`); const cloudAssembly = await toolkit.synth(cloudAssemblySource); const list = await toolkit.list(cloudAssembly); const regions = list.map((stack) =&amp;gt; stack.environment.region); return regions; }; const templates: TemplateConfig[] = [ { filename: "bootstrap-kms-key.yaml", stackName: "cdk-bootstrap-kms-key", description: "KMS Key for encrypting the CDK bootstrap bucket", }, { filename: "log-bucket.yaml", stackName: "cdk-bootstrap-log-bucket", description: "S3 log bucket with encryption and lifecycle policies", }, ]; // Tags to apply to all stacks const commonTags: Tag[] = [ { Key: "Environment", Value: "bootstrap" }, { Key: "ManagedBy", Value: "cdk-bootstrap" }, { Key: "Purpose", Value: "cdk-deployment" }, ]; async function loadTemplateContent(templatePath: string): Promise { try { const content = fs.readFileSync(templatePath, "utf-8"); console.log(`✓ Loaded template: ${templatePath}`); return content; } catch (error) { console.error(`✗ Failed to load template: ${templatePath}`); throw error; } } async function deployOrUpdateStack( config: TemplateConfig, templateContent: string, region: string, ): Promise { const cfClient = new CloudFormationClient({ region }); if (DRY_RUN) { console.log(`✓ [DRY RUN] Would deploy/update stack`); return "dry-run-stack-id"; } // Try to update first try { const updateParams: UpdateStackCommandInput = { StackName: config.stackName, TemplateBody: templateContent, Tags: commonTags, }; const updateCommand = new UpdateStackCommand(updateParams); const response = await cfClient.send(updateCommand); console.log(`✓ Stack updated`); return response.StackId!; } catch (error: any) { // If stack doesn't exist, create it if (error.message?.includes("does not exist")) { const createParams: CreateStackCommandInput = { StackName: config.stackName, TemplateBody: templateContent, Tags: commonTags, OnFailure: "DELETE", TimeoutInMinutes: 10, EnableTerminationProtection: true, }; const createCommand = new CreateStackCommand(createParams); const response = await cfClient.send(createCommand); console.log(`✓ Stack created`); return response.StackId!; } // If no changes are detected during update, it's still successful if (error.message?.includes("No updates are to be performed")) { console.log(`✓ Stack is up to date (no changes needed)`); return ""; } throw error; } } async function deployTemplate( config: TemplateConfig, templatePath: string, region: string, ): Promise { try { const templateContent = await loadTemplateContent(templatePath); console.log(`\n📦 Deploying stack: ${config.stackName} to ${region}`); const stackId = await deployOrUpdateStack(config, templateContent, region); if (stackId) { console.log(` Stack ID: ${stackId}`); } } catch (error: any) { console.error(`✗ Failed to deploy stack ${config.stackName}:`); console.error(` ${error.message}`); throw error; } } async function main(): Promise { const cfTemplatesDir = path.join(import.meta.dirname, "../cf-templates"); const regions = await getRegions(); console.log("🚀 Starting CloudFormation template deployment...\n"); if (DRY_RUN) { console.log("⚠️ DRY RUN MODE - No actual changes will be made\n"); } console.log(`Template directory: ${cfTemplatesDir}`); console.log(`Regions: ${regions.join(", ")}\n`); try { for (const region of regions) { console.log(`\n🌍 Deploying to region: ${region}`); for (const template of templates) { const templatePath = path.join(cfTemplatesDir, template.filename); await deployTemplate(template, templatePath, region); } } if (DRY_RUN) { console.log("\n✅ Dry run completed successfully! No changes were made."); } else { console.log("\n✅ All templates deployed successfully!"); } } catch (error) { console.error("\n❌ Deployment failed"); process.exit(1); } } main(); </code></pre> </div> <h2> Validate CloudFormation Templates with cdk-nag </h2> <p>Resources within a CDK app can be validated with <a href="https://github.com/cdklabs/cdk-nag" rel="noopener noreferrer">cdk-nag</a>. To validate CloudFormation templates outside the CDK app, we can create a helper app that applies the same rule set to our CloudFormation templates.</p> <p>As described in the <a href="https://github.com/cdklabs/cdk-nag?tab=readme-ov-file#using-on-cloudformation-templates" rel="noopener noreferrer">cdk-nag documentation</a>, CloudFormation templates can be included via the <code>CfnInclude</code> construct and validated using cdk-nag aspects.</p> <p>This approach ensures:</p> <ul> <li>The same validation rules are applied consistently</li> <li>The same suppression mechanisms can be used</li> <li>All infrastructure code follows the same security standards</li> </ul> <p>Run the validation with this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pnpm exec tsx bootstrap/app.ts </code></pre> </div> <p>Show cdk-nag validation script</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { CfnInclude } from "aws-cdk-lib/cloudformation-include"; import { Stack, StackProps } from "aws-cdk-lib"; import { Toolkit } from "@aws-cdk/toolkit-lib"; import { App, Aspects } from "aws-cdk-lib"; import { AwsSolutionsChecks, NagSuppressions } from "cdk-nag"; // Set region and avoid IMDS lookup for local checks process.env.AWS_REGION = process.env.AWS_REGION || "us-east-1"; process.env.AWS_SDK_LOAD_CONFIG = "false"; // Prevent credential lookup process.env.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE = "IPv4"; // Prevent IMDS timeout const toolkit = new Toolkit(); const cloudAssemblySource = await toolkit.fromAssemblyBuilder(async () =&amp;gt; { const app = new App(); const stack = new Stack(app, "CdkNagCheckStack"); new CfnInclude(stack, "BootstrapKmsKey", { templateFile: "./bootstrap/cf-templates/bootstrap-kms-key.yaml", }); const logBucket = new CfnInclude(stack, "LogBucket", { templateFile: "./bootstrap/cf-templates/log-bucket.yaml", }); NagSuppressions.addResourceSuppressions( logBucket, [ { id: "AwsSolutions-S1", reason: "Log bucket does not have server access logs enabled", }, ], true, ); Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true })); return app.synth(); }); try { await toolkit.synth(cloudAssemblySource); console.log("\n✓ Bootstrap templates synthesized successfully"); } catch (error) { console.error("\n✗ CDK Nag violations or synthesis errors found:"); console.error(error); process.exit(1); } </code></pre> </div> <h2> Create the Customized CDK Bootstrap Template </h2> <h3> Get the Default Template </h3> <p>Customizations should be based on the standard CDK bootstrap template to ensure all necessary resources are included and the process remains compatible with future CDK versions. First, retrieve the default template using the CDK CLI.</p> <p>Since the Toolkit library doesn't provide functionality to retrieve the standard template, we use the CDK CLI via a child process.</p> <p>Show script to get default template</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { execSync } from "node:child_process"; import { mkdirSync, writeFileSync } from "node:fs"; import { join } from "node:path"; import { CDK_STANDDARD_TEMPLATE_FILE_NAME } from "./bootstrap"; const resultCdkStandardTemplate = execSync( "pnpm exec cdk bootstrap --show-template", { encoding: "utf8", }, ); const generatedDir = join(import.meta.dirname, "..", "generated"); mkdirSync(generatedDir, { recursive: true }); writeFileSync( join(generatedDir, CDK_STANDDARD_TEMPLATE_FILE_NAME), resultCdkStandardTemplate, ); </code></pre> </div> <h3> Customize the Template </h3> <p>Using a YAML parser, the standard template is loaded and modified to add the logging configuration to the staging bucket.</p> <p>The log bucket configuration is embedded into the template using the CloudFormation <code>Fn::ImportValue</code> function, which references the log bucket created earlier. This approach is necessary because there's no way to pass the log bucket name as a parameter during the bootstrap process itself.</p> <p>Show template customization script</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { mkdirSync, readFileSync, writeFileSync } from "node:fs"; import { join } from "node:path"; import { parse, stringify } from "yaml"; import { CDK_CUSTOMIZED_TEMPLATE_FILE_NAME, CDK_STANDDARD_TEMPLATE_FILE_NAME, } from "./bootstrap"; const cdkStandardTemplate = readFileSync( join( import.meta.dirname, "..", "generated", CDK_STANDDARD_TEMPLATE_FILE_NAME, ), { encoding: "utf8", }, ); const cdkBootstrapTemplate = parse(cdkStandardTemplate); if (!cdkBootstrapTemplate) { throw new Error("Failed to load cdk bootstrap template"); } // Add LoggingConfiguration to StagingBucket using Fn::ImportValue if (cdkBootstrapTemplate.Resources?.StagingBucket?.Properties) { cdkBootstrapTemplate.Resources.StagingBucket.Properties.LoggingConfiguration = { DestinationBucketName: { "Fn::ImportValue": "log-bucket-name" }, LogFilePrefix: "staging-bucket-logs/", }; } const generatedDir = join(import.meta.dirname, "..", "generated"); mkdirSync(generatedDir, { recursive: true }); writeFileSync( join(generatedDir, CDK_CUSTOMIZED_TEMPLATE_FILE_NAME), stringify(cdkBootstrapTemplate), ); </code></pre> </div> <h2> Bootstrap with the Customized Template </h2> <p>Finally, execute the CDK bootstrap process with the customized template using the Toolkit library.</p> <p>Since the KMS key was created via CloudFormation, its ID must be retrieved using the CloudFormation Stack Outputs. The script:</p> <ol> <li>Extracts environments (account/region pairs) from the CDK app</li> <li>Retrieves the KMS key ID for each region from CloudFormation outputs</li> <li>Passes the KMS key ID as a parameter to the bootstrap process</li> </ol> <p>Note that the log bucket configuration is already embedded in the customized template via <code>Fn::ImportValue</code>, while the KMS key ID is passed as a parameter.</p> <p>Show bootstrap script</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { BootstrapEnvironments, BootstrapStackParameters, Toolkit, } from "@aws-cdk/toolkit-lib"; import { CloudFormationClient, DescribeStacksCommand, } from "@aws-sdk/client-cloudformation"; import path from "node:path"; import { join } from "node:path"; export const CDK_STANDDARD_TEMPLATE_FILE_NAME = "resultCdkStandardTemplate.yaml"; export const CDK_CUSTOMIZED_TEMPLATE_FILE_NAME = "resultCdkCustomizedTemplate.yaml"; const toolkit = new Toolkit(); const templateFilePath = join( import.meta.dirname, "..", "generated", "resultCdkCustomizedTemplate.yaml", ); const appPath = path.join(import.meta.dirname, "../../bin/app.ts"); const cloudAssemblySource = await toolkit.fromCdkApp(`pnpx tsx ${appPath}`); // const environments: BootstrapEnvironments = // BootstrapEnvironments.fromCloudAssemblySource(cloudAssemblySource); const cloudAssembly = await toolkit.synth(cloudAssemblySource); const list = await toolkit.list(cloudAssembly); const environmentsFromApp = list.map((stack) =&amp;gt; { return { account: stack.environment.account, region: stack.environment.region, }; }); for (const environmentFromApp of environmentsFromApp) { // Get KMS Key ID from stack output const cfnClient = new CloudFormationClient({ region: environmentFromApp.region, }); const describeStacksResponse = await cfnClient.send( new DescribeStacksCommand({ StackName: "cdk-bootstrap-kms-key", }), ); const kmsKeyOutput = describeStacksResponse.Stacks?.[0]?.Outputs?.find( (output) =&amp;gt; output.ExportName === "cdk-bootstrap-kms-key-id", ); const kmsKeyId = kmsKeyOutput?.OutputValue; const environments: BootstrapEnvironments = BootstrapEnvironments.fromList([ `aws://${environmentFromApp.account}/${environmentFromApp.region}`, ]); console.log( `Bootstrapping environment ${environmentFromApp.account}/${environmentFromApp.region} with KMS Key ID: ${kmsKeyId}`, ); await toolkit.bootstrap(environments, { parameters: { parameters: { kmsKeyId, }, keepExistingParameters: true, }, source: { source: "custom", templateFile: templateFilePath, }, }); } </code></pre> </div> <p>After executing this script, the staging bucket will have:</p> <p><strong>Custom KMS encryption:</strong><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl9k8hdtgb08hfi6dqp6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl9k8hdtgb08hfi6dqp6.png" alt="staging-bucket-custom-kms-encrypted" width="800" height="336"></a></p> <p><strong>Server access logging configuration:</strong><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe9elu1ykt4tca4kisse2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe9elu1ykt4tca4kisse2.png" alt="staging-bucket-server-access-logging" width="800" height="147"></a></p> <h2> Conclusion </h2> <p>With a customized CDK bootstrap template, you can extend the bootstrap resources beyond what's possible with standard parameters. The CDK Toolkit library is an excellent tool for orchestrating the entire workflow in TypeScript, from extracting environments to deploying customized bootstrap stacks.</p> <p>This approach enables:</p> <ul> <li>Advanced security configurations like custom KMS encryption and access logging</li> <li>Consistent validation using cdk-nag across both CDK and CloudFormation resources</li> <li>Type-safe, programmatic control over the bootstrap process</li> <li>Multi-region deployments with region-specific resource management</li> </ul> <h2> Sources and References </h2> <ul> <li><a href="https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-customizing.html" rel="noopener noreferrer">AWS CDK Bootstrapping - Customizing</a></li> <li><a href="https://docs.aws.amazon.com/cdk/api/toolkit-lib/" rel="noopener noreferrer">AWS CDK Toolkit Library</a></li> <li><a href="https://github.com/cdklabs/cdk-nag" rel="noopener noreferrer">cdk-nag GitHub Repository</a></li> <li><a href="https://github.com/cdklabs/cdk-nag?tab=readme-ov-file#using-on-cloudformation-templates" rel="noopener noreferrer">Using cdk-nag on CloudFormation Templates</a></li> </ul> aws cdk cdknag cloudformation Johannes Konings Sat, 27 Dec 2025 08:15:18 +0000 https://dev.to/aws-builders/simple-example-of-tanstack-db-with-dynamodb-on-aws-with-multiple-entities-21l8 https://dev.to/aws-builders/simple-example-of-tanstack-db-with-dynamodb-on-aws-with-multiple-entities-21l8 <h2> Introduction </h2> <p>In <a href="https://dev.to/blog/2025-12-20-tanstack-start-aws-db-simple/">Simple example of TanStack DB with DynamoDB on AWS</a>, I describe how to use TanStack DB with a single entity in combination with DynamoDB.<br> This post contains a simple example with multiple entities and how to sync single table design with TanStack DB collections.</p> <p>At a high level, we’ll go from infrastructure (a DynamoDB table), to a small DynamoDB client, to a TanStack Start server route, and finally to a TanStack DB collection that powers a simple UI.</p> <p><strong>Update:</strong> This post has been updated to include performance optimizations using global collections instead of factory-based per-person collections. This enables instant sub-millisecond navigation between person details without network requests. See the Improved data retrieval section for details.</p> <p>The complete implementation is available in the <a href="https://github.com/JohannesKonings/tanstack-aws" rel="noopener noreferrer">tanstack-aws repository</a>, which serves as a working example and template for this deployment pattern.</p> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftuo3qee5xrxjdx1tedty.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftuo3qee5xrxjdx1tedty.png" alt="TanStack DB Architecture"></a></p> <h2> Disclaimer </h2> <p>This is an enhancement of a very simple example to get you started with TanStack DB and DynamoDB on AWS with multiple entities, but still simple. It is not production-ready and lacks features like error handling, security, and optimizations.</p> <h2> Demo Video </h2> <p>The following video demonstrates the improved data retrieval with global collections, showing instant navigation between person details:</p> <p> <iframe src="https://www.youtube.com/embed/TP4k8dHPL7w"> </iframe> </p> <h2> The data model </h2> <p>This example implements a multi-entity data model for managing persons with related information. The schemas are defined using Zod as the single source of truth, with ElectroDB entities derived from these schemas to ensure type safety throughout the stack.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp63o0hgp65jjr0pa0j6p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp63o0hgp65jjr0pa0j6p.png" alt="mermaid description"></a></p> <h2> DynamoDB single table design </h2> <p>All entities are stored in a single DynamoDB table using a carefully designed key structure that enables efficient querying patterns.</p> <h3> Key Structure </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Entity</th> <th>Partition Key (pk)</th> <th>Sort Key (sk)</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Person</td> <td><code>PERSON#&lt;personId&gt;</code></td> <td><code>PROFILE</code></td> <td>Person profile data</td> </tr> <tr> <td>Address</td> <td><code>PERSON#&lt;personId&gt;</code></td> <td><code>ADDRESS#&lt;addressId&gt;</code></td> <td>Person's addresses</td> </tr> <tr> <td>BankAccount</td> <td><code>PERSON#&lt;personId&gt;</code></td> <td><code>BANK#&lt;bankId&gt;</code></td> <td>Person's bank accounts</td> </tr> <tr> <td>ContactInfo</td> <td><code>PERSON#&lt;personId&gt;</code></td> <td><code>CONTACT#&lt;contactId&gt;</code></td> <td>Person's contact info</td> </tr> <tr> <td>Employment</td> <td><code>PERSON#&lt;personId&gt;</code></td> <td><code>EMPLOYMENT#&lt;employmentId&gt;</code></td> <td>Person's employment history</td> </tr> </tbody> </table></div> <p>This structure groups all data for a single person under the same partition key, allowing efficient retrieval of a person and all their related entities in a single query.</p> <h3> Access Patterns </h3> <p>The design supports the following access patterns:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Access Pattern</th> <th>Key Condition</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Get all persons</td> <td>GSI1: <code>gsi1pk = PERSONS</code> </td> <td>List all persons</td> </tr> <tr> <td>Get all addresses</td> <td>GSI1: <code>gsi1pk = ADDRESSES</code> </td> <td>List all addresses (for global collection)</td> </tr> <tr> <td>Get all bank accounts</td> <td>GSI1: <code>gsi1pk = BANKACCOUNTS</code> </td> <td>List all bank accounts (for global collection)</td> </tr> <tr> <td>Get all contacts</td> <td>GSI1: <code>gsi1pk = CONTACTS</code> </td> <td>List all contacts (for global collection)</td> </tr> <tr> <td>Get all employments</td> <td>GSI1: <code>gsi1pk = EMPLOYMENTS</code> </td> <td>List all employments (for global collection)</td> </tr> <tr> <td>Get person by ID</td> <td> <code>pk = PERSON#&lt;id&gt;</code>, <code>sk = PROFILE</code> </td> <td>Single person lookup</td> </tr> <tr> <td>Get person with all data</td> <td><code>pk = PERSON#&lt;id&gt;</code></td> <td>Get person + all related entities (collection query)</td> </tr> <tr> <td>Get person's addresses</td> <td> <code>pk = PERSON#&lt;id&gt;</code>, <code>sk begins_with ADDRESS#</code> </td> <td>All addresses for a person</td> </tr> <tr> <td>Get person's bank accounts</td> <td> <code>pk = PERSON#&lt;id&gt;</code>, <code>sk begins_with BANK#</code> </td> <td>All bank accounts for a person</td> </tr> <tr> <td>Get person's contacts</td> <td> <code>pk = PERSON#&lt;id&gt;</code>, <code>sk begins_with CONTACT#</code> </td> <td>All contacts for a person</td> </tr> <tr> <td>Get person's employment</td> <td> <code>pk = PERSON#&lt;id&gt;</code>, <code>sk begins_with EMPLOYMENT#</code> </td> <td>All employment records for a person</td> </tr> </tbody> </table></div> <p>The table entries will look a little bit different as ElectroDB will take care of the attribute mapping.</p> <h3> Global Secondary Indexes </h3> <p><strong>GSI1: Multi-Entity Type Index</strong></p> <p>GSI1 is shared by ALL entity types using different partition key templates. This single GSI handles all "get all entities of type X" queries efficiently without table scans.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Entity</th> <th>gsi1pk Template</th> <th>gsi1sk</th> <th>Query Method</th> </tr> </thead> <tbody> <tr> <td>Person</td> <td><code>PERSONS</code></td> <td><code>lastName#firstName#id</code></td> <td><code>PersonEntity.query.allPersons({})</code></td> </tr> <tr> <td>Address</td> <td><code>ADDRESSES</code></td> <td><code>personId#id</code></td> <td><code>AddressEntity.query.allAddresses({})</code></td> </tr> <tr> <td>BankAccount</td> <td><code>BANKACCOUNTS</code></td> <td><code>personId#id</code></td> <td><code>BankAccountEntity.query.allBankAccounts({})</code></td> </tr> <tr> <td>ContactInfo</td> <td><code>CONTACTS</code></td> <td><code>personId#id</code></td> <td><code>ContactInfoEntity.query.allContacts({})</code></td> </tr> <tr> <td>Employment</td> <td><code>EMPLOYMENTS</code></td> <td><code>personId#id</code></td> <td><code>EmploymentEntity.query.allEmployments({})</code></td> </tr> </tbody> </table></div> <p><strong>Benefits of Single GSI1 for All Entities:</strong></p> <ul> <li>✅ <strong>No scans</strong> - Each entity type query uses an efficient Query operation</li> <li>✅ <strong>Single GSI</strong> - Reduces infrastructure complexity and costs</li> <li>✅ <strong>Template-based partitioning</strong> - Clean separation by entity type</li> <li>✅ <strong>ElectroDB auto-populates</strong> - gsi1pk/gsi1sk populated automatically on write</li> </ul> <p>This approach enables the global collections pattern for TanStack DB, where all entities are loaded once at startup and filtered client-side for instant navigation.</p> <h2> ElectroDB as DynamoDB client </h2> <p><a href="https://electrodb.dev/" rel="noopener noreferrer">ElectroDB</a> simplifies working with single-table designs that contain multiple entities. In this example, a single DynamoDB table stores Person, Address, BankAccount, ContactInfo, and Employment entities using composite keys. ElectroDB handles the complexity of query building, attribute mapping, and relationship management across these entities, eliminating the need to manually construct DynamoDB expressions. It provides type-safe entity definitions (derived from Zod schemas), automatic key generation, and collection queries that efficiently retrieve related entities together—making single-table designs more maintainable and less error-prone than raw DynamoDB client code.</p> <p>The schema looks like this:</p> <p>Click to expand ElectroDB schema</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">getDdbDocClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/integrations/ddb-client/ddbClient.ts</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">zodToElectroDBAttributes</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/integrations/electrodb/zod-to-electrodb.ts</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AddressSchema</span><span class="p">,</span> <span class="nx">BankAccountSchema</span><span class="p">,</span> <span class="nx">ContactInfoSchema</span><span class="p">,</span> <span class="nx">EmploymentSchema</span><span class="p">,</span> <span class="nx">PersonSchema</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/types/person.ts</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Entity</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">EntityConfiguration</span><span class="p">,</span> <span class="nx">Service</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">electrodb</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// =============================================================================</span> <span class="c1">// Table Configuration</span> <span class="c1">// =============================================================================</span> <span class="kd">const</span> <span class="nx">TABLE_NAME</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DDB_PERSONS_TABLE_NAME</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">TanstackAwsStack-db-persons</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">getEntityConfig</span> <span class="o">=</span> <span class="p">():</span> <span class="nx">EntityConfiguration</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nf">getDdbDocClient</span><span class="p">(),</span> <span class="na">table</span><span class="p">:</span> <span class="nx">TABLE_NAME</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// =============================================================================</span> <span class="c1">// Derived ElectroDB Attributes from Zod Schemas (Single Source of Truth)</span> <span class="c1">// =============================================================================</span> <span class="kd">const</span> <span class="nx">personAttributes</span> <span class="o">=</span> <span class="nf">zodToElectroDBAttributes</span><span class="p">(</span><span class="nx">PersonSchema</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">addressAttributes</span> <span class="o">=</span> <span class="nf">zodToElectroDBAttributes</span><span class="p">(</span><span class="nx">AddressSchema</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bankAccountAttributes</span> <span class="o">=</span> <span class="nf">zodToElectroDBAttributes</span><span class="p">(</span><span class="nx">BankAccountSchema</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">contactInfoAttributes</span> <span class="o">=</span> <span class="nf">zodToElectroDBAttributes</span><span class="p">(</span><span class="nx">ContactInfoSchema</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">employmentAttributes</span> <span class="o">=</span> <span class="nf">zodToElectroDBAttributes</span><span class="p">(</span><span class="nx">EmploymentSchema</span><span class="p">);</span> <span class="c1">// =============================================================================</span> <span class="c1">// Person Entity</span> <span class="c1">// =============================================================================</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">PersonEntity</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Entity</span><span class="p">(</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="p">{</span> <span class="na">entity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Person</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">persons</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">attributes</span><span class="p">:</span> <span class="nx">personAttributes</span><span class="p">,</span> <span class="na">indexes</span><span class="p">:</span> <span class="p">{</span> <span class="na">primary</span><span class="p">:</span> <span class="p">{</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[]</span> <span class="p">},</span> <span class="p">},</span> <span class="c1">// GSI1: List all persons</span> <span class="na">allPersons</span><span class="p">:</span> <span class="p">{</span> <span class="na">index</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GSI1</span><span class="dl">"</span><span class="p">,</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[],</span> <span class="na">template</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PERSONS</span><span class="dl">"</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">lastName</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">firstName</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="nf">getEntityConfig</span><span class="p">(),</span> <span class="p">);</span> <span class="c1">// =============================================================================</span> <span class="c1">// Address Entity</span> <span class="c1">// =============================================================================</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">AddressEntity</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Entity</span><span class="p">(</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="p">{</span> <span class="na">entity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Address</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">persons</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">attributes</span><span class="p">:</span> <span class="nx">addressAttributes</span><span class="p">,</span> <span class="na">indexes</span><span class="p">:</span> <span class="p">{</span> <span class="na">primary</span><span class="p">:</span> <span class="p">{</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="c1">// GSI1: Query all addresses</span> <span class="na">allAddresses</span><span class="p">:</span> <span class="p">{</span> <span class="na">index</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GSI1</span><span class="dl">"</span><span class="p">,</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[],</span> <span class="na">template</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ADDRESSES</span><span class="dl">"</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="nf">getEntityConfig</span><span class="p">(),</span> <span class="p">);</span> <span class="c1">// =============================================================================</span> <span class="c1">// BankAccount Entity</span> <span class="c1">// =============================================================================</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">BankAccountEntity</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Entity</span><span class="p">(</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="p">{</span> <span class="na">entity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">BankAccount</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">persons</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">attributes</span><span class="p">:</span> <span class="nx">bankAccountAttributes</span><span class="p">,</span> <span class="na">indexes</span><span class="p">:</span> <span class="p">{</span> <span class="na">primary</span><span class="p">:</span> <span class="p">{</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="c1">// GSI1: Query all bank accounts</span> <span class="na">allBankAccounts</span><span class="p">:</span> <span class="p">{</span> <span class="na">index</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GSI1</span><span class="dl">"</span><span class="p">,</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[],</span> <span class="na">template</span><span class="p">:</span> <span class="dl">"</span><span class="s2">BANKACCOUNTS</span><span class="dl">"</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="nf">getEntityConfig</span><span class="p">(),</span> <span class="p">);</span> <span class="c1">// =============================================================================</span> <span class="c1">// ContactInfo Entity</span> <span class="c1">// =============================================================================</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">ContactInfoEntity</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Entity</span><span class="p">(</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="p">{</span> <span class="na">entity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ContactInfo</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">persons</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">attributes</span><span class="p">:</span> <span class="nx">contactInfoAttributes</span><span class="p">,</span> <span class="na">indexes</span><span class="p">:</span> <span class="p">{</span> <span class="na">primary</span><span class="p">:</span> <span class="p">{</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="c1">// GSI1: Query all contacts</span> <span class="na">allContacts</span><span class="p">:</span> <span class="p">{</span> <span class="na">index</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GSI1</span><span class="dl">"</span><span class="p">,</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[],</span> <span class="na">template</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CONTACTS</span><span class="dl">"</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="nf">getEntityConfig</span><span class="p">(),</span> <span class="p">);</span> <span class="c1">// =============================================================================</span> <span class="c1">// Employment Entity</span> <span class="c1">// =============================================================================</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">EmploymentEntity</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Entity</span><span class="p">(</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="p">{</span> <span class="na">entity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Employment</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">"</span><span class="s2">persons</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">attributes</span><span class="p">:</span> <span class="nx">employmentAttributes</span><span class="p">,</span> <span class="na">indexes</span><span class="p">:</span> <span class="p">{</span> <span class="na">primary</span><span class="p">:</span> <span class="p">{</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="c1">// GSI1: Query all employments</span> <span class="na">allEmployments</span><span class="p">:</span> <span class="p">{</span> <span class="na">index</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GSI1</span><span class="dl">"</span><span class="p">,</span> <span class="na">pk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[],</span> <span class="na">template</span><span class="p">:</span> <span class="dl">"</span><span class="s2">EMPLOYMENTS</span><span class="dl">"</span> <span class="p">},</span> <span class="na">sk</span><span class="p">:</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">composite</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">personId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="nf">getEntityConfig</span><span class="p">(),</span> <span class="p">);</span> <span class="c1">// =============================================================================</span> <span class="c1">// Persons Service - Collection Queries</span> <span class="c1">// =============================================================================</span> <span class="k">new</span> <span class="nc">Service</span><span class="p">(</span> <span class="p">{</span> <span class="na">person</span><span class="p">:</span> <span class="nx">PersonEntity</span><span class="p">,</span> <span class="na">address</span><span class="p">:</span> <span class="nx">AddressEntity</span><span class="p">,</span> <span class="na">bankAccount</span><span class="p">:</span> <span class="nx">BankAccountEntity</span><span class="p">,</span> <span class="na">contactInfo</span><span class="p">:</span> <span class="nx">ContactInfoEntity</span><span class="p">,</span> <span class="na">employment</span><span class="p">:</span> <span class="nx">EmploymentEntity</span><span class="p">,</span> <span class="p">},</span> <span class="nf">getEntityConfig</span><span class="p">(),</span> <span class="p">);</span> </code></pre> </div> <p>Certain fields are derived from Zod schemas to ensure type safety throughout the stack and have a single source of truth</p> <p><strong>Full implementation</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/src/webapp/types/person.ts" rel="noopener noreferrer">person.ts (Zod Schemas)</a> | <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/src/webapp/integrations/electrodb/entities.ts" rel="noopener noreferrer">entities.ts (ElectroDB Entities)</a> | <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/src/webapp/integrations/electrodb/zod-to-electrodb.ts" rel="noopener noreferrer">zod-to-electrodb.ts</a></p> <h2> The persons client </h2> <p>This wrapper around ElectroDB entities provides type-safe methods for performing CRUD operations on persons and their related entities. The updated version includes <code>getAllX</code> methods for each entity type that query GSI1 to support global collections.</p> <p><strong>Full implementation</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/src/webapp/integrations/electrodb/personsClient.ts" rel="noopener noreferrer">personsClient.ts</a></p> <p>Click to expand personsClient.ts</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cm">/** * ElectroDB-based Persons Client * * Uses ElectroDB entities for type-safe DynamoDB operations. */</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Address</span><span class="p">,</span> <span class="nx">BankAccount</span><span class="p">,</span> <span class="nx">ContactInfo</span><span class="p">,</span> <span class="nx">Employment</span><span class="p">,</span> <span class="nx">Person</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/types/person.ts</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AddressEntity</span><span class="p">,</span> <span class="nx">BankAccountEntity</span><span class="p">,</span> <span class="nx">ContactInfoEntity</span><span class="p">,</span> <span class="nx">EmploymentEntity</span><span class="p">,</span> <span class="nx">PersonEntity</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/integrations/electrodb/entities.ts</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// =============================================================================</span> <span class="c1">// Person Operations</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Get all persons using GSI1 */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getAllPersons</span> <span class="o">=</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">PersonEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">allPersons</span><span class="p">({}).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">firstName</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">lastName</span><span class="p">,</span> <span class="na">dateOfBirth</span><span class="p">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">dateOfBirth</span><span class="p">,</span> <span class="na">gender</span><span class="p">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">gender</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">createdAt</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">updatedAt</span><span class="p">,</span> <span class="p">}));</span> <span class="p">};</span> <span class="cm">/** * Create a new person */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">createPerson</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">person</span><span class="p">:</span> <span class="nx">Person</span><span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">PersonEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">person</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Person</span><span class="p">;</span> <span class="p">};</span> <span class="cm">/** * Update a person * Uses put with merged data to ensure GSI1 composite keys are properly formatted */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">updatePerson</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">updates</span><span class="p">:</span> <span class="nb">Partial</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="c1">// First, get the current person to merge with updates</span> <span class="kd">const</span> <span class="nx">current</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">PersonEntity</span><span class="p">.</span><span class="nf">get</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">personId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">current</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Person with id </span><span class="p">${</span><span class="nx">personId</span><span class="p">}</span><span class="s2"> not found`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Merge current data with updates and use put to replace the item</span> <span class="kd">const</span> <span class="nx">updatedPerson</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="nx">updates</span><span class="p">.</span><span class="nx">firstName</span> <span class="o">??</span> <span class="nx">current</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">firstName</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="nx">updates</span><span class="p">.</span><span class="nx">lastName</span> <span class="o">??</span> <span class="nx">current</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">lastName</span><span class="p">,</span> <span class="na">dateOfBirth</span><span class="p">:</span> <span class="nx">updates</span><span class="p">.</span><span class="nx">dateOfBirth</span> <span class="o">??</span> <span class="nx">current</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">dateOfBirth</span><span class="p">,</span> <span class="na">gender</span><span class="p">:</span> <span class="nx">updates</span><span class="p">.</span><span class="nx">gender</span> <span class="o">??</span> <span class="nx">current</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">gender</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nx">current</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">createdAt</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nx">updates</span><span class="p">.</span><span class="nx">updatedAt</span> <span class="o">??</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">PersonEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">updatedPerson</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Person</span><span class="p">;</span> <span class="p">};</span> <span class="cm">/** * Delete a person and all related entities */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">deletePerson</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="c1">// Delete all related entities first</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">addresses</span><span class="p">,</span> <span class="nx">bankAccounts</span><span class="p">,</span> <span class="nx">contacts</span><span class="p">,</span> <span class="nx">employments</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nx">AddressEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">primary</span><span class="p">({</span> <span class="nx">personId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="nx">BankAccountEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">primary</span><span class="p">({</span> <span class="nx">personId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="nx">ContactInfoEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">primary</span><span class="p">({</span> <span class="nx">personId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="nx">EmploymentEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">primary</span><span class="p">({</span> <span class="nx">personId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="p">]);</span> <span class="c1">// Delete all related items</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="p">...</span><span class="nx">addresses</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">addr</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">AddressEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">addr</span><span class="p">.</span><span class="nx">id</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="p">),</span> <span class="p">...</span><span class="nx">bankAccounts</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">bank</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">BankAccountEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">bank</span><span class="p">.</span><span class="nx">id</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="p">),</span> <span class="p">...</span><span class="nx">contacts</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">contact</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">ContactInfoEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">contact</span><span class="p">.</span><span class="nx">id</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="p">),</span> <span class="p">...</span><span class="nx">employments</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">emp</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">EmploymentEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">emp</span><span class="p">.</span><span class="nx">id</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="p">),</span> <span class="nx">PersonEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">personId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">};</span> <span class="c1">// =============================================================================</span> <span class="c1">// Address Operations</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Get all addresses using GSI1 (allAddresses) * Uses partition key template 'ADDRESSES' for efficient querying */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getAllAddresses</span> <span class="o">=</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">AddressEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">allAddresses</span><span class="p">({}).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Address</span><span class="p">[];</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">createAddress</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">address</span><span class="p">:</span> <span class="nx">Address</span><span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">AddressEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">address</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Address</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">updateAddress</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">address</span><span class="p">:</span> <span class="nx">Address</span><span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">AddressEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">address</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Address</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">deleteAddress</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">addressId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">AddressEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">addressId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">();</span> <span class="p">};</span> <span class="c1">// =============================================================================</span> <span class="c1">// BankAccount Operations</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Get all bank accounts using GSI1 (allBankAccounts) */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getAllBankAccounts</span> <span class="o">=</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">BankAccountEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">allBankAccounts</span><span class="p">({}).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">BankAccount</span><span class="p">[];</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">createBankAccount</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">bankAccount</span><span class="p">:</span> <span class="nx">BankAccount</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">BankAccountEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">bankAccount</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">BankAccount</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">updateBankAccount</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">bankAccount</span><span class="p">:</span> <span class="nx">BankAccount</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">BankAccountEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">bankAccount</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">BankAccount</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">deleteBankAccount</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">bankAccountId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">BankAccountEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">bankAccountId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">();</span> <span class="p">};</span> <span class="c1">// =============================================================================</span> <span class="c1">// ContactInfo Operations</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Get all contacts using GSI1 (allContacts) */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getAllContacts</span> <span class="o">=</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ContactInfoEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">allContacts</span><span class="p">({}).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">ContactInfo</span><span class="p">[];</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">createContact</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">contact</span><span class="p">:</span> <span class="nx">ContactInfo</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ContactInfoEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">contact</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">ContactInfo</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">updateContact</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">contact</span><span class="p">:</span> <span class="nx">ContactInfo</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ContactInfoEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="nx">contact</span><span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">ContactInfo</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">deleteContact</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">contactId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">ContactInfoEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">contactId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">();</span> <span class="p">};</span> <span class="c1">// =============================================================================</span> <span class="c1">// Employment Operations</span> <span class="c1">// =============================================================================</span> <span class="c1">// Helper to convert null to undefined for ElectroDB compatibility</span> <span class="kd">const</span> <span class="nx">normalizeEmployment</span> <span class="o">=</span> <span class="p">(</span><span class="nx">employment</span><span class="p">:</span> <span class="nx">Employment</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">employment</span><span class="p">,</span> <span class="na">endDate</span><span class="p">:</span> <span class="nx">employment</span><span class="p">.</span><span class="nx">endDate</span> <span class="o">??</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="cm">/** * Get all employments using GSI1 (allEmployments) */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getAllEmployments</span> <span class="o">=</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">EmploymentEntity</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">allEmployments</span><span class="p">({}).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Employment</span><span class="p">[];</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">createEmployment</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">employment</span><span class="p">:</span> <span class="nx">Employment</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">EmploymentEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span> <span class="nf">normalizeEmployment</span><span class="p">(</span><span class="nx">employment</span><span class="p">),</span> <span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Employment</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">updateEmployment</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">employment</span><span class="p">:</span> <span class="nx">Employment</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">EmploymentEntity</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span> <span class="nf">normalizeEmployment</span><span class="p">(</span><span class="nx">employment</span><span class="p">),</span> <span class="p">).</span><span class="nf">go</span><span class="p">();</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Employment</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">deleteEmployment</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">employmentId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">EmploymentEntity</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">personId</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">employmentId</span> <span class="p">}).</span><span class="nf">go</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h2> The new GSI for DynamoDB </h2> <p>The DynamoDB table uses a single GSI that serves all entity types with different partition key templates. This enables efficient querying of all entities of a specific type without table scans.</p> <p><strong>Full implementation</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/lib/constructs/DatabasePersons.ts" rel="noopener noreferrer">DatabasePersons.ts</a></p> <p>Click to expand DatabasePersons.ts</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AttributeType</span><span class="p">,</span> <span class="nx">BillingMode</span><span class="p">,</span> <span class="nx">ProjectionType</span><span class="p">,</span> <span class="nx">Table</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib/aws-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">constructs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">DatabasePersons</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">dbPersons</span><span class="p">:</span> <span class="nx">Table</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">dbPersons</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Persons</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="na">sortKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="na">billingMode</span><span class="p">:</span> <span class="nx">BillingMode</span><span class="p">.</span><span class="nx">PAY_PER_REQUEST</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// GSI1: Multi-entity type index</span> <span class="c1">// Serves all entity types with different gsi1pk templates:</span> <span class="c1">// - PERSONS, ADDRESSES, BANKACCOUNTS, CONTACTS, EMPLOYMENTS</span> <span class="k">this</span><span class="p">.</span><span class="nx">dbPersons</span><span class="p">.</span><span class="nf">addGlobalSecondaryIndex</span><span class="p">({</span> <span class="na">indexName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GSI1</span><span class="dl">"</span><span class="p">,</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1pk</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="na">sortKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gsi1sk</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="na">projectionType</span><span class="p">:</span> <span class="nx">ProjectionType</span><span class="p">.</span><span class="nx">ALL</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> The TanStack DB collection with server functions </h2> <p>The updated implementation uses <strong>global collections</strong> instead of factory-based per-person collections. This approach loads all entities once at app startup and enables instant sub-millisecond navigation between person details without network requests.</p> <p><strong>Full implementation</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/src/webapp/db-collections/persons.ts" rel="noopener noreferrer">persons.ts (collections)</a></p> <p>Click to expand persons.ts (TanStack DB global collections)</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">electrodbClient</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/integrations/electrodb/personsClient</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/integrations/tanstack-query/root-provider</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">Address</span><span class="p">,</span> <span class="nx">AddressSchema</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">BankAccount</span><span class="p">,</span> <span class="nx">BankAccountSchema</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">ContactInfo</span><span class="p">,</span> <span class="nx">ContactInfoSchema</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Employment</span><span class="p">,</span> <span class="nx">EmploymentSchema</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Person</span><span class="p">,</span> <span class="nx">PersonSchema</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/types/person</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">queryCollectionOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tanstack/query-db-collection</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createCollection</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tanstack/react-db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createServerFn</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tanstack/react-start</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// =============================================================================</span> <span class="c1">// Server Functions - Global Fetchers</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Get all persons (profile only) */</span> <span class="kd">const</span> <span class="nx">fetchPersons</span> <span class="o">=</span> <span class="nf">createServerFn</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">handler</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">electrodbClient</span><span class="p">.</span><span class="nf">getAllPersons</span><span class="p">(),</span> <span class="p">);</span> <span class="cm">/** * Get all addresses (global) */</span> <span class="kd">const</span> <span class="nx">fetchAllAddresses</span> <span class="o">=</span> <span class="nf">createServerFn</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">handler</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">electrodbClient</span><span class="p">.</span><span class="nf">getAllAddresses</span><span class="p">(),</span> <span class="p">);</span> <span class="cm">/** * Get all bank accounts (global) */</span> <span class="kd">const</span> <span class="nx">fetchAllBankAccounts</span> <span class="o">=</span> <span class="nf">createServerFn</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">handler</span><span class="p">(</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">electrodbClient</span><span class="p">.</span><span class="nf">getAllBankAccounts</span><span class="p">(),</span> <span class="p">);</span> <span class="cm">/** * Get all contacts (global) */</span> <span class="kd">const</span> <span class="nx">fetchAllContacts</span> <span class="o">=</span> <span class="nf">createServerFn</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">handler</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">electrodbClient</span><span class="p">.</span><span class="nf">getAllContacts</span><span class="p">(),</span> <span class="p">);</span> <span class="cm">/** * Get all employments (global) */</span> <span class="kd">const</span> <span class="nx">fetchAllEmployments</span> <span class="o">=</span> <span class="nf">createServerFn</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">handler</span><span class="p">(</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">electrodbClient</span><span class="p">.</span><span class="nf">getAllEmployments</span><span class="p">(),</span> <span class="p">);</span> <span class="c1">// ... mutation server functions (createPersonFn, updatePersonFn, etc.)</span> <span class="c1">// =============================================================================</span> <span class="c1">// TanStack DB Global Collections</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Persons Collection - Main collection for person profiles * * Uses eager sync mode (default) - all persons loaded upfront. * Good for datasets &amp;lt; 10k rows. */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">personsCollection</span> <span class="o">=</span> <span class="nf">createCollection</span><span class="p">(</span> <span class="nf">queryCollectionOptions</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">persons</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">fetchPersons</span><span class="p">(),</span> <span class="na">queryClient</span><span class="p">:</span> <span class="nf">getContext</span><span class="p">().</span><span class="nx">queryClient</span><span class="p">,</span> <span class="na">getKey</span><span class="p">:</span> <span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">onInsert</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">transaction</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nx">transaction</span><span class="p">.</span><span class="nx">mutations</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">mutation</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">createPersonFn</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="nx">mutation</span><span class="p">.</span><span class="nx">modified</span> <span class="k">as</span> <span class="nx">Person</span> <span class="p">}),</span> <span class="p">),</span> <span class="p">);</span> <span class="p">},</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">transaction</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nx">transaction</span><span class="p">.</span><span class="nx">mutations</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">mutation</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">updatePersonFn</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">personId</span><span class="p">:</span> <span class="nx">mutation</span><span class="p">.</span><span class="nx">key</span> <span class="k">as</span> <span class="kr">string</span><span class="p">,</span> <span class="na">updates</span><span class="p">:</span> <span class="nx">mutation</span><span class="p">.</span><span class="nx">changes</span> <span class="k">as</span> <span class="nb">Partial</span><span class="p">,</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">),</span> <span class="p">);</span> <span class="p">},</span> <span class="na">onDelete</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">transaction</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nx">transaction</span><span class="p">.</span><span class="nx">mutations</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">mutation</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">deletePersonFn</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="nx">mutation</span><span class="p">.</span><span class="nx">key</span> <span class="k">as</span> <span class="kr">string</span> <span class="p">}),</span> <span class="p">),</span> <span class="p">);</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">);</span> <span class="cm">/** * Global Addresses Collection * * All addresses loaded once, joined client-side with persons. * Enables instant navigation between person details without network calls. */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">addressesCollection</span> <span class="o">=</span> <span class="nf">createCollection</span><span class="p">(</span> <span class="nf">queryCollectionOptions</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">addresses</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">fetchAllAddresses</span><span class="p">(),</span> <span class="na">queryClient</span><span class="p">:</span> <span class="nf">getContext</span><span class="p">().</span><span class="nx">queryClient</span><span class="p">,</span> <span class="na">getKey</span><span class="p">:</span> <span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="c1">// ... onInsert, onUpdate, onDelete handlers</span> <span class="p">}),</span> <span class="p">);</span> <span class="cm">/** * Global Bank Accounts Collection */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">bankAccountsCollection</span> <span class="o">=</span> <span class="nf">createCollection</span><span class="p">(</span> <span class="nf">queryCollectionOptions</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">bankAccounts</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">fetchAllBankAccounts</span><span class="p">(),</span> <span class="na">queryClient</span><span class="p">:</span> <span class="nf">getContext</span><span class="p">().</span><span class="nx">queryClient</span><span class="p">,</span> <span class="na">getKey</span><span class="p">:</span> <span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="c1">// ... onInsert, onUpdate, onDelete handlers</span> <span class="p">}),</span> <span class="p">);</span> <span class="cm">/** * Global Contacts Collection */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">contactsCollection</span> <span class="o">=</span> <span class="nf">createCollection</span><span class="p">(</span> <span class="nf">queryCollectionOptions</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">contacts</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">fetchAllContacts</span><span class="p">(),</span> <span class="na">queryClient</span><span class="p">:</span> <span class="nf">getContext</span><span class="p">().</span><span class="nx">queryClient</span><span class="p">,</span> <span class="na">getKey</span><span class="p">:</span> <span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="c1">// ... onInsert, onUpdate, onDelete handlers</span> <span class="p">}),</span> <span class="p">);</span> <span class="cm">/** * Global Employments Collection */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">employmentsCollection</span> <span class="o">=</span> <span class="nf">createCollection</span><span class="p">(</span> <span class="nf">queryCollectionOptions</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">employments</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">fetchAllEmployments</span><span class="p">(),</span> <span class="na">queryClient</span><span class="p">:</span> <span class="nf">getContext</span><span class="p">().</span><span class="nx">queryClient</span><span class="p">,</span> <span class="na">getKey</span><span class="p">:</span> <span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="c1">// ... onInsert, onUpdate, onDelete handlers</span> <span class="p">}),</span> <span class="p">);</span> </code></pre> </div> <p>The key difference from the previous factory-based approach is that all collections are now <strong>global singletons</strong> that load all entities once at app startup. The client-side filtering using TanStack DB's <code>eq()</code> operator provides instant navigation between persons.</p> <h2> The hook </h2> <p>Custom React hooks provide a clean interface for components to interact with the TanStack DB collections. The updated <code>usePersons</code> hook now also prefetches all entity data for instant person detail loading. The <code>usePersonDetail</code> hook uses TanStack DB's <code>eq()</code> operator to filter the global collections client-side, providing sub-millisecond navigation.</p> <p><strong>Full implementation</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/src/webapp/hooks/useDbPersons.ts" rel="noopener noreferrer">useDbPersons.ts</a></p> <p>Click to expand useDbPersons.ts</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Address</span><span class="p">,</span> <span class="nx">BankAccount</span><span class="p">,</span> <span class="nx">ContactInfo</span><span class="p">,</span> <span class="nx">Employment</span><span class="p">,</span> <span class="nx">Person</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/types/person</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">addressesCollection</span><span class="p">,</span> <span class="nx">bankAccountsCollection</span><span class="p">,</span> <span class="nx">contactsCollection</span><span class="p">,</span> <span class="nx">employmentsCollection</span><span class="p">,</span> <span class="nx">personsCollection</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/db-collections/persons</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">eq</span><span class="p">,</span> <span class="nx">useLiveQuery</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tanstack/react-db</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// =============================================================================</span> <span class="c1">// Prefetch Person Entities Hook</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Hook to prefetch all person-related entity collections. * Call this after persons are loaded to ensure entity data is available * immediately when a user selects a person. */</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">usePrefetchPersonEntities</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">addressesQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span><span class="nx">addressesCollection</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bankAccountsQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span><span class="nx">bankAccountsCollection</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">contactsQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span><span class="nx">contactsCollection</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">employmentsQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span><span class="nx">employmentsCollection</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">isLoading</span><span class="p">:</span> <span class="nx">addressesQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">||</span> <span class="nx">bankAccountsQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">||</span> <span class="nx">contactsQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">||</span> <span class="nx">employmentsQuery</span><span class="p">.</span><span class="nx">isLoading</span><span class="p">,</span> <span class="na">isReady</span><span class="p">:</span> <span class="o">!</span><span class="nx">addressesQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span><span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span> <span class="o">!</span><span class="nx">bankAccountsQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span><span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span> <span class="o">!</span><span class="nx">contactsQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span><span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span> <span class="o">!</span><span class="nx">employmentsQuery</span><span class="p">.</span><span class="nx">isLoading</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// =============================================================================</span> <span class="c1">// Persons List Hook</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Hook for accessing and mutating the persons collection. * Also prefetches entity data for instant person detail loading. */</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">usePersons</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span><span class="nx">personsCollection</span><span class="p">);</span> <span class="c1">// Prefetch entity data once persons start loading</span> <span class="kd">const</span> <span class="nx">entitiesPrefetch</span> <span class="o">=</span> <span class="nf">usePrefetchPersonEntities</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">addPerson</span> <span class="o">=</span> <span class="p">(</span><span class="nx">person</span><span class="p">:</span> <span class="nx">Person</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">personsCollection</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">person</span><span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">updatePerson</span> <span class="o">=</span> <span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">changes</span><span class="p">:</span> <span class="nb">Partial</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">personsCollection</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="p">(</span><span class="nx">draft</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">assign</span><span class="p">(</span><span class="nx">draft</span><span class="p">,</span> <span class="nx">changes</span><span class="p">,</span> <span class="p">{</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">});</span> <span class="p">});</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">deletePerson</span> <span class="o">=</span> <span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">personsCollection</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="p">};</span> <span class="k">return</span> <span class="p">{</span> <span class="na">persons</span><span class="p">:</span> <span class="nx">query</span><span class="p">.</span><span class="nx">data</span> <span class="o">??</span> <span class="p">[],</span> <span class="na">isLoading</span><span class="p">:</span> <span class="nx">query</span><span class="p">.</span><span class="nx">isLoading</span><span class="p">,</span> <span class="na">isError</span><span class="p">:</span> <span class="nx">query</span><span class="p">.</span><span class="nx">isError</span><span class="p">,</span> <span class="na">isEntitiesReady</span><span class="p">:</span> <span class="nx">entitiesPrefetch</span><span class="p">.</span><span class="nx">isReady</span><span class="p">,</span> <span class="nx">addPerson</span><span class="p">,</span> <span class="nx">updatePerson</span><span class="p">,</span> <span class="nx">deletePerson</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// =============================================================================</span> <span class="c1">// Combined Person Detail Hook (Using TanStack DB Joins)</span> <span class="c1">// =============================================================================</span> <span class="cm">/** * Hook for accessing a person with all related entities using global collections. * * Benefits over factory-based collections: * - All data loaded once at app startup * - Navigation between persons is instant (sub-millisecond) * - No network requests when switching between person details * - Differential dataflow updates only what changed */</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">usePersonDetail</span><span class="p">(</span><span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Query person by ID using eq() from global collection</span> <span class="kd">const</span> <span class="nx">personQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span> <span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">query</span> <span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">persons</span><span class="p">:</span> <span class="nx">personsCollection</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(({</span> <span class="nx">persons</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">persons</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">personId</span><span class="p">)),</span> <span class="p">[</span><span class="nx">personId</span><span class="p">],</span> <span class="p">);</span> <span class="c1">// Query addresses for this person from global collection</span> <span class="kd">const</span> <span class="nx">addressesQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span> <span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">query</span> <span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">addresses</span><span class="p">:</span> <span class="nx">addressesCollection</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(({</span> <span class="nx">addresses</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">addresses</span><span class="p">.</span><span class="nx">personId</span><span class="p">,</span> <span class="nx">personId</span><span class="p">)),</span> <span class="p">[</span><span class="nx">personId</span><span class="p">],</span> <span class="p">);</span> <span class="c1">// Query bank accounts for this person from global collection</span> <span class="kd">const</span> <span class="nx">bankAccountsQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span> <span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">query</span> <span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">bankAccounts</span><span class="p">:</span> <span class="nx">bankAccountsCollection</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(({</span> <span class="nx">bankAccounts</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">bankAccounts</span><span class="p">.</span><span class="nx">personId</span><span class="p">,</span> <span class="nx">personId</span><span class="p">)),</span> <span class="p">[</span><span class="nx">personId</span><span class="p">],</span> <span class="p">);</span> <span class="c1">// Query contacts for this person from global collection</span> <span class="kd">const</span> <span class="nx">contactsQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span> <span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">query</span> <span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">contacts</span><span class="p">:</span> <span class="nx">contactsCollection</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(({</span> <span class="nx">contacts</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">contacts</span><span class="p">.</span><span class="nx">personId</span><span class="p">,</span> <span class="nx">personId</span><span class="p">)),</span> <span class="p">[</span><span class="nx">personId</span><span class="p">],</span> <span class="p">);</span> <span class="c1">// Query employments for this person from global collection</span> <span class="kd">const</span> <span class="nx">employmentsQuery</span> <span class="o">=</span> <span class="nf">useLiveQuery</span><span class="p">(</span> <span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nx">query</span> <span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">employments</span><span class="p">:</span> <span class="nx">employmentsCollection</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(({</span> <span class="nx">employments</span> <span class="p">})</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">employments</span><span class="p">.</span><span class="nx">personId</span><span class="p">,</span> <span class="nx">personId</span><span class="p">)),</span> <span class="p">[</span><span class="nx">personId</span><span class="p">],</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">isLoading</span> <span class="o">=</span> <span class="nx">personQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">||</span> <span class="nx">addressesQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">||</span> <span class="nx">bankAccountsQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">||</span> <span class="nx">contactsQuery</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">||</span> <span class="nx">employmentsQuery</span><span class="p">.</span><span class="nx">isLoading</span><span class="p">;</span> <span class="c1">// Person mutations</span> <span class="kd">const</span> <span class="nx">updatePerson</span> <span class="o">=</span> <span class="p">(</span><span class="nx">changes</span><span class="p">:</span> <span class="nb">Partial</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">personsCollection</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">personId</span><span class="p">,</span> <span class="p">(</span><span class="nx">draft</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">assign</span><span class="p">(</span><span class="nx">draft</span><span class="p">,</span> <span class="nx">changes</span><span class="p">,</span> <span class="p">{</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">});</span> <span class="p">});</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">deletePerson</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">personsCollection</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">personId</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// ... mutation functions for addresses, bank accounts, contacts, employments</span> <span class="k">return</span> <span class="p">{</span> <span class="na">person</span><span class="p">:</span> <span class="nx">personQuery</span><span class="p">.</span><span class="nx">data</span><span class="p">?.[</span><span class="mi">0</span><span class="p">],</span> <span class="na">addresses</span><span class="p">:</span> <span class="nx">addressesQuery</span><span class="p">.</span><span class="nx">data</span> <span class="o">??</span> <span class="p">[],</span> <span class="na">bankAccounts</span><span class="p">:</span> <span class="nx">bankAccountsQuery</span><span class="p">.</span><span class="nx">data</span> <span class="o">??</span> <span class="p">[],</span> <span class="na">contacts</span><span class="p">:</span> <span class="nx">contactsQuery</span><span class="p">.</span><span class="nx">data</span> <span class="o">??</span> <span class="p">[],</span> <span class="na">employments</span><span class="p">:</span> <span class="nx">employmentsQuery</span><span class="p">.</span><span class="nx">data</span> <span class="o">??</span> <span class="p">[],</span> <span class="nx">isLoading</span><span class="p">,</span> <span class="nx">updatePerson</span><span class="p">,</span> <span class="nx">deletePerson</span><span class="p">,</span> <span class="c1">// ... other mutation functions</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Improved data retrieval: Global collections </h2> <p>The key improvement in this update is the shift from <strong>factory-based per-person collections</strong> to <strong>global collections</strong>. This architectural change provides significant performance benefits:</p> <h3> Previous approach (Factory Collections) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Created new collection for each personId - multiple network requests</span> <span class="kd">const</span> <span class="nx">createAddressesCollection</span> <span class="o">=</span> <span class="p">(</span><span class="nx">personId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">createCollection</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">persons</span><span class="dl">"</span><span class="p">,</span> <span class="nx">personId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">addresses</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">fetchAddresses</span><span class="p">(</span><span class="nx">personId</span><span class="p">),</span> <span class="c1">// Network request per person</span> <span class="p">});</span> </code></pre> </div> <h3> New approach (Global Collections) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Single global collection - one network request, client-side filtering</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">addressesCollection</span> <span class="o">=</span> <span class="nf">createCollection</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">addresses</span><span class="dl">"</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">fetchAllAddresses</span><span class="p">(),</span> <span class="c1">// Uses GSI1: gsi1pk = 'ADDRESSES'</span> <span class="p">});</span> </code></pre> </div> <h3> Performance comparison </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Factory Collections</th> <th>Global Collections</th> </tr> </thead> <tbody> <tr> <td>Network requests per navigation</td> <td>4-5 (one per entity)</td> <td>0 (data already loaded)</td> </tr> <tr> <td>Time to show person details</td> <td>100-500ms</td> <td>&lt;1ms</td> </tr> <tr> <td>Memory efficiency</td> <td>Duplicate per person</td> <td>Normalized, shared data</td> </tr> <tr> <td>Cache reuse</td> <td>None</td> <td>Full TanStack Query cache</td> </tr> </tbody> </table></div> <h3> When to use which approach </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Data Size</th> <th>Recommended Mode</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td>&lt; 10k rows</td> <td>Eager (global)</td> <td>Load everything upfront, instant queries</td> </tr> <tr> <td>10k-50k rows</td> <td>Progressive</td> <td>Fast first paint, background sync</td> </tr> <tr> <td>&gt; 50k rows</td> <td>On-demand</td> <td>Query-driven loading with predicate push</td> </tr> </tbody> </table></div> <p>Our persons example uses <strong>Eager mode</strong> since typical datasets are well under 10k entities.</p> <h2> Seed the database </h2> <p>A seed script populates the DynamoDB table with realistic test data using Faker. It creates persons with all related entities, handles batching to avoid throttling, and supports clearing existing data before seeding.</p> <p><strong>Full implementation</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/blob/2025-12-27-tanstack-start-aws-db-multiple-entities-update/scripts/seed-persons.ts" rel="noopener noreferrer">seed-persons.ts</a></p> <p>Click to expand seed-persons.ts</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cp">#!/usr/bin/env node </span><span class="c1">// oxlint-disable max-statements</span> <span class="cm">/* oxlint-disable no-console, no-await-in-loop, no-magic-numbers */</span> <span class="cm">/** * Seed Script for DB Persons * * Populates the DynamoDB Persons table with fake data. * Uses ElectroDB client and faker data generators. * * Usage: * pnpm seed:persons * pnpm seed:persons 100 # Seed 100 persons * pnpm seed:persons --clear # Clear existing data first */</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">ContactInfo</span><span class="p">,</span> <span class="nx">Employment</span><span class="p">,</span> <span class="nx">PersonWithRelations</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/types/person.ts</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generatePersons</span><span class="p">,</span> <span class="nx">initFaker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/data/fake-persons.ts</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createAddress</span><span class="p">,</span> <span class="nx">createBankAccount</span><span class="p">,</span> <span class="nx">createContact</span><span class="p">,</span> <span class="nx">createEmployment</span><span class="p">,</span> <span class="nx">createPerson</span><span class="p">,</span> <span class="nx">deletePerson</span><span class="p">,</span> <span class="nx">getAllPersons</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">#src/webapp/integrations/electrodb/personsClient.ts</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// =============================================================================</span> <span class="c1">// Configuration</span> <span class="c1">// =============================================================================</span> <span class="kd">const</span> <span class="nx">DEFAULT_COUNT</span> <span class="o">=</span> <span class="mi">50</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">BATCH_SIZE</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">LOG_INTERVAL</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="c1">// =============================================================================</span> <span class="c1">// Helpers</span> <span class="c1">// =============================================================================</span> <span class="kd">const</span> <span class="nx">normalizeContactInfo</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">contact</span><span class="p">:</span> <span class="nx">ContactInfo</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Omit</span> <span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span> <span class="p">{</span> <span class="na">isVerified</span><span class="p">:</span> <span class="nx">boolean</span> <span class="p">}</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">contact</span><span class="p">,</span> <span class="na">isVerified</span><span class="p">:</span> <span class="nx">contact</span><span class="p">.</span><span class="nx">isVerified</span> <span class="o">??</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">normalizeEmployment</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">employment</span><span class="p">:</span> <span class="nx">Employment</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Omit</span> <span class="o">&amp;</span><span class="nx">amp</span><span class="p">;</span> <span class="p">{</span> <span class="na">endDate</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="p">}</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">employment</span><span class="p">,</span> <span class="na">endDate</span><span class="p">:</span> <span class="nx">employment</span><span class="p">.</span><span class="nx">endDate</span> <span class="o">??</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">sleep</span> <span class="o">=</span> <span class="p">(</span><span class="nx">ms</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">ms</span><span class="p">));</span> <span class="c1">// =============================================================================</span> <span class="c1">// Seed Functions</span> <span class="c1">// =============================================================================</span> <span class="kd">const</span> <span class="nx">seedOnePerson</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">personData</span><span class="p">:</span> <span class="nx">PersonWithRelations</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="c1">// Create the person</span> <span class="k">await</span> <span class="nf">createPerson</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">personData</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="nx">personData</span><span class="p">.</span><span class="nx">firstName</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="nx">personData</span><span class="p">.</span><span class="nx">lastName</span><span class="p">,</span> <span class="na">dateOfBirth</span><span class="p">:</span> <span class="nx">personData</span><span class="p">.</span><span class="nx">dateOfBirth</span><span class="p">,</span> <span class="na">gender</span><span class="p">:</span> <span class="nx">personData</span><span class="p">.</span><span class="nx">gender</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nx">personData</span><span class="p">.</span><span class="nx">createdAt</span><span class="p">,</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nx">personData</span><span class="p">.</span><span class="nx">updatedAt</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Create related entities in parallel</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="p">...</span><span class="nx">personData</span><span class="p">.</span><span class="nx">addresses</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">addr</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">createAddress</span><span class="p">(</span><span class="nx">addr</span><span class="p">)),</span> <span class="p">...</span><span class="nx">personData</span><span class="p">.</span><span class="nx">bankAccounts</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">bank</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">createBankAccount</span><span class="p">(</span><span class="nx">bank</span><span class="p">)),</span> <span class="p">...</span><span class="nx">personData</span><span class="p">.</span><span class="nx">contacts</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">contact</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">createContact</span><span class="p">(</span><span class="nf">normalizeContactInfo</span><span class="p">(</span><span class="nx">contact</span><span class="p">)),</span> <span class="p">),</span> <span class="p">...</span><span class="nx">personData</span><span class="p">.</span><span class="nx">employments</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">emp</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="nf">createEmployment</span><span class="p">(</span><span class="nf">normalizeEmployment</span><span class="p">(</span><span class="nx">emp</span><span class="p">)),</span> <span class="p">),</span> <span class="p">]);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">seedPersonsBatch</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">persons</span><span class="p">:</span> <span class="nx">PersonWithRelations</span><span class="p">[],</span> <span class="p">):</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">successCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">person</span> <span class="k">of</span> <span class="nx">persons</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">seedOnePerson</span><span class="p">(</span><span class="nx">person</span><span class="p">);</span> <span class="nx">successCount</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Failed to seed person </span><span class="p">${</span><span class="nx">person</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">:`</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">successCount</span><span class="p">;</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">clearAllPersons</span> <span class="o">=</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Clearing existing persons...</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">existingPersons</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAllPersons</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">deletedCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">person</span> <span class="k">of</span> <span class="nx">existingPersons</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">deletePerson</span><span class="p">(</span><span class="nx">person</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="nx">deletedCount</span><span class="o">++</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">deletedCount</span> <span class="o">%</span> <span class="nx">LOG_INTERVAL</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">` Deleted </span><span class="p">${</span><span class="nx">deletedCount</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">existingPersons</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> persons...`</span><span class="p">,</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Failed to delete person </span><span class="p">${</span><span class="nx">person</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">:`</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Cleared </span><span class="p">${</span><span class="nx">deletedCount</span><span class="p">}</span><span class="s2"> persons`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">deletedCount</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// =============================================================================</span> <span class="c1">// Main</span> <span class="c1">// =============================================================================</span> <span class="kd">const</span> <span class="nx">main</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="c1">// Parse arguments</span> <span class="kd">const</span> <span class="nx">args</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">shouldClear</span> <span class="o">=</span> <span class="nx">args</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">--clear</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">countArg</span> <span class="o">=</span> <span class="nx">args</span><span class="p">.</span><span class="nf">find</span><span class="p">((</span><span class="nx">arg</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="o">!</span><span class="nx">arg</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">--</span><span class="dl">"</span><span class="p">));</span> <span class="kd">let</span> <span class="nx">count</span> <span class="o">=</span> <span class="nx">DEFAULT_COUNT</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">countArg</span><span class="p">)</span> <span class="p">{</span> <span class="nx">count</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">countArg</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">.</span><span class="nf">repeat</span><span class="p">(</span><span class="mi">60</span><span class="p">));</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">DB Persons Seed Script</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">.</span><span class="nf">repeat</span><span class="p">(</span><span class="mi">60</span><span class="p">));</span> <span class="c1">// Check for table name</span> <span class="kd">const</span> <span class="nx">tableName</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DDB_PERSONS_TABLE_NAME</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">tableName</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Error: DDB_PERSONS_TABLE_NAME environment variable not set</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="s2">Run: export DDB_PERSONS_TABLE_NAME=</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Table: </span><span class="p">${</span><span class="nx">tableName</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Clear if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">shouldClear</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">clearAllPersons</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Generate fake data</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Generating </span><span class="p">${</span><span class="nx">count</span><span class="p">}</span><span class="s2"> persons...`</span><span class="p">);</span> <span class="nf">initFaker</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">persons</span> <span class="o">=</span> <span class="nf">generatePersons</span><span class="p">(</span><span class="nx">count</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Generated </span><span class="p">${</span><span class="nx">persons</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> persons with relations`</span><span class="p">);</span> <span class="c1">// Seed in batches</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\nSeeding in batches of </span><span class="p">${</span><span class="nx">BATCH_SIZE</span><span class="p">}</span><span class="s2">...`</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">totalSeeded</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">idx</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">idx</span> <span class="o">&amp;</span><span class="nx">lt</span><span class="p">;</span> <span class="nx">persons</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">idx</span> <span class="o">+=</span> <span class="nx">BATCH_SIZE</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">batch</span> <span class="o">=</span> <span class="nx">persons</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">idx</span><span class="p">,</span> <span class="nx">idx</span> <span class="o">+</span> <span class="nx">BATCH_SIZE</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">seeded</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">seedPersonsBatch</span><span class="p">(</span><span class="nx">batch</span><span class="p">);</span> <span class="nx">totalSeeded</span> <span class="o">+=</span> <span class="nx">seeded</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">` Seeded </span><span class="p">${</span><span class="nx">totalSeeded</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">persons</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> persons...`</span><span class="p">);</span> <span class="c1">// Small delay to avoid throttling</span> <span class="k">await</span> <span class="nf">sleep</span><span class="p">(</span><span class="mi">100</span><span class="p">);</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">.</span><span class="nf">repeat</span><span class="p">(</span><span class="mi">60</span><span class="p">));</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Seed Complete: </span><span class="p">${</span><span class="nx">totalSeeded</span><span class="p">}</span><span class="s2"> persons created`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">.</span><span class="nf">repeat</span><span class="p">(</span><span class="mi">60</span><span class="p">));</span> <span class="p">};</span> <span class="nf">main</span><span class="p">().</span><span class="k">catch</span><span class="p">((</span><span class="nx">error</span><span class="p">)</span> <span class="o">=&amp;</span><span class="nx">gt</span><span class="p">;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Seed script failed:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgzsr764w7nvo0jgwar6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgzsr764w7nvo0jgwar6.png" alt="result ddb"></a></p> <h2> Result </h2> <p>The implementation demonstrates a multi-entity data model with DynamoDB's single table design. The DynamoDB table shows the hierarchical key structure with person profiles and related entities stored efficiently. The UI displays the person list with all associated data managed through TanStack DB collections.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fasr4w7c7l7k04yfn4pf2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fasr4w7c7l7k04yfn4pf2.png" alt="result page"></a></p> <h2> Conclusion </h2> <p>Because ElectroDB handles the entities and single table design, it's more or less a direct mapping from the ElectroDB client to TanStack DB collections.<br> At least for the described data model and access patterns.</p> <p>The update to global collections demonstrates how TanStack DB's architecture enables significant performance improvements with minimal code changes. By loading all entities once at startup and filtering client-side, navigation between person details becomes instant—no network requests needed.</p> <p>At this size of around 10-50 persons, this approach works well. With much more data (&gt;10k rows), you may need to consider progressive or on-demand loading strategies. TanStack DB's query-driven sync patterns support these scenarios as your data grows.</p> <h2> Sources and References </h2> <ul> <li> <strong>Examples (full implementation on GitHub)</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws" rel="noopener noreferrer">github.com/JohannesKonings/tanstack-aws</a> </li> <li> <strong>Original tag</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/releases/tag/2025-12-27-tanstack-start-aws-db-multiple-entities" rel="noopener noreferrer">2025-12-27-tanstack-start-aws-db-multiple-entities</a> </li> <li> <strong>Updated tag (global collections)</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws/releases/tag/2025-12-27-tanstack-start-aws-db-multiple-entities-update" rel="noopener noreferrer">2025-12-27-tanstack-start-aws-db-multiple-entities-update</a> </li> <li> <strong>TanStack DB documentation</strong>: <a href="https://tanstack.com/db/latest" rel="noopener noreferrer">tanstack.com/db/latest</a> </li> <li> <strong>TanStack DB 0.5 Query-Driven Sync</strong>: <a href="https://tanstack.com/blog/tanstack-db-0.5-query-driven-sync" rel="noopener noreferrer">tanstack.com/blog/tanstack-db-0.5-query-driven-sync</a> </li> <li> <strong>ElectroDB documentation</strong>: <a href="https://electrodb.dev/" rel="noopener noreferrer">electrodb.dev</a> </li> </ul> aws cdk tanstack Johannes Konings Sat, 20 Dec 2025 08:15:18 +0000 https://dev.to/aws-builders/simple-example-of-tanstack-db-with-dynamodb-on-aws-4k5e https://dev.to/aws-builders/simple-example-of-tanstack-db-with-dynamodb-on-aws-4k5e <h2> Introduction </h2> <p>In <a href="https://dev.to/aws-builders/deploy-tanstack-start-serverless-on-aws-4j7e">Deploying TanStack Start on AWS with Lambda Function URLs</a>, I describe how to deploy TanStack Start serverless on AWS. This post contains a simple example of using TanStack DB (<a href="https://tanstack.com/db/latest" rel="noopener noreferrer">https://tanstack.com/db/latest</a>) with DynamoDB on AWS.</p> <p>At a high level, we’ll go from infrastructure (a DynamoDB table), to a small DynamoDB client, to a TanStack Start server route, and finally to a TanStack DB collection that powers a simple UI.</p> <p>The complete implementation is available in the <a href="https://github.com/JohannesKonings/tanstack-aws" rel="noopener noreferrer">tanstack-aws repository</a>, which serves as a working example and template for this deployment pattern.</p> <h2> Disclaimer </h2> <p>This is a very simple example to get you started with TanStack DB and DynamoDB on AWS. It is not production-ready and lacks features like error handling, security, and optimizations.</p> <h2> TanStack DB </h2> <p>This (<a href="https://frontendatscale.com/blog/tanstack-db/" rel="noopener noreferrer">https://frontendatscale.com/blog/tanstack-db/</a>) blog post explains the concepts of TanStack DB very well. In short, TanStack DB is a client-first database that runs in the browser or in a server environment. It provides a simple API to store, query, and sync data. TanStack DB is based on collections, with existing sync engines like ElectricSQL (<a href="https://tanstack.com/db/latest/docs/collections/electric-collection" rel="noopener noreferrer">https://tanstack.com/db/latest/docs/collections/electric-collection</a>).</p> <p>This post uses the Query Collection to wire it via an API to DynamoDB (<a href="https://tanstack.com/db/latest/docs/collections/query-collection" rel="noopener noreferrer">https://tanstack.com/db/latest/docs/collections/query-collection</a>).</p> <p>The idea is straightforward: TanStack DB remains the place where your app reads and writes “records” (in this case, todos), while the collection’s fetch and mutation hooks delegate persistence to your own backend API.</p> <h2> DynamoDB in CDK </h2> <p>This is a very simple configuration, just to store the todos.</p> <p>To keep the example focused, the table uses a generic partition key and sort key (<code>pk</code>/<code>sk</code>). That makes it easy to evolve into a single-table design later, while keeping the code here minimal.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { AttributeType, BillingMode, Table } from "aws-cdk-lib/aws-dynamodb"; import { Construct } from "constructs"; export class DatabaseTodos extends Construct { public readonly dbTodos: Table; constructor(scope: Construct, id: string) { super(scope, id); this.dbTodos = new Table(this, "Todos", { partitionKey: { name: "pk", type: AttributeType.STRING }, sortKey: { name: "sk", type: AttributeType.STRING }, billingMode: BillingMode.PAY_PER_REQUEST, }); } } </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/DatabaseTodos.ts" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/DatabaseTodos.ts</a></p> <p>This table needs to be wired to the web app server Lambda.</p> <p>In the web app construct, the table construct is added. The Lambda is allowed to read and write data to the table.</p> <p>Concretely, that means (1) creating the table, (2) passing the table name into the server function, and (3) granting the function read/write permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const databaseTodos = new DatabaseTodos(this, "DatabaseTodos"); const webappServer = new WebappServer(this, "WebappServer", { tableName: databaseTodos.dbTodos.tableName, }); databaseTodos.dbTodos.grantReadWriteData(webappServer.webappServer); </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/Webapp.ts" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/Webapp.ts</a></p> <p>The passed table name is exposed as an environment variable in the Lambda function.</p> <p>This keeps the application code decoupled from CDK: the Lambda only needs to know an env var, and CDK is responsible for wiring that value at deploy time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>this.webappServer = new Function(this, "WebappServer", { code: Code.fromAsset( path.join( path.dirname(new URL(import.meta.url).pathname), "../../.output/server", ), ), // functionName: PhysicalName.GENERATE_IF_NEEDED, handler: "index.handler", memorySize: 2048, runtime: Runtime.NODEJS_24_X, // oxlint-disable-next-line no-magic-numbers timeout: Duration.seconds(60), environment: { DDB_TODOS_TABLE_NAME: tableName, }, }); </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/WebappServer.ts" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/WebappServer.ts</a></p> <h2> A DynamoDB Client </h2> <p>In this example, a simple wrapper around the DynamoDB client is used. In larger projects, something like <a href="https://electrodb.dev/" rel="noopener noreferrer">https://electrodb.dev/</a> can help. This is the bridge from the API behind TanStack DB to DynamoDB.</p> <p>The client below implements the four operations the demo needs: list todos, create a todo, update one or more todos, and delete todos in batches.</p> <p>Here is the environment variable used for the table name.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { DynamoDBClient } from "@aws-sdk/client-dynamodb"; import { BatchWriteCommand, DynamoDBDocumentClient, PutCommand, QueryCommand, UpdateCommand, } from "@aws-sdk/lib-dynamodb"; import { type Todo, todoSchema, type TodoUpdate } from "@/webapp/types/todo"; const TODOS_PK = "TODO"; const TODOS_TABLE_ENV = "DDB_TODOS_TABLE_NAME"; const EMPTY_LENGTH = 0; const INITIAL_ATTEMPT = 0; const NEXT_ATTEMPT_INCREMENT = 1; const MAX_RETRY_ATTEMPTS = 3; const MAX_BATCH_WRITE_ITEMS = 25; let ddbDocSingleton: DynamoDBDocumentClient | null = null; export const getDdbDocClient = (): DynamoDBDocumentClient =&gt; { if (!ddbDocSingleton) { ddbDocSingleton = DynamoDBDocumentClient.from(new DynamoDBClient({}), { marshallOptions: { removeUndefinedValues: true, }, }); } return ddbDocSingleton; }; export const requireEnvVar = (name: string): string =&gt; { const value = process.env[name]; if (!value) { throw new Error(`Missing env var: ${name}`); } return value; }; export const getTodosTableName = (): string =&gt; requireEnvVar(TODOS_TABLE_ENV); const todoSortKey = (id: number): string =&gt; `TODO#${id}`; const parseTodoItem = (item: Record&lt;string, unknown&gt;): Todo | null =&gt; { const parsed = todoSchema.safeParse({ id: item.id, name: item.name, status: item.status, }); if (!parsed.success) { return null; } return parsed.data; }; const chunkItems = &lt;Item&gt;(items: Item[], chunkSize: number): Item[][] =&gt; { const out: Item[][] = []; for (let index = EMPTY_LENGTH; index &lt; items.length; index += chunkSize) { out.push(items.slice(index, index + chunkSize)); } return out; }; export type TodosDdbClient = { getTodos: () =&gt; Promise&lt;Todo[]&gt;; putTodo: (todo: Todo) =&gt; Promise&lt;Todo&gt;; updateTodos: (updates: TodoUpdate[]) =&gt; Promise&lt;void&gt;; deleteTodos: (ids: number[]) =&gt; Promise&lt;void&gt;; }; const retryBatchWrite = async (args: { ddbDoc: DynamoDBDocumentClient; requestItems: unknown; attempt: number; }): Promise&lt;void&gt; =&gt; { const response = await args.ddbDoc.send( new BatchWriteCommand({ RequestItems: args.requestItems as never, }), ); const unprocessedItems = response.UnprocessedItems; if ( !unprocessedItems || Object.keys(unprocessedItems).length === EMPTY_LENGTH ) { return; } if (args.attempt + NEXT_ATTEMPT_INCREMENT &gt;= MAX_RETRY_ATTEMPTS) { return; } await retryBatchWrite({ ddbDoc: args.ddbDoc, requestItems: unprocessedItems, attempt: args.attempt + NEXT_ATTEMPT_INCREMENT, }); }; export const createTodosDdbClient = (): TodosDdbClient =&gt; { const ddbDoc = getDdbDocClient(); return { getTodos: async () =&gt; { const tableName = getTodosTableName(); const result = await ddbDoc.send( new QueryCommand({ TableName: tableName, KeyConditionExpression: "#pk = :pk", ExpressionAttributeNames: { "#pk": "pk", }, ExpressionAttributeValues: { ":pk": TODOS_PK, }, }), ); const items = (result.Items ?? []) .map((item) =&gt; parseTodoItem(item)) .filter((todo): todo is Todo =&gt; todo !== null); return items; }, putTodo: async (todo: Todo) =&gt; { const tableName = getTodosTableName(); await ddbDoc.send( new PutCommand({ TableName: tableName, Item: { pk: TODOS_PK, sk: todoSortKey(todo.id), id: todo.id, name: todo.name, status: todo.status, }, }), ); return todo; }, updateTodos: async (updates: TodoUpdate[]) =&gt; { const tableName = getTodosTableName(); await Promise.all( updates.map(async (update) =&gt; { const sets: string[] = []; const names: Record&lt;string, string&gt; = { "#pk": "pk", "#sk": "sk", }; const values: Record&lt;string, unknown&gt; = {}; if (update.changes.name !== undefined) { names["#name"] = "name"; values[":name"] = update.changes.name; sets.push("#name = :name"); } if (update.changes.status !== undefined) { names["#status"] = "status"; values[":status"] = update.changes.status; sets.push("#status = :status"); } if (sets.length === EMPTY_LENGTH) { return; } try { await ddbDoc.send( new UpdateCommand({ TableName: tableName, Key: { pk: TODOS_PK, sk: todoSortKey(update.id), }, UpdateExpression: `SET ${sets.join(", ")}`, ConditionExpression: "attribute_exists(#pk) AND attribute_exists(#sk)", ExpressionAttributeNames: names, ExpressionAttributeValues: values, }), ); } catch (error) { const errorName = (error as { name?: string } | undefined)?.name; if (errorName !== "ConditionalCheckFailedException") { throw error; } } }), ); }, deleteTodos: async (ids: number[]) =&gt; { const tableName = getTodosTableName(); const groups = chunkItems(ids, MAX_BATCH_WRITE_ITEMS); await Promise.all( groups.map(async (group) =&gt; { const requestItems = { [tableName]: group.map((id) =&gt; ({ DeleteRequest: { Key: { pk: TODOS_PK, sk: todoSortKey(id), }, }, })), }; await retryBatchWrite({ ddbDoc, requestItems, attempt: INITIAL_ATTEMPT, }); }), ); }, }; }; </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/integrations/ddb-client/ddbClient.ts" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/integrations/ddb-client/ddbClient.ts</a></p> <h2> The API connection to DynamoDB </h2> <p>With the DynamoDB client created above, you can create an API that connects TanStack DB to DynamoDB.</p> <p>In TanStack Start, this is a server route with standard HTTP verbs. The route validates input, calls the DynamoDB client, and returns JSON responses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// oxlint-disable func-style import { createFileRoute } from "@tanstack/react-router"; import { createTodosDdbClient } from "@/webapp/integrations/ddb-client/ddbClient"; import { createTodoRequestSchema, deleteTodosRequestSchema, updateTodosRequestSchema, } from "@/webapp/types/todo"; const todosClient = createTodosDdbClient(); export const Route = createFileRoute("/demo/api/ddb-todos")({ server: { handlers: { // oxlint-disable-next-line arrow-body-style GET: async () =&gt; { const items = await todosClient.getTodos(); return Response.json(items); }, POST: async ({ request }) =&gt; { const requestJson = await request.json(); const todoParsed = createTodoRequestSchema.parse(requestJson); const saved = await todosClient.putTodo(todoParsed); return Response.json(saved); }, PUT: async ({ request }) =&gt; { const requestJson = await request.json(); const updates = updateTodosRequestSchema.parse(requestJson); await todosClient.updateTodos(updates); return Response.json({ ok: true }); }, DELETE: async ({ request }) =&gt; { const requestJson = await request.json(); const ids = deleteTodosRequestSchema.parse(requestJson); await todosClient.deleteTodos(ids); return Response.json({ ok: true }); }, }, }, }); </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/routes/demo/api.ddb-todos.ts" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/routes/demo/api.ddb-todos.ts</a></p> <h2> The TanStack DB collection </h2> <p>The collection uses the API to fetch and mutate data in DynamoDB.</p> <p>This is the key integration point: the collection fetches via the <code>queryFn</code>, and the transaction callbacks (<code>onInsert</code>, <code>onUpdate</code>, <code>onDelete</code>) translate local writes into API calls.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { queryCollectionOptions } from "@tanstack/query-db-collection"; import { createCollection } from "@tanstack/react-db"; import { getContext } from "@/webapp/integrations/tanstack-query/root-provider"; import { type Todo, todoSchema } from "../types/todo"; // const todoApiPath = '/demo/api/tq-todos'; const todoApiPath = "/demo/api/ddb-todos"; const api = { async fetchTodos(): Promise&lt;Todo[]&gt; { const response = await fetch(todoApiPath); if (!response.ok) { throw new Error("Failed to fetch todos"); } const data = await response.json(); return todoSchema.array().parse(data); }, async createTodos(todo: Omit&lt;Todo, "id"&gt;) { await fetch(todoApiPath, { method: "POST", headers: { "Content-Type": "application/json", }, body: JSON.stringify(todo), }); }, async updateTodos( updates: { id: number; changes: Partial&lt;Omit&lt;Todo, "id"&gt;&gt; }[], ) { await fetch(todoApiPath, { method: "PUT", headers: { "Content-Type": "application/json", }, body: JSON.stringify(updates), }); }, async deleteTodos(ids: number[]) { await fetch(todoApiPath, { method: "DELETE", headers: { "Content-Type": "application/json", }, body: JSON.stringify(ids), }); }, }; export const todosCollection = createCollection( queryCollectionOptions&lt;Todo&gt;({ queryKey: ["todos"], queryFn: () =&gt; api.fetchTodos(), queryClient: getContext().queryClient, getKey: (item) =&gt; item.id, onInsert: async ({ transaction }) =&gt; { const newItems = transaction.mutations.map((mutation) =&gt; ({ id: Math.random(), // Temporary ID; real ID should be assigned by the server name: mutation.modified.name, status: mutation.modified.status, })); for (const item of newItems) { api.createTodos(item); } }, onUpdate: async ({ transaction }) =&gt; { const updates = transaction.mutations.map((mutation) =&gt; ({ id: mutation.key, changes: mutation.changes, })); await api.updateTodos(updates); }, onDelete: async ({ transaction }) =&gt; { const ids = transaction.mutations.map((mutation) =&gt; mutation.key); await api.deleteTodos(ids); }, }), ); </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/db-collections/todos.ts" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/db-collections/todos.ts</a></p> <h2> The hook </h2> <p>These hooks provide a small, UI-friendly API on top of the collection. Components can call <code>addTodo</code>/<code>toggleTodoStatus</code>/<code>deleteTodo</code>, and <code>useTodos</code> subscribes to the live query for rendering.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { useLiveQuery } from "@tanstack/react-db"; // oxlint-disable func-style import { todosCollection } from "@/webapp/db-collections/todos"; import type { Todo } from "../types/todo"; export function useTodo() { const addTodo = async ({ name, status }: Omit&lt;Todo, "id"&gt;) =&gt; { // oxlint-disable-next-line no-magic-numbers const randomId = Math.floor(Math.random() * 1000000); todosCollection.insert({ id: randomId, name, status }); }; const toggleTodoStatus = (id: number, status: "pending" | "completed") =&gt; { todosCollection.update(id, (draft) =&gt; { if (draft) { draft.status = status; } }); }; const deleteTodo = (id: number) =&gt; { todosCollection.delete(id); }; return { addTodo, toggleTodoStatus, deleteTodo }; } export function useTodos() { const { data: todos } = useLiveQuery((todoQuery) =&gt; todoQuery.from({ todo: todosCollection }).select(({ todo }) =&gt; ({ ...todo, })), ); return todos as Todo[]; } </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/hooks/useDbTodos.ts" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/hooks/useDbTodos.ts</a></p> <h2> The component </h2> <p>Finally, the UI component is just a thin layer over the hooks: render the list, submit a new todo, toggle completion, and delete items.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// oxlint-disable func-style import { createFileRoute } from "@tanstack/react-router"; import { Trash2 } from "lucide-react"; import { useState } from "react"; import { useTodo, useTodos } from "@/webapp/hooks/useDbTodos"; export const Route = createFileRoute("/demo/db-todo")({ ssr: false, component: DbTodos, }); function DbTodos() { const todos = useTodos(); const { addTodo, toggleTodoStatus, deleteTodo } = useTodo(); const [todo, setTodo] = useState&lt;string&gt;(""); const submitTodo = () =&gt; { if (todo.trim() !== "") { addTodo({ name: todo, status: "pending" }); setTodo(""); } }; const handleTodoStatusToggle = (todoItem: (typeof todos)[number]) =&gt; { if (todoItem.status === "completed") { toggleTodoStatus(todoItem.id, "pending"); } else { toggleTodoStatus(todoItem.id, "completed"); } }; return ( &lt;div className="flex items-center justify-center min-h-screen bg-linear-to-br from-purple-100 to-blue-100 p-4 text-white" style={{ backgroundImage: "radial-gradient(50% 50% at 95% 5%, #4a90c2 0%, #317eb9 50%, #1e4d72 100%)", }} &gt; &lt;div className="w-full max-w-2xl p-8 rounded-xl backdrop-blur-md bg-black/50 shadow-xl border-8 border-black/10"&gt; &lt;h1 className="text-2xl mb-4"&gt;DB Todo list&lt;/h1&gt; &lt;ul className="mb-4 space-y-2"&gt; {todos?.map((todoItem) =&gt; { const isCompleted = todoItem.status === "completed"; let textClasses = ""; if (isCompleted) { textClasses = "line-through opacity-60"; } return ( &lt;li key={todoItem.id} className="bg-white/10 border border-white/20 rounded-lg p-3 backdrop-blur-sm shadow-md flex items-center gap-3" &gt; &lt;input type="checkbox" checked={isCompleted} onChange={() =&gt; handleTodoStatusToggle(todoItem)} className="w-5 h-5 cursor-pointer accent-blue-400" /&gt; &lt;span className={`text-lg text-white flex-1 ${textClasses}`}&gt; {todoItem.name} &lt;/span&gt; &lt;button type="button" onClick={() =&gt; deleteTodo(todoItem.id)} className="text-white/80 hover:text-red-300 p-2 rounded-full hover:bg-white/10 transition-colors" aria-label={`Delete todo ${todoItem.name}`} &gt; &lt;Trash2 className="w-5 h-5" aria-hidden="true" /&gt; &lt;/button&gt; &lt;/li&gt; ); })} &lt;/ul&gt; &lt;div className="flex flex-col gap-2"&gt; &lt;input type="text" value={todo} onChange={(event) =&gt; setTodo(event.target.value)} onKeyDown={(event) =&gt; { if (event.key === "Enter") { submitTodo(); } }} placeholder="Enter a new todo..." className="w-full px-4 py-3 rounded-lg border border-white/20 bg-white/10 backdrop-blur-sm text-white placeholder-white/60 focus:outline-none focus:ring-2 focus:ring-blue-400 focus:border-transparent" /&gt; &lt;button // oxlint-disable-next-line no-magic-numbers disabled={todo.trim().length === 0} onClick={submitTodo} className="bg-blue-500 hover:bg-blue-600 disabled:bg-blue-500/50 disabled:cursor-not-allowed text-white font-bold py-3 px-4 rounded-lg transition-colors" &gt; Add todo &lt;/button&gt; &lt;/div&gt; &lt;/div&gt; &lt;/div&gt; ); } </code></pre> </div> <p><a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/routes/demo/db-todo.tsx" rel="noopener noreferrer">https://github.com/JohannesKonings/tanstack-aws/blob/main/src/webapp/routes/demo/db-todo.tsx</a></p> <h2> Result </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpzlnzjitkmgqm9e3tky.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpzlnzjitkmgqm9e3tky.png" alt="result" width="800" height="347"></a></p> <h2> Conclusion </h2> <p>This is a simple example and implementation of TanStack DB with DynamoDB on AWS. In a more complete example, you’d need to figure out how to map a single-table design in DynamoDB to multiple collections in TanStack DB.</p> <p>From here, the next natural steps are adding authentication/authorization on the API, better id generation (server-assigned ids), and a more explicit data model to support multiple entity types.</p> <h2> Sources and References </h2> <ul> <li> <strong>Examples (full implementation on GitHub)</strong>: <a href="https://github.com/JohannesKonings/tanstack-aws" rel="noopener noreferrer">github.com/JohannesKonings/tanstack-aws</a> </li> <li> <strong>TanStack DB documentation</strong> : <a href="https://tanstack.com/db/latest" rel="noopener noreferrer">tanstack.com/db/latest</a> </li> </ul> aws cdk tanstack Johannes Konings Sat, 13 Dec 2025 08:15:18 +0000 https://dev.to/aws-builders/monitor-multiple-resources-using-a-single-cloudwatch-alarm-with-cdk-3adh https://dev.to/aws-builders/monitor-multiple-resources-using-a-single-cloudwatch-alarm-with-cdk-3adh <h2> Introduction </h2> <p>CloudWatch <strong>Metrics Insights query alarms</strong> (aka “multi-metric alarms”) let one alarm evaluate many <em>individual</em> resources. You write a Metrics Insights SQL query (with <code>GROUP BY</code>), and CloudWatch keeps the alarm’s contributor set up to date as resources are created/deleted.</p> <p>Before this announcement, you had two imperfect choices:</p> <ul> <li>Create one alarm per resource (granular, but high maintenance as resources change).</li> <li>Use aggregated metrics (low maintenance, but you lose per-resource visibility and actions).</li> </ul> <p>The September 2025 feature (<a href="https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-cloudwatch-alarm-multiple-metrics/" rel="noopener noreferrer">https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-cloudwatch-alarm-multiple-metrics/</a>) adds query alarms that evaluate many individual metrics with one alarm, preserving per-resource visibility and actions while removing the per-resource alarm sprawl.</p> <p>Pubudu Jayawardana already described how to use it here <a href="https://pubudu.dev/posts/cloudwatch-multi-metric-alarms/" rel="noopener noreferrer">https://pubudu.dev/posts/cloudwatch-multi-metric-alarms/</a>, this post focuses on how to implement the pattern in AWS CDK with concise, working examples (SQS DLQs with tag-based queries, and SFN across all state machines).</p> <h2> Account Configuration </h2> <p>If you want <code>WHERE tag.X = 'Y'</code> filters in Metrics Insights queries, enable <em>resource tags on telemetry</em>: <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/EnableResourceTagsOnTelemetry.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/EnableResourceTagsOnTelemetry.html</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbnziljn5n9n7r8tm1iqv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbnziljn5n9n7r8tm1iqv.png" alt="cloudwatch settings tags" width="800" height="450"></a></p> <p>As of 2025-12, this setting isn’t exposed as a CloudFormation resource. CloudWatch may take up to a few hours to fully enrich all metrics after enabling.</p> <p>CLI equivalent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws observabilityadmin start-telemetry-enrichment </code></pre> </div> <p>If you want this in CDK, use a Lambda-backed custom resource that calls the same API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/observabilityadmin/command/StartTelemetryEnrichmentCommand/ // https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/EnableResourceTagsOnTelemetry.html new AwsCustomResource(this, "StartTelemetryEnrichment", { onCreate: { service: "@aws-sdk/client-observabilityadmin", action: "StartTelemetryEnrichment", physicalResourceId: PhysicalResourceId.of("StartTelemetryEnrichment"), }, installLatestAwsSdk: true, // policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }), policy: AwsCustomResourcePolicy.fromStatements([ new PolicyStatement({ effect: Effect.ALLOW, actions: [ "observabilityadmin:StartTelemetryEnrichment", "iam:CreateServiceLinkedRole", "resource-explorer-2:CreateIndex", "resource-explorer-2:CreateManagedView", "resource-explorer-2:CreateStreamingAccessForService", ], resources: ["*"], }), ]), }); </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3exil0nyke6nafdimbm2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3exil0nyke6nafdimbm2.png" alt="cloudwatch settings tags activated" width="800" height="123"></a></p> <h2> Example 1: one alarm for all DLQs (tag filtered) </h2> <p>Tag only the DLQs you want included (opt-in):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const dlq1 = new Queue(this, "DLQ1"); Tags.of(dlq1).add("isDlq", "true"); Tags.of(dlq1).add("monitor", "true"); new Queue(this, "Queue1", { deadLetterQueue: { queue: dlq1, maxReceiveCount: 3, }, }); const dlq2 = new Queue(this, "DLQ2"); Tags.of(dlq2).add("isDlq", "true"); Tags.of(dlq2).add("monitor", "true"); new Queue(this, "Queue2", { deadLetterQueue: { queue: dlq2, maxReceiveCount: 5, }, }); const dlq3 = new Queue(this, "DLQ3"); Tags.of(dlq3).add("isDlq", "true"); Tags.of(dlq3).add("monitor", "false"); new Queue(this, "Queue3", { deadLetterQueue: { queue: dlq3, maxReceiveCount: 5, }, }); const expressionDlq = new MathExpression({ expression: `SELECT MAX(ApproximateNumberOfMessagesVisible) FROM SCHEMA("AWS/SQS", QueueName) WHERE tag.monitor = 'true' AND tag.isDlq = 'true' GROUP BY QueueName ORDER BY COUNT() DESC`, usingMetrics: {}, period: Duration.minutes(1), label: "DLQ messages", }); new Alarm(this, "DlqAlarm", { metric: expressionDlq, threshold: 1, evaluationPeriods: 1, comparisonOperator: ComparisonOperator.GREATER_THAN_OR_EQUAL_TO_THRESHOLD, alarmDescription: "Alarm if any tagged DLQ has visible messages", alarmName: "DLQ-Alarm", }); </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6fx368rgbqaprip4ity1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6fx368rgbqaprip4ity1.png" alt="cloudwatch dlq alarm" width="800" height="436"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm43rrk4b26kmtzar4mcj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm43rrk4b26kmtzar4mcj.png" alt="cloudwatch dlq ok" width="800" height="436"></a></p> <h2> Example 2: one alarm for failed Step Functions executions </h2> <p>Tag filtering only works for resource types supported by <em>resource tags for telemetry</em> (SQS is supported; Step Functions isn’t listed): <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingResourceTagsForTelemetry.html#SupportedAWSInfrastructureMetrics" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingResourceTagsForTelemetry.html#SupportedAWSInfrastructureMetrics</a></p> <p>So for Step Functions, this alarms across all state machines in the account/region.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const sfn1 = new StateMachine(this, "StateMachine1", { definitionBody: DefinitionBody.fromChainable(new Fail(this, "FailState1")), }); const sfn2 = new StateMachine(this, "StateMachine2", { definitionBody: DefinitionBody.fromChainable(new Fail(this, "FailState2")), }); const expressionSfn = new MathExpression({ expression: `SELECT MAX(ExecutionsFailed) FROM SCHEMA("AWS/States", StateMachineName) GROUP BY StateMachineName ORDER BY COUNT() DESC`, usingMetrics: {}, period: Duration.minutes(1), label: "Sfn failed executions", }); new Alarm(this, "SfnAlarm", { metric: expressionSfn, threshold: 1, evaluationPeriods: 1, comparisonOperator: ComparisonOperator.GREATER_THAN_OR_EQUAL_TO_THRESHOLD, alarmDescription: "Alarm if any state machine has failed executions", alarmName: "SFN-Alarm", }); </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ar9cam5i64vazrd8cxw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ar9cam5i64vazrd8cxw.png" alt="cloudwatch sfn alarm" width="800" height="419"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frjkdy5toybfubrauek3g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frjkdy5toybfubrauek3g.png" alt="cloudwatch sfn ok" width="800" height="418"></a></p> <h2> Sources </h2> <ul> <li>Feature announcement: <a href="https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-cloudwatch-alarm-multiple-metrics/" rel="noopener noreferrer">https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-cloudwatch-alarm-multiple-metrics/</a> </li> <li>CloudWatch docs (alarms on Metrics Insights queries): <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-alarms.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-alarms.html</a> </li> <li>CloudWatch docs (create a Metrics Insights alarm): <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-alarm-create.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-alarm-create.html</a> </li> <li>CloudWatch docs (enable resource tags on telemetry): <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/EnableResourceTagsOnTelemetry.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/EnableResourceTagsOnTelemetry.html</a> </li> <li>CloudWatch docs (supported resources for tag enrichment): <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingResourceTagsForTelemetry.html#SupportedAWSInfrastructureMetrics" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingResourceTagsForTelemetry.html#SupportedAWSInfrastructureMetrics</a> </li> <li>CloudWatch docs (Metrics Insights quotas, incl. 500 time series limit): <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-limits.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-limits.html</a> </li> <li>Background article: <a href="https://pubudu.dev/posts/cloudwatch-multi-metric-alarms/" rel="noopener noreferrer">https://pubudu.dev/posts/cloudwatch-multi-metric-alarms/</a> </li> </ul> aws cdk cloudwatch Johannes Konings Sat, 06 Dec 2025 08:15:18 +0000 https://dev.to/aws-builders/use-cdk-notifier-to-check-cloudformation-predeployment-validations-in-pull-requests-49ga https://dev.to/aws-builders/use-cdk-notifier-to-check-cloudformation-predeployment-validations-in-pull-requests-49ga <h2> Overview </h2> <p>This post builds on the previous example on <a href="https://dev.to/aws-builders/use-cdk-notifier-to-compare-changes-in-pull-requests-3o70">using cdk-notifier to compare changes in pull requests</a>. It demonstrates how to extend the workflow by adding CloudFormation change set validation alongside <code>cdk diff</code> to provide more comprehensive pre-deployment validation.</p> <p>This approach leverages CloudFormation's pre-deployment validation capabilities, which are detailed in AWS's blog post on <a href="https://aws.amazon.com/blogs/devops/accelerate-infrastructure-development-with-cloudformation-pre-deployment-validation-and-simplified-troubleshooting/" rel="noopener noreferrer">Accelerate infrastructure development with CloudFormation pre-deployment validation and simplified troubleshooting</a>.</p> <h2> Use Case </h2> <p>The cdk diff via the cdk-notifier in pull requests helps a lot to understand what will happen after the merge, but not all deployment issues can be identified with the diff alone.</p> <p>For example, adding a role with the same name as an existing role in the account will lead to a deployment failure, but this is not visible in the diff.</p> <p>Also, adding multiple Global Secondary Indexes (GSIs) to an existing DynamoDB table in one deployment will fail, but the diff does not show this limitation. ⚠️ Unfortunately, I didn't manage to raise this problem in the deployment validation.</p> <h2> The Extended Example </h2> <p>This example enhances the original feature stacks scenario with two key additions:</p> <h3> Infrastructure Changes </h3> <p>The example adds:</p> <ol> <li> <strong>Global Secondary Indexes (GSIs)</strong> to the DynamoDB table</li> <li> <strong>CloudWatch LogGroup</strong> to the stack </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { App, Stack, StackProps, aws_dynamodb as dynamodb } from "aws-cdk-lib"; import { LogGroup } from "aws-cdk-lib/aws-logs"; import { Construct } from "constructs"; export class CdkNotfifierFeatureStackExample extends Stack { constructor(scope: Construct, id: string, props: StackProps = {}) { super(scope, id, props); const table = new dynamodb.Table(this, "Table", { tableName: `Table-${branchName}`, partitionKey: { name: "id", type: dynamodb.AttributeType.STRING }, billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, }); // Add CloudWatch LogGroup new LogGroup(this, "LogGroup", { logGroupName: "alreadyexisting", }); // Add GSI 1 table.addGlobalSecondaryIndex({ indexName: "GSI1", partitionKey: { name: "gsi1pk", type: dynamodb.AttributeType.STRING }, sortKey: { name: "gsi1sk", type: dynamodb.AttributeType.STRING }, }); // Add GSI 2 table.addGlobalSecondaryIndex({ indexName: "GSI2", partitionKey: { name: "gsi2pk", type: dynamodb.AttributeType.STRING }, sortKey: { name: "gsi2sk", type: dynamodb.AttributeType.STRING }, }); } } const app = new App(); const branchName = process.env.BRANCH_NAME || "dev"; console.log(`Deploying with stack postfix ${branchName}`); new CdkNotfifierFeatureStackExample( app, `cdk-notifier-feature-stacks-${branchName}`, ); app.synth(); </code></pre> </div> <h3> Extended GitHub Action Workflow </h3> <p>The workflow now performs both <code>cdk diff</code> and <code>cdk deploy --method prepare-change-set</code>. These command results are aggregated into a single log file, which is then processed by cdk-notifier to create a comprehensive report.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- name: Check diff and change-set to main run: | pnpm install --frozen-lockfile ECHO=$(echo "## Check the diff to main") echo $ECHO | tee -a cdk.log NPM_CONFIG_LOGLEVEL=error BRANCH_NAME=main pnpm exec cdk diff --progress=events &amp;&gt; &gt;(tee -a cdk.log) ECHO=$(echo "## Check the change-set to main") echo $ECHO | tee -a cdk.log NPM_CONFIG_LOGLEVEL=error BRANCH_NAME=main pnpm exec cdk deploy --all --method prepare-change-set &amp;&gt; &gt;(tee -a cdk.log) || true echo "create cdk-notifier report" echo "BRANCH_NAME: $BRANCH_NAME" echo "GITHUB_OWNER: $GITHUB_OWNER" echo "GITHUB_REPO: $GITHUB_REPO" cdk-notifier \ --owner ${{ env.GITHUB_OWNER }} \ --repo ${{ env.GITHUB_REPO }} \ --token ${{ secrets.GITHUB_TOKEN }} \ --log-file ./cdk.log \ --tag-id diff-to-main \ --pull-request-id ${{ env.PULL_REQUEST_ID }} \ --vcs github \ --ci circleci \ --template extendedWithResources </code></pre> </div> <p>Results in the Pull Request:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1z37yzamgpbu8kman6ud.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1z37yzamgpbu8kman6ud.png" alt="pull-request-report" width="800" height="1190"></a></p> <h2> Deployment Error with Multiple GSIs </h2> <p>When trying to deploy multiple GSIs to an existing table, the deployment validation will show the error:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrf1mkl2s4pvqt1apw52.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrf1mkl2s4pvqt1apw52.png" alt="dynamodb-gsi-error" width="800" height="467"></a></p> <h2> Further Enhancements </h2> <p>Future improvements could include: checking the change set via the AWS CLI to describe the change set to get more detailed information about the changes planned by CloudFormation.</p> <p><code>aws cloudformation describe-change-set</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fatf4b1iunwcg821jn8ht.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fatf4b1iunwcg821jn8ht.png" alt="deployment-validation-report" width="800" height="331"></a></p> <h2> Nice to Have (if not overlooked) </h2> <ul> <li>The cdk diff creates by default a change set, which could be reported back in the diff</li> </ul> <h2> Code and References </h2> <ul> <li>Full example repository: <a href="https://github.com/JohannesKonings/cdk-notifier-examples" rel="noopener noreferrer">https://github.com/JohannesKonings/cdk-notifier-examples</a> </li> <li>Related PR with changes: <a href="https://github.com/JohannesKonings/cdk-notifier-examples/pull/12" rel="noopener noreferrer">https://github.com/JohannesKonings/cdk-notifier-examples/pull/12</a> </li> <li>cdk-notifier project: <a href="https://github.com/karlderkaefer/cdk-notifier" rel="noopener noreferrer">https://github.com/karlderkaefer/cdk-notifier</a> </li> </ul> <h2> Previous Post </h2> <p>For the foundational concepts behind this example, refer to the earlier post: <a href="https://dev.to/aws-builders/use-cdk-notifier-to-compare-changes-in-pull-requests-3o70">Use cdk-notifier to compare changes in pull requests</a></p> aws cdk cdknotifier cloudformation Johannes Konings Sun, 30 Nov 2025 08:15:18 +0000 https://dev.to/aws-builders/deploy-tanstack-start-serverless-on-aws-4j7e https://dev.to/aws-builders/deploy-tanstack-start-serverless-on-aws-4j7e <h2> Introduction </h2> <p>This guide demonstrates how to deploy a <a href="https://tanstack.com/start" rel="noopener noreferrer">TanStack Start</a> application on AWS using a serverless architecture. TanStack Start is a full-stack React framework that provides server-side rendering, routing, and data fetching capabilities. We'll deploy it using AWS Lambda, API Gateway with streaming support, CloudFront for CDN, and S3 for static assets.</p> <p>The complete implementation is available in the <a href="https://github.com/JohannesKonings/tanstack-aws" rel="noopener noreferrer">tanstack-aws repository</a>, which serves as a working example and template for this deployment pattern.</p> <h2> Disclaimer </h2> <p>This is a straightforward implementation guide focused on the core deployment architecture. It does not cover production best practices such as WAF, comprehensive monitoring, structured logging, automated CI/CD pipelines, or security hardening. Use this as a starting point and extend it with production-grade features as needed.</p> <h2> Architecture </h2> <p>The deployment architecture consists of the following AWS services:</p> <ul> <li> <strong>AWS Lambda</strong> : Runs the TanStack Start server-side rendering with Node.js 24.x runtime</li> <li> <strong>API Gateway (REST API)</strong>: Provides HTTP endpoint with streaming support for Lambda responses</li> <li> <strong>CloudFront</strong> : CDN for distributing both dynamic and static content globally</li> <li> <strong>S3</strong> : Hosts static assets (JavaScript, CSS, images) generated during build</li> <li> <strong>IAM</strong> : Manages permissions for Lambda to access AWS Bedrock (for AI features)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13uudb37i000mpe3t26v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13uudb37i000mpe3t26v.png" alt="architecture" width="587" height="361"></a></p> <p>The architecture leverages streaming responses through API Gateway, which is essential for server-side rendering and AI-powered features that stream content to the client.</p> <h2> Implementation Steps </h2> <h3> Create the TanStack Start App </h3> <p>Start by creating a new TanStack Start application using the official CLI as described in the <a href="https://tanstack.com/start/latest/docs/framework/react/quick-start" rel="noopener noreferrer">TanStack Start Quick Start</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm create @tanstack/start </code></pre> </div> <p>When prompted, select <strong>Nitro</strong> as the deployment adapter since it provides a built-in AWS Lambda preset with streaming support.</p> <h4> Organize Project Structure </h4> <p>Move the generated TanStack application files to a <code>src/webapp</code> directory to separate the web application from the infrastructure code. This allows you to maintain both the CDK infrastructure and the application in the same repository.</p> <blockquote> <p><strong>Reference</strong> : See the project structure in <a href="https://github.com/JohannesKonings/tanstack-aws" rel="noopener noreferrer">tanstack-aws repository</a></p> </blockquote> <h4> Configure Vite and Nitro </h4> <p>Update your <code>vite.config.ts</code> to configure Nitro for AWS Lambda deployment with streaming enabled. This configuration is crucial for enabling response streaming:</p> <blockquote> <p><strong>Reference</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/vite.config.ts" rel="noopener noreferrer"><code>vite.config.ts</code></a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const config = defineConfig({ plugins: [ devtools(), nitro({ awsLambda: { streaming: true }, preset: "aws-lambda", }), viteTsConfigPaths({ projects: ["./tsconfig.json"], }), tailwindcss(), tanstackStart({ srcDirectory: "src/webapp", }), viteReact(), ], }); </code></pre> </div> <p><strong>Key configuration points:</strong></p> <ul> <li> <code>awsLambda: { streaming: true }</code>: Enables response streaming for Lambda</li> <li> <code>preset: 'aws-lambda'</code>: Uses Nitro's AWS Lambda adapter</li> <li> <code>srcDirectory: 'src/webapp'</code>: Points to the application source directory</li> </ul> <h3> Set Up AWS CDK Infrastructure </h3> <p>You can maintain the CDK infrastructure code in the same repository as your application. The infrastructure uses several custom constructs to deploy the complete stack.</p> <blockquote> <p><strong>Reference</strong> : All constructs are in <a href="https://github.com/JohannesKonings/tanstack-aws/tree/main/lib/constructs" rel="noopener noreferrer"><code>lib/constructs/</code></a></p> </blockquote> <h3> Webapp Server Lambda </h3> <p>Create a Lambda function construct that deploys the Nitro build output. The Lambda function runs the server-side rendering and API endpoints.</p> <blockquote> <p><strong>Reference</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/WebappServer.ts" rel="noopener noreferrer"><code>lib/constructs/WebappServer.ts</code></a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { Code, Function, Runtime } from "aws-cdk-lib/aws-lambda"; import { Duration, Tags } from "aws-cdk-lib"; import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam"; import { Construct } from "constructs"; import path from "node:path"; export class WebappServer extends Construct { readonly webappServer: Function; constructor(scope: Construct, id: string) { super(scope, id); this.webappServer = new Function(this, "WebappServer", { code: Code.fromAsset( path.join( path.dirname(new URL(import.meta.url).pathname), "../../.output/server", ), ), handler: "index.handler", memorySize: 2048, runtime: Runtime.NODEJS_24_X, timeout: Duration.seconds(60), }); Tags.of(this.webappServer).add("IsWebAppServer", "true"); this.webappServer.addToRolePolicy( new PolicyStatement({ actions: [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", ], effect: Effect.ALLOW, resources: ["*"], }), ); } } </code></pre> </div> <p><strong>Important details:</strong></p> <ul> <li> <strong>Code source</strong> : Points to <code>.output/server</code> generated by Nitro's build process (<code>nitro build</code>)</li> <li> <strong>Handler</strong> : <code>index.handler</code> is the default entry point created by Nitro</li> <li> <strong>Memory</strong> : 2048 MB provides adequate resources for SSR operations</li> <li> <strong>Runtime</strong> : Node.js 24.x for latest features and performance</li> <li> <strong>Bedrock permissions</strong> : Added for AI chat functionality (optional, remove if not needed)</li> </ul> <h3> Assets Bucket and Deployment </h3> <p>Create an S3 bucket to host static assets generated during the build process:</p> <blockquote> <p><strong>Reference</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/WebappAssetsBucket.ts" rel="noopener noreferrer"><code>lib/constructs/WebappAssetsBucket.ts</code></a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { Bucket } from "aws-cdk-lib/aws-s3"; import { Construct } from "constructs"; export class WebappAssetsBucket extends Construct { readonly assetsBucket: Bucket; constructor(scope: Construct, id: string) { super(scope, id); this.assetsBucket = new Bucket(this, "AssetsBucket"); } } </code></pre> </div> <p>Use the <code>BucketDeployment</code> construct to automatically upload static assets to S3 after each build and invalidate the CloudFront cache:</p> <blockquote> <p><strong>Reference</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/WebappAssetsDeployment.ts" rel="noopener noreferrer"><code>lib/constructs/WebappAssetsDeployment.ts</code></a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { BucketDeployment, Source } from "aws-cdk-lib/aws-s3-deployment"; import { Bucket } from "aws-cdk-lib/aws-s3"; import { Construct } from "constructs"; import type { Distribution } from "aws-cdk-lib/aws-cloudfront"; import path from "node:path"; type WebappAssetsDeploymentProps = { assetsBucket: Bucket; distribution: Distribution; }; export class WebappAssetsDeployment extends Construct { constructor( scope: Construct, id: string, props: WebappAssetsDeploymentProps, ) { super(scope, id); const { assetsBucket, distribution } = props; const sourcePath = path.join( path.dirname(new URL(import.meta.url).pathname), "../../.output/public", ); new BucketDeployment(this, "AssetBucketDeployment", { destinationBucket: assetsBucket, distribution, distributionPaths: ["/*"], sources: [Source.asset(sourcePath)], }); } } </code></pre> </div> <p><strong>Key features:</strong></p> <ul> <li> <strong>Source</strong> : Points to <code>.output/public</code> where Nitro generates static assets</li> <li> <strong>Cache invalidation</strong> : <code>distributionPaths: ["/*"]</code> invalidates CloudFront cache on deployment</li> <li> <strong>Automatic deployment</strong> : Runs during CDK deployment to sync assets</li> </ul> <h3> API Gateway with Streaming </h3> <p>Create a REST API Gateway that integrates with the Lambda function and enables streaming responses:</p> <blockquote> <p><strong>Reference</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/WebappApi.ts" rel="noopener noreferrer"><code>lib/constructs/WebappApi.ts</code></a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { EndpointType, LambdaRestApi, ResponseTransferMode, } from "aws-cdk-lib/aws-apigateway"; import { Construct } from "constructs"; import { Function } from "aws-cdk-lib/aws-lambda"; type WebappApiProps = { webappServer: Function; }; export class WebappApi extends Construct { readonly webappApi: LambdaRestApi; constructor(scope: Construct, id: string, props: WebappApiProps) { super(scope, id); const { webappServer } = props; this.webappApi = new LambdaRestApi(this, "WebappApi", { endpointConfiguration: { types: [EndpointType.REGIONAL], }, handler: webappServer, integrationOptions: { responseTransferMode: ResponseTransferMode.STREAM, }, }); } } </code></pre> </div> <p><strong>Critical configuration:</strong></p> <ul> <li> <strong><code>ResponseTransferMode.STREAM</code></strong> : Enables streaming responses from Lambda, essential for SSR and AI streaming</li> <li> <strong><code>LambdaRestApi</code></strong> : Automatically creates proxy integration for all routes</li> </ul> <h3> CloudFront Distribution </h3> <p>Set up CloudFront to serve both dynamic content (from API Gateway) and static assets (from S3):</p> <blockquote> <p><strong>Reference</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/WebappDistribution.ts" rel="noopener noreferrer"><code>lib/constructs/WebappDistribution.ts</code></a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { AllowedMethods, CachePolicy, Distribution, OriginRequestPolicy, PriceClass, ResponseHeadersPolicy, ViewerProtocolPolicy, } from "aws-cdk-lib/aws-cloudfront"; import { Construct } from "constructs"; import { RestApiOrigin, S3BucketOrigin, } from "aws-cdk-lib/aws-cloudfront-origins"; import type { Bucket } from "aws-cdk-lib/aws-s3"; import type { RestApi } from "aws-cdk-lib/aws-apigateway"; type DistributionProps = { webappServerApi: RestApi; assetsBucket: Bucket; }; export class WebappDistribution extends Construct { public readonly distribution: Distribution; constructor(scope: Construct, id: string, props: DistributionProps) { super(scope, id); const { webappServerApi, assetsBucket } = props; const s3BucketOrigin = S3BucketOrigin.withOriginAccessControl(assetsBucket); const defaultBehavior = { allowedMethods: AllowedMethods.ALLOW_ALL, cachePolicy: CachePolicy.CACHING_DISABLED, origin: new RestApiOrigin(webappServerApi), originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER, responseHeadersPolicy: ResponseHeadersPolicy.SECURITY_HEADERS, viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS, }; const staticAssetBehavior = { cachePolicy: CachePolicy.CACHING_OPTIMIZED, origin: s3BucketOrigin, viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS, }; this.distribution = new Distribution(this, "Distribution", { additionalBehaviors: { "/assets/*": staticAssetBehavior, "/favicon.ico": staticAssetBehavior, "/images/*": staticAssetBehavior, "/site.webmanifest": staticAssetBehavior, }, defaultBehavior, priceClass: PriceClass.PRICE_CLASS_100, }); } } </code></pre> </div> <p><strong>Key configuration:</strong></p> <ul> <li> <strong>Default behavior</strong> : Routes all requests to API Gateway with caching disabled (for dynamic SSR content)</li> <li> <strong>Additional behaviors</strong> : Routes specific paths (<code>/assets/*</code>, <code>/images/*</code>, etc.) to S3 with optimized caching</li> <li> <strong>Origin Access Control</strong> : Uses OAC (recommended over OAI) for secure S3 access</li> <li> <strong>Security headers</strong> : Automatically adds security headers to responses</li> <li> <strong>Price class</strong> : <code>PRICE_CLASS_100</code> uses edge locations in North America and Europe (adjust as needed)</li> </ul> <h3> Wire Everything Together </h3> <p>Create a main construct that integrates all the components:</p> <blockquote> <p><strong>Reference</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/lib/constructs/Webapp.ts" rel="noopener noreferrer"><code>lib/constructs/Webapp.ts</code></a><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { Construct } from "constructs"; import { WebappDistribution } from "./WebappDistribution.ts"; import { WebappServer } from "./WebappServer.ts"; import { WebappAssetsDeployment } from "./WebappAssetsDeployment.ts"; import { WebappAssetsBucket } from "./WebappAssetsBucket.ts"; import { WebappApi } from "./WebappApi.ts"; export class Webapp extends Construct { constructor(scope: Construct, id: string) { super(scope, id); const webappServer = new WebappServer(this, "WebappServer"); const webappApi = new WebappApi(this, "WebappApi", { webappServer: webappServer.webappServer, }); const assetsBucket = new WebappAssetsBucket(this, "WebappAssetsBucket"); const distribution = new WebappDistribution(this, "WebappDistribution", { assetsBucket: assetsBucket.assetsBucket, webappServerApi: webappApi.webappApi, }); new WebappAssetsDeployment(this, "WebappAssetsDeployment", { assetsBucket: assetsBucket.assetsBucket, distribution: distribution.distribution, }); } } </code></pre> </div> <p>This construct orchestrates the deployment by:</p> <ol> <li>Creating the Lambda function with the server code</li> <li>Setting up API Gateway to route requests to Lambda</li> <li>Creating the S3 bucket for static assets</li> <li>Configuring CloudFront distribution with proper routing</li> <li>Deploying static assets and invalidating the cache</li> </ol> <h3> Build and Deploy </h3> <p>To build and deploy the application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Install dependencies pnpm install # Build the TanStack Start application pnpm webapp:build # Deploy the CDK stack pnpm cdk deploy </code></pre> </div> <blockquote> <p><strong>Reference</strong> : See <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/package.json" rel="noopener noreferrer"><code>package.json</code></a> for all available scripts</p> </blockquote> <p><strong>Build process:</strong></p> <ol> <li> <code>pnpm webapp:build</code> runs <code>vite build</code>, which uses Nitro to compile the app</li> <li>Nitro generates two outputs: <ul> <li> <code>.output/server/</code> - Lambda function code</li> <li> <code>.output/public/</code> - Static assets</li> </ul> </li> <li>CDK deployment packages the Lambda code and uploads static assets to S3</li> </ol> <h2> Results </h2> <p>After deployment, you'll receive a CloudFront URL where your application is accessible. The architecture provides:</p> <ul> <li> <strong>Fast global delivery</strong> : CloudFront CDN serves content from edge locations</li> <li> <strong>Efficient caching</strong> : Static assets cached at edge, dynamic content from Lambda</li> <li> <strong>Streaming support</strong> : Real-time responses for SSR and AI features</li> <li> <strong>Scalability</strong> : Auto-scaling Lambda functions handle traffic spikes</li> </ul> <h3> Example Deployment </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbp654yaka0b5kma6h75.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbp654yaka0b5kma6h75.png" alt="deployed start page" width="800" height="509"></a></p> <p>The template repository includes a demo chat application powered by AWS Bedrock (Claude AI) with streaming responses:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbq06puemuzvex28i7bj7.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbq06puemuzvex28i7bj7.gif" alt="tanchat" width="560" height="352"></a></p> <h2> Key Dependencies </h2> <p>The implementation relies on these main packages (see <a href="https://github.com/JohannesKonings/tanstack-aws/blob/main/package.json" rel="noopener noreferrer"><code>package.json</code></a> for exact versions):</p> <p><strong>TanStack ecosystem:</strong></p> <ul> <li> <code>@tanstack/react-start</code> - Full-stack React framework</li> <li> <code>@tanstack/react-router</code> - File-based routing</li> <li> <code>@tanstack/react-query</code> - Data fetching and caching</li> <li> <code>@tanstack/store</code> - State management</li> </ul> <p><strong>Build tools:</strong></p> <ul> <li> <code>nitro</code> - Universal JavaScript server with AWS Lambda preset</li> <li> <code>vite</code> - Frontend build tool</li> <li> <code>tailwindcss</code> - Utility-first CSS framework</li> </ul> <p><strong>AWS infrastructure:</strong></p> <ul> <li> <code>aws-cdk-lib</code> - AWS Cloud Development Kit</li> <li> <code>constructs</code> - CDK construct library</li> </ul> <h2> Alternative Deployment Options </h2> <p>While this guide focuses on API Gateway, the template repository also demonstrates Lambda Function URLs as an alternative origin. Function URLs provide a simpler setup but may require additional configuration for authentication (e.g., Lambda@Edge for SigV4 signing).</p> <blockquote> <p><strong>Note</strong> : The commented code in the reference implementation shows the Function URL approach for comparison.</p> </blockquote> <h2> Sources and References </h2> <ul> <li> <strong>Template repository</strong> : <a href="https://github.com/JohannesKonings/tanstack-aws" rel="noopener noreferrer">github.com/JohannesKonings/tanstack-aws</a> </li> <li> <strong>TanStack Start</strong> : <a href="https://tanstack.com/start" rel="noopener noreferrer">tanstack.com/start</a> </li> <li> <strong>Nitro framework</strong> : <a href="https://nitro.unjs.io" rel="noopener noreferrer">nitro.unjs.io</a> </li> <li> <strong>AWS CDK</strong> : <a href="https://docs.aws.amazon.com/cdk" rel="noopener noreferrer">docs.aws.amazon.com/cdk</a> </li> <li> <strong>Inspired by</strong> : <a href="https://github.com/zhe/tanstack-start-aws-cdk" rel="noopener noreferrer">github.com/zhe/tanstack-start-aws-cdk</a> </li> </ul> aws cdk tanstack Johannes Konings Fri, 28 Nov 2025 08:15:18 +0000 https://dev.to/aws-builders/encrypt-all-lambda-environment-variables-with-aws-cdk-aspectsmixins-7of https://dev.to/aws-builders/encrypt-all-lambda-environment-variables-with-aws-cdk-aspectsmixins-7of <h2> Introduction </h2> <p>If you need to ensure that all AWS Lambda environment variables are encrypted with a customer-managed KMS key for compliance or security requirements, you can achieve this using AWS CDK aspects or mixins.</p> <p>While Lambda functions that you create directly can be configured with the <code>environmentEncryption</code> property, third-party libraries or construct libraries may create Lambda functions where you don't have direct control over their configuration.</p> <p>In such cases, you can use aspects or mixins to enforce encryption on all Lambda functions in your CDK app, regardless of how they were created.</p> <h2> Aspect, Property Injection or Mixin? </h2> <p><a href="https://docs.aws.amazon.com/cdk/v2/guide/aspects.html" rel="noopener noreferrer">Aspects</a> are a way to modify the CDK synth result on a L1 level after the constructs have been created. They are executed during the Prepare phase of the CDK lifecycle, after all constructs are created.</p> <p><a href="https://docs.aws.amazon.com/cdk/v2/guide/blueprints.html" rel="noopener noreferrer">Property Injection</a> is a way to modify the properties of L2 constructs before they are instantiated. Property injection happens during the Construct phase, at the time each construct is created.</p> <p><a href="https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/mixins-preview/README.md" rel="noopener noreferrer">Mixins</a> can be used to modify constructs at any level (L1, L2, or L3). They are executed immediately when applied, unlike Aspects which execute later during synthesis.</p> <h3> Implementation </h3> <p>The stack look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>export class StackMain extends Stack { readonly encryptionKey: Key; constructor(scope: Construct, id: string, props: StackMainProps) { super(scope, id, props); this.encryptionKey = new Key(this, "EncryptionKey", { enableKeyRotation: true, }); // Direct Lambda - environment encryption can be set directly new Function(this, "MyFunction", { code: Code.fromInline( 'exports.handler = async function(event, context) { return "Hello World"; };', ), handler: "index.handler", runtime: Runtime.NODEJS_LATEST, environmentEncryption: this.encryptionKey, environment: { DUMMY: "dummy", }, }); // Indirect Lambda from third-party library - environment encryption cannot be controlled directly // Note: This is a hypothetical third-party construct for demonstration purposes new Lambda(this, "DummyThirdPartyLambda"); } } </code></pre> </div> <p>The app could look like this (using either Aspect or Mixin):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const app = new App(); const stack = new StackMain(app, "StackMain", {}); // Option 1: Use Aspect (recommended for production - stable API) Aspects.of(app).add( new LambdaEnvEncryptionSetterAspect(stack.encryptionKey.keyArn), ); // Option 2: Use Mixin (developer preview - more flexible but API may change) // Mixins.of(app).apply( // new LambdaEnvEncryptionSetterMixin(stack.encryptionKey.keyArn), // ); // could not be used because the functions are created before the property injection happens, but the key is needed for the injection // PropertyInjectors.of(app).add( // new LambdaEnvEncryptionSetterAspectPropertyInjection(stack.encryptionKey), // ); </code></pre> </div> <h3> Aspect </h3> <p>Here is an example of an aspect that encrypts all Lambda environment variables. This aspect operates on L1 (CfnFunction) constructs and sets the <code>kmsKeyArn</code> property during the synthesis Prepare phase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import type { IAspect } from "aws-cdk-lib"; import { CfnFunction } from "aws-cdk-lib/aws-lambda"; import type { IConstruct } from "constructs"; export class LambdaEnvEncryptionSetterAspect implements IAspect { public readonly kmsKeyArn: string; constructor(kmsKeyArn: string) { this.kmsKeyArn = kmsKeyArn; } visit(node: IConstruct): void { if (node instanceof CfnFunction) { node.kmsKeyArn = this.kmsKeyArn; } } } </code></pre> </div> <h3> Property Injector </h3> <p>Property Injection cannot be used in this specific case because:</p> <ol> <li>Property Injection only works with L2 constructs (like <code>lambda.Function</code>), not L1 constructs (like <code>lambda.CfnFunction</code>)</li> <li>Third-party libraries might create L1 constructs directly, bypassing the L2 construct layer</li> <li>Creating the KMS key in the same stack while trying to inject it creates a timing issue, as injection happens during construct instantiation</li> </ol> <p>Here's what the code would look like if you could use it (for reference only):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { type InjectionContext, type IPropertyInjector } from "aws-cdk-lib"; import { IKey } from "aws-cdk-lib/aws-kms"; import { Function, FunctionProps } from "aws-cdk-lib/aws-lambda"; export class LambdaEnvEncryptionSetterPropertyInjector implements IPropertyInjector { public readonly constructUniqueId: string; constructor(private readonly key: IKey) { this.constructUniqueId = Function.PROPERTY_INJECTION_ID; } public inject( originalProps: FunctionProps, _context: InjectionContext, ): FunctionProps { return { ...originalProps, environmentEncryption: this.key, }; } } </code></pre> </div> <h3> Mixin </h3> <p>Mixins are currently in developer preview (as of November 2025). Unlike Aspects, Mixins are applied immediately when called, giving you more control over when and how changes are applied. Here is an example of a mixin that encrypts all Lambda environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import { Mixin } from "@aws-cdk/mixins-preview/core"; import "@aws-cdk/mixins-preview/with"; import { IConstruct } from "constructs"; import { CfnFunction } from "aws-cdk-lib/aws-lambda"; export class LambdaEnvEncryptionSetterMixin implements Mixin { private readonly kmsKeyArn: string; constructor(kmsKeyArn: string) { this.kmsKeyArn = kmsKeyArn; } public supports(construct: IConstruct): boolean { return construct instanceof CfnFunction; } public applyTo(construct: IConstruct): IConstruct { if (construct instanceof CfnFunction) { construct.kmsKeyArn = this.kmsKeyArn; } return construct; } } </code></pre> </div> <h2> Conclusion </h2> <p>Using AWS CDK aspects or mixins, you can enforce encryption on all AWS Lambda environment variables in your CDK app, even when using third-party libraries that create Lambda functions. This approach ensures that your Lambda functions adhere to security best practices without requiring direct control over their configuration.</p> <h3> Which Approach to Use? </h3> <p>Based on the <a href="https://github.com/aws/aws-cdk-rfcs/pull/824" rel="noopener noreferrer">AWS CDK Mixins RFC</a>, the recommended usage is:</p> <ul> <li> <strong>Aspects</strong> : Use for validation and compliance enforcement. This is the stable, production-ready approach.</li> <li> <strong>Mixins</strong> : Use for making changes to constructs. However, since Mixins are still in Developer Preview, the API may change.</li> </ul> <p><strong>Recommendation for Production</strong> : Use <strong>Aspects</strong> for now, as they provide a stable API and are specifically designed for this type of cross-cutting concern. Once Mixins reach general availability, they may offer additional benefits for construct composition.</p> <h2> Sources </h2> <ul> <li><a href="https://docs.aws.amazon.com/cdk/v2/guide/aspects.html" rel="noopener noreferrer">https://docs.aws.amazon.com/cdk/v2/guide/aspects.html</a></li> <li><a href="https://docs.aws.amazon.com/cdk/v2/guide/blueprints.html" rel="noopener noreferrer">https://docs.aws.amazon.com/cdk/v2/guide/blueprints.html</a></li> <li><a href="https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/mixins-preview/README.md" rel="noopener noreferrer">https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/mixins-preview/README.md</a></li> <li><a href="https://dev.to/aws-heroes/using-aws-cdk-property-injectors-2mo5">https://dev.to/aws-heroes/using-aws-cdk-property-injectors-2mo5</a></li> <li><a href="https://dev.to/aws-heroes/aws-cdk-introduces-mixins-a-major-feature-for-flexible-construct-composition-developer-preview-583d">https://dev.to/aws-heroes/aws-cdk-introduces-mixins-a-major-feature-for-flexible-construct-composition-developer-preview-583d</a></li> <li><a href="https://dev.to/aws/announcing-aws-cdk-mixins-composable-abstractions-for-aws-resources-588m">https://dev.to/aws/announcing-aws-cdk-mixins-composable-abstractions-for-aws-resources-588m</a></li> <li><a href="https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption" rel="noopener noreferrer">https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption</a></li> </ul> aws cdk lambda Johannes Konings Thu, 27 Nov 2025 08:15:18 +0000 https://dev.to/aws-builders/granular-statement-cdk-nag-awssolutions-iam5-suppressions-16pn https://dev.to/aws-builders/granular-statement-cdk-nag-awssolutions-iam5-suppressions-16pn <h2> Overview </h2> <p>cdk-nag’s AwsSolutions-IAM5 rule is one of the most frequent findings in real-world stacks. It flags wildcard permissions in both <code>Action</code> (e.g., <code>kms:GenerateDataKey*</code>) and <code>Resource</code> (e.g., <code>*</code>) when there is no evidence-backed suppression. The challenge is that some AWS APIs are designed to require <code>*</code> (e.g., <a href="https://docs.aws.amazon.com/xray/latest/devguide/security_iam_service-with-iam.html" rel="noopener noreferrer">AWS X-Ray</a>). Blanket suppressions hide too much. This post demonstrates how to record granular evidence specifically for actions that require <code>*</code>, ensuring that all other findings remain active.</p> <h2> Understanding the Problem </h2> <h3> Why IAM5 triggers </h3> <p>You’ll hit AwsSolutions-IAM5 when a policy uses an asterisk (<code>"*"</code>) in the resource or wildcards in actions. This is beneficial because least privilege is critical. However, several AWS APIs require <code>*</code> by design, or you might initially group actions broadly before refining the scope. Common examples include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>new PolicyStatement({ actions: ["xray:PutTelemetryRecords", "xray:PutTraceSegments"], resources: ["*"], effect: Effect.ALLOW, }); new PolicyStatement({ actions: ["kms:GenerateDataKey*", "kms:ReEncrypt*"], resources: [ "arn:aws:kms:eu-central-1:471112809534:key/a096e96c-780e-48eb-993b-5b8cc46d8fd7", ], effect: Effect.ALLOW, }), </code></pre> </div> <h3> Example Failure </h3> <p>An IAM5 failure typically looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Error at /StackMain/MyRole/Policy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permissions. </code></pre> </div> <h3> Why blanket suppression isn't enough </h3> <p>Suppressing the entire resource or the entire rule hides legitimate issues and loses the evidence that auditors expect. The goal is to:</p> <ul> <li>Keep the rule active for statements that can be scoped.</li> <li>Provide explicit evidence for the few actions that require <code>*</code>. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Bad: over-broad, hides everything NagSuppressions.addResourceSuppressions(role, [ { id: "AwsSolutions-IAM5", reason: "needs wildcard" }, ]); </code></pre> </div> <p>This approach makes reviews harder and weakens the principle of least privilege.</p> <h2> The Solution </h2> <h3> Overview </h3> <p>The solution involves using granular suppressions that document exactly which actions require <code>*</code> and why. Everything else remains flagged by cdk-nag. The<a href="https://github.com/JohannesKonings/cdk-nag-custom-nag-pack" rel="noopener noreferrer">cdk-nag-custom-nag-pack</a> automates this by:</p> <ol> <li>Inspecting policy statements with <code>*</code>.</li> <li>Adding a single AwsSolutions-IAM5 suppression per resource with <code>appliesTo</code> evidence for only those actions.</li> <li>Leaving non-allowed wildcard actions reported so you can scope them properly.</li> </ol> <h3> Implementation </h3> <p>The repository includes a dedicated helper (<code>iam5NagSuppressions.ts</code>) that applies these granular suppressions automatically. The essential components are:</p> <ul> <li> <strong>Statement scanning</strong> : Iterates IAM policy statements and selects those with <code>Resource: *</code> (including arrays that contain <code>*</code>).</li> <li> <strong>Evidence builder</strong> : Produces <code>appliesTo</code> entries for <code>Resource::*</code> and only the allow-listed <code>Action::&lt;service:operation&gt;</code> values present in the statement.</li> <li> <strong>Targeting</strong> : Attaches a single <code>AwsSolutions-IAM5</code> suppression to each IAM Policy construct via its path, leaving any non-allowed wildcard actions unsuppressed (so they continue to fail until scoped).</li> </ul> <p>You can find the source code here: <a href="https://github.com/JohannesKonings/cdk-nag-custom-nag-pack/blob/main/src/iam5NagSuppressions.ts" rel="noopener noreferrer">iam5NagSuppressions.ts</a></p> <h3> Critical Difference: String-Based vs. Statement-Based Suppressions </h3> <p><strong>Important:</strong> There are two fundamentally different approaches to granular IAM5 suppressions, each offering different levels of safety:</p> <h4> 1. cdk-nag's Built-in <code>appliesTo</code> </h4> <p>The standard cdk-nag approach (see Example 6 in the <a href="https://github.com/cdklabs/cdk-nag?tab=readme-ov-file#suppressing-a-rule" rel="noopener noreferrer">cdk-nag docs</a>) relies on string patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NagSuppressions.addResourceSuppressions( lambda, [ { id: "AwsSolutions-IAM5", reason: "X-Ray requires wildcard", appliesTo: ["Resource::*"], }, ], true, ); </code></pre> </div> <p><strong>The Problem:</strong> This suppresses <code>Resource::*</code> and the specified actions <strong>anywhere they appear</strong> in the construct tree. If you later add a new policy statement like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// This will be silently suppressed! new PolicyStatement({ actions: ["xray:PutTelemetryRecords"], // Matches the suppression resources: ["*"], // Matches the suppression effect: Effect.ALLOW, }); </code></pre> </div> <p>The suppression hides it because the <strong>strings match</strong> , even though this might be an unintended permission you added months later.</p> <h4> 2. cdk-nag-custom-nag-pack's Statement Validation </h4> <p>The <a href="https://github.com/JohannesKonings/cdk-nag-custom-nag-pack?tab=readme-ov-file#granular-awssolutions-iam5-suppressions" rel="noopener noreferrer">cdk-nag-custom-nag-pack approach</a> requires exact statement matching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const policyStatementForSuppression: PolicyStatementProps = { actions: ["xray:PutTelemetryRecords", "xray:PutTraceSegments"], resources: ["*"], effect: Effect.ALLOW, }; Iam5NagSuppressions.addIam5StatementResourceSuppressions( lambda, { id: "AwsSolutions-IAM5", reason: "X-Ray requires wildcard", appliesTo: [policyStatementForSuppression], }, true, ); </code></pre> </div> <p><strong>The Benefit:</strong> The suppression applies only if there is an <strong>exact match</strong> of the entire policy statement (Effect, Actions, Resources). If you add a new statement with different actions or resources later:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// This will NOT be suppressed - it will be flagged! new PolicyStatement({ actions: ["xray:PutTelemetryRecords", "s3:*"], // Different actions resources: ["*"], effect: Effect.ALLOW, }); </code></pre> </div> <p>It will be flagged because the statement does not match exactly. This prevents the accidental hiding of new wildcards added over time.</p> <p><strong>Key Takeaway:</strong> The <code>cdk-nag-custom-nag-pack</code> method validates the complete policy statement structure, whereas cdk-nag's built-in <code>appliesTo</code> relies on string patterns that may inadvertently suppress unrelated future wildcards.</p> <h3> Benefits </h3> <p>This statement-based approach:</p> <ul> <li>Documents exactly why <code>*</code> is needed for specific AWS APIs</li> <li>Keeps AwsSolutions-IAM5 active for everything else</li> <li>Produces review-ready evidence via <code>appliesTo</code> </li> <li><strong>Prevents accidental suppression of future wildcard permissions</strong></li> </ul> <h3> Lambda Construct Wildcard Scenario </h3> <p>The <code>aws-lambda.Function</code> construct (and its default execution role or managed policies) often introduces unavoidable wildcard permissions, such as those required for CloudWatch Logs creation or X-Ray tracing.</p> <p><strong>The Risk:</strong> If you suppress <code>AwsSolutions-IAM5</code> broadly at the Function or Role level, you inadvertently hide <em>every</em> future wildcard you might add (e.g., <code>s3:*</code> or <code>dynamodb:*</code>).</p> <p><strong>The Granular Strategy:</strong></p> <ol> <li> <strong>Isolate:</strong> Put truly unavoidable wildcard actions (e.g., <code>logs:CreateLogGroup</code>, <code>xray:PutTraceSegments</code>) in their own dedicated <code>PolicyStatement</code>.</li> <li> <strong>Suppress:</strong> Apply the suppression <em>only</em> to that specific statement, citing the AWS service limitation as the reason.</li> <li> <strong>Scope:</strong> Ensure all other actions are scoped to specific ARNs (log streams, tables, buckets, queues, etc.).</li> <li> <strong>Avoid:</strong> Do not use parent-level suppressions, as they mask future configuration drift.</li> </ol> <p><strong>Result:</strong> Required wildcards are documented and allowed, while accidental broad permissions continue to be reported.</p> <h2> Additional Resources </h2> <ul> <li><a href="https://github.com/JohannesKonings/cdk-nag-custom-nag-pack?tab=readme-ov-file#granular-awssolutions-iam5-suppressions" rel="noopener noreferrer">cdk-nag-custom-nag-pack - Granular IAM5 suppressions</a></li> <li><a href="https://github.com/cdklabs/cdk-nag" rel="noopener noreferrer">cdk-nag documentation</a></li> </ul> aws cdk cdknag