DEV Community: Koby Bass The latest articles on DEV Community by Koby Bass (@kobybass). https://dev.to/kobybass https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1451467%2Fdd3bdffd-92af-4d95-9dea-69b159151b91.jpeg DEV Community: Koby Bass https://dev.to/kobybass en TypeScript AWS Policies Koby Bass Fri, 07 Mar 2025 19:09:25 +0000 https://dev.to/kobybass/typescript-aws-policies-4nan https://dev.to/kobybass/typescript-aws-policies-4nan <blockquote> <p>For more details and CDK libraries, check out the <a href="https://github.com/kobybum/cdk-libs" rel="noopener noreferrer">@cdklib project readme</a>.<br> This post is also available on <a href="https://koby.one/blog/DevOps/aws-policy" rel="noopener noreferrer">my blog</a></p> </blockquote> <p>After working with AWS for a while, I've found myself writing the same IAM policy patterns over and over. Whether you're using CDK, Terraform, or just the AWS console, policy creation often involves copying JSON snippets and tweaking them for your specific resources.</p> <p>I wanted a more TypeScript-friendly way to handle this common task, so I built <code>@cdklib/aws-policy</code> - a simple library that brings type safety to AWS IAM policies.</p> <p>It's designed to work with any TypeScript project, whether you're using infrastructure as code tools or creating resources dynamically (tenant provisioning, etc).</p> <h2> Life As We Know It </h2> <p>If you've worked with AWS IAM policies in TypeScript, you're probably familiar with awkward patterns like these:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Approach 1: JSON.stringify a raw object</span> <span class="kd">const</span> <span class="nx">bucketPolicy</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="na">Statement</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3:GetObject</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:ListBucket</span><span class="dl">"</span><span class="p">],</span> <span class="na">Resource</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">arn:aws:s3:::my-bucket</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">arn:aws:s3:::my-bucket/*</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="c1">// Approach 2: Template literals</span> <span class="kd">const</span> <span class="nx">bucketName</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">app-assets</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">policyJson</span> <span class="o">=</span> <span class="s2">`{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [ "arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">", "arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">/*" ] } ] }`</span><span class="p">;</span> <span class="c1">// Approach 3: CDK policies with duplicated statement wrappers</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3:GetObject</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:ListBucket</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">/*`</span><span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>These approaches have several drawbacks:</p> <ul> <li>No TypeScript intellisense for action names or effect types</li> <li>Duplication of Version and Statement wrapper boilerplate (that never changes)</li> <li>Error-prone when you need to modify for multiple resources</li> <li>Inconsistent approaches across your codebase</li> </ul> <h2> Life with <code>@cdklib/aws-policy</code> </h2> <p>At its core, <code>@cdklib/aws-policy</code> lets you:</p> <ol> <li>Create policies with TypeScript instead of JSON</li> <li>Get intellisense and type checking for your policy statements</li> <li>Build reusable policy templates with parameters</li> <li>Easily import AWS examples into your codebase</li> </ol> <p>Let's look at how it works.</p> <h2> Basic Usage </h2> <p>First, install the package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @cdklib/aws-policy </code></pre> </div> <p>Here's a simple example of creating a policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AwsPolicy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@cdklib/aws-policy</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Create a policy with multiple statements</span> <span class="kd">const</span> <span class="nx">bucketPolicy</span> <span class="o">=</span> <span class="nx">AwsPolicy</span><span class="p">.</span><span class="k">from</span><span class="p">(</span> <span class="p">{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3:GetObject</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:ListBucket</span><span class="dl">"</span><span class="p">],</span> <span class="na">Resource</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">arn:aws:s3:::my-bucket</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">arn:aws:s3:::my-bucket/*</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Deny</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">s3:DeleteObject</span><span class="dl">"</span><span class="p">,</span> <span class="na">Resource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:s3:::my-bucket/*</span><span class="dl">"</span><span class="p">,</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Get JSON output - the Version is automatically added</span> <span class="kd">const</span> <span class="nx">policyJson</span> <span class="o">=</span> <span class="nx">bucketPolicy</span><span class="p">.</span><span class="nf">toJson</span><span class="p">();</span> </code></pre> </div> <p>This gives you the same JSON policy you'd write by hand, but with TypeScript's help along the way. If you try to use an invalid effect type or forget a required field, your editor will let you know immediately.</p> <h2> Importing AWS Examples </h2> <p>Many times you just want to copy an example from the AWS docs and use it in your code.</p> <p>The library makes it extremely easy - just copy paste the statements, and format-on-save will do the rest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Example straight from AWS docs:</span> <span class="c1">// {</span> <span class="c1">// "Effect": "Allow",</span> <span class="c1">// "Action": "s3:ListBucket",</span> <span class="c1">// "Resource": "arn:aws:s3:::example_bucket"</span> <span class="c1">// }</span> <span class="c1">// Import into TypeScript</span> <span class="kd">const</span> <span class="nx">policy</span> <span class="o">=</span> <span class="nx">AwsPolicy</span><span class="p">.</span><span class="k">from</span><span class="p">({</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">s3:ListBucket</span><span class="dl">"</span><span class="p">,</span> <span class="na">Resource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:s3:::example_bucket</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>You can also import existing policy JSON from files or APIs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">rawStatement</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">policy.json</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">importedPolicy</span> <span class="o">=</span> <span class="nx">AwsPolicy</span><span class="p">.</span><span class="nf">fromRaw</span><span class="p">(</span><span class="nx">rawStatement</span><span class="p">);</span> </code></pre> </div> <h2> Reusable Policy Templates </h2> <p>As you build more AWS resources, you'll find yourself creating similar policies with slight variations. For example, you might need S3 bucket policies with different bucket names. That's where prepared policies become useful:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AwsPreparedPolicy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@cdklib/aws-policy</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Define a reusable policy template</span> <span class="kd">const</span> <span class="nx">s3BucketPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AwsPreparedPolicy</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">(({</span><span class="nx">bucketName</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3:GetObject</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:ListBucket</span><span class="dl">"</span><span class="p">],</span> <span class="na">Resource</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">/*`</span><span class="p">,</span> <span class="p">],</span> <span class="p">}));</span> <span class="c1">// Use it for different buckets</span> <span class="kd">const</span> <span class="nx">userDataPolicy</span> <span class="o">=</span> <span class="nx">s3BucketPolicy</span><span class="p">.</span><span class="nf">fill</span><span class="p">({</span> <span class="na">bucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user-data</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">appAssetsPolicy</span> <span class="o">=</span> <span class="nx">s3BucketPolicy</span><span class="p">.</span><span class="nf">fill</span><span class="p">({</span> <span class="na">bucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">app-assets</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// You can also partially fill templates with .fillPartial() for progressive parameter filling</span> <span class="kd">const</span> <span class="nx">partialPolicy</span> <span class="o">=</span> <span class="nx">s3BucketPolicy</span><span class="p">.</span><span class="nf">fillPartial</span><span class="p">({</span> <span class="na">bucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user-data</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">fullPolicy</span> <span class="o">=</span> <span class="nx">partialPolicy</span><span class="p">.</span><span class="nf">fill</span><span class="p">({</span> <span class="na">otherParam</span><span class="p">:</span> <span class="dl">"</span><span class="s2">value</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <p>This approach helps eliminate duplicate code while keeping your policies type-safe.</p> <h2> Integration with CdkConfig </h2> <p>If you're using the <code>@cdklib/config</code> library I mentioned in my <a href="https://koby.one/blog/DevOps/cdk-config/" rel="noopener noreferrer">previous post</a>, you can create policies that use the CDK scope to access configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AwsPreparedPolicy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@cdklib/aws-policy</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">awsConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./config/aws</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Define a policy that includes scope as a parameter</span> <span class="kd">const</span> <span class="nx">s3BucketPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AwsPreparedPolicy</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">;</span> <span class="nl">bucketName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">(({</span> <span class="nx">scope</span><span class="p">,</span> <span class="nx">bucketName</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Get config values from scope</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accountId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">awsConfig</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">scope</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3:GetObject</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:ListBucket</span><span class="dl">"</span><span class="p">],</span> <span class="na">Resource</span><span class="p">:</span> <span class="p">[</span><span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">/*`</span><span class="p">],</span> <span class="na">Principal</span><span class="p">:</span> <span class="p">{</span> <span class="na">AWS</span><span class="p">:</span> <span class="s2">`arn:aws:iam::</span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2">:root`</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">});</span> <span class="c1">// Provide scope and parameters</span> <span class="kd">const</span> <span class="nx">policy</span> <span class="o">=</span> <span class="nx">s3BucketPolicy</span><span class="p">.</span><span class="nf">fill</span><span class="p">({</span> <span class="na">scope</span><span class="p">:</span> <span class="nx">myApp</span><span class="p">,</span> <span class="na">bucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">app-assets</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Combining Policies </h2> <p>You can combine multiple policies together, for example granting S3 read access and Lambda invoke access.</p> <p>The policy statements are combined - the library does not attempt to merge policies logically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Define individual policies</span> <span class="kd">const</span> <span class="nx">s3ReadPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AwsPreparedPolicy</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">(</span> <span class="p">({</span><span class="nx">bucketName</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3:GetObject</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:ListBucket</span><span class="dl">"</span><span class="p">],</span> <span class="na">Resource</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">bucketName</span><span class="p">}</span><span class="s2">/*`</span><span class="p">,</span> <span class="p">],</span> <span class="p">})</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">lambdaInvokePolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AwsPreparedPolicy</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">functionName</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">(</span> <span class="p">({</span><span class="nx">functionName</span><span class="p">})</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lambda:InvokeFunction</span><span class="dl">"</span><span class="p">,</span> <span class="na">Resource</span><span class="p">:</span> <span class="s2">`arn:aws:lambda:*:*:function:</span><span class="p">${</span><span class="nx">functionName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">})</span> <span class="p">);</span> <span class="c1">// Combine policies - parameters are combined</span> <span class="kd">const</span> <span class="nx">combinedPolicy</span> <span class="o">=</span> <span class="nx">AwsPreparedPolicy</span><span class="p">.</span><span class="nf">combine</span><span class="p">(</span> <span class="nx">s3ReadPolicy</span><span class="p">,</span> <span class="nx">lambdaInvokePolicy</span> <span class="p">);</span> <span class="c1">// Fill with all required parameters</span> <span class="kd">const</span> <span class="nx">policy</span> <span class="o">=</span> <span class="nx">combinedPolicy</span><span class="p">.</span><span class="nf">fill</span><span class="p">({</span> <span class="na">bucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">my-bucket</span><span class="dl">"</span><span class="p">,</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">my-function</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Closing Thoughts </h2> <p>The <code>@cdklib/aws-policy</code> library is a small utility that makes working with AWS IAM policies a bit nicer in TypeScript projects.</p> <p>The library is open source and available on GitHub, where you can find more examples and documentation. Feel free to use it, modify it, or build on it to fit your needs.</p> CDK Configuration Koby Bass Wed, 05 Mar 2025 15:30:17 +0000 https://dev.to/kobybass/cdk-configuration-5108 https://dev.to/kobybass/cdk-configuration-5108 <h2> Preface </h2> <p>Over the last 3 years I've started numerous IAC projects that utilized CDKs heavily -</p> <ul> <li>AWS CDK infrastructure and CloudFormation template generation</li> <li> <code>cdktf</code> for Terraform IAC</li> <li> <code>cdk8s</code> with ArgoCD for Kubernetes</li> </ul> <p>The main reason I like this stack so much, is the type-safety and easier learning curve that it provides.</p> <p>New people can easily navigate in the project, with the best intellisense and type safety that TypeScript can provide.</p> <p>While I really recommend using these tools, it's an emerging technology and hard to migrate to. If you're starting a new project, or a new company, I'd highly recommend you consider them.</p> <p>I'll cover these topics more thoroughly in future posts, but for now I'll focus on the configuration library that I've been developing over the last few years.</p> <blockquote> <h3> 💡 </h3> <p>I've met, and talked to many DevOps engineers who are against using anything other than plain Terraform and Helm. I've converted some of them to the dark side<br> But as they say - Different strokes for different folks.</p> </blockquote> <h2> <code>@cdklib/config</code> </h2> <p>Have you ever struggled with managing configuration across your dev, staging, and prod environments? You're not alone. While tools like Terragrunt (for Terraform) and Helm (for Kubernetes) handle this beautifully, we've been missing something similar in the CDK world.</p> <p>That's why I built <code>@cdklib/config</code> - a simple, type-safe configuration library for CDK projects. Whether you're using AWS CDK, cdktf, or cdk8s, this tool can help bring some sanity to your infrastructure code.</p> <h2> The Configuration Headache in CDK </h2> <p>If you've worked on CDK projects with multiple environments, you've probably faced these issues:</p> <ul> <li>Values hard-coded all over your code</li> <li>Messy if/else statements for different environments</li> <li>No type checking for your config values</li> <li>Each team member handling config differently</li> </ul> <p>These issues might not matter much in small projects, but they become real headaches as things grow.</p> <p>Another issue you may encounter, is having to copy a bunch of role ARNs to your Kubernetes / Helm charts.</p> <h2> How @cdklib/config Helps </h2> <p>This library brings a simple approach to configuration with several key benefits:</p> <ul> <li> <strong>Type safety</strong> - get TypeScript help with your configuration (using Zod for validation)</li> <li> <strong>Nested environments</strong> - organize configs like dev → dev/staging → dev/east/staging</li> <li> <strong>Calculated values</strong> - compute values based on environment and other settings</li> <li> <strong>Modular design</strong> - organize config logically for your needs</li> <li> <strong>Easy CDK integration</strong> - works with the CDK context system you already use</li> </ul> <h2> Getting Started </h2> <p>Installing is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @cdklib/config </code></pre> </div> <h3> Customizing Environment IDs (Recommended) </h3> <p>By default, an environment ID is any string. This is undesirable, since it's prone to typos and mistakes.</p> <p>For better type safety, you can define your own environment IDs in a <code>.d.ts</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// cdklib-config.d.ts</span> <span class="kr">declare</span> <span class="kr">module</span> <span class="dl">"</span><span class="s2">@cdklib/config/types</span><span class="dl">"</span> <span class="p">{</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">EnvId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">global</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">dev/staging</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">dev/qa</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">prod/us-central-1</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Then add this file to your <code>tsconfig.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"include"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="s2">"path/to/cdklib-config.d.ts"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This gives you autocompletion for your environments when using <code>set</code> and <code>get</code> methods.</p> <h3> Basic Example </h3> <p>Here's how to configure AWS account info across environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CdkConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@cdklib/config</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Define your configuration schema</span> <span class="kd">const</span> <span class="nx">awsSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">accountId</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">region</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()).</span><span class="nf">optional</span><span class="p">(),</span> <span class="p">});</span> <span class="c1">// Create and configure</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">awsConfig</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CdkConfig</span><span class="p">(</span><span class="nx">awsSchema</span><span class="p">)</span> <span class="p">.</span><span class="nf">setDefault</span><span class="p">({</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">ManagedBy</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CDK</span><span class="dl">"</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">dev</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">accountId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">123456789012</span><span class="dl">"</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-east-1</span><span class="dl">"</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Environment</span><span class="p">:</span> <span class="dl">"</span><span class="s2">development</span><span class="dl">"</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">prod</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">accountId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">987654321098</span><span class="dl">"</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-west-2</span><span class="dl">"</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Environment</span><span class="p">:</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Get configuration for a specific environment</span> <span class="kd">const</span> <span class="nx">devConfig</span> <span class="o">=</span> <span class="nx">awsConfig</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">dev/staging</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">devConfig</span><span class="p">);</span> <span class="c1">// {</span> <span class="c1">// accountId: '123456789012',</span> <span class="c1">// region: 'us-east-1',</span> <span class="c1">// tags: { ManagedBy: 'CDK', Environment: 'development' }</span> <span class="c1">// }</span> </code></pre> </div> <p>What I love about this approach:</p> <ol> <li>Your configuration is <strong>type-safe</strong> - TypeScript helps you include all the required fields</li> <li>It's <strong>validated when you run it</strong> - clear errors if you're missing something important, before you start applying your infrastructure</li> <li>It's <strong>all in one place</strong> - no more hunting through code for environment settings</li> </ol> <h2> Building Nested Environments </h2> <p>As projects grow, you often need more detailed environment definitions. The library makes this simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">awsConfig</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CdkConfig</span><span class="p">(</span><span class="nx">awsSchema</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">dev</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">accountId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">123456789012</span><span class="dl">"</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-east-1</span><span class="dl">"</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">dev/staging</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Environment</span><span class="p">:</span> <span class="dl">"</span><span class="s2">staging</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">stagingConfig</span> <span class="o">=</span> <span class="nx">awsConfig</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">dev/staging</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// {</span> <span class="c1">// accountId: '123456789012', // Inherited from 'dev'</span> <span class="c1">// region: 'us-east-1', // Inherited from 'dev'</span> <span class="c1">// tags: { Environment: 'staging' }</span> <span class="c1">// }</span> </code></pre> </div> <p>Child environments inherit from sub paths, which means less copy-pasting and more consistency.</p> <h2> Adding to Your CDK Projects </h2> <p>We utilize the construct tree, and propagated context to pass the EnvId. Nested stacks and constructs can simply call <code>.get(scope)</code> with either their parent's or their <code>this</code> prop.</p> <p>Integrating with CDK is straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">Stack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getEnvId</span><span class="p">,</span> <span class="nx">initialContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@cdklib/config</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">awsConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./config/aws</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">eksConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./config/eks</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Initialize app with an environment context</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">({</span> <span class="na">context</span><span class="p">:</span> <span class="nf">initialContext</span><span class="p">(</span><span class="dl">"</span><span class="s2">dev/staging</span><span class="dl">"</span><span class="p">),</span> <span class="p">});</span> <span class="kd">class</span> <span class="nc">MyInfraStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="c1">// Get configuration for this environment</span> <span class="kd">const</span> <span class="nx">aws</span> <span class="o">=</span> <span class="nx">awsConfig</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">eks</span> <span class="o">=</span> <span class="nx">eksConfig</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="c1">// Use the configuration values in your constructs</span> <span class="k">new</span> <span class="nx">eks</span><span class="p">.</span><span class="nc">Cluster</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">EksCluster</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">clusterName</span><span class="p">:</span> <span class="nx">eks</span><span class="p">.</span><span class="nx">clusterName</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="nx">eks</span><span class="p">.</span><span class="nx">version</span><span class="p">,</span> <span class="na">nodeSize</span><span class="p">:</span> <span class="nx">eks</span><span class="p">.</span><span class="nx">nodeSize</span><span class="p">,</span> <span class="na">minNodes</span><span class="p">:</span> <span class="nx">eks</span><span class="p">.</span><span class="nx">minNodes</span><span class="p">,</span> <span class="na">maxNodes</span><span class="p">:</span> <span class="nx">eks</span><span class="p">.</span><span class="nx">maxNodes</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>getEnvId</code> utility lets you access the environment ID from any construct, so you can get the right config wherever you need it.</p> <p>Tags, specficially are better managed using <a href="https://developer.hashicorp.com/terraform/cdktf/concepts/aspects" rel="noopener noreferrer">Aspects</a>, which I'll cover separately</p> <h2> CDKTF Integration </h2> <p>If you're using Terraform CDK, <code>@cdklib/config</code> works just as well with it. You can use either an app-per-environment or stack-per-environment approach, depending on your workflow. The library integrates seamlessly with the CDKTF context system, similar to how it works with AWS CDK.</p> <p>Check out the readme for more examples of CDKTF integration.</p> <h2> Wrapping Up </h2> <p>Managing configuration is one of those things that's easy to overlook but can make a huge difference in your daily CDK work. With <code>@cdklib/config</code>, you get a simple, type-safe way to handle configuration across all your CDK projects.</p> <p>The library is lightweight and can dramatically simplify how you manage environment settings in your infrastructure code.</p> <p>The library is intentionally lightweight and simple. Copy it, modify it or contribute. I just want you to have a better time.</p> <p>For more examples and best practices, take a look at the <a href="https://github.com/kobybum/cdk-libs" rel="noopener noreferrer">project readme</a>.</p> <p>This blog post is also available on my <a href="https://koby.one/blog/DevOps/cdk-config" rel="noopener noreferrer">personal blog</a>.</p> <h3> I'm wondering 🤔 </h3> <ul> <li>Are you using CDKs (cdk8s / cdktf / aws cdk)? Would you like to try it? What's stopping you?</li> <li>How are you managing config in your CDK apps?</li> <li>Any questions?</li> </ul>