I’ve been working with Amazon Web Services for nearly two years now. I started with plain CloudFormation templates and switched to the Cloud Development Kit about 8 months ago. It’s a pretty neat tool and makes deploying resources fairly easy. What I enjoy about it the most is how you can modularize your code and how easy you can share resources across stacks. However, I encourage you to start learning CloudFormation before jumping into CDK right away because CDK compiles to CloudFormation templates and sometimes you need to know how they work, otherwise you run in some issues. Let me show you an example:

const myBucketArnParam = StringParameter.fromStringParameterName(this, 'MyBucketArnParam', '/my-bucket/arn');
const myBucket = Bucket.fromBucketArn(this, 'MyBucket', myBucketArnParam.stringValue);

console.info(myBucketArnParam.stringValue);
bucket.grantRead(someRole);

CDK Pitfalls

One might think that the value of myBucketArnParam will be printed to the console. But actually it prints: ${Token[TOKEN.575]} because the SSM parameter is not resolved at compile time but when the template is executed. The other problem is that .grantRead() should give “permission to use the key to decrypt the contents of the bucket […]”. This is only right, if the bucket and the key are in the same stack because the key policy must be created alongside the key. In other words you will not be allowed to decrypt the data. Anyway, let’s come to the topic of this article.

#typescript #config