@ran-isenberg
Last active June 30, 2023 09:57
cdk.py

from aws_cdk import RemovalPolicy
from aws_cdk import aws_dynamodb as dynamodb
from aws_cdk import aws_iam as iam
from constructs import Construct


class IdempotencyConstruct(Construct):
    """DynamoDB table used as an idempotency store, plus the minimal
    data-plane permissions the calling Lambda role needs on it."""

    def __init__(self, scope: Construct, name: str, lambda_role: iam.Role) -> None:
        super().__init__(scope, name)
        self.idempotency_table = dynamodb.Table(
            self,
            "IdempotencyTable",
            partition_key=dynamodb.Attribute(name="id", type=dynamodb.AttributeType.STRING),
            billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
            removal_policy=RemovalPolicy.DESTROY,
            # Items carry an "expiration" epoch attribute so stale idempotency records age out.
            time_to_live_attribute="expiration",
            point_in_time_recovery=True,
        )
        # Grant only the four data-plane actions the idempotency flow uses,
        # scoped to this table, instead of the broader grant_read_write_data().
        self.idempotency_table.grant(
            lambda_role, "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"
        )
@airmonitor

Hey Ryan,

I'm wondering why you selected the way of adding IAM permissions manually in line 20 instead of using the method "grant_read_write_data"?

self.idempotency_table.grant_read_write_data(lambda_role)

Regards
Tom

@ran-isenberg
Author

hey @airmonitor, it's Ran :)
I didn't use it because it grants more attributes than I might require, making it a potential security risk. It's always best to give the least permissions possible.
In addition, I think it provides visibility and teaches you IAM.
I talk about more CDK best practices in my blog post: https://www.ranthebuilder.cloud/post/aws-cdk-best-practices-from-the-trenches
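The least-privilege point in the thread above is easy to verify mechanically: run `cdk synth`, then diff the IAM policy CDK generated for the Lambda role against the action set you intended to grant. The following is an added example written for this page, not code from the gist or from aws-cdk-lib. It works on a constructed CloudFormation fragment (the policy logical IDs `LambdaRoleDefaultPolicy` and `BroadRoleDefaultPolicy` are made up for the example); the first statement mirrors the explicit `Table.grant(...)` call, the second mirrors the action list `grant_read_write_data` produces as transcribed from aws-cdk-lib's dynamodb permissions module at the time of writing, which you should verify against your installed version.

```python
"""Least-privilege check for a CDK-synthesized template: confirm the Lambda
role's DynamoDB grant on the idempotency table is exactly the four actions
the construct needs, and that it is scoped to that table's ARN."""
import json

# Actions the gist's construct grants via Table.grant(...).
EXPECTED_TABLE_ACTIONS = {
    "dynamodb:PutItem",
    "dynamodb:GetItem",
    "dynamodb:UpdateItem",
    "dynamodb:DeleteItem",
}

# Constructed CloudFormation fragment, not real `cdk synth` output. The first
# policy mirrors the explicit grant; the second mirrors the action list that
# grant_read_write_data produces, as transcribed from aws-cdk-lib's dynamodb
# perms module at the time of writing (verify against your installed version).
# The {"Ref": "AWS::NoValue"} entry is the placeholder CDK emits for the index
# ARN when the table has no indexes.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "LambdaRoleDefaultPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:GetItem",
                    "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
         "Resource": [{"Fn::GetAtt": ["IdempotencyTable", "Arn"]},
                      {"Ref": "AWS::NoValue"}]}
      ]}}
    },
    "BroadRoleDefaultPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:BatchGetItem", "dynamodb:GetRecords",
                    "dynamodb:GetShardIterator", "dynamodb:Query",
                    "dynamodb:GetItem", "dynamodb:Scan",
                    "dynamodb:ConditionCheckItem", "dynamodb:BatchWriteItem",
                    "dynamodb:PutItem", "dynamodb:UpdateItem",
                    "dynamodb:DeleteItem", "dynamodb:DescribeTable"],
         "Resource": [{"Fn::GetAtt": ["IdempotencyTable", "Arn"]},
                      {"Ref": "AWS::NoValue"}]}
      ]}}
    }
  }
}
""")


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def dynamodb_statements(template, policy_id):
    """Allow statements of one AWS::IAM::Policy that name any dynamodb:* action."""
    doc = template["Resources"][policy_id]["Properties"]["PolicyDocument"]
    found = []
    for stmt in doc["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a.startswith("dynamodb:") for a in actions):
            found.append({**stmt, "Action": actions, "Resource": _as_list(stmt.get("Resource", []))})
    return found


def granted_dynamodb_actions(template, policy_id):
    """Set of DynamoDB actions the policy allows; a 'dynamodb:*' wildcard is kept verbatim."""
    actions = set()
    for stmt in dynamodb_statements(template, policy_id):
        actions.update(a for a in stmt["Action"] if a.startswith("dynamodb:"))
    return actions


def excess_actions(template, policy_id, expected=EXPECTED_TABLE_ACTIONS):
    """Actions granted beyond `expected`, sorted. Empty means least privilege
    holds; a wildcard entry always shows up here as excess."""
    return sorted(granted_dynamodb_actions(template, policy_id) - expected)


def missing_actions(template, policy_id, expected=EXPECTED_TABLE_ACTIONS):
    """Needed actions the policy does not name literally (wildcards are not expanded)."""
    return sorted(expected - granted_dynamodb_actions(template, policy_id))


def scoped_to_table(template, policy_id, table_id):
    """True when every DynamoDB statement's resources are the table's ARN
    (or CDK's AWS::NoValue placeholder); False on '*' or any other ARN."""
    stmts = dynamodb_statements(template, policy_id)
    if not stmts:
        return False
    for stmt in stmts:
        for res in stmt["Resource"]:
            if res in ({"Fn::GetAtt": [table_id, "Arn"]}, {"Ref": "AWS::NoValue"}):
                continue
            return False
    return True


if __name__ == "__main__":
    for policy in ("LambdaRoleDefaultPolicy", "BroadRoleDefaultPolicy"):
        print(policy, "excess:", excess_actions(SAMPLE_TEMPLATE, policy),
              "scoped:", scoped_to_table(SAMPLE_TEMPLATE, policy, "IdempotencyTable"))
```

Point `SAMPLE_TEMPLATE` at the JSON under `cdk.out/` and the policy logical ID CDK assigned to your role, and the same functions become a unit test that fails the build whenever a grant widens beyond the four actions the idempotency flow needs.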
