from aws_cdk import RemovalPolicy | |
from aws_cdk import aws_dynamodb as dynamodb | |
from aws_cdk import aws_iam as iam | |
from constructs import Construct | |
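class IdempotencyConstruct(Construct):
    """Provision the DynamoDB table that backs Lambda idempotency and grant access to it.

    The table is keyed on a string ``id`` partition key, billed on demand, and
    expires records through the ``expiration`` TTL attribute. The caller's Lambda
    role receives only the four item-level actions an idempotency store needs
    (PutItem, GetItem, UpdateItem, DeleteItem) rather than the broader set from
    ``grant_read_write_data`` (which also covers Scan, Query, BatchGetItem,
    BatchWriteItem, ConditionCheckItem, GetRecords, GetShardIterator and
    DescribeTable), keeping the grant at least privilege.

    Args:
        scope: Parent construct.
        name: Construct id within ``scope``.
        lambda_role: IAM role of the Lambda function that will use the table.
        removal_policy: What happens to the table when the stack is deleted.
            Defaults to ``RemovalPolicy.DESTROY`` (the previous hard-coded
            behaviour); pass ``RemovalPolicy.RETAIN`` for production stacks
            where losing in-flight idempotency records on a stack delete is
            not acceptable.

    Attributes:
        idempotency_table: The created ``dynamodb.Table``.
    """

    def __init__(
        self,
        scope: Construct,
        name: str,
        lambda_role: iam.Role,
        *,
        removal_policy: RemovalPolicy = RemovalPolicy.DESTROY,
    ) -> None:
        super().__init__(scope, name)
        self.idempotency_table = dynamodb.Table(
            self,
            "IdempotencyTable",
            partition_key=dynamodb.Attribute(name="id", type=dynamodb.AttributeType.STRING),
            billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
            # NOTE(review): DESTROY together with point-in-time recovery is an odd
            # pairing -- PITR protects against bad writes, not against a stack
            # delete. Callers that need durability should pass RETAIN.
            removal_policy=removal_policy,
            # The TTL attribute name must match what the idempotency layer writes
            # into each record ("expiration" here); verify against the consumer.
            time_to_live_attribute="expiration",
            point_in_time_recovery=True,
        )
        # Explicit action list on purpose (least privilege): grant_read_write_data
        # would also allow Scan/Query/Batch*/DescribeTable, none of which an
        # idempotency store needs, widening the blast radius of a compromised
        # function.
        self.idempotency_table.grant(
            lambda_role,
            "dynamodb:PutItem",
            "dynamodb:GetItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
        )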
hey @airmonitor , it's Ran :)
I didn't use it because `grant_read_write_data` grants more IAM actions than the idempotency store needs (it also covers Scan, Query, BatchGetItem/BatchWriteItem and DescribeTable), which widens the blast radius if the function is ever compromised. It's always best to grant the least permissions possible.
In addition, listing the actions explicitly makes the function's exact permissions visible in the code and teaches you the underlying IAM actions.
I talk about more CDK best practices in my blog post: https://www.ranthebuilder.cloud/post/aws-cdk-best-practices-from-the-trenches
Hey Ryan,
I'm wondering why you chose to add the IAM permissions manually with an explicit `grant(...)` action list (line 20 in the gist) instead of using the `grant_read_write_data` method?
self.idempotency_table.grant_read_write_data(lambda_role)
Regards
Tom