refactor

Author: anthony-nhs

Makefile

@@ -98,7 +98,6 @@ cdk-deploy: guard-STACK_NAME
 		--context logRetentionInDays=$$LOG_RETENTION_IN_DAYS \
 		--context slackBotToken=$$SLACK_BOT_TOKEN \
 		--context slackSigningSecret=$$SLACK_SIGNING_SECRET
-
 cdk-synth:
 	npx cdk synth \
 		--quiet \
@@ -109,7 +108,8 @@ cdk-synth:
 		--context commitId=undefined \
 		--context logRetentionInDays=30 \
 		--context slackBotToken=dummy \
-		--context slackSigningSecret=dummy
+		--context slackSigningSecret=dummy \
+		--context cfnDriftDetectionGroup=dummy
 	./scripts/fix_cfn_guard.sh
 
 cdk-diff:

packages/cdk/constructs/DynamoDbTable.ts

@@ -28,15 +28,15 @@ export class DynamoDbTable extends Construct {
   constructor(scope: Construct, id: string, props: DynamoDbTableProps) {
     super(scope, id)
 
-    this.kmsKey = new Key(this, "TableKey", {
+    const kmsKey = new Key(this, "TableKey", {
       enableKeyRotation: true,
       description: `KMS key for ${props.tableName} DynamoDB table encryption`,
       removalPolicy: RemovalPolicy.DESTROY
     })
 
-    this.kmsKey.addAlias(`alias/${props.tableName}-dynamodb-key`)
+    kmsKey.addAlias(`alias/${props.tableName}-dynamodb-key`)
 
-    this.table = new TableV2(this, props.tableName, {
+    const table = new TableV2(this, props.tableName, {
       tableName: props.tableName,
       partitionKey: props.partitionKey,
       sortKey: props.sortKey,
@@ -46,7 +46,10 @@ export class DynamoDbTable extends Construct {
         pointInTimeRecoveryEnabled: true
       },
       removalPolicy: RemovalPolicy.DESTROY,
-      encryption: TableEncryptionV2.customerManagedKey(this.kmsKey)
+      encryption: TableEncryptionV2.customerManagedKey(kmsKey)
     })
+
+    this.kmsKey = kmsKey
+    this.table = table
   }
 }

packages/cdk/constructs/LambdaFunction.ts

@@ -26,7 +26,6 @@ export interface LambdaFunctionProps {
   readonly handler: string
   readonly environmentVariables: {[key: string]: string}
   readonly additionalPolicies?: Array<IManagedPolicy>
-  readonly role?: Role
   readonly logRetentionInDays: number
   readonly logLevel: string
 }
@@ -111,20 +110,10 @@ export class LambdaFunction extends Construct {
       ...(props.additionalPolicies ?? [])
     ]
 
-    // Use provided role or create new one with required policies
-    let role: Role
-    if (props.role) {
-      role = props.role
-      // Attach any missing managed policies to the provided role
-      for (const policy of requiredPolicies) {
-        role.addManagedPolicy(policy)
-      }
-    } else {
-      role = new Role(this, "LambdaRole", {
-        assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
-        managedPolicies: requiredPolicies
-      })
-    }
+    const role = new Role(this, "LambdaRole", {
+      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
+      managedPolicies: requiredPolicies
+    })
 
     // Create Lambda function with Python runtime and monitoring
     const lambdaFunction = new LambdaFunctionResource(this, props.functionName, {

packages/cdk/constructs/S3Bucket.ts

@@ -20,14 +20,14 @@ export class S3Bucket extends Construct {
   constructor(scope: Construct, id: string, props: S3BucketProps) {
     super(scope, id)
 
-    this.kmsKey = new Key(this, "BucketKey", {
+    const kmsKey = new Key(this, "BucketKey", {
       enableKeyRotation: true,
       description: `KMS key for ${props.bucketName} S3 bucket encryption`,
       removalPolicy: RemovalPolicy.DESTROY
     })
-    this.kmsKey.addAlias(`alias/${props.bucketName}-s3-key`)
+    kmsKey.addAlias(`alias/${props.bucketName}-s3-key`)
 
-    this.bucket = new Bucket(this, props.bucketName, {
+    const bucket = new Bucket(this, props.bucketName, {
       blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
       encryption: BucketEncryption.KMS,
       encryptionKey: this.kmsKey,
@@ -37,5 +37,8 @@ export class S3Bucket extends Construct {
       versioned: props.versioned ?? false,
       objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
     })
+
+    this.kmsKey = kmsKey
+    this.bucket = bucket
   }
 }

packages/cdk/constructs/SecretWithParameter.ts

@@ -18,18 +18,21 @@ export class SecretWithParameter extends Construct {
     super(scope, id)
 
     // Create secret in AWS Secrets Manager
-    this.secret = new Secret(this, "Secret", {
+    const secret = new Secret(this, "Secret", {
       secretName: props.secretName,
       description: props.description,
       secretStringValue: SecretValue.unsafePlainText(props.secretValue)
     })
 
     // Create SSM parameter that references the secret
-    this.parameter = new StringParameter(this, "Parameter", {
+    const parameter = new StringParameter(this, "Parameter", {
       parameterName: props.parameterName,
-      stringValue: `{{resolve:secretsmanager:${this.secret.secretName}}}`,
+      stringValue: `{{resolve:secretsmanager:${secret.secretName}}}`,
       description: `Reference to ${props.description}`,
       tier: ParameterTier.STANDARD
     })
+
+    this.secret = secret
+    this.parameter = parameter
   }
 }