Skip to content

Commit e96f2e6

Browse files
committed
docs: add deterministic-synthesis row to the CDK best-practices table
The foundational AWS CDK best-practices guidance emphasizes deterministic synthesis (no environment lookups, all decisions at synth time, committable cdk.context.json). The template already follows this — verified no *.from_lookup and no CfnParameter/CfnCondition in the codebase, and .gitignore intentionally keeps cdk.context.json committable — but the practice wasn't named in the best-practices table. Add the row.
1 parent 57de71b commit e96f2e6

1 file changed

Lines changed: 1 addition & 0 deletions

File tree

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -216,6 +216,7 @@ This template is built to follow the official [AWS CDK best practices](https://d
216216
| **Separate infrastructure and application code** | `hello_world/` (CDK) vs `lambda/` (handler) vs `tests/`, with isolated dependency groups ||
217217
| **Define retain policies on stateful/critical resources** | `retain_data` flips tables, buckets, and CMKs to `RETAIN` with deletion + termination protection ([retain_data](#stateful-data-stack-and-retain_data)) ||
218218
| **Use generated, not physical, resource names** | `table_name` / `parameter_name` / `log_group_name` left unset so CDK derives them — avoids replacement failures and cross-region collisions ([composition](#stack-and-construct-composition)) ||
219+
| **Deterministic synthesis** | No environment lookups (`*.from_lookup`) and no `CfnParameter`/`CfnCondition` — every decision is made at synth time from context, not deferred to deploy; `cdk.context.json` is kept committable (not gitignored) for the moment a fork adds a lookup ||
219220
| **Don't change logical IDs of stateful resources** | Logical IDs frozen in a committed list; a renaming refactor (= replacement = data loss) fails at PR time | `TestLogicalIdStability` ([Tests](#tests)) |
220221
| **Least-privilege IAM; write explicit, scoped policies** | Scoped grants; wildcard IAM only where unavoidable, each with a per-resource justification ([Security](#security)) | cdk-nag `IAM5` |
221222
| **Security defaults aren't enough — cdk-nag in the synth loop** | Five rule packs (AwsSolutions, Serverless, NIST/HIPAA/PCI) plus a bespoke validation Aspect fail every synth ([CDK security checks](#cdk-security-checks)) | `cdk synth` + `TestNagCompliance` |

0 commit comments

Comments
 (0)