Anyone have some favourite CDK examples of using S...
# sst
d
Anyone have some favourite CDK examples of using SST with Secrets Manager, Parameter Store, and IAM permissions? For example, passing configuration around between stacks using SSM, and generating specific IAM permissions for ARNs created in other stacks?
f
Hey @Drew, I don’t have an example at hand. Here are some snippets that might help.
Creating SSM in stackA:
const paramInStackA = new ssm.StringParameter(this, "Param", {
  stringValue: "Foo",
});
Consuming SSM in stackB:
ssm.StringParameter.valueForStringParameter(this, paramInStackA.parameterName);
Generating specific IAM permissions for ARNs created in other stacks?
Say you want to grant the Lambda functions in stackB the permission to fetch the SSM params created in stackA. Do this in stackB:
fnInStackB.attachPermissions([
 new iam.PolicyStatement({
   actions: ["..."],
   effect: iam.Effect.ALLOW,
   resources: [
     paramInStackA.parameterArn,
   ],
 }),
]);
Just made up the code above. Haven’t tried it. But the idea holds 😁
d
That’s perfect Frank. Thanks! 🙏
I’m granting permissions to a DynamoDB table right now, and when we did this before we made fragile dependencies between our stacks.
I’m hopeful that this pattern won’t be as brittle.
m
In addition, one of my favorite things about CDK is the permission helper methods. They are supposed to be "best practice".
CDK resource:
appEventBus.grantPutEventsTo(lambdaFn)
Accessing CDK resource from SST class:
sessionTable.dynamodbTable.grantReadData(lambdaFn)
d
I’m hopeful that this pattern won’t be as brittle.
It definitely isn’t. The handing of things between stacks using class variables uses Cfn Exports, which are quite brittle. SSM and such are much more decoupled. Still order dependent, but Cfn won’t trip you up nearly as much.