I'm working on a project that involves both AWS Amplify for frontend hosting and authentication and AWS CDK for backend resource management. I've come across a challenge where I need to share resource ARNs (e.g., State Machine ARNs) between the two.
AWS Amplify Lambda Function Snippet:
```javascript
const command = new StartExecutionCommand({
  stateMachineArn: process.env.ENV === "prod" ? "" : "",
  input: JSON.stringify(record),
  name: "xyz",
});
```
To achieve this, I've considered storing these ARNs in AWS Secrets Manager, which my Lambda functions can then retrieve. However, I'm concerned about potential issues, like if the ARN changes during a CDK update but the secret in Secrets Manager hasn't been updated yet.
- Are there best practices or patterns for integrating AWS Amplify and AWS CDK to share resource identifiers or configurations?
- What pitfalls should I be aware of, and how can I mitigate potential issues like race conditions between CDK resource updates and Secrets Manager updates?
- Is there a more efficient way to do this without involving Secrets Manager or another service?
Any insights or recommendations would be greatly appreciated!
You want to expose non-secret identifiers from your backend CDK stack to an existing Lambda created with the Amplify CLI.
One option is to store the backend ARNs as environment variables in your "Amplify" Lambda function. The env vars would be updated every time your backend stack changes, triggered by an event. Here's how it would work:
There are other approaches. You could use a Custom Resource instead of events to trigger the Updater Lambda. You could store the ARNs in Systems Manager Parameters instead of as environment variables.
Also consider migrating your frontend to the CDK as well. You'd use the @aws-cdk/aws-amplify-alpha module. That would make the entire problem disappear.
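The Systems Manager Parameters option mentioned in the answer, combined with the stale-ARN concern from the question, sketched as an added example that is not part of the original answer or any AWS library. `fetchParameter`, `startExecution`, the parameter name and the account id are assumptions: the two functions stand in for wrappers around SSM `GetParameter` and Step Functions `StartExecution`, and the ARN name pattern is deliberately strict.

```javascript
// Added example. fetchParameter and startExecution are hypothetical injected functions;
// in a Lambda they would wrap SSM GetParameter and Step Functions StartExecution.
const ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):states:([a-z0-9-]+):(\d{12}):stateMachine:([A-Za-z0-9_-]{1,80})$/;

// Reject anything that is not a state machine ARN in the expected account.
function parseStateMachineArn(value, expectedAccount) {
  const m = ARN_RE.exec(String(value).trim());
  if (!m) throw new Error("not a Step Functions state machine ARN");
  if (m[3] !== expectedAccount) throw new Error("ARN is in an unexpected account");
  return { arn: m[0], region: m[2], account: m[3], name: m[4] };
}

// Cache the validated ARN for ttlMs so warm invocations do not re-read the parameter.
function createArnResolver({ fetchParameter, paramName, expectedAccount, ttlMs = 60000, now = Date.now }) {
  let cached = null; // { arn, fetchedAt }
  return {
    async get() {
      if (cached && now() - cached.fetchedAt < ttlMs) return cached.arn;
      const { arn } = parseStateMachineArn(await fetchParameter(paramName), expectedAccount);
      cached = { arn, fetchedAt: now() };
      return arn;
    },
    invalidate() { cached = null; },
  };
}

// If the cached ARN names a state machine that a deployment replaced,
// drop the cache, re-read the parameter and retry exactly once.
async function startWithRefresh(resolver, startExecution, input) {
  try {
    return await startExecution(await resolver.get(), input);
  } catch (err) {
    if (err.name !== "StateMachineDoesNotExist") throw err;
    resolver.invalidate();
    return startExecution(await resolver.get(), input);
  }
}

// Constructed demo: the parameter changes after a deployment replaces the state machine.
async function demo() {
  const acct = "111122223333"; // constructed account id
  let stored = `arn:aws:states:eu-west-1:${acct}:stateMachine:Orders-v1`;
  const resolver = createArnResolver({ fetchParameter: async () => stored, paramName: "/backend/orders-sm-arn", expectedAccount: acct });
  await resolver.get(); // warm the cache with the old ARN
  stored = `arn:aws:states:eu-west-1:${acct}:stateMachine:Orders-v2`; // deployment updates the parameter
  const gone = () => Object.assign(new Error("gone"), { name: "StateMachineDoesNotExist" });
  const start = async (arn) => { if (arn !== stored) throw gone(); return arn; };
  return startWithRefresh(resolver, start, "{}"); // resolves to the Orders-v2 ARN
}
```

The account check means a parameter that is overwritten with an ARN from another account fails closed instead of starting an execution there.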