{
"app": "uv run --group cdk --group test python3 app.py",
"watch": {
"include": ["**"],
"exclude": [
"README.md",
"cdk*.json",
"requirements*.txt",
"source.bat",
"**/__pycache__",
"**/.venv*",
"*.egg-info"
]
},
"context": {
"@aws-cdk/aws-lambda:recognizeLayerVersion": true,
"@aws-cdk/core:checkSecretUsage": true,
"@aws-cdk/core:target-partitions": ["aws"],
"_comment_safe_flags": "These flags are safe to enable — they produce zero CloudFormation template drift against the currently deployed stacks.",
"@aws-cdk/core:validateSnapshotRemovalPolicy": true,
"@aws-cdk/core:enableAdditionalMetadataCollection": true,
"@aws-cdk/core:explicitStackTags": true,
"@aws-cdk/core:aspectPrioritiesMutating": true,
"@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
"@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
"@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
"@aws-cdk/aws-lambda:useCdkManagedLogGroup": true,
"@aws-cdk/aws-cloudfront:defaultFunctionRuntimeV2_0": true,
"@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
"@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
"@aws-cdk/customresources:installLatestAwsSdkDefault": false,
"_comment_template_changing_flags": "These flags produce real CloudFormation changes and were validated via cdk diff before enabling.",
"@aws-cdk/core:enablePartitionLiterals": true,
"@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
"@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
"@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
"@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
"_comment_iam_flags": "These flags restructure IAM policies toward least privilege. Enabled together to minimize deploy churn.",
"@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
"@aws-cdk/aws-iam:minimizePolicies": true,
"_skipped_@aws-cdk/aws-apigateway:disableCloudWatchRole": "Incompatible with NIST 800-53 R5 — execution logging (APIG6 / APIGWExecutionLoggingEnabled) requires the account-level CloudWatch role",
"_skipped_@aws-cdk/aws-iam:standardizedServicePrincipals": "Synth-tested locally: emits real template drift on the backend stack (different service-principal computation in some IAM policies). Flip during a planned IAM migration with cdk diff review, not as a no-drift cleanup.",
"_comment_production_switches": "Production-fork switches, default false. This is the STICKY home for them: a value set here applies to every `make deploy` (a CLI `-c flag=true` overrides it for a single run). retain_data is safe to set true from the FIRST deploy — it switches the data + audit stacks (tables, buckets, CMKs) to RETAIN with deletion/termination protection. appconfig_monitor is deliberately NOT listed here: it must never be set on a cold/first deploy (its alarm starts in INSUFFICIENT_DATA, which AppConfig treats as a rollback signal and aborts the create) — add it here, or run `make deploy-appconfig-monitor`, only AFTER a first successful deploy. See README 'Deployment safety'.",
"retain_data": false
}
}