Which combination of actions will meet these requirements with the LEAST development overhead?
(Choose two.)
Use a unit testing framework to write custom unit tests against the cdk.out file that the AWS CDK generates. Run the unit tests in a continuous integration and continuous delivery (CI/CD) pipeline that is invoked after any commit to the repository.
Use the CDK assertions module to integrate unit tests with the application. Run the unit tests in a continuous integration and continuous delivery (CI/CD) pipeline that is invoked after any commit to the repository.
Use the CDK runtime context to set key-value pairs that must be present in the cdk.out file that the AWS CDK generates. Fail the stack synthesis if any violations are present.
Write a script that searches the application for specific key configuration strings. Configure the script to produce a report of any security violations.
Use the CDK Aspects class to create custom rules to apply to the CDK application. Fail the stack synthesis if any violations are present.
Explanations:
Writing custom unit tests against the cdk.out file introduces unnecessary complexity and overhead, as the output file is generated from synthesized constructs rather than the constructs themselves. This method may lead to brittle tests that are difficult to maintain.
Using the CDK assertions module allows for direct unit testing of the CDK constructs in a straightforward manner. This approach integrates seamlessly with the CDK and provides a simple way to validate the infrastructure code directly, ensuring that critical configurations are correctly set. Running these tests in a CI/CD pipeline ensures automated validation on commits, which meets both requirements effectively.
Utilizing the CDK runtime context for validation does not directly address the need for unit tests. While it may help enforce specific conditions during synthesis, it does not provide a comprehensive mechanism for testing the configurations of the constructs themselves, making it less effective for validation purposes.
Writing a script to search for configuration strings may identify some security violations, but it lacks the structured approach that CDK assertions provide. This method would likely be less comprehensive and could lead to missed configurations or violations, thus increasing the potential for errors.
The CDK Aspects class can be used to create rules that automatically apply to all constructs within a CDK application. This approach can enforce security best practices and fail stack synthesis if violations are found, aligning well with the requirement to validate configurations in a systematic manner while keeping development overhead low.