by fimbulvetr 1831 days ago
IMO you should try to keep the code as DSL as possible, and only use the imperative features when it makes a lot of sense. For instance if you have like 10 security groups to add and you just put it in a for loop. You should not embed actual account numbers, regions, etc. in your code (i.e. a cdk synth should not show ARNs with arn:aws:1283830383 but rather arn:aws:ACCOUNT_NUMBER). You do that by doing something like:

resources: [`arn:aws:${cdk.Aws.AccountNubmer}`]

(I know I got the arn format wrong and probably messed up the account number, but you get the gist I hope)

The reason is if you follow those rules strictly enough, you can still deploy that template in most accounts (dev, test, prod and so on), which has always been one of the core strengths of CF (and others) when done properly.

And I prefer to NOT use if statements in TypeScript if it can be done in CloudFormation with conditions or other items. For instance, if you only want to deploy a secondary RDS slave in prod, use a CF condition and not a TypeScript 'if (accountNumber === myProdAccount)' because that means your TypeScript needs to know which account it's synthing for, which by default it does not.

IOW, try to use TypeScript to build DSL that's still in the spirit of DSL and you'll avoid a lot of traps that novices get themselves into.
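
A check that follows from the comment above, as an added example that is not part of the original comment or of CDK itself: it walks the JSON that `cdk synth` emits and reports account-ID and region literals, the values the comment says a portable template should not contain. The function name, the sample templates and the account ID 111122223333 are constructed for illustration, and the 12-digit pattern is a heuristic that can also flag unrelated numbers.

```typescript
// Added example: lint a synthesized CloudFormation template for literals
// that pin it to one account or region. Names and samples are constructed.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface Finding { path: string; value: string; reason: string; }

// Exactly 12 digits, not embedded in a longer number: the shape of an account ID.
const ACCOUNT_ID = /(^|\D)\d{12}(\D|$)/;
// A region literal in the region field of an ARN, e.g. arn:aws:sqs:eu-west-1:
const ARN_REGION = /arn:aws[\w-]*:[\w-]*:[a-z]{2}(-[a-z]+)+-\d:/;

function findPinnedLiterals(node: Json, path: string = "$"): Finding[] {
  const out: Finding[] = [];
  if (typeof node === "string") {
    if (ACCOUNT_ID.test(node)) out.push({ path, value: node, reason: "account ID literal" });
    if (ARN_REGION.test(node)) out.push({ path, value: node, reason: "region literal in ARN" });
  } else if (Array.isArray(node)) {
    node.forEach((child, i) => out.push(...findPinnedLiterals(child, `${path}[${i}]`)));
  } else if (node !== null && typeof node === "object") {
    for (const key of Object.keys(node)) {
      out.push(...findPinnedLiterals(node[key], `${path}.${key}`));
    }
  }
  return out;
}

// Constructed sample: an IAM policy whose Resource is supplied by the caller.
function sampleTemplate(resource: Json): Json {
  return { Resources: { Policy: { Type: "AWS::IAM::Policy", Properties: {
    PolicyDocument: { Statement: [
      { Effect: "Allow", Action: "sqs:SendMessage", Resource: resource },
    ] } } } } };
}

// Pinned: the ARN was written out with a concrete region and account.
const pinned = sampleTemplate("arn:aws:sqs:eu-west-1:111122223333:jobs");

// Portable: the ARN is assembled from CloudFormation pseudo parameters,
// which are resolved at deploy time in whichever account receives the template.
const portable = sampleTemplate({ "Fn::Join": ["", [
  "arn:", { Ref: "AWS::Partition" }, ":sqs:", { Ref: "AWS::Region" },
  ":", { Ref: "AWS::AccountId" }, ":jobs",
]] });

console.log(findPinnedLiterals(pinned));   // two findings on the same path
console.log(findPinnedLiterals(portable)); // no findings
```

Run against the synthesized template in CI, a non-empty result means the template can no longer be deployed unchanged to dev, test and prod.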