What is AWS CDK?

AWS CDK (Cloud Development Kit) is an open-source framework for defining AWS infrastructure using programming languages (e.g. TypeScript, Python, Java).

AWS CDK

How does CDK work?

When using CDK, developers write code in their preferred language (e.g. Python).

CDK then makes use of the JSII compiler (a compiler that takes in code written in other languages and generates TypeScript code) to generate a CloudFormation template.

Compilation Process

This process is transparent to the user.

Installing CDK

AWS CDK is available to download as an npm package, so nodejs and npm need to be installed first.

CDK as an npm package

To install CDK as a global dependency, run:

npm install -g aws-cdk

Verify with:

cdk --version

To use CDK, the AWS CLI also needs to be installed and configured with proper credentials.

Installing the AWS CLI

To install the AWS CLI, refer to the official documentation.

Verify with:

aws --version

Configuring the AWS CLI

To configure the AWS CLI, run the following command:

aws configure

This will prompt you for your AWS credentials. (Use an IAM user with access keys.)

Initializing a CDK project

To initialize a new CDK project, the following needs to be run inside an empty directory:

cdk init app --language <language>

Note: Replace <language> with the actual language, such as python, typescript, etc.

This command will generate a template inside the folder such as the following:

| .venv -> Virtual environment folder for Python dependencies.
| tests -> Directory for the project’s unit and integration tests.
| .gitignore
| app.py -> Main entry point for the CDK application (where stacks are defined).
| cdk.json -> CDK toolkit configuration (e.g., app entry point, context, etc.).
| README.md
| requirements-dev.txt -> Python dependencies for development (e.g., testing, linting).
| requirements.txt -> Python dependencies for runtime (e.g., `aws-cdk-lib`).
| source.bat -> (Windows) Helper script to activate the virtual environment.

Synthesizing code to CloudFormation

In order for CDK to synthesize the written code into CloudFormation stacks, the following command needs to be run:

cdk synth

Note: Follow the instructions in the README.md file in order to perform this command.

Bootstrapping CDK

Bootstrapping AWS CDK is the process of preparing the AWS environment so that AWS CDK can deploy resources on one’s behalf.

To bootstrap CDK, run:

cdk bootstrap <account-id>/<region>

In order for bootstrap to succeed, the following permissions need to be added to the CDK IAM User:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCDKBootstrapping",
			"Effect": "Allow",
			"Action": [
				"cloudformation:CreateChangeSet",
				"cloudformation:DeleteChangeSet",
				"cloudformation:DeleteStack",
				"cloudformation:DescribeChangeSet",
				"cloudformation:DescribeEvents",
				"cloudformation:DescribeStackEvents",
				"cloudformation:DescribeStacks",
				"cloudformation:ExecuteChangeSet",
				"cloudformation:GetTemplate",
				"ecr:CreateRepository",
				"ecr:DeleteRepository",
				"ecr:DescribeRepositories",
				"ecr:PutLifecyclePolicy",
				"ecr:SetRepositoryPolicy",
				"iam:AttachRolePolicy",
				"iam:CreateRole",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:DetachRolePolicy",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:PutRolePolicy",
				"iam:TagRole",
				"s3:CreateBucket",
				"s3:DeleteBucket",
				"s3:DeleteBucketPolicy",
				"s3:PutBucketPolicy",
				"s3:PutBucketPublicAccessBlock",
				"s3:PutBucketVersioning",
				"s3:PutEncryptionConfiguration",
				"s3:PutLifecycleConfiguration",
				"ssm:DeleteParameter",
				"ssm:GetParameter",
				"ssm:GetParameters",
				"ssm:PutParameter"
			],
			"Resource": "*"
		}
	]
}

Troubleshooting tip

Make sure that your IAM User can assume the generated CDK roles. Otherwise, commands such as cdk deploy will fail with a warning similar to this one:

current credentials could not be used to assume 'arn:aws:iam::000000000000:role/cdk-hnb659fds-file-publishing-role-000000000000-eu-west-1', but are for the right account. Proceeding anyway.
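
The check below is an added example, not code from the original post or from the CDK project: it evaluates an identity policy offline to see whether it lets the IAM user assume the bootstrap roles named in the warning above. The role-kind list, function names and sample policies are assumptions constructed for illustration; role trust policies, Condition blocks and NotAction/NotResource are not evaluated.

```python
import re

# Roles created by a default `cdk bootstrap` that the CLI user assumes.
ROLE_KINDS = ["deploy-role", "file-publishing-role",
              "image-publishing-role", "lookup-role"]

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def can_assume(policy, role_arn):
    """True if the policy allows sts:AssumeRole on role_arn and nothing denies it."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if "Action" not in st or "Resource" not in st:
            continue  # NotAction / NotResource are not modelled here
        hit = (any(_match(a, "sts:AssumeRole", True) for a in _as_list(st["Action"]))
               and any(_match(r, role_arn) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def unassumable_roles(policy, account, region, qualifier="hnb659fds"):
    """Bootstrap role ARNs the policy does not let the identity assume."""
    arns = [f"arn:aws:iam::{account}:role/cdk-{qualifier}-{kind}-{account}-{region}"
            for kind in ROLE_KINDS]
    return [arn for arn in arns if not can_assume(policy, arn)]

# Constructed sample: a shortened form of the bootstrapping policy above (no sts actions).
BOOTSTRAP_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCDKBootstrapping", "Effect": "Allow",
     "Action": ["cloudformation:DescribeStacks", "iam:CreateRole", "ssm:GetParameter"],
     "Resource": "*"}]}

# Constructed sample: the same policy plus a statement scoped to the CDK roles.
WITH_ASSUME = {"Version": "2012-10-17", "Statement": BOOTSTRAP_ONLY["Statement"] + [
    {"Sid": "AllowAssumeCDKRoles", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::000000000000:role/cdk-hnb659fds-*"}]}

if __name__ == "__main__":
    for name, pol in [("bootstrap only", BOOTSTRAP_ONLY), ("with assume", WITH_ASSUME)]:
        print(name, unassumable_roles(pol, "000000000000", "eu-west-1"))
```

With the bootstrapping policy alone, every role is reported as unassumable; adding the scoped sts:AssumeRole statement clears the list.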
